PDE Updates Post Release 2

2025-05-16 23:37:22 +00:00 · 2022-12-16 10:27:43 -05:00 · 2022-12-16 10:27:43 -05:00 · 62fb2e10fc
commit 62fb2e10fc
parent f2b13ead69
3 changed files with 31 additions and 31 deletions
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@ -25,15 +25,15 @@ sections:
    questions:
      - question: Can PDE encrypt entire volumes or drives?
        answer: |
-          No. PDE only encrypts specified files.
+          No. PDE only encrypts specified files and content.
      - question: Is PDE a replacement for BitLocker?
        answer: |
          No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
-      - question: How are files protected by PDE selected?
+      - question: How are files and content protected by PDE selected?
        answer: |
-          [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files are protected using PDE.
+          [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
      - question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
        answer: |
@ -41,19 +41,19 @@ sections:
      - question: What is the relation between Windows Hello for Business and PDE?
        answer: |
-          During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect files.
+          During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
      - question: Can a file be protected with both PDE and EFS at the same time?
        answer: |
          No. PDE and EFS are mutually exclusive.
-      - question: Can PDE protected files be accessed after signing on via a Remote Desktop connection (RDP)?
+      - question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
        answer: |
-          No. Accessing PDE protected files over RDP isn't currently supported.
+          No. Accessing PDE protected content over RDP isn't currently supported.
-      - question: Can PDE protected files be accessed via a network share?
+      - question: Can PDE protected content be accessed via a network share?
        answer: |
-          No. PDE protected files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+          No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
      - question: How can it be determined if a file is protected with PDE?
        answer: |
@ -67,13 +67,13 @@ sections:
        answer: |
          Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md).
-      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected files?
+      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
        answer: |
-          No. The keys used by PDE to protect files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+          No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
      - question: What encryption method and strength does PDE use?
        answer: |
-          PDE uses AES-CBC with a 256-bit key to encrypt files.
+          PDE uses AES-CBC with a 256-bit key to encrypt content.
 additionalContent: |
  ## See also
--- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
+++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
@ -16,13 +16,13 @@ ms.date: 12/13/2022
 <!-- Max 5963468 OS 32516487 -->
 <!-- Max 6946251 -->
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it  encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it  encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
 Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
 > [!NOTE]
-> PDE can be enabled using MDM policies. The files to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect files using PDE.
+> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@ -44,15 +44,15 @@ ms.date: 12/13/2022
 - [Kernel-mode crash dumps  and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
-   Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps).
+   Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps).
 - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
-   Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
+   Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
 - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-   Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+   Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
 - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
@ -70,7 +70,7 @@ ms.date: 12/13/2022
    - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
-    - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome.
+    - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
    Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured.
@ -84,11 +84,11 @@ ms.date: 12/13/2022
 - Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
-   In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect files will be lost. In such scenarios, any file protected with PDE will no longer be accessible. The only way to recover such files would be from backup.
+   In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
 - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-   Destructive PIN resets will cause keys used by PDE to protect files to be lost. The destructive PIN reset will make any file protected with PDE no longer accessible after a destructive PIN reset. Files protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+   Destructive PIN resets will cause keys used by PDE to protect content to be lost. The destructive PIN reset will make any content protected with PDE no longer accessible after a destructive PIN reset. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
 - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
@ -96,7 +96,7 @@ ms.date: 12/13/2022
 ## PDE protection levels
-PDE uses AES-CBC with a 256-bit key to protect files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 | Item | Level 1 | Level 2 |
 |---|---|---|
@ -109,17 +109,17 @@ PDE uses AES-CBC with a 256-bit key to protect files and offers two levels of pr
 | PDE protected data is accessible via Remote Desktop session | No | No |
 | Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
-## PDE protected files accessibility
+## PDE protected content accessibility
-When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE protected file, they'll be denied access to the file.
+When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
-Scenarios where a user will be denied access to a PDE protected file include:
+Scenarios where a user will be denied access to PDE protected content include:
 - User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
 - If protected via level 2 protection, when the device is locked.
- When trying to access files on the device remotely. For example, UNC network paths.
+- When trying to access content on the device remotely. For example, UNC network paths.
 - Remote Desktop sessions.
- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected files.
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
 ## How to enable PDE
@ -133,7 +133,7 @@ To enable PDE on devices, push an MDM policy to the devices with the following p
 There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
 > [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any files. To protect files via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which files to protect and at what level to protect the files. Additionally, the PDE APIs can't be used to protect files until the PDE policy has been enabled.
+> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
 For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
@ -146,7 +146,7 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker,
 | Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
 | Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
 | Files protected | Individual specified files | Entire volume/drive |
-| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
+| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
 ## Differences between PDE and EFS
@ -164,7 +164,7 @@ For EFS protected files, under **Users who can access this file:**, there will b
 Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
-## Disable PDE and decrypt files
+## Disable PDE and decrypt content
 Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
@ -173,7 +173,7 @@ Once PDE is enabled, it isn't recommended to disable it. However if PDE does nee
 - Data type: **Integer**
 - Value: **0**
-Disabling PDE doesn't decrypt any PDE protected files. It only prevents the PDE API from being able to protect any additional files. PDE protected files can be manually decrypted using the following steps:
+Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
 1. Open the properties of the file
 2. Under the **General** tab, select **Advanced...**