********************************************************************** "Read First" Release Notes Microsoft Windows 2000 High Encryption Pack Release Candidate 3 October 1999 ********************************************************************** Information in this document, including URL and other Internet Web site references, is subject to change without notice. The example companies, organizations, products, people, and events depicted herein are fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. (c) 1999 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Contents 1.0 Introduction 2.0 Installing the Windows 2000 High Encryption Pack 2.1 OEM Preinstallation and Corporate Deployment 3.0 Summary of U.S. Export Regulations for Strong Encryption Products 3.1 Distributing or Using This Product in the United States or Canada 3.2 International Travel from the United States 3.2.1 Personal Use (TMP) 3.2.2 Demonstration and Marketing (TMP) 3.2.3 Personal Use (BAG) 3.3 Exports to Canada 3.4 Exports to U.S. Territories, Dependencies, and Possessions 3.5 Exports Under License Exception GOV 3.6 Exports Under License Exception ENC 3.6.1 Deployments by U.S. Firms and Their Foreign Subsidiaries 3.6.2 Deployments by Banks and Financial Institutions 3.6.3 Deployments by Health and Medical Organizations 3.7 Additional Information About U.S. Export Laws 3.8 Additional Information About Exporting Microsoft Products 3.9 Additional Resources for Information About United States Encryption Policy ====================================================================== 1.0 Introduction ====================================================================== Welcome to the Windows 2000 High Encryption Pack. This document provides complementary or late-breaking information to supplement the Microsoft Windows 2000 documentation. Print and read this document for critical preinstallation information about this release. To print Encread.txt 1. Open Encread.txt in Notepad or another word processor. 2. On the File menu, click Print. ====================================================================== 2.0 Installing the Windows 2000 High Encryption Pack ====================================================================== The Windows 2000 High Encryption Pack upgrades Windows 2000 to use the strongest possible, 128-bit encryption to protect your information. For more information about Windows 2000 security features, see the Windows 2000 documentation. You can install the High Encryption Pack from the Windows 2000 High Encryption Pack floppy disk, or from the following Web sites: * For Windows 2000 Professional, http://www.microsoft.com/isapi/redir.dll?prd=win2000&sbp= professional&ar=download&sba=crypto * For Windows 2000 Server, http://www.microsoft.com/isapi/redir.dll?prd=win2000&sbp= server&ar=download&sba=crypto To install the Windows 2000 High Encryption Pack from the floppy disk 1. Insert the High Encryption floppy disk into the computer's floppy disk drive. 2. Click Start, and then click Run. 3. Type :\encpack.exe, and then click OK. 4. Click Yes to begin installation. 5. When installation completes, remove the floppy disk and restart the computer. Note: The following notes are important to users who are installing the Windows 2000 High Encryption Pack: * You cannot uninstall the Windows 2000 High Encryption Pack. * Future upgrades of Windows 2000 automatically upgrade the High Encryption software. You do not need to reinstall the Windows 2000 High Encryption Pack. ---------------------------------------------------------------------- 2.1 OEM Preinstallation and Corporate Deployment ---------------------------------------------------------------------- The following instructions describe how original equipment manufacturers (OEMs) and corporations can preinstall and deploy the High Encryption Pack. To preinstall and deploy the High Encryption Pack on all computers 1. Insert the High Encryption floppy disk into a computer's floppy disk drive. 2. Copy Rsaenhs.dll from the floppy disk to your distribution folders in the \\\\i386\$OEM$\$$\System32 directory. 3. Remove the floppy disk. 4. On the destination computers, start the Windows 2000 installation from a distribution folder. To preinstall and deploy the High Encryption Pack on selected computers using sysprep 1. Insert the High Encryption floppy disk into a computer's floppy disk drive. 2. Copy Encpack.exe from the floppy disk to your distribution folders in the \\\\i386\$OEM$\$1\Sysprep\i386\$OEM$ directory. 3. Create a Cmdlines.txt file that contains the following lines: [Commands] ".\encpack.exe /q:a" 4. Copy the Cmdlines.txt file to your distribution folders in the \\\\i386\$OEM$\$1\Sysprep\i386\$OEM$ directory. 5. Remove the floppy disk. 6. Start the Windows 2000 installation on the master computer. 7. Run Sysprep.exe. 8. When the computer shuts down, use third-party software or hardware imaging tools to image the computer. 9. Create a Sysprep.inf file that contains the following lines: [Unattended] InstallFilesPath = %systemdrive%\Sysprep\i386 10. Copy the Sysprep.inf file to a location where the file can be used to customize installations or can be copied to a floppy for customized use. 11. Copy the image to the destination computers. 12. If you have tools that allow you to manipulate the image, you can replace an existing Sysprep.inf file on the computer with the updated file. Note: If you use a custom Sysprep.inf file to replace a Sysprep.inf file that was on the master computer when it was imaged, the InstallFilesPath and OEMPnpDriversPath references must be the same for both Sysprep.inf files. For more information about how to use Sysprep.exe and Sysprep.inf, see the Deptool.chm Help file in \Support\Tools\Deploy.cab on the Microsoft Windows 2000 CD. ====================================================================== 3.0 Summary of U.S. Export Regulations for Strong Encryption Products ====================================================================== WHO SHOULD CONSULT THIS SECTION: System administrators and others who anticipate deployment of strong encryption products outside the United States or Canada, or within a corporate environment that extends beyond United States or Canadian borders. DISCLAIMER: Microsoft makes this information available for informational purposes only. It may not reflect the most current legal developments, and Microsoft does not represent, warrant, or guarantee that it is