Windows Hardware Compatibility

Specifications for Windows 11, version

22H2 - Filter driver

Microsoft Confidential: Internal Use and Partners Under NDA Only

© 2021 Microsoft. All rights reserved. These materials are confidential to and maintained as a trade secret by
Microsoft Corporation. Information in these materials is restricted to Microsoft authorized recipients only. Any use,
distribution or public discussion of, and any feedback to, these materials is subject to the terms of the attached
license. By providing any feedback on these materials to Microsoft, you agree to the terms of that license.

Page 1 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Disclaimer
This document is provided “as-is”. Information and view expressed in this document, including URL and other
Internet website references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection
is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You
may copy and use this document for your internal, reference purposes. This document is confidential and proprietary
to Microsoft. It is disclosed and can be used only pursuant to a nondisclosure agreement.

Internet Explorer, Microsoft, TechNet, Windows, and Excel are trademarks of the Microsoft group of
companies. All other trademarks are property of their respective owners.

Page 2 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Microsoft Corporation Technical Documentation License Agreement (Standard)

READ THIS! THIS IS A LEGAL AGREEMENT BETWEEN MICROSOFT CORPORATION ("MICROSOFT") AND THE RECIPIENT OF THESE
MATERIALS, WHETHER AN INDIVIDUAL OR AN ENTITY ("YOU"). IF YOU HAVE ACCESSED THIS AGREEMENT IN THE PROCESS OF
DOWNLOADING MATERIALS ("MATERIALS") FROM A MICROSOFT WEB SITE, BY CLICKING "I ACCEPT", DOWNLOADING, USING OR
PROVIDING FEEDBACK ON THE MATERIALS, YOU AGREE TO THESE TERMS. IF THIS AGREEMENT IS ATTACHED TO MATERIALS, BY
ACCESSING, USING OR PROVIDING FEEDBACK ON THE ATTACHED MATERIALS, YOU AGREE TO THESE TERMS.
1. For good and valuable consideration, the receipt and sufficiency of which are acknowledged, You and Microsoft agree as follows:
(a) If You are an authorized representative of the corporation or other entity designated below ("Company"), and such Company has executed a Microsoft Corporation
Non-Disclosure Agreement that is not limited to a specific subject matter or event ("Microsoft NDA"), You represent that You have authority to act on behalf of
Company and agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms and conditions of the Microsoft NDA and that
Company will treat the Confidential Information accordingly;
(b) If You are an individual, and have executed a Microsoft NDA, You agree that the Confidential Information, as defined in the Microsoft NDA, is subject to the terms
and conditions of the Microsoft NDA and that You will treat the Confidential Information accordingly; or
(c)If a Microsoft NDA has not been executed, You (if You are an individual), or Company (if You are an authorized representative of Company), as applicable, agrees:
(a) to refrain from disclosing or distributing the Confidential Information to any third party for five (5) years from the date of disclosure of the Confidential Information
by Microsoft to Company/You; (b) to refrain from reproducing or summarizing the Confidential Information; and (c) to take reasonable security precautions, at least
as great as the precautions it takes to protect its own confidential information, but no less than reasonable care, to keep confidential the Confidential Information.
You/Company, however, may disclose Confidential Information in accordance with a judicial or other governmental order, provided You/Company either (i) gives
Microsoft reasonable notice prior to such disclosure and to allow Microsoft a reasonable opportunity to seek a protective order or equivalent, or (ii) obtains written
assurance from the applicable judicial or governmental entity that it will afford the Confidential Information the highest level of protection afforded under applicable
law or regulation. Confidential Information shall not include any information, however designated, that: (i) is or subsequently becomes publicly available without
Your/Company’s breach of any obligation owed to Microsoft; (ii) became known to You/Company prior to Microsoft’s disclosure of such information to You/Company
pursuant to the terms of this Agreement; (iii) became known to You/Company from a source other than Microsoft other than by the breach of an obligation of
confidentiality owed to Microsoft; or (iv) is independently developed by You/Company. For purposes of this paragraph, "Confidential Information" means nonpublic
information that Microsoft designates as being confidential or which, under the circumstances surrounding disclosure ought to be treated as confidential by Recipient.
"Confidential Information" includes, without limitation, information in tangible or intangible form relating to and/or including released or unreleased Microsoft
software or hardware products, the marketing or promotion of any Microsoft product, Microsoft's business policies or practices, and information received from others
that Microsoft is obligated to treat as confidential.

2. You may review these Materials only (a) as a reference to assist You in planning and designing Your product, service or technology ("Product") to interface with a
Microsoft Product as described in these Materials; and (b) to provide feedback on these Materials to Microsoft. All other rights are retained by Microsoft; this
agreement does not give You rights under any Microsoft patents. You may not (i) duplicate any part of these Materials, (ii) remove this agreement or any notices
from these Materials, or (iii) give any part of these Materials, or assign or otherwise provide Your rights under this agreement, to anyone else.

3. These Materials may contain preliminary information or inaccuracies, and may not correctly represent any associated Microsoft Product as commercially released.
All Materials are provided entirely "AS IS." To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED
AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY
INTELLECTUAL PROPERTY IN THEM.

4. If You are an entity and (a) merge into another entity or (b) a controlling ownership interest in You changes, Your right to use these Materials automatically
terminates and You must destroy them.

5. You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to these Materials. However, any Feedback you
voluntarily provide may be used in Microsoft Products and related specifications or other documentation (collectively, "Microsoft Offerings") which in turn may be
relied upon by other third parties to develop their own Products. Accordingly, if You do give Microsoft Feedback on any version of these Materials or the Microsoft
Offerings to which they apply, You agree: (a) Microsoft may freely use, reproduce, license, distribute, and otherwise commercialize Your Feedback in any Microsoft
Offering; (b) You also grant third parties, without charge, only those patent rights necessary to enable other Products to use or interface with any specific parts of a
Microsoft Product that incorporate Your Feedback; and (c) You will not give Microsoft any Feedback (i) that You have reason to believe is subject to any patent,
copyright or other intellectual property claim or right of any third party; or (ii) subject to license terms which seek to require any Microsoft Offering incorporating or
derived from such Feedback, or other Microsoft intellectual property, to be licensed to or otherwise shared with any third party.

6. Microsoft has no obligation to maintain confidentiality of any Microsoft Offering, but otherwise the confidentiality of Your Feedback, including Your identity as the
source of such Feedback, is governed by Your NDA.

7. This agreement is governed by the laws of the State of Washington. Any dispute involving it must be brought in the federal or state superior courts located in King
County, Washington, and You waive any defenses allowing the dispute to be litigated elsewhere. If there is litigation, the losing party must pay the other party’s
reasonable attorneys’ fees, costs and other expenses. If any part of this agreement is unenforceable, it will be considered modified to the extent necessary to make
it enforceable, and the remainder shall continue in effect. This agreement is the entire agreement between You and Microsoft concerning these Materials; it may be
changed only by a written document signed by both You and Microsoft.

Page 3 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Table of Contents
Disclaimer........................................................................................................................................................................................................................... 2

Overview of Windows Hardware Compatibility Program .............................................................................................................................. 7

Glossary ............................................................................................................................................................................................................................... 8
Filter Requirements ........................................................................................................................................................................................................ 9

Filter.Driver.AntiVirus ................................................................................................................................................................................................ 9
Filter.Driver.AntiVirus.Functionality ................................................................................................................................................................ 9
Filter.Driver.AntiVirus.IcarDetection ............................................................................................................................................................... 9

Filter.Driver.AntiVirus.MiniFilter .................................................................................................................................................................... 10
Filter.Driver.AntiVirus.NamedPipeAndMailSlots .................................................................................................................................... 10
Filter.Driver.AntiVirus.RegistryAndProcess ............................................................................................................................................... 11

Filter.Driver.AntiVirus.Winsock ...................................................................................................................................................................... 12
Filter.Driver.DeviceGuard ..................................................................................................................................................................................... 13
Filter.Driver.DeviceGuard.DriverCompatibility ........................................................................................................................................ 13

Filter.Driver.EarlyLaunchAntiMalware ............................................................................................................................................................. 13
Filter.Driver.EarlyLaunchAntiMalware.BackupDriver ............................................................................................................................ 13
Filter.Driver.EarlyLaunchAntiMalware.ELAMSignatureAttributes.................................................................................................... 14

