
Windows 10 Mobile must be configured to implement the management setting: Require a password be used before unlocking a Windows 10 Mobile device.


Overview

Finding ID: V-70131
Version: MSWM-10-911005
Rule ID: SV-84753r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Passwords provide a form of access control that prevents unauthorized individuals from accessing computing resources and sensitive data. Passwords may also be a source of entropy for the generation of key encryption keys or data encryption keys. If a password is not required to access data, then this data is accessible to any adversary who obtains physical possession of the device. Requiring that a password be successfully entered before the mobile device data is decrypted mitigates this risk.

SFR ID: FMT_SMF_EXT.1.1 #1

STIG: Microsoft Windows 10 Mobile Security Technical Implementation Guide
Date: 2017-09-11

Details

Check Text ( C-70607r1_chk )
Review Windows 10 Mobile configuration settings to determine if the mobile device requires that a password be entered before the device is unlocked. If feasible, use a spare device to test if a password is required to unlock it.

This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device.

Check whether the appropriate setting is configured on the MDM.

Administration Console:

1. Ask the MDM administrator to display the "Password" setting in the MDM console.
2. Verify that the setting requiring a password is enforced.

On the Windows 10 Mobile device:

1. Power down the device.
2. Power back up the device.
3. Verify that once the device powers up, the lock screen is displayed, and that when you swipe up, the "Enter PIN" screen is shown and a PIN is required to access the device.

If the MDM does not set the policy requiring a password, or if a password/PIN is not required on the phone to access the device, this is a finding.
Fix Text (F-76367r1_fix)
Configure the MDM system to enforce that a password is required before unlocking a device.

Deploy the policy on managed devices.