updates

2025-05-12 13:27:23 +00:00 · 2023-08-11 12:16:59 -04:00 · 2023-08-11 12:16:59 -04:00 · 076fbcffed
commit 076fbcffed
parent 55f2f142a8
2 changed files with 44 additions and 104 deletions
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@ -11,84 +11,31 @@ This article describes the Personal Data Encryption (PDE) settings and how to co
 > [!NOTE]
 > PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
-
+>
-> [!NOTE]
+> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
 > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
 ### Security hardening recommendations
 - [Kernel-mode crash dumps  and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
   Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
 - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
   Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
 - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
   Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
 - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
    When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
  - On-premises Active Directory joined devices:
    - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
    - A password is required immediately after the screen turns off.
    The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
  - Workgroup devices, including Azure AD joined devices:
    - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
    - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
    Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
   For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
 ### Highly recommended
 - [BitLocker Drive Encryption](../bitlocker/index.md) enabled
   Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
 - Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
   In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
 - [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
   Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
 - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
   Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
 ## PDE settings list
-The following table lists the required and suggested settings to use with PDE.
+The following table lists the required settings to enable PDE.
-| Setting name | Description | Required? |
+| Setting name | Description |
-|-|-|-|
+|-|-|
-|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| This setting is required.|
+|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
-|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.|
+|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
 |Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.|
 |Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.||
 |Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.||
 > [!NOTE]
 > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
-## Enable Personal Data Encryption (PDE) in Intune
+## PDE hardening recommendations
-**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
+The following table lists the recommended settings to improve PDE's security.
-**Data type**, select **Integer**
+
-**Value**, enter in **1**
+| Setting name | Description |
 |-|-|
 |Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
 |Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
 |Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
 |Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.|
 ### Configure PDE with Microsoft Intune
@ -112,37 +59,18 @@ Settings Catalog:
 Category: `Administrative Templates`
 `Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart`
 ## Disable kernel-mode crash dumps and live dumps\
 ## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
 ## Disable hibernation
 ## Disable allowing users to select when a password is required when resuming from connected standby for PDE
 When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
 - On-premises Active Directory joined devices:
  - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
  - A password is required immediately after the screen turns off
    The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
 - Workgroup devices, including Azure AD joined devices:
  - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
  - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
 Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
 ## Disable allowing users to select when a password is required when resuming from connected standby in Intune
 [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
 | Category | Setting name | Value |
 |--|--|--|
-|`Memory Dump`|`Allow Live Dump`|Block||
+|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption|
-|`Memory Dump`|`Allow Crash Dump`|Block||
+|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled|
-|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:** <br>&emsp;- **Disabled**|
+|**Memory Dump**|**Allow Live Dump**|Block||
-|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option|
+|**Memory Dump**|**Allow Crash Dump**|Block||
-|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option|
+|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled|
 |**Power**|**Allow Hibernate**|Block|
 |**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**|
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
@ -155,7 +83,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic
 | **Setting name**: Turn On Virtualization Based Security<br>**Policy CSP name**: `EnableVirtualizationBasedSecurity` |
 | **Setting name**: Credential Guard Configuration<br>**Policy CSP name**: `LsaCfgFlags` |
 ## Disable PDE and decrypt content
 Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@ -24,17 +24,15 @@ Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release
 To use PDE, the following prerequisites must be met:
 - The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
  - Domain-joined and hybrid Azure AD joined devices aren't supported
 - Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
  - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported
 - Windows 11, version 22H2 and later
 - The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported
 - Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported
 [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
 ## PDE protection levels
-PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 | Item | Level 1 | Level 2 |
 |---|---|---|
@ -86,14 +84,29 @@ For EFS protected files, under **Users who can access this file:**, there will b
 Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
 ### Recommendations for using PDE
 The following are recommendations for using PDE:
 - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
 - Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive
 - [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
 - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
 ## Windows out of box applications that support PDE
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
- Mail
+| App name | Details |
-  - Supports protecting both email bodies and attachments
+|-|-|
 | Mail | Supports protecting both email bodies and attachments|
 ## Next steps
 - Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
 - Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
 <!--links used in this document-->
 [AAD-1]: /azure/active-directory/devices/concept-azure-ad-join
 [AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key