Filter.Driver.EarlyLaunchAntiMalware.MVIMembership ..................................................................................................................... 15
Filter.Driver.EarlyLaunchAntiMalware.Performance ............................................................................................................................. 15
Filter.Driver.EarlyLaunchAntiMalware.SignatureData .......................................................................................................................... 16
Filter.Driver.FileSystem .......................................................................................................................................................................................... 16

Filter.Driver.FileSystem.Functionality .......................................................................................................................................................... 16
Filter.Driver.FileSystem.MiniFilter ................................................................................................................................................................. 17
Filter.Driver.FileSystem.NamedPipeAndMailSlots ................................................................................................................................. 17

Filter.Driver.FileSystem.RegistryAndProcess ........................................................................................................................................... 19
Filter.Driver.Fundamentals ................................................................................................................................................................................... 19
Filter.Driver.Fundamentals.DriverQuality .................................................................................................................................................. 19

Filter.Driver.Network.LWF .................................................................................................................................................................................... 20
Filter.Driver.Network.LWF.Base ..................................................................................................................................................................... 20
Filter.Driver.Network.LWF.MTUSize ............................................................................................................................................................ 20

Filter.Driver.Retpoline ............................................................................................................................................................................................ 21
Filter.Driver.Retpoline.IndirectControlTransfers..................................................................................................................................... 21
Filter.Driver.Security ............................................................................................................................................................................................... 21

Filter.Driver.Security.NoTDIFilterAndLSP .................................................................................................................................................. 21

Page 4 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Filter.Driver.vSwitchExtension ............................................................................................................................................................................ 22
Filter.Driver.vSwitchExtension.ExtensionRequirements ...................................................................................................................... 22

Filter.Driver.WindowsFilteringPlatform .......................................................................................................................................................... 24
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-AppContainers-SupportModernApplications ............... 24
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-CleanUninstall ............................................................................. 24

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-ConnectionProxying-NoDeadlocks ................................... 25
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmFilters-MaintainOneTerminating ............................ 25
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmProviders-AssociateWithObjects ............................ 25

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmProviders-MaintainIdentifying ................................ 26
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmSublayers-UseOwnOrBuiltIn..................................... 27
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-NetworkDiagnosticsFramework-HelperClass ................ 28

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-NoAccessViolations .................................................................. 28
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-NoTamperingWith3rdPartyObjects ................................... 29
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-PacketInjection-NoDeadlocks ............................................. 29
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-StreamInjection-NoStreamStarvation .............................. 29

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-SupportPowerManagedStates ............................................. 30
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-WFPObjectACLs ......................................................................... 30
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-Winsock ......................................................................................... 31

Filter.Driver.WindowsFilteringPlatform.Firewall-DisableWindowsFirewallProperly ................................................................ 31
Filter.Driver.WindowsFilteringPlatform.Firewall-NotOnlyPermitAllFilters ................................................................................... 32
Filter.Driver.WindowsFilteringPlatform.Firewall-Support5TupleExceptions............................................................................... 32

Filter.Driver.WindowsFilteringPlatform.Firewall-SupportApplicationExceptions ..................................................................... 33
Filter.Driver.WindowsFilteringPlatform.Firewall-SupportMACAddressExceptions .................................................................. 33
Filter.Driver.WindowsFilteringPlatform.Firewall-UseWindowsFilteringPlatform ...................................................................... 33

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportAddressResolution ........................................ 34
Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportDynamicAddressing ...................................... 34
Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportIPv4 ...................................................................... 35

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportIPv6 ...................................................................... 36
Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportNameResolution............................................. 36
Filter.Driver.WindowsFilteringPlatform.Scenario-Support6to4 ....................................................................................................... 37

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportAutomaticUpdates .......................................................................... 37
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportBasicWebsiteBrowsing .................................................................. 38
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportFileAndPrinterSharing.................................................................... 38

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportICMPErrorMessages ....................................................................... 39
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportInternetStreaming ........................................................................... 39
Page 5 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Filter.Driver.WindowsFilteringPlatform.Scenario-SupportMediaExtenderStreaming ............................................................ 40
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportMobileBroadBand ........................................................................... 41

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportPeerNameResolution ..................................................................... 42
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportRemoteAssistance ........................................................................... 43
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportRemoteDesktop ............................................................................... 43

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportTeredo .................................................................................................. 44
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportVirtualPrivateNetworking ............................................................. 44
Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-InteropWithOtherExtensions ...................................................... 45

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-NoEgressModification ................................................................... 46
Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportLiveMigration ................................................................... 46
Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportRemoval .............................................................................. 46

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportReordering ......................................................................... 47

Page 6 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Overview of Windows Hardware Compatibility Program

The Windows Hardware Compatibility Program (WHCP) is the primary channel that we use to communicate to the
partner community the core expectations that Windows places on devices, kernel-affecting software, systems and
solutions. The purpose of the document is to help ensure that products can successfully and seamlessly integrate into
Windows. This communication starts with the core tenets and user scenarios that drove Windows design. Those
design principles translate into a set of features that cover fundamentals, connectivity, and product-specific features.
These design features are codified as discrete requirements which define what Windows expects from the various
components and connected devices. A product designed to meet the requirements will be reliable, stable, efficient in
power and performance, and provide a great Windows experience.

The program is unique in the industry in terms of the detail and engineering tools that Microsoft freely provides in
order to assist partners build, test, secure, and maintain products for success in the Windows environment. No other
program provides access to in-the-field telemetry in order to facilitate end-user support and quality assurance, nor as
powerful a method to deliver software, drivers and certain firmware updates to end-users necessary to correct
identified problems or allow new features to be embraced.

Partners can self-assess how their products comply with WHCP requirements by using the tests in the Windows
Hardware Lab Kit (Windows HLK) for Windows 10. The Windows HLK contains significant enhancements to encourage
efficient testing practices, such as early and focused testing, distributed testing and merged multifunction device
fundamental testing. Not all requirements are able to be tested in an automated fashion, and automated testing can't
fully assure absolute compliance with the requirements, so we continually analyze the end-user experience and
improve the tools over time.

All products will expose a suite of features that can be categorized into four basic groupings, and they must meet all
applicable requirements in order to be qualified for Windows Compatibility status. The four groups are:

1. Device.Devfund - fundamental requirements expected of any device, filter or system (the fundamental
features).
2. Device.Connectivity - The connectivity requirements exposed for the type of connectivity the device uses.
Devices that use more than one type of connectivity bus must meet all of the applicable connectivity buses
requirements.
3. Device/Filter/System specific requirements - The Device/System specific requirements assure that the
device/system behaves as Windows expects.
4. Additional requirements that are related to secondary functions added to the product. For example,
removable storage is commonly found on mobile broadband USB-connected units. Both storage and the
mobile broadband portion of the requirements must be met in order to be considered as Compatible.
Compatibility is a public statement of confidence from us that the tested device, filter driver, or system works well
with Windows. Compatibility benefits include:

⚫ Signing device drivers.

⚫ Publishing the product as qualified in various catalogs and on the compatibility center.
⚫ Collecting and pre-analyzing telemetry on your product in the field to improve your quality assurance
efforts.
⚫ Providing a free and extremely effective distribution channel for driver updates.
⚫ Providing eligibility for various marketing incentives and a logo license.

Page 7 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Glossary
If-Implemented: An If-Implemented requirement is a mandatory requirement for an optional feature or
function. The product is not required to implement the feature or function defined by the requirement, however if
the feature or function is implemented, it must comply with the requirement.

For example: Systems are not required to support USB Type C in the current requirements. If a system does
support USB Type C functionality, then the system is required to comply with all of the defined USB Type C
requirements.

Optional: An optional requirement is a recommendation that Microsoft strongly encourages be implemented when a
product supports the described features or functions. This optional requirement is not enforced during the Windows
Hardware Compatibility Program qualification. Therefore, it is possible to become Windows Hardware Compatibility
Program qualified and not comply with the given optional requirement.

For example: Microsoft recommends that HDD and SDD storage devices support Self-Monitoring, Analysis
and Reporting Technology (SMART) metrics per the ATA8-ACS4 specification in order to reduce the chance
of unexpected device failure or data loss. A storage device is not required to comply with this optional
requirement, even when the device supports SMART.

