deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

PDE content move

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-06-01 07:44:12 -04:00
parent 7d90d6d095
commit 6a49032278
16 changed files with 237 additions and 506 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
windows/security/docfx.json
View File

@ -76,6 +76,7 @@
"application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"
},
@ -83,6 +84,7 @@
"application-security/application-control/user-account-control/*.md": "paoloma",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
"identity-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly"
},
@ -123,6 +125,16 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/data-protection/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/data-protection/personal-data-encryption/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
],
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
@ -136,16 +148,17 @@
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/vpn/*.md": "pesmith"
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda"
},
"ms.collection": {
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/bitlocker/*.md": "tier1",
"information-protection/personal-data-encryption/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"threat-protection/windows-defender-application-control/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"operating-system-security/network-security/windows-firewall/*.md": "tier3"
}
},

1
windows/security/identity-protection/hello-for-business/toc.yml
View File

@ -1,3 +1,4 @@
items:
- name: Windows Hello for Business documentation
href: index.yml
- name: Concepts

2
windows/security/operating-system-security/data-protection/configure-s-mime.md
View File

@ -3,8 +3,6 @@ title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows.
ms.topic: how-to
ms.date: 05/31/2023
author: paolomatarazzo
ms.author: paoloma
---

16
windows/security/information-protection/encrypted-hard-drive.md → windows/security/operating-system-security/data-protection/encrypted-hard-drive.md
View File

@ -1,11 +1,6 @@
---
title: Encrypted Hard Drive
description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
ms.reviewer:
manager: aaroncz
ms.author: frankroj
ms.prod: windows-client
author: frankroj
ms.date: 11/08/2022
ms.technology: itpro-security
ms.topic: conceptual
@ -13,15 +8,6 @@ ms.topic: conceptual
# Encrypted Hard Drive
*Applies to:*
- Windows 10
- Windows 11
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Azure Stack HCI
Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
@ -48,7 +34,7 @@ Encrypted hard drives are supported natively in the operating system through the
If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)).
[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)]
[!INCLUDE [encrypted-hard-drive](../../../../includes/licensing/encrypted-hard-drive.md)]
## System Requirements

23
windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md → windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md
View File

@ -1,14 +1,7 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -21,19 +14,15 @@ The various required and recommended policies needed for Personal Data Encryptio
## Required prerequisites
1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md)
1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md)
1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md)
1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
1. [Disable hibernation](intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also

7
windows/security/information-protection/personal-data-encryption/faq-pde.yml → windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml
View File

@ -3,14 +3,7 @@
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: faq
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
# Max 5963468 OS 32516487

14
windows/security/information-protection/personal-data-encryption/includes/pde-description.md → windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md
View File

@ -1,22 +1,14 @@
---
title: Personal Data Encryption (PDE) description
description: Personal Data Encryption (PDE) description include file
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: include
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.

32
windows/security/information-protection/personal-data-encryption/overview-pde.md → windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
View File

@ -1,14 +1,8 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -17,28 +11,24 @@ ms.date: 03/13/2023
# Personal Data Encryption (PDE)
**Applies to:**
- Windows 11, version 22H2 and later Enterprise and Education editions
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
- [Windows Hello for Business](identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
- [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
@ -46,15 +36,15 @@ ms.date: 03/13/2023
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md).
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md).
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md).
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
@ -76,11 +66,11 @@ ms.date: 03/13/2023
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md).
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
@ -88,7 +78,7 @@ ms.date: 03/13/2023
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- [Windows Hello for Business PIN reset service](identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
@ -137,7 +127,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md).
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
## Differences between PDE and BitLocker

97
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md
View File

@ -1,15 +1,8 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
@ -20,81 +13,51 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal
To disable ARSO using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appear, under **Template name**, select **Administrative templates**.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable ARSO**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable ARSO**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. On the left pane of the page, make sure **Computer Configuration** is selected.
1. Under **Setting name**, scroll down and select **Windows Components**.
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option.
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**.
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. On the left pane of the page, make sure **Computer Configuration** is selected
1. Under **Setting name**, scroll down and select **Windows Components**
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

