diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index d2d1fa36bd..53b5503c72 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -162,7 +162,21 @@ - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) href: information-protection/personal-data-encryption/faq-pde.yml - name: Configure Personal Data Encryption (PDE) in Intune - href: information-protection/personal-data-encryption/configure-pde-in-intune.md + items: + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md + - name: Enable Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md + - name: Disable Winlogon automatic restart sign-on (ARSO) + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md + - name: Disable kernel-mode crash dumps and live dumps + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md + - name: Disable Windows Error Reporting (WER)/Disable user-mode crash dumps + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md + - name: Disable hibernation + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md + - name: Disable allowing users to select when a password is required when resuming from connected standby + href: information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md - name: Configure S/MIME for Windows href: identity-protection/configure-s-mime.md - name: Network security diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md index 7f2563f0db..4c21c312f0 100644 
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md 
@@ -17,357 +17,23 @@ ms.date: 03/10/2023 # Configure Personal Data Encryption (PDE) policies in Intune +The various required and recommended polices needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instruction son how to configure these policies in Intune. + ## Required prerequisites -### Enable Personal Data Encryption (PDE) +1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md) -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appears, under **Template name**, select **Custom**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Custom** screen: - - 1. Next to **Name**, enter **Personal Data Encryption**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In **Configuration settings** page: - - 1. Select **Add**. - - 1. In the **Add Row** pane: - - 1. Next to **Name**, enter **Personal Data Encryption**. - 1. Next to **Description**, enter a description. - 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. - 1. Next to **Data type**, select **Integer**. - 1. Next to **Value**, enter in **1**. - 1. Select **Save**. - - 1. Select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. 
- - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Applicability Rules**, configure if necessary and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable Winlogon automatic restart sign-on (ARSO) - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appears, under **Template name**, select **Administrative templates**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable ARSO**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. At the top of the page, make sure **Computer Configuration** is selected. - - 1. Under **Setting name**, scroll down and select **Windows Components**. - - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. 
You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. - - 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. - - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - - 1. Select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. +1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md) ## Security hardening recommendations -### Disable kernel-mode crash dumps and live dumps +1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md) -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md) -1. In the **Home** screen, select **Devices**. +1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md) -1. 
In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - 1. In the **Settings picker** pane: - - 1. Under **Browse by category**, scroll down and select **Memory Dump**. - - 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. - - 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. - - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. - - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. - - 1. select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. 
- - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable hibernation - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable Hibernation**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, scroll down and select **Power**. - - 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. - - 1. Select **Next**. - -1. 
In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. - -### Disable allowing users to select when a password is required when resuming from connected standby - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices**. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles screen**, select **Create profile**. - -1. In the **Create profile** window: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create**. - -1. In the **Basics** page of the **Create profile** screen: - - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - -1. In the **Configuration settings** page: - - 1. Select **Add settings**. - - 1. In the **Settings picker** window: - - 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. - - 1. 
Under **Administrative Templates**, scroll down and expand **System**. - - 1. Under **System**, scroll down and select **Logon**. - - 1. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. - - 1. select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - -1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - - > [!NOTE] - > - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. - - 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. +1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md) ## See also diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md index 12709e8d35..10b6a7e163 100644 --- a/windows/security/information-protection/personal-data-encryption/overview-pde.md 
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -9,7 +9,7 @@ ms.topic: how-to ms.prod: windows-client ms.technology: itpro-security ms.localizationpriority: medium -ms.date: 12/13/2022 +ms.date: 03/10/2023 --- @@ -35,7 +35,7 @@ ms.date: 12/13/2022 - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md). - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections 
@@ -44,19 +44,19 @@ ms.date: 12/13/2022 - [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps). + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md). - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps). + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](pde-in-intune/intune-disable-wer.md). 
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md). - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - On-premises Active Directory joined devices: 
@@ -66,15 +66,15 @@ ms.date: 12/13/2022 The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - Workgroup devices, including native Azure AD joined devices: + - Workgroup devices, including Azure AD joined devices: - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured. + Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md). ### Highly recommended 
@@ -135,7 +135,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md). ## Differences between PDE and BitLocker diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md new file mode 100644 index 0000000000..539e53bc24 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md 
@@ -0,0 +1,73 @@ +--- +title: Disable ARSO in Intune +description: Disable ARSO in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable Winlogon automatic restart sign-on (ARSO) in Intune + +Winlogon automatic restart sign-on (ARSO) is not supported for use in conjunction with Personal Data Encryption (PDE). To disable ARSO using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appears, under **Template name**, select **Administrative templates**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable ARSO**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. At the top of the page, make sure **Computer Configuration** is selected. + + 1. Under **Setting name**, scroll down and select **Windows Components**. + + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. + + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. + + 1. 
In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md new file mode 100644 index 0000000000..0752525499 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md 
@@ -0,0 +1,73 @@ +--- +title: Disable hibernation in Intune +description: Disable hibernation in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable hibernation in Intune + +Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. + +To disable hibernation using Intune: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Hibernation**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. select **Add settings**. + + 1. In the **Settings picker** window: + + 1. Under **Browse by category**, scroll down and select **Power**. + + 1. When the settings for the **Power** category appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. + + 1. Select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. 
+ + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md new file mode 100644 index 0000000000..d81f9a7232 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md 
@@ -0,0 +1,70 @@ +--- +title: Disable hibernation in Intune +description: Disable hibernation in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable kernel-mode crash dumps and live dumps in Intune + +Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + +To disable kernel-mode crash dumps and live dumps using Intune: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + 1. In the **Settings picker** pane: + + 1. Under **Browse by category**, scroll down and select **Memory Dump**. + + 1. When the settings for the **Memory Dump** category appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. + +1. 
In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md new file mode 100644 index 0000000000..ef2e52b7ad --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md 
@@ -0,0 +1,93 @@ +--- +title: Disable allowing users to select when a password is required when resuming from connected standby in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable allowing users to select when a password is required when resuming from connected standby in Intune + +When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + +- On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + +- Workgroup devices, including Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + +Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. + +To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: + +1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +2. In the **Home** screen, select **Devices**. + +3. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +4. In the **Devices | Configuration profiles screen**, select **Create profile**. + +5. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 2. Under **Profile type**, select **Settings catalog**. + + 3. Select **Create**. + +6. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. + + 2. Next to **Description**, enter a description. + + 3. Select **Next**. + +7. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 2. In the **Settings picker** window: + + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 2. Under **Administrative Templates**, scroll down and expand **System**. + + 3. Under **System**, scroll down and select **Logon**. + + 4. When the settings for the **Logon** subcategory appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 3. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. + + 4. select **Next**. + +8. In the **Scope tags** page, configure if necessary and then select **Next**. + +9. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 2. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 3. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +10. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md new file mode 100644 index 0000000000..3d1e664a36 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md 
@@ -0,0 +1,77 @@ +--- +title: Disable allowing users to select when a password is required when resuming from connected standby in Intune +description: Disable allowing users to select when a password is required when resuming from connected standby in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune + +Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. + +To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Settings catalog**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Create profile** screen: + + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In the **Configuration settings** page: + + 1. Select **Add settings**. + + 1. In the **Settings picker** window: + + 1. Under **Browse by category**, expand **Administrative Templates** by selecting the **>** to the left of it. + + 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. + + 1. 
Under **Windows Components**, scroll down and select **Windows Error Reporting**. + + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. + + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. + + 1. select **Next**. + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. + + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md new file mode 100644 index 0000000000..e07428004e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md 
@@ -0,0 +1,76 @@ +--- +title: Enable Personal Data Encryption (PDE) in Intune +description: Enable Personal Data Encryption (PDE) in Intune +author: frankroj +ms.author: frankroj +ms.reviewer: rhonnegowda +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 03/10/2023 +--- + +### Enable Personal Data Encryption (PDE) in Intune + +To enable Personal Data Encryption (PDE) using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. In the **Home** screen, select **Devices**. + +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. + +1. In the **Devices | Configuration profiles screen**, select **Create profile**. + +1. In the **Create profile** window: + + 1. Under **Platform**, select **Windows 10 and later**. + + 1. Under **Profile type**, select **Templates**. + + 1. When the templates appears, under **Template name**, select **Custom**. + + 1. Select **Create**. + +1. In the **Basics** page of the **Custom** screen: + + 1. Next to **Name**, enter **Personal Data Encryption**. + + 1. Next to **Description**, enter a description. + + 1. Select **Next**. + +1. In **Configuration settings** page: + + 1. Select **Add**. + + 1. In the **Add Row** pane: + + 1. Next to **Name**, enter **Personal Data Encryption**. + 1. Next to **Description**, enter a description. + 1. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**. + 1. Next to **Data type**, select **Integer**. + 1. Next to **Value**, enter in **1**. + 1. Select **Save**. + + 1. Select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next**. + +1. In the **Assignments** page: + + 1. Under **Included groups**, select **Add groups**. 
+ + > [!NOTE] + > + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select**. + + 1. Under **Groups**, ensure the correct group(s) are selected, and then select **Next**. + +1. In **Applicability Rules**, configure if necessary and then select **Next**. + +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**.
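Review bot: the front matter of the new file intune-disable-memory-dumps.md is a copy-paste error. Both `title: Disable hibernation in Intune` and `description: Disable hibernation in Intune` belong to the hibernation page, while the H1 on the same file reads `# Disable kernel-mode crash dumps and live dumps in Intune`. Since the title and description are what the docs index, search results and browser tabs show, this page would be listed as the hibernation article. Change both to `Disable kernel-mode crash dumps and live dumps in Intune` so they match the H1 and the TOC entry.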
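Review bot: in intune-disable-password-connected-standby.md the policy is referred to by two different names, which will confuse readers following the steps. The intro and the profile **Name** in step 6 call it **Disable allowing users to select when a password is required when resuming from connected standby**, but the setting the reader actually selects in step 7.2.4 is **Allow users to select when a password is required when resuming from connected standby**, which is then left at **Disabled**. Use the real Settings catalog name throughout and say that it is set to Disabled, so the reader is not searching the picker for a setting called "Disable allowing...". Two smaller points in the same file: the bullets use `device´s` (acute accent) instead of `device's`, and the step list uses explicit `1.`, `2.`, `3.` numbering with a lowercase `4. select **Next**.`, whereas every other new page in this PR uses the repeated `1.` convention and capitalizes `Select`; please align for consistency.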
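Review bot: the front matter of intune-disable-wer.md is also wrong. `title:` and `description:` both read `Disable allowing users to select when a password is required when resuming from connected standby in Intune`, copied from the connected-standby page, while the H1 is `# Disable Windows Error Reporting (WER)/Disable user-mode crash dumps in Intune`. Update both to match the H1 and the TOC label. Minor: the sub-step `1. select **Next**.` should be `Select **Next**.` to match the capitalization used in the other steps of this file.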
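Review bot: intune-enable-pde.md opens with `### Enable Personal Data Encryption (PDE) in Intune`, a level-3 heading, while every other new page in this PR uses a single `#` H1. A page without an H1 renders with the wrong document title and breaks the heading hierarchy, so change it to `# Enable Personal Data Encryption (PDE) in Intune`. Two wording nits in the same hunk: `When the templates appears` should be `When the templates appear`, and `1. Select **Next**` in the Configuration settings step is missing its trailing period, unlike the surrounding steps.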