Page 8 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter Requirements
Filter.Driver.AntiVirus
Antivirus requirements for filter drivers

Filter.Driver.AntiVirus.Functionality
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows file systems, as
well as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Description

Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows file systems, as
well as interact accurately with the core components of the operating system. Some areas of particular interest are:

• Local File Systems

o NT API, Win32 API and Win32 mapped IO API usage

o Object ID functionality

o Reparse points

o Oplocks

o System cache usage

o Transactional capability

• Remote file systems

• Oplock semantics over SMB

Information about file system behavior: http://download.microsoft.com/download/4/3/8/43889780-8d45-4b2e-9d3a-

c696a890309f/File%20System%20Behavior%20Overview.pdf

Information about Oplock semantics over SMB, see the [MS-SMB2] protocol document at:
http://msdn.microsoft.com/en-us/library/cc246482(PROT.13).aspx

Filter.Driver.AntiVirus.IcarDetection
Anti-virus filter drivers must be architected to exercise basic anti-virus functionality, as well as interact accurately with
the core components of the operating system.

Page 9 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Applies to Windows 11 Client x64

Description

Anti-virus filter drivers must be architected to exercise basic anti-virus functionality, as well as interact accurately with
the core components of the operating system. Some areas of particular interest are:

• File systems
• Anti-virus functionality

Filter.Driver.AntiVirus.MiniFilter
A file system filter driver must be a minifilter driver that uses the file systems filter manager.

Applies to Windows 11 Client x64

Description

This requirement will be tested implicitly. The driver detection mechanism of the Windows Hardware Lab Kit will be
written such that legacy file system filter drivers are not enumerated. Only minifilter drivers will be enumerated and
surfaced in the kit. As such, a user will be unable to select a legacy filter driver for logo testing via the kit.

Information about filter manger and minifilter drivers available here:

http://msdn.microsoft.com/en-us/library/ff540402(v=VS.85).aspx
http://msdn.microsoft.com/en-us/windows/hardware/gg462968.aspx

Filter.Driver.AntiVirus.NamedPipeAndMailSlots
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Named Pipe and Mail Slots,
as well as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Page 10 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

Kernel mode filter drivers must be architected to maximize the reliability and functionality of Named Pipe and Mail
Slots, as well as interact accurately with the core components of the operating system. Some areas of particular
interest are:

• Named Pipe file system

o Functionality and stress for common APIs

o Anonymous pipes

o Pipe modes

o Open modes

o Invalid pipe names

o Flushing pipe

o Max pipe instance

o Pipe direction (in/out/duplex)

o Input and output buffer sizes

o Various call semantics, such as reconnecting a pipe that has been disconnected at the server end.

o Behavior validation of all named pipes operations for each distinct state of a pipe instance.

o Performance for named pipe creation and connection.

o Throughput for different in/out buffer sizes and number of clients.

o Scalability of increasing number of clients to time it takes for a connection to a named pipe instance

• Mail Slot file system

• Functionality and stress for common APIs

Information about Named Pipe and Mail Slots can be found at:
http://msdn.microsoft.com/en-us/library/aa365574(v=VS.85).aspx

Filter.Driver.AntiVirus.RegistryAndProcess
Kernel mode filter drivers must be architected to maximize the reliability and functionality of the Windows registry and
processes, as well as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Page 11 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

Kernel mode filter drivers must be architected to maximize the reliability and functionality of the Windows registry
and processes, as well as interact accurately with the core components of the operating system. Some areas of
particular interest are:

• Registry

o NT API and Win32 API usage

o Key functions

o Transaction registry operations

o Symbolic link behavior

• Process

o General module management

o Race conditions at thread/process termination

o Process management callback functionality

• Thread and process handle operations

Filter.Driver.AntiVirus.Winsock
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows Sockets, as well
as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Description

Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows Sockets, as well
as interact accurately with the core components of the operating system. Some areas of particular interest are:

• Winsock
• Winsock API functionality

Information about Winsock APIs can be found at:

http://msdn.microsoft.com/en-us/library/ms740673(VS.85).aspx
Page 12 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.DeviceGuard
All kernel drivers must be built to be compatible with Device Guard.

Filter.Driver.DeviceGuard.DriverCompatibility
Applies to Windows 11 Client x64
Windows 11 Client ARM64

Description

Windows 10 has a feature called Device Guard that gives organizations the ability to lock down devices in a way that
provides advanced malware protection against new and unknown malware variants as well as Advanced Persistent
Threats (APTs). Device Guard can use hardware technology and virtualization to isolate the Code Integrity (CI)
decision-making function from the rest of the Windows operating system. When using virtualization-based security to
isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification.
This means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be
directly modified.

Details are available on the Windows Hardware Certification Blog.

The following attributes must be set on the sys file

CompanyName Company name

FileDescription File/Product description of the driver
OriginalFilename Original file name
ProductName Product name
VS_FIXEDFILEINFO:
FileVersion Binary version number for the file. The version consists of two 32-bit integers, defined
by four 16-bit integers. "FILEVERSION 3,10,0,61" is an example.
ProductVersion Binary version number for the product with which the file is distributed. Similar to
FILEVERSION.

You can find more details on the following MSDN page:

• https://msdn.microsoft.com/en-us/library/windows/desktop/aa381058(v=vs.85).aspx

All kernel drivers on Windows MUST be signed by Microsoft (WHQL certificate) through the SysDev dashboard.

Filter.Driver.EarlyLaunchAntiMalware
This section describes requirements for early launch driver.

Filter.Driver.EarlyLaunchAntiMalware.BackupDriver
Early launch anti-malware drivers must include a backup copy in case of corruption.

Applies to Windows 11 Client x64

Page 13 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

The anti-malware (AM) driver is critical to the boot success of the computer. If the driver gets corrupted, then the
boot may not succeed. To provide the best user experience, it is required that when the AM driver is installed, it also
installs a copy in the driver backup store. This ensures a smooth remediation experience in the case that the primary
driver gets corrupted.

The location of the ELAM backup store is defined by Windows, and stored in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch ! BackupPath

Design Notes:
The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each subsequent boot
driver, the AM driver receives a callback from the PnP manager to determine whether the boot driver should be
initialized. The AM driver evaluates the boot driver and must return good, bad, or unknown. Based on the returned
classification and defined policy, the PnP manager decides whether to initialize the boot driver.

Filter.Driver.EarlyLaunchAntiMalware.ELAMSignatureAttributes
Requirement for the SignatureAttribute section in the ELAM INF files

Applies to Windows 11 Client x64

Description

ELAM files must be signed with a special signature as part of the submission process. The process of determining
what signature each module needs is being standardized; each INF file must now include a SignatureAttributes
section that uniquely identifies what type of signature is applicable for the associated driver binaries. Adding this
section to existing inf files is a very simple process.

An example follows:

[SignatureAttributes]

ELAMFILE.dll = SignatureAttributes.Elam

[SignatureAttributes.Elam]

Elam=true

Page 14 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.EarlyLaunchAntiMalware.MVIMembership
Early launch anti-malware drivers may only be created by MVI members.

Applies to Windows 11 Client x64

Description

Any early launch anti-malware (AM) driver may only be created by Microsoft Virus Initiative (MVI) members.

Design Notes:
The early launch AM drivers are started soon after the NTOS kernel starts. For each subsequent boot driver, the AM
driver receives a callback from the PnP manager to determine whether the boot driver should be initialized. The AM
driver evaluates the boot driver and must return good, bad, or unknown. Based on the returned classification and
defined policy, the PnP manager decides whether to initialize the boot driver.

Filter.Driver.EarlyLaunchAntiMalware.Performance
Early launch anti-malware drivers must be performant.

Applies to Windows 11 Client x64

Description

Callback Latency:
The anti-malware (AM) driver is required to return a result for each callback within 0.5 ms of receiving the callback.

Memory Allocation:
The AM driver, including both the driver image as well as its configuration (signature) data, is required to have a
limited memory footprint of 256 KB or less.

Unload Blocking:
Each AM driver will receive a synchronous callback after the last boot driver has been initialized indicating that the
AM driver will be unloaded. At this point, the AM driver must clean up and save any persistent status information. This
must occur within 0.5 ms as measured from the time when the kernel issues the callback to the driver to the time that
the AM driver returns the callback.

Design Notes:
The early launch AM drivers are started soon after the NTOS kernel starts. For each subsequent boot driver, the AM
driver receives a callback from the PnP manager to determine whether the boot driver should be initialized. The AM

Page 15 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
driver evaluates the boot driver and must return good, bad, or unknown. Based on the returned classification and
defined policy, the PnP manager decides whether to initialize the boot driver.

