6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 3.1.1:  An implementation can generate session keys and encrypt them with the server public key immediately before sending an NKPU request via DHCP. If public-key cryptography or symmetric key generation is unavailable in the implementation's boot environment, then an implementation needs to use pre-generated session keys encrypted with the server public key.

<2> Section 3.2.1:  In Windows implementations, the key data is composed of a 16-byte MAC followed by the encrypted output of the concatenation of an implementation-specific 12-byte header of 2c 00 00 00 01 00 00 00-06 20 00 00 and the 32-byte CK ADM element.

<3> Section 3.2.1:  Windows NKPU servers always accept and reply to requests from link local addresses in Ipv6, regardless of the contents of an Ipv6 allowed list.