From 8c7c642bd2cb17f5becabbe32256d4d12b595585 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 7 Dec 2022 14:43:06 -0500 Subject: [PATCH 01/19] PDE Updates Post Release --- .../configure-pde-in-intune.md | 152 +++++++++++++++--- .../personal-data-encryption/faq-pde.yml | 43 ++--- .../includes/pde-description.md | 11 +- .../personal-data-encryption/overview-pde.md | 151 +++++++++++------ 4 files changed, 259 insertions(+), 98 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 4375ada864..103b574958 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -3,16 +3,17 @@ title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/07/2022 --- + # Configure Personal Data Encryption (PDE) policies in Intune 
@@ -20,104 +21,205 @@ ms.date: 09/22/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into the Intune +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. Under **Template name**, select **Custom**, and then select **Create** -7. On the ****Basics** tab: + +7. On the **Basics** tab: + 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description + 2. Next to **Description**, enter a description + 8. Select **Next** + 9. On the **Configuration settings** tab, select **Add** + 10. In the **Add Row** window: + 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** 4. Next to **Data type**, select **Integer** 5. Next to **Value**, enter in **1** + 11. Select **Save**, and then select **Next** + 12. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the PDE policy should be deployed to 3. Select **Select** 4. Select **Next** + 13. On the **Applicability Rules** tab, configure if necessary and then select **Next** + 14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable Winlogon automatic restart sign-on (ARSO) +### Disable Winlogon automatic restart sign-on (ARSO) + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Templates** + 6. 
Under **Template name**, select **Administrative templates**, and then select **Create** -7. On the ****Basics** tab: + +7. On the **Basics** tab: + 1. Next to **Name**, enter **Disable ARSO** 2. Next to **Description**, enter a description + 8. Select **Next** + 9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** + 10. Select **Sign-in and lock last interactive user automatically after a restart** + 11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 12. Select **Next** + 13. On the **Scope tags** tab, configure if necessary and then select **Next** -12. On the **Assignments** tab: + +14. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** 2. Select the groups that the ARSO policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -## Recommended prerequisites +15. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable crash dumps +## Security hardening recommendations + +### Disable kernel-mode crash dumps and live dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: - 1. Next to **Name**, enter **Disable Hibernation** + +6. On the **Basics** tab: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 2. Next to **Description**, enter a description + 7. Select **Next** + 8. 
On the **Configuration settings** tab, select **Add settings** + 9. In the **Settings picker** windows, select **Memory Dump** + 10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** + 12. On the **Scope tags** tab, configure if necessary and then select **Next** + 13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the crash dumps policy should be deployed to + 2. Select the groups that the disable crash dumps policy should be deployed to 3. Select **Select** 4. Select **Next** + 14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -#### Disable hibernation +### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** + 3. Select **Create profile** + 4. Under **Platform**, select **Windows 10 and later** + 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the ****Basics** tab: - 1. Next to **Name**, enter **Disable Hibernation** + +6. On the **Basics** tab: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** 2. Next to **Description**, enter a description + 7. Select **Next** + 8. On the **Configuration settings** tab, select **Add settings** -9. In the **Settings picker** windows, select **Power** -10. 
When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window -11. Change **Allow Hibernate** to **Block**, and then select **Next** + +9. In the **Settings picker** windows, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** + +10. When the settings appear in the lower pane, under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Change both **Disable Windows Error Reporting** to **Enabled**, and then select **Next** + 12. On the **Scope tags** tab, configure if necessary and then select **Next** + 13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the hibernation policy should be deployed to + 2. Select the groups that the disable WER dumps policy should be deployed to 3. Select **Select** 4. Select **Next** + +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +### Disable hibernation + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. Under **Platform**, select **Windows 10 and later** + +5. Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. On the **Basics** tab: + + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. On the **Configuration settings** tab, select **Add settings** + +9. In the **Settings picker** windows, select **Power** + +10. 
When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Change **Allow Hibernate** to **Block**, and then select **Next** + +12. On the **Scope tags** tab, configure if necessary and then select **Next** + +13. On the **Assignments** tab: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable hibernation policy should be deployed to + 3. Select **Select** + 4. Select **Next** + 14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** ## See also + - [Personal Data Encryption (PDE)](overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) \ No newline at end of file +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index 744161659e..e0ad44cf6d 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -5,13 +5,16 @@ metadata: description: Answers to common questions regarding Personal Data Encryption (PDE). author: frankroj ms.author: frankroj - ms.reviewer: rafals + ms.reviewer: rhonnegowda manager: aaroncz ms.topic: faq ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 09/22/2022 + ms.date: 12/07/2022 + +# Max 5963468 OS 32516487 +# Max 6946251 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | 
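Review bot: in the "Disable Windows Error Reporting (WER)/Disable user-mode crash dumps" section of configure-pde-in-intune.md, step 11 reads "Change both **Disable Windows Error Reporting** to **Enabled**", but step 10 selects only one setting; drop "both" (a leftover from the crash-dump section, where two settings are selected). Two smaller points in the same hunk: "In the **Settings picker** windows" should be "window" in all three Settings catalog sections, and the Enable PDE profile uses a User-scope OMA-URI (`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`), so the Assignments step should say whether to target user groups or device groups, since a per-user CSP setting behaves differently from the device-scope Administrative template used for ARSO.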
@@ -28,45 +31,49 @@ sections: answer: | No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. - - question: Can an IT admin specify which files should be encrypted? + - question: How are files protected by PDE selected? answer: | - Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files are protected using PDE. - - question: Do I need to use OneDrive as my backup provider? + - question: Do I need to use OneDrive in Microsoft 365 as my backup provider? answer: | - No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. + No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider. - question: What is the relation between Windows Hello for Business and PDE? answer: | - During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect files. - - question: Can a file be encrypted with both PDE and EFS at the same time? + - question: Can a file be protected with both PDE and EFS at the same time? answer: | No. PDE and EFS are mutually exclusive. - - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? + - question: Can PDE protected files be accessed after signing on via a Remote Desktop connection (RDP)? answer: | - No. Accessing PDE encrypted files over RDP isn't currently supported. + No. 
Accessing PDE protected files over RDP isn't currently supported. - - question: Can PDE encrypted files be access via a network share? + - question: Can PDE protected files be accessed via a network share? answer: | - No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + No. PDE protected files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is encrypted with PDE? + - question: How can it be determined if a file is protected with PDE? answer: | - Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. + - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: + 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. + 2. Select the **Details** button. + 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. + - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md). - - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? 
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected files? answer: | - No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + No. The keys used by PDE to protect files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. - question: What encryption method and strength does PDE use? answer: | - PDE uses AES-CBC with a 256-bit key to encrypt files + PDE uses AES-CBC with a 256-bit key to encrypt files. additionalContent: | ## See also diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 7ca7334657..445e8fbb45 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md 
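Review bot: the `# Max 5963468 OS 32516487` and `# Max 6946251` comments added to the faq-pde.yml metadata block look like internal work-item references and should not ship in a public docs source file; remove them or move them to the PR description. In the "How can it be determined if a file is protected with PDE?" answer, the new top-level bullet ends in a colon and is followed by a numbered list indented one level deeper; check that the YAML block scalar renders this as a nested list rather than as literal text, and consider ending the first bullet after "padlock on the file's icon." with the verification steps as a separate sentence. The "Can users manually encrypt and decrypt files with PDE?" answer now points at "Disable PDE and decrypt files" in overview-pde.md; that section title is correct in this patch, so the cross-reference is fine.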
@@ -4,24 +4,25 @@ description: Personal Data Encryption (PDE) description include file author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/07/2022 --- + Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. -PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. +Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. 
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. > [!NOTE] -> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. +> PDE can be enabled using MDM policies. The files to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect files using PDE. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index bfb7153548..54c375e13b 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md 
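Review bot: in the pde-description.md hunk, the replacement accessibility sentence is circular: "Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business." Suggest "Because PDE authenticates with Windows Hello for Business, the accessibility features of Windows Hello for Business are available when unlocking PDE protected files." The rewritten NOTE correctly drops the claim that PDE is "only available to developers", but it now says "PDE can be enabled using MDM policies" without naming which; a link to the PDE CSP (already referenced in overview-pde.md) would keep the include self-contained.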
@@ -3,75 +3,104 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. author: frankroj ms.author: frankroj -ms.reviewer: rafals +ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 09/22/2022 +ms.date: 12/07/2022 --- + # Personal Data Encryption (PDE) -(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) +**Applies to:** + +- Windows 11, version 22H2 and later Enterprise and Education editions [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] ## Prerequisites ### **Required** - - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) - - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) - - Windows 11, version 22H2 and later Enterprise and Education editions + +- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) +- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) +- Windows 11, version 22H2 and later Enterprise and Education editions ### **Not supported with PDE** - - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) - - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). 
- - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - - Remote Desktop connections + +- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) +- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). +- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) +- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- Remote Desktop connections + +### **Security hardening recommendations** + +- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) + + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + +- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) + + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable user-mode crash dumps. 
For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + +- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + + Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + +- [Disable allowing users to select when a password is required when resuming from connected standby](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) + - When this policy is not configured on-premises Active Directory joined devices. However, this policy is enabled by default on Azure AD joined devices. For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). ### **Highly recommended** - - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. - - Backup solution such as [OneDrive](/onedrive/onedrive) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. 
- - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN - - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) - - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). - - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + +- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + + Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. 
+ +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) + + In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect files will be lost. In such scenarios, any file protected with PDE will no longer be accessible. The only way to recover such files would be from backup. + +- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + + Destructive PIN resets will cause keys used by PDE to protect files to be lost. The destructive PIN reset will make any file protected with PDE no longer accessible after a destructive PIN reset. Files protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + + Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses AES-CBC with a 256-bit key to protect files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). 
| Item | Level 1 | Level 2 | |---|---|---| -| Data is accessible when user is signed in | Yes | Yes | -| Data is accessible when user has locked their device | Yes | No | -| Data is accessible after user signs out | No | No | -| Data is accessible when device is shut down | No | No | -| Decryption keys discarded | After user signs out | After user locks device or signs out | +| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes | +| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available | +| PDE protected data is accessible after user signs out of Windows | No | No | +| PDE protected data is accessible when device is shut down | No | No | +| PDE protected data is accessible via UNC paths | No | No | +| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No | +| PDE protected data is accessible via Remote Desktop session | No | No | +| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows | -## PDE encrypted files accessibility +## PDE protected files accessibility -When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. +When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE protected file, they'll be denied access to the file. 
-Scenarios where a user will be denied access to a PDE encrypted file include: +Scenarios where a user will be denied access to a PDE protected file include: - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If specified via level 2 protection, when the device is locked. +- If protected via level 2 protection, when the device is locked. - When trying to access files on the device remotely. For example, UNC network paths. - Remote Desktop sessions. -- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. +- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected files. ## How to enable PDE 
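Review bot: the new "Disable allowing users to select when a password is required when resuming from connected standby" bullet links to `configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby`, but the configure-pde-in-intune.md changes in this patch add no such section, so the link is dead; either add the Intune steps or drop the link. The sentence under that bullet is also a fragment ("When this policy is not configured on-premises Active Directory joined devices. However, this policy is enabled by default on Azure AD joined devices.") and needs to state what the unconfigured behaviour is and why it matters for PDE. Other retained errors in the same hunk: "crash dumbs" appears twice (WER bullet and hibernation bullet), and the hibernation bullet says "For information on disabling crash dumbs via Intune, see [Disable hibernation]" where it should say "disabling hibernation"; the ARSO sub-bullet still ends with a doubled `))`.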
@@ -85,55 +114,77 @@ To enable PDE on devices, push an MDM policy to the devices with the following p There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. > [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any files. To protect files via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which files to protect and at what level to protect the files. Additionally, the PDE APIs can't be used to protect files until the PDE policy has been enabled. For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). ## Differences between PDE and BitLocker +PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. This is why using them together offers better security. 
+ | Item | PDE | BitLocker | |--|--|--| -| Release of key | At user sign-in via Windows Hello for Business | At boot | -| Keys discarded | At user sign-out | At reboot | -| Files encrypted | Individual specified files | Entire volume/drive | -| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | -| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | +| Release of decryption key | At user sign-in via Windows Hello for Business | At boot | +| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | +| Files protected | Individual specified files | Entire volume/drive | +| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign in | ## Differences between PDE and EFS -The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. +The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files. -To see if a file is encrypted with PDE or EFS: +To see if a file is protected with PDE or with EFS: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. In the **Advanced Attributes** windows, select **Details** -For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. 
+For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. -For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. +For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. +Encryption information including what encryption method is being used to protect the file can be obtained with the command line [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. ## Disable PDE and decrypt files -Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: +Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **0** + +Disabling PDE doesn't decrypt any PDE protected files. It only prevents the PDE API from being able to protect any additional files. PDE protected files can be manually decrypted using the following steps: 1. Open the properties of the file 2. 
Under the **General** tab, select **Advanced...** 3. Uncheck the option **Encrypt contents to secure data** 4. Select **OK**, and then **OK** again -> [!Important] -> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. +PDE protected files can also be decrypted using [`cipher.exe`](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: + +- Decrypting a large number of files on a device +- Decrypting files on a large number of devices. + +To decrypt files on a device using `cipher.exe`: + +- Decrypt all files under a directory including subdirectories:
+ `cipher.exe /d /s:**` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
+ `cipher.exe /d **` + +> [!IMPORTANT] +> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. ## Windows out of box applications that support PDE Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. - Mail - - Supports encrypting both email bodies and attachments + - Supports protecting both email bodies and attachments ## See also + - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) From bc88fff33cee994eba2ad72b97628e77e123f3fc Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 7 Dec 2022 17:28:12 -0500 Subject: [PATCH 02/19] PDE Updates Post Release 2 --- .../configure-pde-in-intune.md | 37 ++++++++++++++ .../personal-data-encryption/overview-pde.md | 51 ++++++++++++++----- 2 files changed, 75 insertions(+), 13 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 103b574958..2f25906802 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
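Review bot: the bullet "If protected via level 2 protection, when the device is locked" introduces a term the page never explains, and it disagrees with the table added further down in this patch, which says decryption keys are discarded one minute after the lock screen is engaged rather than at lock. Add a one-line explanation of the protection levels where they are first mentioned, and word the bullet as "for files protected at level 2, once the device has been locked for about a minute" so the two statements agree. The encrypted to protected rename is applied consistently in this hunk.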
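Review bot: the two `cipher.exe` lines have lost their argument: as rendered, `cipher.exe /d /s:**` and `cipher.exe /d **` show only stray bold markers where the path placeholder belonged, so a reader copying them gets a command with no target. Write the placeholder so it survives markdown (a code span with escaped angle brackets, or an italic word), and check the switch semantics: `cipher /d` given a directory changes that directory's encryption attribute and only operates on the files inside it when `/a` is also passed, so `/d /s:<directory> /a` is probably what "decrypt all files under a directory including subdirectories" intends. Say too that the command must run in the session of the file owner signed in with Windows Hello for Business; by the scenarios list earlier on this page, other users, remote sessions and password sign-ins are denied the keys, so running `cipher.exe` over a remote session or as a different user will not decrypt anything. Smaller points in the same hunk: "However there are differences between BitLocker and PDE and how they work. This is why using them together offers better security" is circular and should state what each covers (BitLocker releases its key at boot and protects the volume while the device is off; PDE releases keys only at Windows Hello for Business sign-in and drops them at sign-out or shortly after lock, so it still protects files on a running device with no user present). The table row "Decryption keys discarded" should say the one-minute-after-lock behaviour applies to level 2 protected files, matching the scenarios bullet. "It can be done so via the MDM policy" should be "it can be done via", and "Advanced Attributes windows" in the unchanged step 3 is "window". Finally, the disable section should state whether files protected before the policy is set to 0 remain readable to their owner; the manual decryption steps that follow only work if they do.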
@@ -219,6 +219,43 @@ ms.date: 12/07/2022 14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +### Disable allowing users to select when a password is required when resuming from connected standby + +1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. Navigate to **Devices** > **Configuration Profiles** + +3. Select **Create profile** + +4. Under **Platform**, select **Windows 10 and later** + +5. Under **Profile type**, select **Settings catalog**, and then select **Create** + +6. On the **Basics** tab: + + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description + +7. Select **Next** + +8. On the **Configuration settings** tab, select **Add settings** + +9. In the **Settings picker** windows, select **Power** + +10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + +11. Change **Allow Hibernate** to **Block**, and then select **Next** + +12. On the **Scope tags** tab, configure if necessary and then select **Next** + +13. On the **Assignments** tab: + + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the disable hibernation policy should be deployed to + 3. Select **Select** + 4. Select **Next** + +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** ## See also - [Personal Data Encryption (PDE)](overview-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 54c375e13b..24c2d69d39 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md 
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -25,13 +25,13 @@ ms.date: 12/07/2022 ## Prerequisites -### **Required** +### Required - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) - Windows 11, version 22H2 and later Enterprise and Education editions -### **Not supported with PDE** +### Not supported with PDE - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) @@ -40,7 +40,7 @@ ms.date: 12/07/2022 - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections -### **Security hardening recommendations** +### Security hardening recommendations - [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) 
@@ -55,9 +55,28 @@ ms.date: 12/07/2022 Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). - [Disable allowing users to select when a password is required when resuming from connected standby](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy is not configured on-premises Active Directory joined devices. However, this policy is enabled by default on Azure AD joined devices. For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). -### **Highly recommended** + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + + - On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + + - Workgroup devices, including native Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome. 
+ + Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices. + + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + +### Highly recommended - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled 
@@ -120,14 +139,14 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption ## Differences between PDE and BitLocker -PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. This is why using them together offers better security. +PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security. | Item | PDE | BitLocker | |--|--|--| | Release of decryption key | At user sign-in via Windows Hello for Business | At boot | | Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | | Files protected | Individual specified files | Entire volume/drive | -| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign in | +| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | ## Differences between PDE and EFS 
@@ -143,7 +162,7 @@ For PDE protected files, under **Protection status:** there will be an item list For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used to protect the file can be obtained with the command line [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. +Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. ## Disable PDE and decrypt files @@ -161,18 +180,24 @@ Disabling PDE doesn't decrypt any PDE protected files. It only prevents the PDE 3. Uncheck the option **Encrypt contents to secure data** 4. Select **OK**, and then **OK** again -PDE protected files can also be decrypted using [`cipher.exe`](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: +PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: - Decrypting a large number of files on a device - Decrypting files on a large number of devices. To decrypt files on a device using `cipher.exe`: -- Decrypt all files under a directory including subdirectories:
- `cipher.exe /d /s:**` +- Decrypt all files under a directory including subdirectories: -- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
- `cipher.exe /d **` + ```cmd + cipher.exe /d /s: + ``` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: + + ```cmd + cipher.exe /d + ``` > [!IMPORTANT] > Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. From dbf58834cb91ecc961afca5c6b01c7200ffb2f52 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 7 Dec 2022 19:33:03 -0500 Subject: [PATCH 03/19] PDE Updates Post Release 3 --- .../configure-pde-in-intune.md | 87 ++++++++++--------- .../personal-data-encryption/overview-pde.md | 4 +- 2 files changed, 46 insertions(+), 45 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 2f25906802..1ed273ae37 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -33,16 +33,16 @@ ms.date: 12/07/2022 6. Under **Template name**, select **Custom**, and then select **Create** -7. On the **Basics** tab: +7. In **Basics**: 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 8. Select **Next** -9. On the **Configuration settings** tab, select **Add** +9. In **Configuration settings**, select **Add** -10. In the **Add Row** window: +10. In **Add Row**: 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 
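Review bot: the new section "Disable allowing users to select when a password is required when resuming from connected standby" is a copy of the "Disable hibernation" procedure and still configures hibernation: step 6 names the profile "Disable Hibernation", step 9 opens the "Power" category, and steps 10 and 11 select "Allow Hibernate" and set it to "Block". An admin following it creates a second hibernation profile and leaves the connected standby setting untouched. The steps should browse to Administrative Templates > System > Logon, select "Allow users to select when a password is required when resuming from connected standby" and deploy it as Disabled, and the profile name and the group description in step 13 should match the section title.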
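Review bot: the unchanged line at the top of this hunk, "For information on disabling crash dumbs via Intune, see [Disable hibernation]", sits under the hibernation bullet and is a copy of the crash dump sentence; it should read "disabling hibernation". In the added text, "device´s" (twice) uses an acute accent in place of an apostrophe, and the bullet switches between "Azure Active Directory joined" and "Azure AD joined"; use one form. Describing Azure AD joined devices as "workgroup devices" will confuse admins; the distinction the policy makes is on-premises domain joined versus not, so "devices not joined to an on-premises Active Directory domain, including Azure AD joined devices" is more accurate. The "could potentially be exposed" sentence would land harder if it said why: the table on this page has PDE discarding keys one minute after the lock screen engages, so if the screen turns off without the device locking, the keys are never discarded and the files stay readable for as long as the user's chosen delay allows.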
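Review bot: moving the commands into `cmd` fences removes the stray bold markers, but the argument is still missing: the fenced lines are `cipher.exe /d /s:` and `cipher.exe /d` with nothing after the switch. Inside a fence angle brackets need no escaping, so `cipher.exe /d /s:<directory>` and `cipher.exe /d <file or directory>` can be written literally, which also makes the difference between the two bullets visible to the reader.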
@@ -52,16 +52,16 @@ ms.date: 12/07/2022 11. Select **Save**, and then select **Next** -12. On the **Assignments** tab: +12. In **Assignments**: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the PDE policy should be deployed to 3. Select **Select** 4. Select **Next** -13. On the **Applicability Rules** tab, configure if necessary and then select **Next** +13. In **Applicability Rules**, configure if necessary and then select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ### Disable Winlogon automatic restart sign-on (ARSO) @@ -77,14 +77,14 @@ ms.date: 12/07/2022 6. Under **Template name**, select **Administrative templates**, and then select **Create** -7. On the **Basics** tab: +7. In **Basics**: 1. Next to **Name**, enter **Disable ARSO** 2. Next to **Description**, enter a description 8. Select **Next** -9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** +9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** 10. Select **Sign-in and lock last interactive user automatically after a restart** 
@@ -92,16 +92,16 @@ ms.date: 12/07/2022 12. Select **Next** -13. On the **Scope tags** tab, configure if necessary and then select **Next** +13. In **Scope tags**, configure if necessary and then select **Next** -14. On the **Assignments** tab: +14. In **Assignments**: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the ARSO policy should be deployed to 3. Select **Select** 4. Select **Next** -15. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ## Security hardening recommendations 
@@ -117,31 +117,31 @@ ms.date: 12/07/2022 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the **Basics** tab: +6. In **Basics**: 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 2. Next to **Description**, enter a description 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** +8. In **Configuration settings**, select **Add settings** -9. In the **Settings picker** windows, select **Memory Dump** +9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** -10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** +12. In **Scope tags**, configure if necessary and then select **Next** -13. On the **Assignments** tab: +13. In **Assignments**: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the disable crash dumps policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps 
@@ -155,31 +155,31 @@ ms.date: 12/07/2022 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the **Basics** tab: +6. In **Basics**: 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** 2. Next to **Description**, enter a description 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** +8. In **Configuration settings**, select **Add settings** -9. In the **Settings picker** windows, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** -10. When the settings appear in the lower pane, under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window -11. Change both **Disable Windows Error Reporting** to **Enabled**, and then select **Next** +11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** +12. In **Scope tags**, configure if necessary and then select **Next** -13. On the **Assignments** tab: +13. In **Assignments**: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the disable WER dumps policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +14. 
In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ### Disable hibernation @@ -193,31 +193,31 @@ ms.date: 12/07/2022 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the **Basics** tab: +6. In **Basics**: 1. Next to **Name**, enter **Disable Hibernation** 2. Next to **Description**, enter a description 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** +8. In **Configuration settings**, select **Add settings** -9. In the **Settings picker** windows, select **Power** +9. In the **Settings picker** window, under **Browse by category**, select **Power** -10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 11. Change **Allow Hibernate** to **Block**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** +12. In **Scope tags**, configure if necessary and then select **Next** -13. On the **Assignments** tab: +13. In **Assignments**: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the disable hibernation policy should be deployed to 3. Select **Select** 4. Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** ### Disable allowing users to select when a password is required when resuming from connected standby 
@@ -231,31 +231,32 @@ ms.date: 12/07/2022 5. Under **Profile type**, select **Settings catalog**, and then select **Create** -6. On the **Basics** tab: +6. In **Basics**: - 1. Next to **Name**, enter **Disable Hibernation** + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** 2. Next to **Description**, enter a description 7. Select **Next** -8. On the **Configuration settings** tab, select **Add settings** +8. In **Configuration settings**, select **Add settings** -9. In the **Settings picker** windows, select **Power** +9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** -10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window -11. Change **Allow Hibernate** to **Block**, and then select **Next** +11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** -12. On the **Scope tags** tab, configure if necessary and then select **Next** +12. In **Scope tags**, configure if necessary and then select **Next** -13. On the **Assignments** tab: +13. In **Assignments**: 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable hibernation policy should be deployed to + 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to 3. Select **Select** 4. 
Select **Next** -14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** +14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** + ## See also - [Personal Data Encryption (PDE)](overview-pde.md) diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 24c2d69d39..0c628956e8 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -54,7 +54,7 @@ ms.date: 12/07/2022 Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). -- [Disable allowing users to select when a password is required when resuming from connected standby](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) +- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: 
@@ -72,7 +72,7 @@ ms.date: 12/07/2022 - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome. - Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices. + Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). From 7edf5d8aeb4ec77769351c01fdb60d145d98c6aa Mon Sep 17 00:00:00 2001 From: robinharwood <19212983+robinharwood@users.noreply.github.com> Date: Tue, 6 Dec 2022 14:26:21 +0000 Subject: [PATCH 04/19] Updated privacy text to reference Azure Edition changes --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 ++ .../configure-windows-diagnostic-data-in-your-organization.md | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 48eab123cc..c06da47c28 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
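Review bot: step 11, "Make sure that ... is left at the default of Disabled", can be read as "leave the policy unconfigured", which is the state the overview page warns against. Say that once the setting has been added to the profile its toggle shows Disabled, and that this deploys the policy as explicitly Disabled rather than Not configured, so the reader knows the step is doing something. In step 13, "the disable Allow users to select when a password is required when resuming from connected standby policy" needs quotation marks around the setting name or a shorter reference such as "this policy". With steps 6, 9, 10 and 11 corrected the section no longer duplicates the hibernation procedure.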
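Review bot: the unchanged context line "For information on disabling crash dumbs via Intune, see [Disable hibernation]" is still wrong after a third revision of this bullet; it should say "disabling hibernation". The renamed bullet "Allowing users to select when a password is required when resuming from connected standby disabled" now matches the noun-first form of the other hardening bullets such as "Kernel-mode crash dumps and live dumps disabled", which is the right call.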
@@ -30,6 +30,8 @@ In Windows 10, version 1903 and later, you'll see taxonomy updates in both the * Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. +Prior to December 7 2022, the default setting for Windows Server 2022 Datacenter: Azure Edition images deployed using Azure Marketplace was **Diagnostic data off**. Beginning December 7 2022, all newly deployed images are set to **Required diagnostic data** to align with all other Windows releases. All other Windows releases and existing installations remain unchanged. + ## Taxonomy changes Starting in Windows 10, version 1903 and later, both the **Out-of-Box-Experience** (OOBE) and the **Diagnostics & feedback** privacy setting pages will reflect the following changes: diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 4e4656fc55..87b36690fb 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -164,6 +164,8 @@ Here’s a summary of the types of data that is included with each setting: This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure. +This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 7, 2022. + >[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. @@ -171,7 +173,7 @@ This setting was previously labeled as **Security**. When you configure this set Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. -This is the default setting for current releases of Windows, Windows 10, version 1903. +This is the default setting for current releases of Windows, Windows 10, version 1903. Beginning December 7, 2022, it is also the default setting for Windows Server 2022 Datacenter: Azure Edition. Required diagnostic data includes: From 4cf11ed29aed77a8473759ec35f366155729b0b1 Mon Sep 17 00:00:00 2001 
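Review bot: the cutover date is hard-coded four times across two files (twice in this paragraph, twice in configure-windows-diagnostic-data-in-your-organization.md), which is why the follow-up "Updated Azure Edition dates" patch has to touch all of them; if the date could still move, state it once and have the other file link here. Also "December 7 2022" should be "December 7, 2022" to match the other file, and the second sentence should keep the scope, "all newly deployed Azure Marketplace images", so "all newly deployed images" is not read as every Windows Server 2022 Datacenter: Azure Edition install.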
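Review bot: "This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 7, 2022" drops the qualifier the other file carries; it was the default for images deployed from Azure Marketplace, and existing installations were left unchanged, so add "for Azure Marketplace images" here as well. A reader of this file alone otherwise concludes that every Azure Edition server shipped with diagnostic data off.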
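Review bot: the sentence being extended, "This is the default setting for current releases of Windows, Windows 10, version 1903.", is already garbled (it should read along the lines of "Windows 10, version 1903 and later"); since the line is rewritten in this hunk, fix it at the same time rather than appending to a broken sentence. The added clause also needs the Azure Marketplace qualifier used in changes-to-windows-diagnostic-data-collection.md.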
From: robinharwood <19212983+robinharwood@users.noreply.github.com> Date: Fri, 9 Dec 2022 10:00:34 +0000 Subject: [PATCH 05/19] Updated Azure Edition dates --- .../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +- .../configure-windows-diagnostic-data-in-your-organization.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index c06da47c28..34066bed6d 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -30,7 +30,7 @@ In Windows 10, version 1903 and later, you'll see taxonomy updates in both the * Additionally, starting in Windows 11 and Windows Server 2022, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. We’re also clarifying the Security diagnostic data level to reflect its behavior more accurately by changing it to **Diagnostic data off**. All these changes are explained in the section named **Behavioral changes**. -Prior to December 7 2022, the default setting for Windows Server 2022 Datacenter: Azure Edition images deployed using Azure Marketplace was **Diagnostic data off**. Beginning December 7 2022, all newly deployed images are set to **Required diagnostic data** to align with all other Windows releases. All other Windows releases and existing installations remain unchanged. +Prior to December 13 2022, the default setting for Windows Server 2022 Datacenter: Azure Edition images deployed using Azure Marketplace was **Diagnostic data off**. Beginning December 13 2022, all newly deployed images are set to **Required diagnostic data** to align with all other Windows releases. All other Windows releases and existing installations remain unchanged. ## Taxonomy changes 
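Review bot: The date bump in changes-to-windows-diagnostic-data-collection.md keeps the comma-less "December 13 2022" (twice) while the two hunks for configure-windows-diagnostic-data-in-your-organization.md in this same patch use "December 13, 2022"; since this patch already touches all three sentences, normalize the date format in the same change rather than leaving the inconsistency for a later pass.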
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 87b36690fb..ac1febdc26 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -164,7 +164,7 @@ Here’s a summary of the types of data that is included with each setting: This setting was previously labeled as **Security**. When you configure this setting, no Windows diagnostic data is sent from your device. This is only available on Windows Server, Windows Enterprise, and Windows Education editions. If you choose this setting, devices in your organization will still be secure. -This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 7, 2022. +This was the default setting for Windows Server 2022 Datacenter: Azure Edition prior to December 13, 2022. >[!NOTE] > If your organization relies on Windows Update, the minimum recommended setting is **Required diagnostic data**. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. 
@@ -173,7 +173,7 @@ This was the default setting for Windows Server 2022 Datacenter: Azure Edition p Required diagnostic data, previously labeled as **Basic**, gathers a limited set of data that’s critical for understanding the device and its configuration. This data helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. -This is the default setting for current releases of Windows, Windows 10, version 1903. Beginning December 7, 2022, it is also the default setting for Windows Server 2022 Datacenter: Azure Edition. +This is the default setting for current releases of Windows, Windows 10, version 1903. Beginning December 13, 2022, it is also the default setting for Windows Server 2022 Datacenter: Azure Edition. Required diagnostic data includes: From 17c23d00f99bcffb9677069765cbb32eee7ef74a Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:11:38 -0500 Subject: [PATCH 06/19] Update 2 CSPs --- .../mdm/policy-csp-clouddesktop.md | 9 +++-- .../mdm/policy-csp-windowslogon.md | 38 +++++++++++++++++-- 2 files changed, 41 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index c0907eacb8..28e62cff3d 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/22/2022 +ms.date: 12/09/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -36,7 +36,11 @@ ms.topic: reference -This policy is used by IT admin to set the configuration mode of cloud PC. + +This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well. +This policy supports the below options: +1. Not Configured: Machine will not trigger the Cloud PC connection automatically. +2. Enable Boot to Cloud Desktop: User will see that configured Cloud PC Provider application gets launched automatically once the sign-in operation finishes they seamlessly gets connected to a Cloud PC that is provisioned. @@ -51,7 +55,6 @@ This policy is used by IT admin to set the configuration mode of cloud PC. | Format | int | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | -| Dependency [OverrideShellProgramDependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 33e709f97a..ccfd17f1ae 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 11/29/2022 +ms.date: 12/09/2022 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -43,6 +43,7 @@ ms.topic: reference + This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot. This only occurs if the last interactive user didn’t sign out before the restart or shutdown.​ @@ -70,6 +71,9 @@ If you disable this policy setting, the device does not configure automatic sign +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -105,6 +109,7 @@ If you disable this policy setting, the device does not configure automatic sign + This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: 
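Review bot: In the CloudDesktop BootToCloudMode hunk the `Dependency [OverrideShellProgramDependencyGroup]` row (DependsOn `Device/Vendor/MSFT/Policy/Config/WindowsLogon/OverrideShellProgram`, allowed value `[1]`) is removed, yet the new description still states "For successful use of this policy, OverrideShellProgram policy needs to be configured as well", and the same patch adds the mirror-image row to OverrideShellProgram (DependsOn `CloudDesktop/BootToCloudMode`). The prose and the tables now describe the dependency in opposite directions; confirm which policy actually depends on which and make the description and the Dependency row agree. Separately, the new first sentence says "This policy allows the user to configure the boot to cloud mode" while the replaced line said it is set by the IT admin; if the admin is still the audience, say so, and replace "(eg: Win365)" with "(for example, Windows 365)".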
@@ -132,6 +137,9 @@ If you disable or don’t configure this setting, automatic sign on will default +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -166,6 +174,7 @@ If you disable or don’t configure this setting, automatic sign on will default + This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. @@ -187,6 +196,9 @@ If you disable or do not configure this policy setting, users can choose which a +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -222,6 +234,7 @@ If you disable or do not configure this policy setting, users can choose which a + This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. @@ -243,6 +256,9 @@ If you disable or don't configure this policy setting, any user can disconnect t +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | 
@@ -304,7 +320,8 @@ Here's an example to enable this policy: -This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. + +This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. @@ -374,6 +391,7 @@ Note: The first sign-in animation will not be shown on Server, so this policy wi + This policy controls the configuration under which winlogon sends MPR notifications in the system. If you enable this setting or do not configure it, winlogon sends MPR notifications if a credential manager is configured. @@ -395,6 +413,9 @@ If you disable this setting, winlogon does not send MPR notifications. +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -430,6 +451,7 @@ If you disable this setting, winlogon does not send MPR notifications. + This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. 
@@ -451,6 +473,9 @@ If you disable or do not configure this policy setting, the Logon UI will not en +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + **ADMX mapping**: | Name | Value | @@ -486,6 +511,7 @@ If you disable or do not configure this policy setting, the Logon UI will not en + This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. @@ -554,7 +580,12 @@ If you disable or do not configure this policy setting, the Switch User interfac -This policy is used by IT admin to override the registry based shell program. + +OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. +The policy currently supports below options: +1. Not Configured: Default shell will be launched. +2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. +If you disable or do not configure this policy setting, then the default shell will be launched. 
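Review bot: In the OverrideShellProgram hunk the numbered list ("1. Not Configured ... 2. Apply Lightweight Shell ...") follows "The policy currently supports below options:" with no blank line, so Markdown renders it as a continuation of the paragraph rather than as a list; add a blank line before the list and before the closing "If you disable or do not configure" sentence. The description also never says which integer selects each option even though the table below keeps `Default Value | 0` and `Format | int`; state the value next to each option label. Minor wording: "consumes limited resources over default shell" should read "than the default shell", and "supports below options" should read "supports the following options".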
@@ -569,6 +600,7 @@ This policy is used by IT admin to override the registry based shell program. | Format | int | | Access Type | Add, Delete, Get, Replace | | Default Value | 0 | +| Dependency [BootToCloudModeDependencyGroup] | Dependency Type: `DependsOn`
Dependency URI: `Device/Vendor/MSFT/Policy/Config/CloudDesktop/BootToCloudMode`
Dependency Allowed Value: `[1]`
Dependency Allowed Value Type: `Range`
| From 4e2d62260ad48c35e30265cdaa3d9f49ae8163a2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:25:24 -0500 Subject: [PATCH 07/19] Minor changes --- windows/client-management/mdm/policy-csp-clouddesktop.md | 2 ++ windows/client-management/mdm/policy-csp-windowslogon.md | 3 +++ 2 files changed, 5 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index 28e62cff3d..b150214dd9 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -38,7 +38,9 @@ ms.topic: reference This policy allows the user to configure the boot to cloud mode. Boot to Cloud mode enables users to seamlessly sign-in to a Cloud PC that is provisioned for them by an IT Admin. For using boot to cloud mode, users need to install and configure a Cloud Provider application (eg: Win365) on their PC and need to have a Cloud PC provisioned to them. For successful use of this policy, OverrideShellProgram policy needs to be configured as well. + This policy supports the below options: + 1. Not Configured: Machine will not trigger the Cloud PC connection automatically. 2. Enable Boot to Cloud Desktop: User will see that configured Cloud PC Provider application gets launched automatically once the sign-in operation finishes they seamlessly gets connected to a Cloud PC that is provisioned. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index ccfd17f1ae..15d68c57a4 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md 
@@ -582,9 +582,12 @@ If you disable or do not configure this policy setting, the Switch User interfac OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. + The policy currently supports below options: + 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell does not have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. + If you disable or do not configure this policy setting, then the default shell will be launched. From 87d1b3268cd96cb9581c63fb7b70a2ba284da4a6 Mon Sep 17 00:00:00 2001 
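Review bot: The added blank lines fix the list rendering in both files, but option 2 in the CloudDesktop hunk is still a run-on: "User will see that configured Cloud PC Provider application gets launched automatically once the sign-in operation finishes they seamlessly gets connected to a Cloud PC that is provisioned." Suggest: "After sign-in completes, the configured Cloud PC provider application launches automatically and connects the user to the Cloud PC provisioned for them." Both descriptions also still omit the integer value that selects each option; since this patch is already editing those lists, add the value beside each label.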
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:59:27 -0500 Subject: [PATCH 08/19] Updating reviewer in VAMT docs --- .../volume-activation/activate-forest-by-proxy-vamt.md | 1 + windows/deployment/volume-activation/activate-forest-vamt.md | 1 + ...ctivate-using-active-directory-based-activation-client.md | 4 +++- .../activate-using-key-management-service-vamt.md | 5 ++++- .../volume-activation/activate-windows-10-clients-vamt.md | 3 ++- .../active-directory-based-activation-overview.md | 1 + .../deployment/volume-activation/add-manage-products-vamt.md | 1 + .../volume-activation/add-remove-computers-vamt.md | 1 + .../volume-activation/add-remove-product-key-vamt.md | 1 + ...information-sent-to-microsoft-during-activation-client.md | 3 ++- .../volume-activation/configure-client-computers-vamt.md | 1 + .../deployment/volume-activation/import-export-vamt-data.md | 1 + .../deployment/volume-activation/install-configure-vamt.md | 1 + .../volume-activation/install-kms-client-key-vamt.md | 1 + .../deployment/volume-activation/install-product-key-vamt.md | 1 + windows/deployment/volume-activation/install-vamt.md | 2 ++ windows/deployment/volume-activation/introduction-vamt.md | 1 + windows/deployment/volume-activation/kms-activation-vamt.md | 1 + .../deployment/volume-activation/local-reactivation-vamt.md | 1 + .../deployment/volume-activation/manage-activations-vamt.md | 1 + .../deployment/volume-activation/manage-product-keys-vamt.md | 1 + windows/deployment/volume-activation/manage-vamt-data.md | 1 + .../volume-activation/monitor-activation-client.md | 3 ++- .../deployment/volume-activation/online-activation-vamt.md | 1 + .../volume-activation/plan-for-volume-activation-client.md | 3 ++- .../deployment/volume-activation/proxy-activation-vamt.md | 1 + windows/deployment/volume-activation/remove-products-vamt.md | 1 + .../volume-activation/scenario-kms-activation-vamt.md | 1 + 
.../volume-activation/scenario-online-activation-vamt.md | 1 + .../volume-activation/scenario-proxy-activation-vamt.md | 1 + .../volume-activation/update-product-status-vamt.md | 1 + .../use-the-volume-activation-management-tool-client.md | 3 ++- .../volume-activation/use-vamt-in-windows-powershell.md | 1 + windows/deployment/volume-activation/vamt-known-issues.md | 1 + windows/deployment/volume-activation/vamt-requirements.md | 1 + windows/deployment/volume-activation/vamt-step-by-step.md | 1 + .../volume-activation/volume-activation-management-tool.md | 2 ++ .../volume-activation/volume-activation-windows-10.md | 3 ++- 38 files changed, 51 insertions(+), 8 deletions(-) diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index b5ccb893f4..b00e515b54 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -2,6 +2,7 @@ title: Activate by Proxy an Active Directory Forest (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate by proxy an Active Directory (AD) forest. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 70940f40ec..dc8833d2f8 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md 
@@ -2,6 +2,7 @@ title: Activate an Active Directory Forest Online (Windows 10) description: Use the Volume Activation Management Tool (VAMT) Active Directory-Based Activation (ADBA) function to activate an Active Directory (AD) forest online. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 3892da1105..73f32edf78 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,6 +1,8 @@ --- title: Activate using Active Directory-based activation description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. +ms.reviewer: + - nganguly manager: aaroncz author: frankroj ms.author: frankroj @@ -14,7 +16,7 @@ ms.collection: highpri # Activate using Active Directory-based activation -*Applies to:* +**Applies to:** - Windows - Windows Server diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index e136dd82b5..0e54567f4c 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -1,5 +1,8 @@ --- title: Activate using Key Management Service (Windows 10) +description: Learn how to use Key Management Service (KMS) to activate Windows. +ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj description: How to activate using Key Management Service in Windows 10. 
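Review bot: The hunk for activate-using-key-management-service-vamt.md adds `description: Learn how to use Key Management Service (KMS) to activate Windows.` while the front matter already carries `description: How to activate using Key Management Service in Windows 10.` two lines further down (visible as trailing context); that leaves a duplicate `description` key in the YAML block, which is invalid YAML for strict parsers and at best makes the winning value parser-dependent. Keep one of the two, or replace the existing value in place instead of inserting a second key. Also, across this patch `ms.reviewer` is written as a YAML sequence (`ms.reviewer:` followed by `- nganguly`); with a single reviewer the scalar `ms.reviewer: nganguly` is simpler, so confirm the metadata schema expects a list here before switching every file to the sequence form.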
@@ -14,7 +17,7 @@ ms.technology: itpro-fundamentals # Activate using Key Management Service -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index 9be66de526..3166add837 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md @@ -2,6 +2,7 @@ title: Activate clients running Windows 10 (Windows 10) description: After you have configured Key Management Service (KMS) or Active Directory-based activation on your network, activating a client running Windows 10 is easy. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -14,7 +15,7 @@ ms.technology: itpro-fundamentals # Activate clients running Windows 10 -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index 0fb8970234..48855f3afa 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -2,6 +2,7 @@ title: Active Directory-Based Activation Overview (Windows 10) description: Enable your enterprise to activate its computers through a connection to their domain using Active Directory-Based Activation (ADBA). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index 5f9bfce03d..53a1f70b1b 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md 
+++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -2,6 +2,7 @@ title: Add and Manage Products (Windows 10) description: Add client computers into the Volume Activation Management Tool (VAMT). After you add the computers, you can manage the products that are installed on your network. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 95bad2b880..55297e1791 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -2,6 +2,7 @@ title: Add and Remove Computers (Windows 10) description: The Discover products function on the Volume Activation Management Tool (VAMT) allows you to search the Active Directory domain or a general LDAP query. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index 0e37c178fc..5fa51a1c12 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -2,6 +2,7 @@ title: Add and Remove a Product Key (Windows 10) description: Add a product key to the Volume Activation Management Tool (VAMT) database. Also, learn how to remove the key from the database. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index bb61a1db81..0aa4fe2fb3 100644 
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -2,6 +2,7 @@ title: Appendix Information sent to Microsoft during activation (Windows 10) description: Learn about the information sent to Microsoft during activation. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj author: frankroj @@ -14,7 +15,7 @@ ms.topic: article # Appendix: Information sent to Microsoft during activation -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index 382a9b53d3..189f8488ed 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -2,6 +2,7 @@ title: Configure Client Computers (Windows 10) description: Learn how to configure client computers to enable the Volume Activation Management Tool (VAMT) to function correctly. ms.reviewer: + - nganguly manager: aaroncz author: frankroj ms.author: frankroj diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index 7a5aaa426b..63e839c6dd 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -2,6 +2,7 @@ title: Import and export VAMT data description: Learn how to use the VAMT to import product-activation data from a file into SQL Server. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index b468f34546..833bc9a283 100644 
--- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -2,6 +2,7 @@ title: Install and Configure VAMT (Windows 10) description: Learn how to install and configure the Volume Activation Management Tool (VAMT), and learn where to find information about the process. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index eb28f3ff3a..ed311b84f5 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -2,6 +2,7 @@ title: Install a KMS Client Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install Generic Volume License Key (GVLK), or KMS client, product keys. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index 350971254b..00ea59707d 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -2,6 +2,7 @@ title: Install a Product Key (Windows 10) description: Learn to use the Volume Activation Management Tool (VAMT) to install retail, Multiple Activation Key (MAK), and KMS Host key (CSVLK). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 8cb4d09f92..1ea051c4fe 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md 
@@ -1,6 +1,8 @@ --- title: Install VAMT (Windows 10) description: Learn how to install Volume Activation Management Tool (VAMT) as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10. +ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 292a9965b1..1d5ba5f37c 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -2,6 +2,7 @@ title: Introduction to VAMT (Windows 10) description: VAMT enables administrators to automate and centrally manage the Windows, Microsoft Office, and select other Microsoft products volume and retail activation process. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index 6cb46bb913..348a87ba6b 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -2,6 +2,7 @@ title: Perform KMS Activation (Windows 10) description: The Volume Activation Management Tool (VAMT) can be used to perform volume activation using the Key Management Service (KMS). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index e761c3c2f5..e189dd781a 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md 
@@ -2,6 +2,7 @@ title: Perform Local Reactivation (Windows 10) description: An initially activated a computer using scenarios like MAK, retail, or CSLVK (KMS host), can be reactivated with Volume Activation Management Tool (VAMT). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index 80263f739c..17dfa9af6d 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -2,6 +2,7 @@ title: Manage Activations (Windows 10) description: Learn how to manage activations and how to activate a client computer by using various activation methods. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index 423133a3b4..2b9594e4f6 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -2,6 +2,7 @@ title: Manage Product Keys (Windows 10) description: In this article, learn how to add and remove a product key from the Volume Activation Management Tool (VAMT). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 5d61f42b3b..d2499a44f3 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md 
@@ -2,6 +2,7 @@ title: Manage VAMT Data (Windows 10) description: Learn how to save, import, export, and merge a Computer Information List (CILX) file using the Volume Activation Management Tool (VAMT). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/monitor-activation-client.md b/windows/deployment/volume-activation/monitor-activation-client.md index d811b9bb87..7205e81894 100644 --- a/windows/deployment/volume-activation/monitor-activation-client.md +++ b/windows/deployment/volume-activation/monitor-activation-client.md @@ -1,6 +1,7 @@ --- title: Monitor activation (Windows 10) ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj description: Understand the most common methods to monitor the success of the activation process for a computer running Windows. @@ -14,7 +15,7 @@ ms.date: 11/07/2022 # Monitor activation -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 4e3c76dae1..f1dcda98ce 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -2,6 +2,7 @@ title: Perform Online Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to enable client products to be activated online. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index 43a1c717d5..97cdedeb4f 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md 
@@ -2,6 +2,7 @@ title: Plan for volume activation (Windows 10) description: Product activation is the process of validating software with the manufacturer after it has been installed on a specific computer. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -14,7 +15,7 @@ ms.date: 11/07/2022 # Plan for volume activation -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index 65f7e79d8d..2410bc8ba2 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -2,6 +2,7 @@ title: Perform Proxy Activation (Windows 10) description: Perform proxy activation by using the Volume Activation Management Tool (VAMT) to activate client computers that don't have Internet access. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index 231f5081c2..b8118e73e2 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -2,6 +2,7 @@ title: Remove Products (Windows 10) description: Learn how you must delete products from the product list view so you can remove products from the Volume Activation Management Tool (VAMT). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 2985a6bc04..85a3fe5222 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md 
@@ -2,6 +2,7 @@ title: Scenario 3 KMS Client Activation (Windows 10) description: Learn how to use the Volume Activation Management Tool (VAMT) to activate Key Management Service (KMS) client keys or Generic Volume License Keys (GVLKs). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index 68ca97def3..c234aa5c7d 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -2,6 +2,7 @@ title: Scenario 1 Online Activation (Windows 10) description: Achieve network access by deploying the Volume Activation Management Tool (VAMT) in a Core Network environment. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index ccb63b5311..223ef377b2 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md @@ -2,6 +2,7 @@ title: Scenario 2 Proxy Activation (Windows 10) description: Use the Volume Activation Management Tool (VAMT) to activate products that are installed on workgroup computers in an isolated lab environment. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index eb5553920d..be82deed6b 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md 
@@ -2,6 +2,7 @@ title: Update Product Status (Windows 10) description: Learn how to use the Update license status function to add the products that are installed on the computers. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index b733a5046e..a381b30b76 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -2,6 +2,7 @@ title: Use the Volume Activation Management Tool (Windows 10) description: The Volume Activation Management Tool (VAMT) provides several useful features, including the ability to track and monitor several types of product keys. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -14,7 +15,7 @@ ms.technology: itpro-fundamentals # Use the Volume Activation Management Tool -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 71e97c1a03..e965f4be1c 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -2,6 +2,7 @@ title: Use VAMT in Windows PowerShell (Windows 10) description: Learn how to use Volume Activation Management Tool (VAMT) PowerShell cmdlets to perform the same functions as the Vamt.exe command-line tool. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 0507f060c7..4c29fd57a4 100644 
--- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -2,6 +2,7 @@ title: VAMT known issues (Windows 10) description: Find out the current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index a304218987..47e54481c4 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -2,6 +2,7 @@ title: VAMT Requirements (Windows 10) description: In this article, learn about the product key and system requierements for Volume Activation Management Tool (VAMT). ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 880a8cf474..2378579069 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -2,6 +2,7 @@ title: VAMT Step-by-Step Scenarios (Windows 10) description: Learn step-by-step instructions on implementing the Volume Activation Management Tool (VAMT) in typical environments. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 9771f187cd..d767dbeb7b 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md 
@@ -1,6 +1,8 @@ --- title: VAMT technical reference description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation. +ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 3cc524e10f..3bc4621e7a 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -2,6 +2,7 @@ title: Volume Activation for Windows 10 description: Learn how to use volume activation to deploy & activate Windows 10. Includes details for orgs that have used volume activation for earlier versions of Windows. ms.reviewer: + - nganguly manager: aaroncz ms.author: frankroj ms.prod: windows-client @@ -14,7 +15,7 @@ ms.technology: itpro-fundamentals # Volume Activation for Windows 10 -*Applies to:* +**Applies to:** - Windows 10 - Windows 8.1 From 0ebb6cdefb67e2eeb9a3ddc90e60de1937c1daeb Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Fri, 9 Dec 2022 17:14:06 -0500 Subject: [PATCH 09/19] Updating reviewer in VAMT docs 2 --- .../activate-using-key-management-service-vamt.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 0e54567f4c..c9d04453fb 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md 
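Review bot: the reviewer metadata is added inconsistently across this batch, and two typos in the touched front matter go unfixed. install-vamt.md and volume-activation-management-tool.md receive a new `ms.reviewer:` key plus `- nganguly`, while every other file only gets the `- nganguly` item under an existing empty `ms.reviewer:`; that is fine, but confirm the two new keys are not duplicating an `ms.reviewer:` further down in those files. While editing these headers, the context lines show `system requierements` in vamt-requirements.md and `An initially activated a computer using scenarios like` in local-reactivation-vamt.md; both are one-word fixes worth folding into the same change. The `*Applies to:*` to `**Applies to:**` change is applied only to the four files where the heading block was touched; the remaining VAMT pages in this diff are not shown past their front matter, so check them for the same italic form.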
@@ -5,7 +5,6 @@ ms.reviewer: - nganguly manager: aaroncz ms.author: frankroj -description: How to activate using Key Management Service in Windows 10. ms.prod: windows-client author: frankroj ms.localizationpriority: medium From 2ffa9a76ae92d40fc1e657032f3d68e57fb95a16 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:49:22 -0500 Subject: [PATCH 10/19] Minor update --- windows/client-management/mdm/policy-csp-clouddesktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-clouddesktop.md b/windows/client-management/mdm/policy-csp-clouddesktop.md index b150214dd9..f8bcc48c1b 100644 --- a/windows/client-management/mdm/policy-csp-clouddesktop.md +++ b/windows/client-management/mdm/policy-csp-clouddesktop.md @@ -42,7 +42,7 @@ This policy allows the user to configure the boot to cloud mode. Boot to Cloud m This policy supports the below options: 1. Not Configured: Machine will not trigger the Cloud PC connection automatically. -2. Enable Boot to Cloud Desktop: User will see that configured Cloud PC Provider application gets launched automatically once the sign-in operation finishes they seamlessly gets connected to a Cloud PC that is provisioned. +2. Enable Boot to Cloud Desktop: The user will see that configured Cloud PC Provider application launches automatically. Once the sign-in operation finishes, the user is seamlessly connected to a provisioned Cloud PC. From 77ee9bf0e3eeb4354da9d73cd3518d7b0f0a4365 Mon Sep 17 00:00:00 2001 From: rlianmsft <112862018+rlianmsft@users.noreply.github.com> Date: Mon, 12 Dec 2022 08:24:13 +0000 Subject: [PATCH 11/19] Update windows-autopatch-wqu-reports-overview.md @tiaraquan - Corrected a couple of typos. --- .../operate/windows-autopatch-wqu-reports-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
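Review bot: the hunk in activate-using-key-management-service-vamt.md deletes the only `description:` line visible in the front matter; if this was meant to remove a duplicate key, the surviving `description:` is outside the shown context, so confirm one remains, since the docs build and search metadata expect it.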
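Review bot: in the policy-csp-clouddesktop.md hunk, the rewritten option 2 still drops an article: `The user will see that configured Cloud PC Provider application launches automatically` should read `the configured Cloud PC Provider application`. The split into two sentences otherwise reads correctly.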
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md index 739953b809..2e61770efe 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md @@ -98,9 +98,9 @@ Within each 24-hour reporting period, devices that are ineligible are updated wi | Low Connectivity | Devices must have a steady internet connection, and access to [Windows update endpoints](../prepare/windows-autopatch-configure-network.md). | | Out of Disk Space | Devices must have more than one GB (GigaBytes) of free storage space. | | Not Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | -| Not On Supported on Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Not On Supported Windows Edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | | Not On Supported Windows Build | Devices must be on a Windows build supported by Windows Autopatch. For more information, see [prerequisites](../prepare/windows-autopatch-prerequisites.md). | -| Intune Sync Older Than 5 Days | Devices must have checked with Intune within the last five days. | +| Intune Sync Older Than 5 Days | Devices must have checked in with Intune within the last five days. | ## Data export From ef7662fb1868ff47ca4587e5b8da4db1494e1a13 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 12 Dec 2022 08:16:35 -0800 Subject: [PATCH 12/19] Updates to roles and responsibilities. --- ...indows-autopatch-roles-responsibilities.md | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) 
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index b4cfe7780b..8f0a6a0e39 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -14,7 +14,7 @@ msreviewer: hathind # Roles and responsibilities -This article outlines your and Windows Autopatch's responsibilities when: +This article outlines your responsibilities and Windows Autopatch's responsibilities when: - [Preparing to enroll into the Windows Autopatch service](#prepare) - [Deploying the service](#deploy) 
@@ -25,8 +25,10 @@ This article outlines your and Windows Autopatch's responsibilities when: | Task | Your responsibility | Windows Autopatch | | ----- | :-----: | :-----: | | Review the [prerequisites](../prepare/windows-autopatch-prerequisites.md) | :heavy_check_mark: | :x: | +| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | +| [Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: | | [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: | | [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: | 
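Review bot: the new "Prepare to remove your devices" row opens with a stray `[` (`| [Prepare to remove your devices from existing unsupported [Windows update](...)`), which has no matching `]` and will break the rendering of the two links in that cell. Drop the leading bracket so the row begins `| Prepare to remove your devices ...`, matching the neighbouring unlinked task rows.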
@@ -39,13 +41,11 @@ This article outlines your and Windows Autopatch's responsibilities when: | [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: | | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: | | [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | -| [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | -| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | -| Resolve any conflicting and [unsupported Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365 policies](../references/windows-autopatch-microsoft-365-policies.md) | :heavy_check_mark: | :x: | +| Educate users on the Windows Autopatch end user update experience
  • [Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)
  • [Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)
  • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
  • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
| :heavy_check_mark: | :x: | +| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | -| [Run on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | | [Remediate devices displayed in the **Not registered** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | | [Populate the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | 
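Review bot: the "Educate users" row added to the Deploy table spreads one cell across several physical lines with `•` bullets, and the three `| :heavy_check_mark: | :x: |` cells end up on a separate line from the row's first cell. Markdown tables have no line breaks inside cells, so unless the site renderer special-cases this the row will not render as a single row; if the existing "Release updates" row in the Operate table renders correctly with the same layout, keep it for consistency, otherwise join the cell onto one line with `<br>` separators. Also note this row is moved from the Operate table (removed in a later hunk of this patch) rather than duplicated, which is the intended outcome.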
@@ -57,9 +57,14 @@ This article outlines your and Windows Autopatch's responsibilities when: | Task | Your responsibility | Windows Autopatch | | ----- | :-----: | :-----: | | [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: | +| [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | +| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | +| [Run on-going check to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | | [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | -| [Evaluate updates](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: | +| Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: | +| Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: | | [Define and implement release schedule](../operate/windows-autopatch-wqu-overview.md) | :x: | :heavy_check_mark: | +| Communicate the update [release schedule](../operate/windows-autopatch-wqu-communications.md) | :x: | :heavy_check_mark: | | Release updates (as scheduled)
  • [Windows quality updates](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases)
  • [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)
  • [Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)
  • [Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)
    • | :x: | :heavy_check_mark: | | [Release updates (expedited)](../operate/windows-autopatch-wqu-overview.md#expedited-releases) | :x: | :heavy_check_mark: | | [Deploy updates to devices](../operate/windows-autopatch-update-management.md) | :x: | :heavy_check_mark: | @@ -67,10 +72,11 @@ This article outlines your and Windows Autopatch's responsibilities when: | Review [update reports](../operate/windows-autopatch-wqu-reports-overview.md) | :heavy_check_mark: | :x: | | [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: | | [Pause updates (initiated by you)](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: | -| Educate users on the Windows Autopatch end user update experience
      • [Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)
      • [Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)
      • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
      • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
      | :heavy_check_mark: | :x: | -| [Device not up to date (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | -| [Ineligible Devices (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | -| [Raise, manage and resolve an incident if devices aren't meeting the Service Level Objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | +| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | +| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | +| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | +| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: | | [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: | | [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: | | [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: | 
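Review bot: two small points in the Operate table changes. The new row `Run on-going check to ensure devices are only present in one deployment ring` should use the plural `checks` to match `Run on-going post-registration device readiness checks` added in the following hunk. The unchanged context under "Release updates (as scheduled)" ends with an empty bullet (`• | :x: | :heavy_check_mark: |`) that renders as a dangling marker; it is pre-existing, but since this patch already restructures the surrounding rows it is worth removing here. The relabelled "Investigate ..." rows and the service-incident wording are clearer than the replaced versions.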
@@ -81,3 +87,4 @@ This article outlines your and Windows Autopatch's responsibilities when: | [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: | | [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: | | [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: | +| Review the [What’s new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: | From 7043ad939f300abdc2e4c207036b4d1a2b3836a4 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 12 Dec 2022 08:24:44 -0800 Subject: [PATCH 13/19] Tweak --- .../overview/windows-autopatch-roles-responsibilities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 8f0a6a0e39..8d876a312c 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
@@ -28,7 +28,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: | | Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | | Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: | -| [Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | +| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: | | [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: | | [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: | From d2d0af5e348d6ff17f7af5fdf4a7198ee085fb08 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 12 Dec 2022 08:44:34 -0800 Subject: [PATCH 14/19] Tweaks. --- .../overview/windows-autopatch-roles-responsibilities.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index 8d876a312c..cfe770a361 100644 
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md @@ -40,10 +40,10 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | ----- | :-----: | :-----: | | [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: | | [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: | -| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | Educate users on the Windows Autopatch end user update experience
      • [Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)
      • [Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)
      • [Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)
      • [Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)
      | :heavy_check_mark: | :x: | | Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | +| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | 
@@ -60,6 +60,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | | [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | | [Run on-going check to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | +| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | | [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | | Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: | | Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: | From f9d2b798dd7acb5241524f7859eaf3d9544ec3b0 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 12 Dec 2022 08:59:56 -0800 Subject: [PATCH 15/19] Tweak --- .../overview/windows-autopatch-roles-responsibilities.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index cfe770a361..ec8c9d7ece 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
@@ -1,7 +1,7 @@ --- title: Roles and responsibilities description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do -ms.date: 12/09/2022 +ms.date: 12/12/2022 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -59,8 +59,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Maintain contacts in the Microsoft Endpoint Manager admin center](../deploy/windows-autopatch-admin-contacts.md) | :heavy_check_mark: | :x: | | [Maintain and manage the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :x: | :heavy_check_mark: | | [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: | -| [Run on-going check to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | -| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | +| [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: | | [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: | | Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: | | Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: | 
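Review bot: the @@ -59,8 hunk removes the "Remediate devices displayed in the **Not ready** tab" row from the maintain table and the following @@ -74,6 hunk re-adds it to the operate table next to "Run on-going post-registration device readiness checks", which is the right neighbour, but the same row is still present in the deploy table (it is the unchanged last line of the @@ -40,10 hunk in the preceding diff for this file), so the duplication this commit is tidying up is not fully resolved. Either remove it from the deploy table as well, or, if both entries are intended, reword one of them so the reader can tell the pre-registration case from the post-registration one. The plural in `+| [Run on-going checks to ensure devices are only present in one deployment ring]` and the ms.date bump to 12/12/2022 are fine.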
@@ -74,6 +73,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: | | [Pause updates (initiated by you)](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: | | Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: | +| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | | Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: | | [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: | | [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: | From 391bd230de03ce2f72a905f5561ff9fd8f274457 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 12 Dec 2022 09:54:43 -0800 Subject: [PATCH 16/19] Update configure-pde-in-intune.md --- .../configure-pde-in-intune.md | 222 ++++-------------- 1 file changed, 41 insertions(+), 181 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 1ed273ae37..8153b55d0a 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -3,17 +3,16 @@ title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune author: frankroj ms.author: frankroj -ms.reviewer: rhonnegowda +ms.reviewer: rafals manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/07/2022 +ms.date: 09/22/2022 --- - # Configure Personal Data Encryption (PDE) policies in Intune 
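Review bot: this @@ -3,17 hunk moves `ms.date` backwards (`-ms.date: 12/07/2022` / `+ms.date: 09/22/2022`) and swaps `ms.reviewer` from rhonnegowda back to rafals in a commit dated 12 Dec 2022 whose subject is "Update configure-pde-in-intune.md"; together with the body hunk below, this is a revert of the 7 Dec "PDE Updates Post Release" change, not an update. If the revert is intentional, say so in the subject and still set ms.date to the current date, since the metadata date of a published page should never regress; if it is an accidental stale-branch push, drop this commit.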
@@ -21,243 +20,104 @@ ms.date: 12/07/2022 ### Enable Personal Data Encryption (PDE) -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - +1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** - 3. Select **Create profile** - 4. Under **Platform**, select **Windows 10 and later** - 5. Under **Profile type**, select **Templates** - 6. Under **Template name**, select **Custom**, and then select **Create** - -7. In **Basics**: - +7. On the ****Basics** tab: 1. Next to **Name**, enter **Personal Data Encryption** - 2. Next to **Description**, enter a description - + 2. Next to **Description**, enter a description 8. Select **Next** - -9. In **Configuration settings**, select **Add** - -10. In **Add Row**: - +9. On the **Configuration settings** tab, select **Add** +10. In the **Add Row** window: 1. Next to **Name**, enter **Personal Data Encryption** 2. Next to **Description**, enter a description 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** 4. Next to **Data type**, select **Integer** 5. Next to **Value**, enter in **1** - 11. Select **Save**, and then select **Next** - -12. In **Assignments**: - +12. On the **Assignments** tab: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the PDE policy should be deployed to 3. Select **Select** 4. Select **Next** +13. On the **Applicability Rules** tab, configure if necessary and then select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -13. In **Applicability Rules**, configure if necessary and then select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable Winlogon automatic restart sign-on (ARSO) - -1. 
Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +#### Disable Winlogon automatic restart sign-on (ARSO) +1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** - 3. Select **Create profile** - 4. Under **Platform**, select **Windows 10 and later** - 5. Under **Profile type**, select **Templates** - 6. Under **Template name**, select **Administrative templates**, and then select **Create** - -7. In **Basics**: - +7. On the ****Basics** tab: 1. Next to **Name**, enter **Disable ARSO** 2. Next to **Description**, enter a description - 8. Select **Next** - -9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** - +9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** 10. Select **Sign-in and lock last interactive user automatically after a restart** - 11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - 12. Select **Next** - -13. In **Scope tags**, configure if necessary and then select **Next** - -14. In **Assignments**: - +13. On the **Scope tags** tab, configure if necessary and then select **Next** +12. On the **Assignments** tab: 1. Under **Included groups**, select **Add groups** 2. Select the groups that the ARSO policy should be deployed to 3. Select **Select** 4. Select **Next** +13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** +## Recommended prerequisites -## Security hardening recommendations - -### Disable kernel-mode crash dumps and live dumps - -1. 
Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +#### Disable crash dumps +1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** - 3. Select **Create profile** - 4. Under **Platform**, select **Windows 10 and later** - 5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 2. Next to **Description**, enter a description - -7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump** - -10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable crash dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 2. Next to **Description**, enter a description - -7. 
Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** - -10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - - 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable WER dumps policy should be deployed to - 3. Select **Select** - 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable hibernation - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -2. Navigate to **Devices** > **Configuration Profiles** - -3. Select **Create profile** - -4. Under **Platform**, select **Windows 10 and later** - -5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - +6. On the ****Basics** tab: 1. Next to **Name**, enter **Disable Hibernation** 2. Next to **Description**, enter a description - 7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. In the **Settings picker** window, under **Browse by category**, select **Power** - -10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Change **Allow Hibernate** to **Block**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. 
In **Assignments**: - +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Memory Dump** +10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable hibernation policy should be deployed to + 2. Select the groups that the crash dumps policy should be deployed to 3. Select **Select** 4. Select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** - -### Disable allowing users to select when a password is required when resuming from connected standby - -1. Sign into [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +#### Disable hibernation +1. Sign into the Intune 2. Navigate to **Devices** > **Configuration Profiles** - 3. Select **Create profile** - 4. Under **Platform**, select **Windows 10 and later** - 5. Under **Profile type**, select **Settings catalog**, and then select **Create** - -6. In **Basics**: - - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** +6. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable Hibernation** 2. Next to **Description**, enter a description - 7. Select **Next** - -8. In **Configuration settings**, select **Add settings** - -9. 
In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon** - -10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - -11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next** - -12. In **Scope tags**, configure if necessary and then select **Next** - -13. In **Assignments**: - +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Power** +10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change **Allow Hibernate** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: 1. Under **Included groups**, select **Add groups** - 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to + 2. Select the groups that the hibernation policy should be deployed to 3. Select **Select** 4. Select **Next** - -14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** ## See also - - [Personal Data Encryption (PDE)](overview-pde.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) From bece8242d442a92d7027eb60f6a7c580ad2cba1d Mon Sep 17 00:00:00 2001 
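Review bot: the @@ -21,243 hunk deletes the "Security hardening recommendations" procedures for Windows Error Reporting/user-mode crash dumps and for "Allow users to select when a password is required when resuming from connected standby", and demotes what is left to "## Recommended prerequisites" without replacement; the overview text being reverted in the same series explains that dump and hibernation files can expose the keys PDE uses to protect files, so removing two of the four mitigations leaves the Intune page weaker than the 7 Dec version for no stated reason. The hunk also reintroduces defects that version had fixed: `+7. On the ****Basics** tab:` (stray asterisks, repeated in three sections), `+1. Sign into the Intune` in place of the linked Endpoint Manager admin center, ARSO steps numbered 13, 12, 13 (`+13. On the **Scope tags** tab` followed by `+12. On the **Assignments** tab:`), a "#### Disable crash dumps" section whose Basics step names the profile "Disable Hibernation", "Settings picker windows", and "####" headings nested directly under a "##" heading. Suggest keeping the 7 Dec text for this file, or at minimum retaining the WER and connected-standby sections and fixing the numbering and asterisks before merging.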
From: Thomas Raya Date: Mon, 12 Dec 2022 09:55:26 -0800 Subject: [PATCH 17/19] Update faq-pde.yml --- .../personal-data-encryption/faq-pde.yml | 45 ++++++++----------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index e0ad44cf6d..d9a2dbaff7 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -5,16 +5,13 @@ metadata: description: Answers to common questions regarding Personal Data Encryption (PDE). author: frankroj ms.author: frankroj - ms.reviewer: rhonnegowda + ms.reviewer: rafals manager: aaroncz ms.topic: faq ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium - ms.date: 12/07/2022 - -# Max 5963468 OS 32516487 -# Max 6946251 + ms.date: 09/22/2022 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | 
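Review bot: same concern as the Intune page: `+ ms.date: 09/22/2022` moves the FAQ's date backwards in a December commit and `ms.reviewer` is swapped back. Dropping the `# Max 5963468 OS 32516487` / `# Max 6946251` work-item comments is harmless, but ms.date should stay at the latest revision date.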
@@ -31,51 +28,47 @@ sections: answer: | No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. - - question: How are files protected by PDE selected? + - question: Can an IT admin specify which files should be encrypted? answer: | - [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files are protected using PDE. + Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). - - question: Do I need to use OneDrive in Microsoft 365 as my backup provider? + - question: Do I need to use OneDrive as my backup provider? answer: | - No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider. + No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. - question: What is the relation between Windows Hello for Business and PDE? answer: | - During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect files. + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. - - question: Can a file be protected with both PDE and EFS at the same time? + - question: Can a file be encrypted with both PDE and EFS at the same time? answer: | No. PDE and EFS are mutually exclusive. - - question: Can PDE protected files be accessed after signing on via a Remote Desktop connection (RDP)? + - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? answer: | - No. Accessing PDE protected files over RDP isn't currently supported. + No. 
Accessing PDE encrypted files over RDP isn't currently supported. - - question: Can PDE protected files be accessed via a network share? + - question: Can PDE encrypted files be access via a network share? answer: | - No. PDE protected files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is protected with PDE? + - question: How can it be determined if a file is encrypted with PDE? answer: | - - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: - 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. - 2. Select the **Details** button. - 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. - - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. + Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md). + Currently users can decrypt files manually but they can't encrypt files manually. - - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected files? 
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? answer: | - No. The keys used by PDE to protect files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. - question: What encryption method and strength does PDE use? answer: | - PDE uses AES-CBC with a 256-bit key to encrypt files. + PDE uses AES-CBC with a 256-bit key to encrypt files additionalContent: | ## See also - [Personal Data Encryption (PDE)](overview-pde.md) - - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) \ No newline at end of file + - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) From 0020f4850706166067681d6b2371efdaebd9c7c3 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 12 Dec 2022 09:56:24 -0800 Subject: [PATCH 18/19] Update pde-description.md --- .../includes/pde-description.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md index 445e8fbb45..7ca7334657 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md 
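Review bot: in the @@ -31,51 hunk the replacement `+ - question: Can an IT admin specify which files should be encrypted?` / `+ Yes, but it can only be done using the [PDE APIs]` is misleading: the linked `UserDataProtectionManager` API is called by application code, and the description include in this same series states there is no UI or MDM policy for selecting files, so for an IT admin the answer is effectively no; the original "How are files protected by PDE selected?" wording was accurate. The hunk also removes the only way to tell PDE from EFS: the deleted steps (file Properties > General > Advanced > Details, "Personal Data Encryption is: On") are needed because, as the retained answer says, both PDE and EFS show the padlock icon, so "Encrypted files will show a padlock on the file's icon" cannot distinguish them. It further drops the pointer to the decrypt procedure in the overview, reintroduces "Can PDE encrypted files be access via a network share" (access -> accessed) and the missing full stop after "256-bit key to encrypt files", and "polices" in the See also link text is misspelled on both sides. Suggest keeping the 7 Dec answers; if the revert stands, at least fix "access" and "polices".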
@@ -4,25 +4,24 @@ description: Personal Data Encryption (PDE) description include file author: frankroj ms.author: frankroj -ms.reviewer: rhonnegowda +ms.reviewer: rafals manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/07/2022 +ms.date: 09/22/2022 --- - Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. -Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. +PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. 
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. > [!NOTE] -> PDE can be enabled using MDM policies. The files to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect files using PDE. +> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. From 97160ebc39cb1bf26c4232c7b699191bf248e5bf Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 12 Dec 2022 09:56:52 -0800 Subject: [PATCH 19/19] Update overview-pde.md --- .../personal-data-encryption/overview-pde.md | 182 +++++------------- 1 file changed, 53 insertions(+), 129 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 0c628956e8..bfb7153548 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md 
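Review bot: the replacement note `+> PDE is currently only available to developers via [PDE APIs]... there are no MDM policies that can be used to encrypt files via PDE` contradicts the Intune page in this series, which enables PDE with the `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` OMA-URI; the removed wording ("PDE can be enabled using MDM policies. The files to be protected by PDE can be specified using PDE APIs") drew the distinction correctly and should be kept. The accessibility sentence being restored, `+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options.`, has a stray capital on "The" and asserts a blanket claim about the BitLocker pre-boot PIN screen that the removed sentence avoided; prefer the removed version. The ms.date regression to 09/22/2022 applies here as well.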
@@ -3,123 +3,75 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. author: frankroj ms.author: frankroj -ms.reviewer: rhonnegowda +ms.reviewer: rafals manager: aaroncz ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/07/2022 +ms.date: 09/22/2022 --- - # Personal Data Encryption (PDE) -**Applies to:** - -- Windows 11, version 22H2 and later Enterprise and Education editions +(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] ## Prerequisites -### Required +### **Required** + - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) + - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) + - Windows 11, version 22H2 and later Enterprise and Education editions -- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) -- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) -- Windows 11, version 22H2 and later Enterprise and Education editions +### **Not supported with PDE** + - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) + - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). 
+ - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) + - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) + - Remote Desktop connections -### Not supported with PDE - -- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) -- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). -- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) -- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) -- Remote Desktop connections - -### Security hardening recommendations - -- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). - -- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable user-mode crash dumps. 
For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). - -- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). - -- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: - - - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - - Workgroup devices, including native Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome. - - Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. 
- - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). - -### Highly recommended - -- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. - -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect files will be lost. In such scenarios, any file protected with PDE will no longer be accessible. The only way to recover such files would be from backup. - -- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to protect files to be lost. The destructive PIN reset will make any file protected with PDE no longer accessible after a destructive PIN reset. Files protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - -- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN +### **Highly recommended** + - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. 
+ - Backup solution such as [OneDrive](/onedrive/onedrive) + - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. + - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN + - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) + - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). + - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to protect files and offers two levels of protection. 
The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| -| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes | -| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available | -| PDE protected data is accessible after user signs out of Windows | No | No | -| PDE protected data is accessible when device is shut down | No | No | -| PDE protected data is accessible via UNC paths | No | No | -| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No | -| PDE protected data is accessible via Remote Desktop session | No | No | -| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows | +| Data is accessible when user is signed in | Yes | Yes | +| Data is accessible when user has locked their device | Yes | No | +| Data is accessible after user signs out | No | No | +| Data is accessible when device is shut down | No | No | +| Decryption keys discarded | After user signs out | After user locks device or signs out | -## PDE protected files accessibility +## PDE encrypted files accessibility -When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE protected file, they'll be denied access to the file. 
+When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. -Scenarios where a user will be denied access to a PDE protected file include: +Scenarios where a user will be denied access to a PDE encrypted file include: - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If protected via level 2 protection, when the device is locked. +- If specified via level 2 protection, when the device is locked. - When trying to access files on the device remotely. For example, UNC network paths. - Remote Desktop sessions. -- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected files. +- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. ## How to enable PDE 
@@ -133,83 +85,55 @@ To enable PDE on devices, push an MDM policy to the devices with the following p There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. > [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any files. To protect files via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which files to protect and at what level to protect the files. Additionally, the PDE APIs can't be used to protect files until the PDE policy has been enabled. +> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). ## Differences between PDE and BitLocker -PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security. 
- | Item | PDE | BitLocker | |--|--|--| -| Release of decryption key | At user sign-in via Windows Hello for Business | At boot | -| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | -| Files protected | Individual specified files | Entire volume/drive | -| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | +| Release of key | At user sign-in via Windows Hello for Business | At boot | +| Keys discarded | At user sign-out | At reboot | +| Files encrypted | Individual specified files | Entire volume/drive | +| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | +| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | ## Differences between PDE and EFS -The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files. +The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. -To see if a file is protected with PDE or with EFS: +To see if a file is encrypted with PDE or EFS: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. In the **Advanced Attributes** windows, select **Details** -For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. 
+For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. -For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. +For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. +Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. ## Disable PDE and decrypt files -Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: - -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **0** - -Disabling PDE doesn't decrypt any PDE protected files. It only prevents the PDE API from being able to protect any additional files. PDE protected files can be manually decrypted using the following steps: +Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: 1. Open the properties of the file 2. Under the **General** tab, select **Advanced...** 3. 
Uncheck the option **Encrypt contents to secure data** 4. Select **OK**, and then **OK** again -PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: - -- Decrypting a large number of files on a device -- Decrypting files on a large number of devices. - -To decrypt files on a device using `cipher.exe`: - -- Decrypt all files under a directory including subdirectories: - - ```cmd - cipher.exe /d /s: - ``` - -- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: - - ```cmd - cipher.exe /d - ``` - -> [!IMPORTANT] -> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. +> [!Important] +> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. ## Windows out of box applications that support PDE Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. - Mail - - Supports protecting both email bodies and attachments + - Supports encrypting both email bodies and attachments ## See also - - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
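Review bot: in the first hunk (overview-pde.md, Prerequisites), the rewritten "Highly recommended" list merges the two crash-dump items into one bullet, "Kernel and user mode crash dumps disabled", that links only to the MemoryDump policy CSP, while the removed lines show user-mode dumps are controlled by the ErrorReporting policy (`policy-csp-errorreporting#errorreporting-disablewindowserrorreporting`), so the merged bullet now points readers at a control that covers kernel-mode dumps only; keep both links, and confirm that the new `#disable-crash-dumps` anchor exists in configure-pde-in-intune.md, since the old text linked two differently named sections there. The same hunk deletes the "Allowing users to select when a password is required when resuming from connected standby disabled" recommendation with no replacement, which removes the only guidance about key exposure during the window where the screen is off but no password is required on native Azure AD joined devices; if retiring the "Security hardening recommendations" section is intentional, the commit message should say so, otherwise carry that bullet into the new list. Smaller fixes in the added lines: "keys used by PDE decrypt files" is missing "to"; "crash dumbs" appears twice; the hibernation bullet says "For information on disabling crash dumbs via Intune, see [Disable hibernation]" where it should say "disabling hibernation"; the ARSO bullet ends with `))` (one parenthesis too many); and the bold inside `### **Required**`, `### **Not supported with PDE**` and `### **Highly recommended**` is redundant in a heading.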
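Review bot: in the second hunk, the new opening of "Disable PDE and decrypt files" says PDE encrypted files "can be decrypted using `cipher.exe` using the following steps", but the four steps that follow use the file Properties > Advanced Attributes dialog, and the `cipher.exe /d` instructions are deleted in the same hunk, so the sentence no longer matches the procedure; either restore the `cipher.exe /d` block or reword the lead to describe the dialog. The same section replaces the documented OMA-URI value `0` procedure with "Currently there's no method to disable PDE via MDM policy", which contradicts the removed lines and sits oddly next to the PDE CSP still linked under "How to enable PDE"; if the `0` value is genuinely unsupported, say why in the commit message. The BitLocker comparison table now reads "Keys discarded | At user sign-out", which disagrees with the Level 2 row of the protection levels table in the first hunk ("After user locks device or signs out"); state both cases or point to that table. Minor: `> [!Important]` should be `> [!IMPORTANT]` to match the `[!NOTE]` alert in the same file; "the command line `cipher.exe /c` command" repeats "command" and drops the link to the cipher reference; and "files will not encrypt via the APIs" reads better as "files cannot be encrypted via the APIs".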