Filter.Driver.EarlyLaunchAntiMalware.SignatureData
Early launch anti-malware drivers must only use signature data stored in the Microsoft-specific location.

Applies to Windows 11 Client x64

Description

The AM driver must get its malware signature data from a single, well-known location and no other. The signature
data shall be stored in the registry in a new "ELAM" hive under HKLM that is loaded by Winload, and will therefore be
available to the AM driver prior to the file system being initialized. Each AM driver will have a unique key in which to
store their signature blob. The registry path and key shall be of the format HKLM\ELAM\<Vendor Name>\Measured
: Binary = <blob>.

Design Notes:
The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each subsequent boot
driver, the AM driver receives a callback from the PnP manager to determine whether the boot driver should be
initialized. The AM driver evaluates the boot driver and must return good, bad, or unknown. Based on the returned
classification and defined policy, the PnP manager decides whether to initialize the boot driver.

Filter.Driver.FileSystem

Filter.Driver.FileSystem.Functionality
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows file systems, as
well as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Description

Page 16 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows file systems, as
well as interact accurately with the core components of the operating system. Some areas of particular interest are:

• Local file systems

o NT API, Win32 API and Win32 mapped IO API usage

o Object ID functionality

o Reparse points

o Oplocks

o System cache usage

o Transactional capability

• Remote file systems

• Oplock semantics over SMB

Information about file system behavior: http://download.microsoft.com/download/4/3/8/43889780-8d45-4b2e-9d3a-

c696a890309f/File%20System%20Behavior%20Overview.pdf

Information about Oplock semantics over SMB, see the [MS-SMB2] protocol document at:
http://msdn.microsoft.com/en-us/library/cc246482(PROT.13).aspx

Filter.Driver.FileSystem.MiniFilter
A file system filter driver must be a minifilter driver using the file systems Filter Manager.

Applies to Windows 11 Client x64

Description

This requirement will be tested implicitly. The gatherer will be written such that it enumerates and surfaces only
minifilter drivers for the Windows Hardware Certification Kit (WHCK). Hence, a user will be unable to select a legacy
filter driver for certification testing.

Information about Filter Manger and minifilter drivers available here:

http://msdn.microsoft.com/en-us/library/ff540402(v=VS.85).aspx

Filter.Driver.FileSystem.NamedPipeAndMailSlots
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Named Pipe and Mail Slots,
as well as interact accurately with the core components of the operating system.

Page 17 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Applies to Windows 11 Client x64

Description

Kernel Mode filter drivers must be architected to maximize the reliability and functionality of Named Pipe and Mail
Slots, as well as interact accurately with the core components of the operating system. Some areas of particular
interest are:

• Named Pipe file system

o Functionality and stress for common APIs

o Anonymous pipes

o Pipe modes

o Open modes

o Invalid pipe names

o Flushing pipe

o Max pipe instance

o Pipe direction (in/out/duplex)

o Input and output buffer sizes

o Various call semantics, such as reconnecting a pipe that has been disconnected at the server end.

o Behavior validation of all named pipes operations for each distinct state of a pipe instance.

o Performance for named pipe creation and connection.

o Throughput for different in/out buffer sizes and number of clients.

o Scalability of increasing number of clients to time it takes for connection to a named pipe instance

• Mail Slot file system

• Functionality and stress for common APIs

Information about Named Pipe and Mail Slots can be found at:
http://msdn.microsoft.com/en-us/library/aa365574(v=VS.85).aspx

Page 18 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.FileSystem.RegistryAndProcess
Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows registry and
processes, as well as interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Description

Kernel mode filter drivers must be architected to maximize the reliability and functionality of Windows registry and
processes, as well as interact accurately with the core components of the operating system. Some areas of particular
interest are:

• Registry

o NT API and Win32 API usage

o Key functions

o Transaction registry operations

o Symbolic link behavior

• Process

o General module management

o Race conditions at thread/process termination

o Process management callback functionality

• Thread and process handle operations

Filter.Driver.Fundamentals
Corresponds to device driver fundamentals, but for filter drivers

Filter.Driver.Fundamentals.DriverQuality
A filter driver must be of high quality.

Applies to Windows 11 Client x64

Page 19 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

Driver components must not cause the system to crash or leak resources. These resources include, but are not limited
to the following:

• Memory
• Graphics Device Interface (GDI) or user objects
• Kernel objects such as files, mutex, semaphore, and device handles
• Critical sections
• Disk space
• Printer handles

Design Notes:

Sleep & PNP with IO Before And After Test - Test cycles the system through all sleep states and does basic PNP on all
devices on the system.

This test will be run with Driver Verifier enabled with standard settings.

Filter.Driver.Network.LWF
LAN requirements

Filter.Driver.Network.LWF.Base
All light weight filters must be NDIS 6.30 or greater.

Applies to Windows 11 Client x64

Description

All light weight filters must be NDIS 6.30 or greater and be compliant to the NDIS specification on MSDN.

Filter.Driver.Network.LWF.MTUSize
All light weight filters must be able to accept arbitrary packet sizes which might be greater than the miniport's MTU.

Applies to Windows 11 Client x64

Page 20 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

All light weight filters must be NDIS 6.30 or greater. All light weight filters must be able to accept arbitrary packet
sizes which might be greater than the miniport's MTU.

Filter.Driver.Retpoline
All kernel drivers that advertise support for retpoline must contain accurate retpoline relocations for all indirect control
transfers.

Filter.Driver.Retpoline.IndirectControlTransfers
Applies to Windows 10 Client x64

Description

Windows 10 has a feature called retpoline which greatly reduces the performance impact of mitigating the Spectre V2
vulnerability on the x64 architecture. Retpoline involves the runtime replacement of all indirect control transfers in a
kernel-mode binary with safe retpoline control transfer sequences. This runtime replacement is facilitated by retpoline
relocations stored in the binary metadata that describe the location and form of all indirect control transfers.

A kernel driver advertises that it supports retpoline by setting the IMAGE_GUARD_RETPOLINE_PRESENT bit
(0x00100000) in the GuardFlags field of the driver’s image load config directory.

If a kernel driver advertises that it supports retpoline it MUST contain retpoline relocations that accurately describe all
indirect control transfers in the binary.

Filter.Driver.Security
Additional TDI filter driver and LSP requirements related to security

Filter.Driver.Security.NoTDIFilterAndLSP
No TDI filters or LSPs are installed by the driver or associated software packages during installation or usage.

Applies to Windows 11 Client x64

Description
Page 21 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
There can be no use of TDI filters or LSPs by either kernel mode software or drivers, or user mode software or drivers.

Filter.Driver.vSwitchExtension
Filter.Driver.vSwitchExtension.ExtensionRequirements
Filter drivers that implement VM Switch Extensibility must support required functionalities, modes, and protocols.

Applies to Windows 11 Client x64

Description

Filter drivers that implement VM Switch Extensibility must support required functionalities, modes, and protocols.

Requirements

• An extension must pass NDIS Filter logo requirements.

o An extension must have a valid INF.

o An extension must make only NDIS, WDF, or WDM calls; any calls to other kernel mode components are
not allowed.

• An extension must support Hyper-V Live Migration.

o Don't break LM, Save/Restore, Export/Import

o Don't block saved data from another extension

o Don't block other extension interactions

• All traffic passing through a virtual switch coming from a VM, a host VNIC, external NIC, or extension must
not have headers modified by extensions. Exceptions from this requirement include:

o Redirecting traffic to a network appliance

o Mutable IP header fields (as specified in RFC 4302 section 3.3.3.1.1.1 for IPv4 and section 3.3.3.1.2.1 for
IPv6)

• An unconfigured extension must not "break" connectivity between the host and external network.
• A capture extension must not "break" connectivity between vSwitch ports.
• An extension must pass the following switch/port/NIC configuration OIDs down the stack of an extension:

o OID_SWITCH_PARAMETERS

Page 22 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 o OID_SWITCH_PORT_ARRAY

o OID_SWITCH_PORT_TEARDOWN

o OID_SWITCH_PORT_DELETE

o OID_SWITCH_NIC_ARRAY

o OID_SWITCH_NIC_CONNECT

o OID_SWITCH_NIC_DISCONNECT

o OID_SWITCH_NIC_DELETE

o OID_SWITCH_NIC_REQUEST

• An extension must pass the following policy/status OIDs that it does not consume down the stack:

o OID_SWITCH_PORT_PROPERTY_ADD

o OID_SWITCH_PORT_PROPERTY_UPDATE

o OID_SWITCH_PORT_PROPERTY_DELETE

o OID_SWITCH_PROPERTY_ADD

o OID_SWITCH_PROPERTY_UPDATE

o OID_SWITCH_PROPERTY_DELETE

o OID_SWITCH_PORT_FEATURE_STATUS_QUERY

o OID_SWITCH_FEATURE_STATUS_QUERY

• An extension must pass the following policy OIDs down the stack:

o OID_SWITCH_PORT_PROPERTY_ENUM

o OID_SWITCH_PROPERTY_ENUM

• An extension must pass the following up the stack:

o NDIS_SWITCH_NIC_STATUS_INDICATION

• A "capture" extension must not call any of the following functions:

Design Notes:
See the VM Switch Extensibility Specification.