complete, accurate, or up-to-date. The information is subject to change without notice. This information is not intended to constitute legal advice or to be used as a substitute for specific legal advice from a licensed attorney. You should not act (or refrain from acting) based upon the following information without obtaining professional advice regarding your particular facts and circumstances. Users are advised to consult legal counsel or the U.S. Department of Commerce to determine whether any particular use or distribution of this product might be considered an export. For more information, visit the U.S. Department of Commerce Web site at: http://www.bxa.doc.gov/ Note: Web addresses can change, so you may be unable to connect to the Web site mentioned here. The product contains strong encryption features and is classified for export from the United States under ECCN 5D002(c)(1). Export of strong encryption products from the United States is regulated under "EI controls" of the Export Administration Regulations (EAR, 15 CFR 730-744) of the U.S. Department of Commerce, Bureau of Export Administration (BXA). An export license or applicable license exception is required to export strong encryption products outside the U.S. or Canada. ---------------------------------------------------------------------- 3.1 Distributing or Using This Product in the United States or Canada ---------------------------------------------------------------------- There are no restrictions on the distribution or use of strong encryption products in the United States; in its territories, possessions, and dependencies; or in Canada. ---------------------------------------------------------------------- 3.2 International Travel from the United States ---------------------------------------------------------------------- Persons in the United States can travel internationally with strong encryption products under most circumstances without a U.S. export license. You can travel with strong encryption software (or hardware) intended for personal use, demonstration, or marketing as long as you comply with the rules for License Exceptions TMP or BAG. 3.2.1 Personal Use (TMP) ---------------------------------------------------------------------- If the traveler or the traveler's employer owns the strong encryption products, TMP permits most temporary exports, subject to the following conditions: * You cannot travel with the software to Cuba, Libya, North Korea, or Sudan. * You must return to the United States within one year, and you cannot leave software or copies of the software behind. * You must maintain "effective control" over the software (keep the software with you or store it securely). * Encryption products can be shipped to your overseas destination unaccompanied within one month before your departure or at any time after your departure. 3.2.2 Demonstration and Marketing (TMP) ---------------------------------------------------------------------- TMP permits the export of strong encryption products for exhibition and demonstration purposes, subject to the following conditions: * The software may be demonstrated only in "Country Group B." As of June 1999, Country Group B included most countries, except Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, China, Cuba, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Macau, Moldova, Mongolia, North Korea, Romania, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, and Vietnam. Country Group B is described in Supplement 1 to Part 740 of the Export Administration Regulations, which is available on the Export Administration Regulations Database Web site at: http://www.access.gpo.gov/bxa/ear/ear_data.html * You must maintain ownership of the software. You, another employee, or a designated sales representative must retain effective control over the software. * The software may not be exhibited or demonstrated at any one site for more than 120 days. Note:Web addresses can change, so you may be unable to connect to the Web site mentioned here. 3.2.3 Personal Use (BAG) ---------------------------------------------------------------------- License Exception BAG authorizes persons leaving the United States either temporarily (i.e., traveling) or for a longer term (i.e., moving) to take strong encryption products to most destinations for their own personal use. Unlike TMP, under BAG, you are not required to return exports to the United States within one year; however, exports under BAG are subject to the following conditions: * The products must be personally owned by you or by someone within your immediate family. * You must be a U.S. citizen or a permanent resident. * You must maintain effective control over the software. * The software cannot be exported or re-exported as unaccompanied baggage. * The software cannot be exported or re-exported to Cuba, Federal Republic of Yugoslavia (Serbia and government of Montenegro only), Iran, Iraq, Libya, North Korea, Sudan, or Syria. ---------------------------------------------------------------------- 3.3 Exports to Canada ---------------------------------------------------------------------- U.S. export law permits export of strong encryption products to Canada without an export license. Users should not re-export these products from Canada without an export license, except back to the United States. ---------------------------------------------------------------------- 3.4 Exports to U.S. Territories, Dependencies, and Possessions ---------------------------------------------------------------------- Distribution of strong encryption products to U.S. territories, dependencies, and possessions is not considered an export. Users in Guam, Puerto Rico, the U.S. Virgin Islands, and other U.S. territories and possessions can obtain strong encryption products from the United States without an export license. ---------------------------------------------------------------------- 3.5 Exports Under License Exception GOV ---------------------------------------------------------------------- Strong encryption products may be exported without an export license to personnel and agencies of the U.S. government, wherever located, including military agencies or personnel. Items must be consigned directly to an eligible government agency or to eligible personnel and must be intended for official use. License Exception GOV does not permit the re-distribution of 128-bit Microsoft Internet Explorer outside U.S. government