From 076fbcffed9f1d9e24f46070f3ada58f5406f0ff Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Fri, 11 Aug 2023 12:16:59 -0400
Subject: [PATCH] updates
---
.../personal-data-encryption/configure.md | 119 ++++--------------
.../personal-data-encryption/index.md | 29 +++--
2 files changed, 44 insertions(+), 104 deletions(-)
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index 6e9dd3a346..885fad8a2a 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -11,84 +11,31 @@ This article describes the Personal Data Encryption (PDE) settings and how to co
> [!NOTE]
> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-
-### Security hardening recommendations
-
-- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
-
- Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
-
-- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
-
- Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
-
-- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-
- Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
-
-- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
-
- When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
- - On-premises Active Directory joined devices:
-
- - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
-
- - A password is required immediately after the screen turns off.
-
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
-
- - Workgroup devices, including Azure AD joined devices:
-
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
-
- Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
- For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
-
-### Highly recommended
-
-- [BitLocker Drive Encryption](../bitlocker/index.md) enabled
-
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
-
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
-
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
-
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-
- Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
-
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
-
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+>
+> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
## PDE settings list
-The following table lists the required and suggested settings to use with PDE.
+The following table lists the required settings to enable PDE.
-| Setting name | Description | Required? |
-|-|-|-|
-|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| This setting is required.|
-|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.|
-|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.|
-|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.||
-|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.||
+| Setting name | Description |
+|-|-|
+|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
+|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-## Enable Personal Data Encryption (PDE) in Intune
+## PDE hardening recommendations
-**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
-**Data type**, select **Integer**
-**Value**, enter in **1**
+The following table lists the recommended settings to improve PDE's security.
+
+| Setting name | Description |
+|-|-|
+|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
+|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
+|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
+|Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
### Configure PDE with Microsoft Intune
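Review bot: The text added to the first note (the two sentences beginning "The PDE APIs can be used to create custom applications and scripts...") is repeated verbatim in the unchanged note that follows the settings table, so the page now says the same thing twice within a few lines; keep it in one place, probably the note under the table, since that is where the "only enables the feature, does not protect any content" sentence also lives. Two smaller points in the same hunk: the fourth row of the hardening table is named "Allowing users to select when a password is required when resuming from connected standby disabled" while the other three rows follow a "Disable ..." pattern, so "Disable allowing users to select when a password is required when resuming from connected standby" would read consistently (and "device´s" in that row uses an acute accent where an apostrophe is intended). Finally, the unchanged "### Configure PDE with Microsoft Intune" heading now sits under "## PDE hardening recommendations", but the Intune table it introduces configures the required settings (Enable PDE, ARSO) as well as the recommended ones, so it would be better promoted to a "##" section of its own.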
@@ -112,37 +59,18 @@ Settings Catalog:
Category: `Administrative Templates`
`Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart`
-## Disable kernel-mode crash dumps and live dumps\
-
-## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
-
-## Disable hibernation
-
-## Disable allowing users to select when a password is required when resuming from connected standby for PDE
-
-When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
-
-- On-premises Active Directory joined devices:
- - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- - A password is required immediately after the screen turns off
- The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
-- Workgroup devices, including Azure AD joined devices:
- - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
-
-Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
-
-## Disable allowing users to select when a password is required when resuming from connected standby in Intune
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
| Category | Setting name | Value |
|--|--|--|
-|`Memory Dump`|`Allow Live Dump`|Block||
-|`Memory Dump`|`Allow Crash Dump`|Block||
-|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:**
- **Disabled**|
-|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option|
-|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option|
+|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption|
+|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled|
+|**Memory Dump**|**Allow Live Dump**|Block||
+|**Memory Dump**|**Allow Crash Dump**|Block||
+|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled|
+|**Power**|**Allow Hibernate**|Block|
+|**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**|
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
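Review bot: The "Allow Live Dump" and "Allow Crash Dump" rows end with a doubled pipe (`|Block||`), which gives them four cells in a three-column table; the trailing `|` should be dropped from both rows (the old rows had the same defect, so this is a good moment to fix it). Please also verify the value in the "Sign-in and lock last interactive user automatically after a restart" row: the settings table earlier in this file says "To use PDE, ARSO must be disabled", and the setting's name reads as the ARSO-on form, so "Enabled" in the Value column looks like it would turn ARSO on rather than off. The Value column is also inconsistently styled, with "Block", "Disabled" and "Enabled" plain in most rows but `**Enabled**` bold in the Windows Error Reporting row, and the Category cells use bold here while the context rows above use backticks; pick one convention for the whole table.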
@@ -155,7 +83,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic
| **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` |
| **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` |
-
## Disable PDE and decrypt content
Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
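Review bot: The unchanged sentence "it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from 1 to 0" now points at content this patch removes: the earlier hunk deletes the "Enable Personal Data Encryption (PDE) in Intune" section together with the `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` OMA-URI, and no heading visible in the diff produces the `#how-to-enable-pde` anchor. Either keep the OMA-URI and its value description somewhere the link can resolve to, or rewrite this paragraph to describe the disable step in terms of the settings-catalog row ("Enable Personal Data Encryption (User)") that the new Intune table uses. Separately, removing the blank line before "## Disable PDE and decrypt content" leaves the heading directly after the last row of the policy table; make sure a blank line still separates them so the table terminates correctly.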
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index f522dc5930..7afed4f153 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -24,17 +24,15 @@ Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release
To use PDE, the following prerequisites must be met:
-- The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
- - Domain-joined and hybrid Azure AD joined devices aren't supported
-- Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
- - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported
- Windows 11, version 22H2 and later
+- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
+- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## PDE protection levels
-PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
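Review bot: The rewritten Windows Hello prerequisite adds "Password and [security key][AAD-2] sign in aren't supported", but the lines it replaces only said FIDO/security key authentication isn't supported; "password sign-in isn't supported" is new information, so please confirm it against the feature behaviour before it lands. In the same line, "sign in" is used as a noun and should be hyphenated ("sign-in"), matching "Sign-in and lock last interactive user" elsewhere in this patch. The switch from bold to italic for *AES-CBC* and *256-bit key* is fine as long as it matches the emphasis convention used across the rest of this doc set.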
@@ -86,14 +84,29 @@ For EFS protected files, under **Users who can access this file:**, there will b
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
+### Recommendations for using PDE
+
+The following are recommendations for using PDE:
+
+- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
+
## Windows out of box applications that support PDE
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
-- Mail
- - Supports protecting both email bodies and attachments
+| App name | Details |
+|-|-|
+| Mail | Supports protecting both email bodies and attachments|
## Next steps
- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
+
+
+
+[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
+[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key
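Review bot: Two typos in the new recommendations list: "increased security at it isn't a replacement" should read "increased security and it isn't a replacement" (or "as it isn't"), and "PDE-protected concent" should be "PDE-protected content". The list mixes forms as well: the first item is an imperative ("Enable BitLocker..."), while the second and third start with bare noun phrases ("Backup solution such as...", "Windows Hello for Business PIN reset service..."), so "Use a backup solution such as..." and "Use the Windows Hello for Business PIN reset service..." would make the four items parallel. The three blank lines inserted before the `[AAD-1]` and `[AAD-2]` link definitions can be collapsed to one. The Mail table is fine, though a one-row table under "Windows out of box applications that support PDE" only earns its keep if more apps are expected to be added; if not, the original bullet was lighter.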