Page 23 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-AppContainers-
SupportModernApplications
WFP-based products must not block App Container apps that are operating within their declared network intentions by
default, and should only block App Container apps when following specific user/admin intention or protecting the
system against a specific threat.

Applies to Windows 11 Client x64

Description

WFP-based products must not block App Container apps that are operating within their declared network intentions
by default, and should only block App Container apps when following specific user/admin intention or protecting the
system against a specific threat.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-CleanUninstall
WFP-based products must stop cleanly and clean up all running state upon uninstall.

Applies to Windows 11 Client x64

Description

This is to ensure that host firewalls do not leave unused objects upon uninstall, thereby potentially causing diagnostic
issues if another separate host firewall is installed on the same PC.
The following WFP objects need to be cleaned up: Provider, providerContext, Filter, subLayer, or callout.
In addition, additional installation requirements for applications (via the Software logo program) must be met.

Design Notes:

Applications can use either an MSI, or another installer that meets this requirement to ensure a satisfactory
install/uninstall experience on a Windows® based PC.
The installation requirements for applications (in the Software Logo Program) are located in the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=27028822-B172-4CEC-91A3-
26B610A4DA79&displaylang=en

Page 24 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-ConnectionProxying-
NoDeadlocks
WFP-based products that redirect or proxy at redirect layers (connect redirect), must use the new proxying API so that
other WFP-based products can determine that the connection has been proxied.

Applies to Windows 11 Client x64

Description

WFP-based products which redirect or proxy at redirect layers (connect redirect), must use the new proxy'ing API so
that other WFP-based products can determine that the connection has been proxy'ed.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmFilters-
MaintainOneTerminating
WFP-based products must create and maintain at least one terminating FWPM_FILTER object.

Applies to Windows 11 Client x64

Description

A terminating filter is one that returns a permit / block decision. It may exist as a static filter or within a callout. The
intent behind this requirement is to ensure that premium host firewalls perform at least one permit or block decision
and not simply maintain filters only for inspection purposes, whereas basic host firewalls may do so through WFP or
through other means such as TDI, NDIS, and WinSock LSP filters.

Design Notes:
The definition for the FWPM_FILTER object can be found in the following URL:
http://go.microsoft.com/fwlink/?LinkID=116902&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmProviders-
AssociateWithObjects
WFP-based products must associate all of their provider contexts, filters, sublayers, and callouts with their corresponding
identifying provider object.

Applies to Windows 11 Client x64

Page 25 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

For examples that illustrate the code behavior expected for various types of objects, please see below:
Reference the name & product of the company within an identifying provider object:

const PWSTR pCompanyName = L"Microsoft Corporation";

const PWSTR pProductName = L"Windows Firewall";
FWPM_PROVIDER0 myProvider;
myProvider.displayData.name = pCompanyName;
myProvider.displayData.description = pProductName;

Initialize the provider object:

FWPM_PROVIDER_CONTEXT0 myProviderContext;
FWPM_PROVIDER0 myProvider;
myProviderContext.providerKey = &(myProvider.providerKey);

Initialize the subLayer object & associate it to your respective provider object:

FWPM_SUBLAYER0 mySubLayer;
FWPM_PROVIDER0 myProvider;
mySubLayer.providerKey = &(myProvider.providerKey);

Initialize the callout object & associate it to your respective provider object:

FWPM_CALLOUT0 myCallout;
FWPM_PROVIDER0 myProvider;
myCallout.providerKey = &(myProvider.providerKey);

Initialize the filter object & associate it to your respective provider object:

FWPM_FILTER0 myFilter;
FWPM_PROVIDER0 myProvider;
myFilter.providerKey = &(myProvider.providerKey);

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmProviders-
MaintainIdentifying
WFP-based products must create and maintain at least one identifying FWPM_PROVIDER provider object.

Applies to Windows 11 Client x64

Page 26 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

An "identifying provider object" must reference the name & product of the company as shown in the example
below.
FWPM_PROVIDER0

1. All vendors must create and maintain at least 1 provider.

2. The provider.displayData.Name must contain the name of the company.
3. The provider.displayData.Description must contain the name of the product.

All objects created & "owned" by the vendor must reference only their provider(s):

const PWSTR pCompanyName = L"Microsoft Corporation";

const PWSTR pProductName = L"Windows Firewall";
FWPM_PROVIDER0 myProvider;

myProvider.displayData.name = pCompanyName;
myProvider.displayData.description = pProductName;

Design Notes:
The definition of the FWPM_PROVIDER object can be found in the following URL:
http://go.microsoft.com/fwlink/?LinkID=116844&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-FwpmSublayers-
UseOwnOrBuiltIn
WFP-based products must use only their own sublayer or one of the built-in sublayers.

Applies to Windows 11 Client x64

Description

A host firewall's own sublayer may be used to ensure that its filters must not be bypassed by a higher weight filter
from another host firewall. In addition, a host firewall must not override filters belonging to another host firewall.

Design Notes:
The definition for the FWPM_SUBLAYERobject can be found in the following URL:
http://go.microsoft.com/fwlink/?LinkID=116845&clcid=0x409

Page 27 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-
NetworkDiagnosticsFramework-HelperClass
WFP-based products must include a Network Diagnostics Framework (NDF) helper class that extends the Filtering
Platform helper class (FPHC).

Applies to Windows 11 Client x64

Description

The Windows Filtering Platform (WFP) includes a Network Diagnostics Framework (NDF) helper class, called the
Filtering Platform helper class (FPHC). FPHC can help to identify the root causes of connectivity issues caused by WFP.
A host firewall can invoke its own NDF helper class. FPHC extensibility allows these third-party helper classes to be
invoked during diagnostics.

FPHC can identify WFP as the cause of a connectivity issue. If available, FPHC can also identify the provider that
created the filter that is blocking network traffic. FPHC passes this information to NDF, which in turn can then notify
the user that WFP is causing the connectivity problem and give the name of the provider blocking traffic.

However, the FPHC cannot suggest a corrective action to the user, nor can it provide the reason that the filter is
blocking traffic to the user. Only an FPHC extension can perform those tasks.

Host firewalls must be able to successfully diagnose the inbound/outbound connection failures caused by the host
firewall, and provide an appropriate response to the end-user based on the diagnosis. (eg. Repair mechanism,
message explaining to the user the reason why the connection failed, etc).

Design Notes:
More information regarding NDF and FPHC can be found in the following links:

NDF : http://go.microsoft.com/fwlink/?LinkID=125463&clcid=0x409
FPHC : http://go.microsoft.com/fwlink/?LinkID=125464&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-NoAccessViolations
WFP-based products must not be the resulting cause of any access violation under high load or during driver
load/unload.

Applies to Windows 11 Client x64

Description

Page 28 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
WFP-based products must not be the resulting cause of any access violation under high load or during driver
load/unload (while under network load or not).

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-
NoTamperingWith3rdPartyObjects
WFP-based products must not attempt to remove or alter another WFP-based product's WFP objects and built-in objects.

Applies to Windows 11 Client x64

Description

This ensures interoperability between multiple host firewalls' WFP objects within the operating system.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-PacketInjection-NoDeadlocks
WFP-based products must not continually modify network packets that have already been modified and re-injected, so
as to create potential deadlocks.

Applies to Windows 11 Client x64

Description

Firewalls may use callouts to modify and re-inject network packets, when filtering at any layer. One or many host
firewalls may be present on the same system. When there is only one host firewall is present on the system,
continually modifying & re-injecting the same packets may result in reduced performance and is to be avoided. When
multiple host firewalls (with callouts) are present on the system, the same network packet(s) may continually be
modified by multiple callouts. When a host firewall continually modifies and reinjects the same packet, it may result in
the network packet never getting processed and could potentially create a deadlock, which is to be avoided.

