From 7f90ab43baab2d9b782cb0f4fc2d8b1b8c7b4389 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Wed, 21 Sep 2022 10:51:32 -0400 Subject: [PATCH] PDE Updates 5 --- .../personal-data-encryption/faq-pde.yml | 6 +++--- .../personal-data-encryption/overview-pde.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml index c1a2be4053..8d4417d227 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -34,11 +34,11 @@ sections: - question: Do I need to use OneDrive as my backup provider? answer: | - No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt are lost. OneDrive is a recommended backup provider. + No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. - question: What is the relation between Windows Hello for Business and PDE? answer: | - Windows Hello for Business unlocks the keys that PDE uses to decrypt files during user sign on. + During user sign on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. - question: Can a file be encrypted with both PDE and EFS at the same time? answer: | @@ -62,7 +62,7 @@ sections: - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? answer: | - No. The decryption keys used by PDE are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. - question: What encryption method and strength does PDE use? answer: | diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 401279e851..9ee231bc18 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -40,15 +40,15 @@ ms.date: 09/22/2022 - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. - Backup solution such as [OneDrive](/onedrive/onedrive) - - In certain scenarios such as TPM resets or destructive PIN resets, the decryption keys used by PDE can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. + - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause decryption keys used by PDE to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) - - Crash dumps can potentially cause the decryption keys used by PDE to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). + - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the decryption keys used by PDE to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). ## PDE protection levels