92
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md
View File

@ -1,14 +1,7 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -20,79 +13,50 @@ Hibernation files can potentially cause the keys used by Personal Data Encryptio
To disable hibernation using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Hibernation**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable Hibernation**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. select **Add settings**.
1. select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Power**.
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, scroll down and select **Power**
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

87
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md
View File

@ -1,14 +1,7 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -20,77 +13,49 @@ Kernel-mode crash dumps and live dumps can potentially cause the keys used by Pe
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**.
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Memory Dump**.
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, scroll down and select **Memory Dump**
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

110
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md
View File

@ -1,14 +1,7 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -17,18 +10,12 @@ ms.date: 03/13/2023
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- A password is required immediately after the screen turns off
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
@ -36,83 +23,54 @@ Because of this undesired outcome, it's recommended to explicitly disable this p
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**.
1. Next to **Description**, enter a description.
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **System**
1. Under **System**, scroll down and select **Logon**
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
1. select **Next**
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **System**.
1. Under **System**, scroll down and select **Logon**.
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**.
1. select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

98
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md
View File

@ -1,14 +1,7 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -20,83 +13,52 @@ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode cras
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Settings catalog**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**.
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**.
1. Under **Administrative Templates**, scroll down and expand **Windows Components**.
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it.
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window.
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option.
1. Select **Next**.
1. In the **Scope tags** page, configure if necessary and then select **Next**.
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **Windows Components**
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

102
windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md → windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md
View File

@ -1,14 +1,7 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 03/13/2023
---
@ -24,89 +17,54 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane.
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**.
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**.
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**.
1. Under **Profile type**, select **Templates**.
1. When the templates appears, under **Template name**, select **Custom**.
1. Select **Create** to close the **Create profile** window.
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appears, under **Template name**, select **Custom**
1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Select **Next**.
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Select **Next**
1. In **Configuration settings** page:
1. Next to **OMA-URI Settings**, select **Add**.
1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
1. Next to **Name**, enter **Personal Data Encryption**.
1. Next to **Description**, enter a description.
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
1. Next to **Data type**, select **Integer**.
1. Next to **Value**, enter in **1**.
1. Select **Save** to close the **Add Row** window.
1. Select **Next**.
1. Next to **Data type**, select **Integer**
1. Next to **Value**, enter in **1**
1. Select **Save** to close the **Add Row** window
1. Select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**.
1. Under **Included groups**, select **Add groups**
> [!NOTE]
>
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window.
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**.
1. In **Applicability Rules**, configure if necessary and then select **Next**.
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Applicability Rules**, configure if necessary and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Required prerequisites
### Prerequisites
- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md)
- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md)
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](../overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml)
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

19
windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml Normal file
View File

@ -0,0 +1,19 @@
items:
- name: Overview
href: index.md
- name: Configure PDE with Intune
href: configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: intune-disable-wer.md
- name: Disable hibernation for PDE
href: intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: intune-disable-password-connected-standby.md
- name: PDE frequently asked questions (FAQ)
href: faq-pde.yml

24
windows/security/operating-system-security/data-protection/toc.yml
View File

@ -76,29 +76,9 @@ items:
- name: Decode Measured Boot logs to track PCR changes
href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes
- name: Encrypted Hard Drive
href: ../../information-protection/encrypted-hard-drive.md
href: encrypted-hard-drive.md
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: ../../information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) frequently asked questions (FAQ)
href: ../../information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
items:
- name: Configure Personal Data Encryption (PDE) in Intune
href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md
- name: Disable hibernation for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md
href: personal-data-encryption/toc.yml
- name: Configure S/MIME for Windows
href: configure-s-mime.md
- name: Windows Information Protection (WIP)