Host firewalls must not modify and reinject the same network packet more than 2 times per layer. If such a situation
occurs, host firewalls may choose to let the packet go through, or drop the network packet.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-StreamInjection-
NoStreamStarvation
WFP-based product callouts at FWPM_LAYER_STREAM must not starve the data throughput.

Applies to Windows 11 Client x64

Page 29 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

To "Not Starve" means that Stream layer callout indications should not be pended to queue up more than 8 MB of
data.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-
SupportPowerManagedStates
WFP-based products must ensure network connectivity upon recovering from power managed states.

Applies to Windows 11 Client x64

Description

Tests must be run on a machine that supports all the power states (standby, hibernate, hybrid, shutdown, restart).
Host Firewalls allow the system to enter into and recover from the above mentioned power managed states. Upon
resuming from those particular power managed states, requirements from WFP should be met.

Firewalls should never pend packets such that a power state change refuses to work due to the pended packets.

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-WFPObjectACLs
WFP-based products must ACL all of their objects in a way that any other WFP-based product can at least enumerate
those objects using the corresponding WFP enumeration APIs.

Applies to Windows 11 Client x64

Description

WFP-based products must ACL all of their objects in a way that any other WFP-based product can at least enumerate
those objects using the corresponding WFP enumeration APIs.
This is to make sure that all WFP objects on the system can be enumerated by any Host firewall or application for
diagnostic purposes.

Page 30 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Design Notes:
As an example, Filter objects must be able to be enumerated by the FwpmFilterEnum function documented in the
following URL:
http://go.microsoft.com/fwlink/?LinkID=116839&clcid=0x409
Similarly, enumeration functions for other objects (provider, sublayer etc) can be found in the following URL:
http://go.microsoft.com/fwlink/?LinkID=116840&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign-Winsock
Kernel mode filter drivers are architected to maximize the reliability and functionality of Windows Sockets, as well as
interact accurately with the core components of the operating system.

Applies to Windows 11 Client x64

Description

Kernel mode filter drivers are architected to maximize the reliability and functionality of Windows Sockets, as well as
interact accurately with the core components of the operating system. Some areas of particular interest are:

• Winsock
• Winsock API functionality

Information about Winsock APIs can be found at:

http://msdn.microsoft.com/en-us/library/ms740673(VS.85).aspx

Filter.Driver.WindowsFilteringPlatform.Firewall-DisableWindowsFirewallProperly
Host firewalls must disable the Windows firewall using only the supported method.

Applies to Windows 11 Client x64

Description

Host firewalls are provided with the ability to selectively turn parts of Windows Firewall on or off. These parts specify
different types of rules (and subsequently filter sets), and may also be referred to as categories. Filter sets that may be
selectively turned off are Boot-Time Filters, Firewall Filters, Connection Security Filters, and Stealth Filters.

Page 31 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
The 'Register' interface is supported by the HNetCfg.FwProducts COM object. The put_DisplayName() call must be
used to fill in your product information.
Before turning off the firewall rules category, vendor firewalls must ensure that all filters must be installed.

This requirement ensures better interoperability with Windows. In addition, if all installed host firewalls on the system
are uninstalled for any reason, Windows Firewall is aware of this, and will automatically turn on the firewall filters,
ensuring that the system is always protected.
The Connection Security filters need to remain enabled to keep Windows scenarios protected. Specifically, the
Connection Security filters ensure that the system supports communications that require authentication and
encryption.

Design Notes:

This requirement ensures that firewall vendors disable Windows Firewall per documented guidelines.

Filter.Driver.WindowsFilteringPlatform.Firewall-NotOnlyPermitAllFilters
Host firewalls must not have only "permit_all" filters.

Applies to Windows 11 Client x64

Description

Host firewalls must not circumvent the intent of the Windows Filtering Platform API tests, by simply maintaining all
'permit_all' filters for all kinds of network traffic, which essentially is not meaningful filtering of network traffic. This
applies to both, static as well as callout filters. Similarly, Host firewalls must not maintain only 'block_all' filters.
However, that will be addressed when testing for consumer scenarios.

Filter.Driver.WindowsFilteringPlatform.Firewall-Support5TupleExceptions
All host based firewalls must be able to block/allow by 5-tuple parts (including port (ICMP type and code, UDP and TCP)
IP address, and protocol (e.g. UDP/TCP/ICMP)).

Applies to Windows 11 Client x64

Description

All host based firewalls must be able to block/allow by 5-tuple parts (including port (ICMP type and code, UDP and
TCP) IP address, protocol (e.g. UDP/TCP/ICMP)).

Page 32 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.Firewall-SupportApplicationExceptions
WFP-based products must support exceptions from corresponding applications.

Applies to Windows 11 Client x64

Description

In addition to supporting scenarios based on applications within Windows® it is important to support applications
(installed by the home user), that are registered with the host firewall for filtering purposes. Firewalls may use
parameters such as path, ports, etc as basis to permit or block application specific traffic. This scenario will need to
work with native IPv4, native IPv6, 6to4, and Teredo packets.
The word 'support' refers to the host firewall's capability to ensure exceptions from applications work with the host
firewall, if the application/user/network needs it. The host firewall must also have properly configured objects such as
filters, etc to support the required functionality, even though the functionality may not be enabled by default in the
UI.

Filter.Driver.WindowsFilteringPlatform.Firewall-SupportMACAddressExceptions
All host based firewalls that have filters in L2 (Native/Mac) layers must be able to Block or Allow by MAC address.

Applies to Windows 11 Client x64

Description

All host based firewalls that have filters in L2 (Native/Mac) layers must be able to Block or Allow by MAC address.

Filter.Driver.WindowsFilteringPlatform.Firewall-UseWindowsFilteringPlatform
Firewalls must comply with Windows Filtering Platform based APIs for filtering network traffic on home user solutions.

Applies to Windows 11 Client x64

Page 33 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

There must be no TDI, NDIS, WinSock LSP filters present upon installation of the host firewall on the PC. Only
Windows Filtering Platform (WFP) based static filters / callouts must be used on home user products.

Design Notes:
For more information on Windows Filtering Platform, please see the following link:
http://go.microsoft.com/fwlink/?LinkID=116899&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-
SupportAddressResolution
WFP-based products must support allowing for successful ARP and ICMP Neighbor Discovery exchanges.

Applies to Windows 11 Client x64

Description

WFP-based products must support ARP (for IPv4) and ICMP Neighbor Discovery (for IPv6) exchanges.

Firewalls allow the system to send out ARP and ICMP Neighbor Discovery requests and replies, as well as receive ARP
and ICMP Neighbor Discovery requests and replies.
The word 'support' refers to the host firewall's capability to make ARP work, if the application/user/network needs it.
The host firewall must also have properly configured objects such as filters, etc to support the required functionality,
even though the functionality may not be enabled by default in the UI.

Design Notes:
Host firewalls should allow the PC to send out ARP requests on behalf of another node rather than only on behalf of
itself, when ICS is running on the host.
As part of Internet Connection Sharing's (ICS) DHCP functionality, ICS DHCP can send out ARP requests on behalf of
another node in the subnet.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-
SupportDynamicAddressing
WFP-based products support allowing for successful DHCP exchanges over both IPv4 and IPv6.

Applies to Windows 11 Client x64

Page 34 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Description

Host firewalls support allowing successful DHCP exchanges over both IPv4 and IPv6.

DHCP DISCOVER, DHCP REQUEST & DHCP INFORM packets can be transmitted over outbound UDP source port 68
to destination port 67. DHCP OFFER & DHCP ACK & DHCP NACK packets can be received over inbound UDP source
port 67 to destination port 68. DHCPv6 packets can be transmitted over outbound UDP source port 546 to
destination port 547. DHCPv6 packets can be received over Inbound UDP Source Port 547 to destination port 546.

The word 'support' refers to the host firewall's capability to allow successful DHCP exchanges, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc. to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
Details can be found in the following URL: http://go.microsoft.com/fwlink/?LinkID=116834&clcid=0x409

Host firewalls should allow DHCP inbound and outbound as the server over the wireless interface when a service like
ICS is running on the host.

Internet Connection Sharing (ICS) acts as a DHCP server and expects to receive incoming DHCP clients.
DHCP DISCOVER, DHCP REQUEST & DHCP INFORM packets can be received over Inbound UDP source port 68 to
destination port 67.
DHCP OFFER & DHCP ACK & DHCP NACK packets can be transmitted over outbound UDP source port 67 to
destination port 68.