or military agencies or to personnel overseas. ---------------------------------------------------------------------- 3.6 Exports Under License Exception ENC ---------------------------------------------------------------------- U.S. export regulations published on December 31, 1998, created a new License Exception ENC that permits many customers to receive and deploy strong encryption products outside the United States and Canada without a U.S. export license. Eligible customers include foreign branches and subsidiaries of U.S. multinationals, many banks and financial institutions, health and medical organizations, and online merchants. Under these new regulations, there are restrictions on who is eligible and what you can do with strong encryption products. In general, License Exception ENC is limited to companies based in 46 preferred countries or regions. These countries or regions include: Anguilla, Antigua and Barbuda, Argentina, Aruba, Australia, Austria, The Bahamas, Barbados, Belgium, Brazil, Canada, Croatia, Czech Republic, Denmark, Dominica, Ecuador, Finland, France, Germany, Greece, Hong Kong S.A.R., Hungary, Iceland, Ireland, Italy, Japan, Kenya, Luxembourg, Monaco, The Netherlands, New Zealand, Norway, Poland, Portugal, Seychelles, Singapore, Spain, St. Kitts and Nevis, St. Vincent and the Grenadines, Sweden, Switzerland, Trinidad and Tobago, Turkey, the United Kingdom, the United States, and Uruguay. For additional information about these regulations and eligible Microsoft strong encryption products, visit the Exporting Microsoft Products Web site at: http://www.microsoft.com/exporting/enc.htm 3.6.1 Deployments by U.S. Firms and Their Foreign Subsidiaries ---------------------------------------------------------------------- License Exception ENC allows exports of strong encryption products to subsidiaries of U.S. companies for internal proprietary use. These exports are permitted worldwide, except to countries subject to U.S. embargo or restriction. As of March 1999, these countries include Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Redistribution to anyone outside a U.S. company or its foreign subsidiaries requires an approved U.S. export license or applicable license exception. 3.6.2 Deployments by Banks and Financial Institutions ---------------------------------------------------------------------- License Exception ENC allows exports of strong encryption products to eligible banks and financial institutions based in the 46 preferred countries or regions and to their branches and subsidiaries worldwide, except to countries subject to U.S. embargo or restriction. As of March 1999, these countries include Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria. Eligible customers include banks, insurance companies, regulated broker/dealers, investment firms and advisers, and other financial institutions identified in the U.S. regulations. For additional information, visit the Exporting Microsoft Products Web site at: http://www.microsoft.com/products/exporting/enc.htm Strong encryption products may be used to secure financial transactions or communications (1) within the bank or financial institution; (2) between banks and/or financial institutions; and (3), on a limited basis, between the bank or financial institution and its customers. There are several important limitations. For the most part, these strong security products cannot be provided to a bank's or a financial institution's customers. No voice communications and no customer-to-customer communications or transactions may be secured with strong encryption products. 3.6.3 Deployments by Health and Medical Organizations ---------------------------------------------------------------------- License Exception ENC allows exports of strong encryption products to eligible health and medical organizations based in the 46 preferred countries. Unlike the treatment given the banking, financial, and insurance sectors, this relief does not include branches or affiliates outside the 46 countries or regions, and this license exception does not include export to biochemical firms, pharmaceutical firms, or military agencies. Strong encryption products cannot be redistributed to patients or other end-users without an additional U.S. export license. In addition, unlike exports made to other customers, the exporter must closely track exports to health and medical organizations in order to comply with Commerce Department reporting requirements. ---------------------------------------------------------------------- 3.7 Additional Information About U.S. Export Laws ---------------------------------------------------------------------- For additional information about the new U.S. export regulations and U.S. export laws in general, visit the following Web sites: * The U.S. Department of Commerce Commercial Encryption Export Controls Web site at: http://www.bxa.doc.gov/encryption/default.htm * The U.S. Department of Commerce Bureau of Export Administration (BXA) Web site at: http://www.bxa.doc.gov/ * The U.S. Export Administration Regulations Online (15 CFR 730-744) Web site at: http://www.access.gpo.gov/bxa/ Note:Web addresses can change, so you may be unable to connect to the Web sites mentioned here. ---------------------------------------------------------------------- 3.8 Additional Information About Exporting Microsoft Products ---------------------------------------------------------------------- For additional information about exporting Microsoft products, including Microsoft strong encryption products eligible for export under License Exception ENC, visit the Exporting Microsoft Products Web site at: http://www.microsoft.com/exporting/ ---------------------------------------------------------------------- 3.9 Additional Resources for Information About U.S. Encryption Policy ---------------------------------------------------------------------- For additional information about U.S. encryption policy and export controls, the following online sources are recommended: * The Americans for Computer Privacy (ACP) Web site at: http://www.computerprivacy.org/ * The Business Software Alliance (BSA) Web site at: http://www.bsa.org/ * The Center for Democracy and Technology (CDT) Web site at: http://www.cdt.org/crypto/ * The Electronic Privacy Information Center (EPIC) Web site at: http://www.epic.org/ Note: Web addresses can change, so you may be unable to connect to the Web sites mentioned here.