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportIPv4
WFP-based products must support IPv4 traffic.

Applies to Windows 11 Client x64

Description

This is to ensure that consumer host firewalls or other filtering components do not cause the loss of basic IPv4
connectivity on the PC.
The word 'support' refers to the host firewall's capability to make IPv4 work, if the application/user/network needs it.
The host firewall must also have properly configured objects such as filters, etc to support the required functionality,
even though the functionality may not be enabled by default in the UI.

Design Notes:
More information about IPv4, RFCs can be found in the following link:
http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409

Page 35 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-SupportIPv6
WFP-based products must support IPv6 traffic.

Applies to Windows 11 Client x64

Description

Windows® has IPv6 enabled by default. Host firewalls should not break native IPv6 connectivity (and therefore,
Windows scenarios based on IPv6) for customers.

The word 'support' refers to the host firewall's capability to make IPv6 work, if the application/user/network needs it.
The host firewall must also have properly configured objects such as filters, etc to support the required functionality,
even though the functionality may not be enabled by default in the UI.

Design Notes:
More information about IPv6 can be found in the following link:
http://go.microsoft.com/fwlink/?LinkID=116832&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental-
SupportNameResolution
WFP-based products must support allowing for successful DNS client queries.

Applies to Windows 11 Client x64

Description

DNS QUERY packet can be sent out over [Outbound UDP Destination Port 53 (Domain Name Server)] and DNS
QUERY RESPONSE packet to be received over [Inbound UDP Source Port 53 (Domain Name Server)]. Host firewalls
should allow successful DNS client queries over both IPv4 and IPv6.
The word 'support' refers to the host firewall's capability to allow successful DNS client queries, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:

Page 36 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
More information about DNS, RFCs can be found in the following link:
http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409
Host firewalls should allow this type of DNS traffic (Host as a server) over the wireless interface when a service like ICS
is running on the host.
This requirement applies to Internet Connection Sharing that acts as a DNS server (proxy) and expects receiving
incoming DNS requests from clients on destination UDP port 53, and respond to the DNS client with DNS response
with destination UDP port 53.

Filter.Driver.WindowsFilteringPlatform.Scenario-Support6to4
WFP-based products must support 6to4.

Applies to Windows 11 Client x64

Description

In certain markets, 6to4 technologies may help certain customers move to IPv6 connectivity. The following guidelines
may help meet this requirement:

• Host firewalls allow for the system to send and receive IPv6 packets over IPv4 protocol 41.

The word 'support' refers to the host firewall's capability to 6to4 work, if the application/user/network needs it. The
host firewall must also have properly configured objects such as filters, etc to support the required functionality, even
though the functionality may not be enabled by default in the UI.

Design Notes:
Please refer to the following article below for further information on 6to4:
http://go.microsoft.com/fwlink/?LinkID=116837&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportAutomaticUpdates
WFP-based products must support Automatic Updates in Windows.

Applies to Windows 11 Client x64

Description
Page 37 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
This is related to Automatic Updates / Windows Update (WU), which is a key scenario through which important
patches are installed on your PC to keep it up to date. The following guideline may help meet this requirement:

• Host firewalls allow outbound TCP connections to destination ports 80 & 443.

The word 'support' refers to the host firewall's capability to make Automatic Updates work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
For more information on Windows Updates/ Automatic Updates, please see the following link:
http://go.microsoft.com/fwlink/?LinkID=116898&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportBasicWebsiteBrowsing
WFP-based products must support basic internet browsing experiences.

Applies to Windows 11 Client x64

Description

This is to ensure that basic internet browsing experiences are supported upon installation of a host firewall on a
Windows® based computer.
Host firewalls must allow TCP packets over Ports 80 and 443 to support this scenario. This scenario must work with
native IPv4, native IPv6, 6to4, and Teredo packets.
The word 'support' refers to the host firewall's capability to ensure a successful internet browsing experience, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportFileAndPrinterSharing
WFP-based products must support file and printer sharing.

Applies to Windows 11 Client x64

Description

Page 38 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
This is to ensure that home users will be able to share content to and from other PCs inside of their home network, in
addition to printing content on shared printers.
Host firewalls must allow UDP packets specific to protocol 17 over Ports 137 / 138, and TCP packets specific to
protocol 6 over ports 139/445. This scenario must work with native IPv4, native IPv6, 6to4, and Teredo packets.
TCP packets should be allowed over ports 5357/5358 & UDP packets should be allowed over port 3702. This scenario
should work with native IPv4, native IPv6, 6to4, and Teredo packets.
The word 'support' refers to the host firewall's capability to make file and printer sharing work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
Please refer to the following link for more information:
http://go.microsoft.com/fwlink/?LinkID=116838&clcid=0x409
Please refer to the following documents for more information:

• HomeGroup Firewall Requirements: http://technet.microsoft.com/en-us/appcompat/default.aspx

• Network Location Dialog: http://technet.microsoft.com/en-us/appcompat/default.aspx
• PNRP: http://technet.microsoft.com/en-us/appcompat/default.aspx

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportICMPErrorMessages
WFP-based products must support ICMP error messages and discovery functions.

Applies to Windows 11 Client x64

Description

This is to ensure that host firewalls support ICMP error messages (per IETF RFCs 4890 and RFC 2979), for
inbound/outbound packets that must not be dropped. Important discovery functions must also be supported. The
specific error messages that need to be supported for both ICMPv4 and ICMPv6 are: Destination Unreachable, Time
Exceeded, and Parameter Problem. In addition, for ICMPv6, Packet too big, Router solicitation, Neighbor solicitation,
Router advertisement, and neighbor advertisement discovery functions must be supported.
The word 'support' refers to the host firewall's capability to make ICMP work, if the application/user/network needs it.
The host firewall must also have properly configured objects such as filters, etc to support the required functionality,
even though the functionality may not be enabled by default in the UI.

Design Notes:
For more information, please see http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportInternetStreaming
WFP-based products must support Internet streaming and Media sharing for media player network sharing services.

Page 39 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Applies to Windows 11 Client x64

Description

This is related to Automatic Updates / Windows Update (WU), which is a key scenario through which important
patches are installed on your PC to keep it up to date. The following guidelines may help meet this requirement:

Host firewalls allow outbound TCP connections to destination ports 80 & 443.
The word 'support' refers to the host firewall's capability to make Automatic Updates work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
For more information on Windows Updates/ Automatic Updates, please see the following link:
http://go.microsoft.com/fwlink/?LinkID=116898&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportMediaExtenderStreaming
WFP-based products must support media streaming scenarios based on extender technologies.

Applies to Windows 11 Client x64

Description

Extender technology is built into home entertainment devices such as TVs, DVD players, and cool, quiet components
that allow you to keep your PC where it makes sense and use it as a "hub" to provide your digital entertainment to
TVs throughout your house. These devices are called extender devices.
For example: With the new Extenders for Windows Media Center, you can stream the digital media you have on your
Windows Media Center PC in as many as five rooms in your house. Home-users may access the live and recorded TV,
music, movies, videos, sports, Internet TV and other online content on Windows® PCs through wired or wireless
home networks. Windows Media Center Extenders use network ports to communicate with Windows PCs. The
following exceptions tabled below may be useful in meeting this requirement:

Media Center Extender

SPECIFIC
Binary Port Direction Scope
svchost.exe (ssdpsrv) UDP 1900 Inbound Local Subnet

Page 40 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 svchost.exe TCP 3390 Inbound Local Subnet
(termservice)
svchost.exe (QWave) TCP 2177 Outbound, Inbound Local Subnet
svchost.exe (QWave) UDP 2177 Outbound, Inbound Local Subnet
System TCP 10244 Outbound, Inbound Local Subnet
ehshell.exe TCP 554 Outbound, Inbound Local Subnet
ehshell.exe UDP 5004, 5005 Outbound, Inbound Local Subnet
ehshell.exe TCP 8554-8558 Outbound, Inbound Local Subnet
ehshell.exe UDP 50004-50013 Outbound, Inbound Local Subnet
ehshell.exe UDP 7777-7781 Outbound, Inbound Local Subnet
mcrmgr.exe random Outbound Internet
mc2prov.exe random Outbound Internet
Svchost.exe (mcs2svc) random Outbound Local
Subnet
Media Center
Binaries/Ports
ehrecvr.exe random Outbound Internet
ehrec.exe random Outbound Internet
ehexthost.exe random Outbound, Inbound Internet
mcupdate.exe random Outbound Internet

Digital Cable Receiver

Device (OCUR)
ehprivjob.exe UDP 5001-5006 Inbound Local Subnet
svchost.exe UDP 1900 Outbound, Inbound Local Subnet
System TCP 2869 Outbound, Inbound Local Subnet
ehprivjob.exe TCP 554 Outbound Local Subnet
ehprivjob.exe UDP 5757-5772 Outbound Local Subnet

The word 'support' refers to the host firewall's capability to make internet streaming & media sharing for media player
network sharing services, work, if the application/user/network needs it. The host firewall must also have properly
configured objects such as filters, etc to support the required functionality, even though the functionality may not be
enabled by default in the UI.

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportMobileBroadBand
WFP-based products must allow mobile broadband devices that are compliant with Windows mobile broadband driver
model to function correctly.

Applies to Windows 11 Client x64

Description

Page 41 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
WFP-based products must allow mobile broadband devices that are compliant with the Windows mobile broadband
driver model to function correctly.
This is to ensure that host firewall functionality does not block the mobile broadband connectivity and the firewall
functionality works with MB devices.
Windows provides native support for mobile broadband (MB) data cards & embedded modules to work with
Windows. The MB devices need to implement their driver as per Windows mobile broadband driver model. The MB
driver model defines how the devices should be exposed to Windows and network packet format in which MB devices
should exchange data between network and system.

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportPeerNameResolution
WFP-based products must support Peer Name Resolution Protocol and the Peer-to-Peer Grouping Protocol.

Applies to Windows 11 Client x64

Description

Host firewalls support the Peer Name Resolution Protocol (PNRP) and the Peer-to-Peer Grouping Protocol, which are
required by some Peer-to-Peer applications. The Peer Name Resolution Protocol provides secure, serverless name
resolution, and the Peer-to-Peer Grouping Protocol provides secure, reliable multi-party communication. The
following guidelines may be useful in meeting this requirement:

1. Host firewalls support native IPv6 (NETWORK-0244) as well as Teredo (NETWORK-0248) and IPv6 packets to
IPv4 protocol 41 (^to4) (NETWORK-0249).

2. Host firewalls can allow for the system to send outbound, and receive inbound, UDP packets over port 3540.

3. Host firewalls can allow for the system to send outbound, and receive inbound, TCP packets over port 3587.

The word 'support' refers to the host firewall's capability to allow successful DHCP exchanges, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:

Please refer to the following documents for more information, these documents:

• HomeGroup firewall requirements: http://technet.microsoft.com/en-us/appcompat/default.aspx

• Network location dialog: http://technet.microsoft.com/en-us/appcompat/default.aspx
• PNRP: http://technet.microsoft.com/en-us/appcompat/default.aspx

Page 42 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.Scenario-SupportRemoteAssistance
WFP-based products must support Remote Assistance scenarios.

Applies to Windows 11 Client x64

Description

The Remote Assistance scenario is used by a helper to connect to a computer and to show the user a solution to the
problem. The following guidelines may help meet this requirement:
Host firewalls allow the computer to be reached by native IPv4, native IPv6, Teredo, and 6to4 (pass the corresponding
tests) and also allow traffic from the Remote Assistance application within Windows® (msra.exe) through the firewall.
The word 'support' refers to the host firewall's capability to make Remote Assistance work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
For information on how Remote Assistance works in general, please see the article below:
http://go.microsoft.com/fwlink/?LinkID=116842&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportRemoteDesktop
WFP-based products must support remote desktop.

Applies to Windows 11 Client x64

Description

Remote Desktop Connection is a technology that allows you to connect to a remote computer in a different location.
Remote desktop is a key Windows® scenario that would be relevant for consumers with multiple PCs at home trying
to access content that exists on one PC, from another PC.
The following guideline may help meet this requirement:

Host firewalls allow inbound TCP packets over Destination Port 3389 to support this scenario. This scenario will need
to work with native IPv4, native IPv6, 6to4, and Teredo packets.
The word 'support' refers to the host firewall's capability to make remote desktop work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Page 43 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Design Notes:
For more information on remote desktop, please see the article below:
http://go.microsoft.com/fwlink/?LinkID=116841&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportTeredo
WFP-based products must support Teredo.

Applies to Windows 11 Client x64

Description

Teredo may be used as a connectivity mechanism to support certain Windows scenarios such as remote assistance,
instant messaging and others. Hence, preserving Teredo connectivity is critical to supporting Windows consumer
scenarios.
For this requirement, the following must be met:

• Host firewalls allow DNS resolution of teredo.ipv6.microsoft.com.

• To allow client to Teredo server communication, host firewalls must allow for the system to send outbound
UDP/IPv4 packets to UDP port 3544.
• To allow Teredo connectivity, host firewalls must allow inbound and outbound UDP/IPv4 traffic over the
Teredo client system ports. These ports can be obtained using the FWPMSystemPortsGet notification to
determine the system port numbers used for communication using the Teredo interface.
• Host firewalls support ICMP error messages & discovery functions (NETWORK-0250 logo requirement).
• Host firewalls allow UPnP framework packets over UDP port 1900, and UPnP frameworkpackets over TCP
port 2869.

The word 'support' refers to the host firewall's capability to make Teredo work, if the application/user/network needs
it. The host firewall must also have properly configured objects such as filters, etc to support the required
functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
Please refer to the following article below for further information on Teredo:
http://go.microsoft.com/fwlink/?LinkID=116836&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario-SupportVirtualPrivateNetworking
WFP-based products must support VPN scenarios in Windows.

Page 44 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
 Applies to Windows 11 Client x64

Description

The following protocols and ports must be allowed:

• IP protocol 50: Allow ESP traffic

• IP protocol 51: Allow AH traffic
• UDP Port 500 / 4500: Allow ISAKMP traffic
• TCP / UDP Port 88: Allow Kerberos traffic

This ensures that firewalls support IPsec scenarios, such as IPsec VPN, which are used on client PCs to connect
securely over the internet.
In addition, host firewalls should allow successful IPsec communication over both IPv4 and IPv6. Host firewalls should
also allow UDP packets over port 1701, and TCP packets over port 443 to support this scenario. It is also
recommended that host firewalls allow TCP packets specific over port 1723. IP protocol 47 based packets should also
be allowed by the host firewall.
The word 'support' refers to the host firewall's capability to make the VPN scenarios work, if the
application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc to
support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:
Please refer to the following article for further information:
http://go.microsoft.com/fwlink/?LinkID=116843&clcid=0x409

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-InteropWithOtherExtensions
WFP must not block traffic from another vSwitch extension (WFP or LWF) by default, and should only do so when
following specific user/admin intention or protecting the system against a specific threat.

Applies to Windows 11 Client x64

Description

WFP must not block traffic from another vSwitch extension (WFP or LWF) by default, and should only do so when
following specific user/admin intention or protecting the system against a specific threat.

Page 45 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-NoEgressModification
WFP-based products that operate in the vSwitch must not modify packets on the Egress path of the vSwitch.

Applies to Windows 11 Client x64

Description

WFP-based products that operate in the vSwitch must not modify packets on the Egress path of the vSwitch.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportLiveMigration
WFP-based products that operate in the vSwitch must present a minimal MOF for Live Migration.

Applies to Windows 11 Client x64

Description

WFP-based products that operate in the vSwitch must present a minimal MOF for Live Migration. In the MOF, it must
declare itself Logo compliant for Live Migration and allow itself to be migrated or not block migration by default. The
total time for migrations for Live Migration cannot be longer than 2 seconds.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportRemoval
WFP-based products that operate in the vSwitch must be allowed to be removed when the admin disabled WFP for the
vSwitch instance.

Applies to Windows 11 Client x64

Description

Page 46 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.
WFP-based products that operate in the vSwitch must be allowed to be removed when the admin disabled WFP for
the vSwitch instance.

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch-SupportReordering
WFP-based products that operate in the vSwitch must respond to WFP vmSwitch reorder events.

Applies to Windows 11 Client x64

Description

WFP-based products that operate in the vmSwitch must respond to WFP vmSwitch reorder events.

Page 47 of 47
Microsoft Confidential
© 2021 Microsoft. All rights reserved. By using or providing feedback on these materials, you agree to the attached
license agreement.