diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index 9a07d9ac68..471c829ed5 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -9169,6 +9169,16 @@
"source_path": "windows/security/threat-protection/security-policy-settings/user-rights-assignment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/user-rights-assignment",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/cloud-security/index.md",
+ "redirect_url": "/windows/security/cloud-services",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md",
+ "redirect_url": "/windows/security/identity-protection/hello-for-business/dual-enrollment",
+ "redirect_document_id": false
}
]
}
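Review bot: both new entries are straight renames whose targets are added elsewhere in this patch (`cloud-security/index.md` becomes `cloud-services/index.md`, `hello-feature-dual-enrollment.md` becomes `dual-enrollment.md`), so check whether `"redirect_document_id": false` is intended here or whether the document id should travel with the renamed page by setting it to `true`, as is usual for a move rather than a retirement.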
diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md
index bea07c4d0b..1c973e2035 100644
--- a/education/windows/windows-11-se-settings-list.md
+++ b/education/windows/windows-11-se-settings-list.md
@@ -2,7 +2,7 @@
title: Windows 11 SE settings list
description: Windows 11 SE automatically configures settings in the operating system. Learn more about the settings you can control and manage, and the settings you can't change.
ms.topic: reference
-ms.date: 08/18/2023
+ms.date: 05/06/2024
appliesto:
- ✅ Windows 11 SE
ms.collection:
diff --git a/windows/security/cloud-security/index.md b/windows/security/cloud-services/index.md
similarity index 77%
rename from windows/security/cloud-security/index.md
rename to windows/security/cloud-services/index.md
index 9fde8b8939..9124be688f 100644
--- a/windows/security/cloud-security/index.md
+++ b/windows/security/cloud-services/index.md
@@ -1,18 +1,18 @@
---
-title: Windows and cloud security
-description: Get an overview of cloud security features in Windows.
-ms.date: 08/02/2023
+title: Windows and cloud services
+description: Get an overview of cloud-based services in Windows.
+ms.date: 05/06/2024
ms.topic: overview
author: paolomatarazzo
ms.author: paoloma
---
-# Windows and cloud security
+# Windows and cloud services
Today's workforce has more freedom and mobility than ever before, and the risk of data exposure is also at its highest. We're focused on getting customers to the cloud to benefit from modern hybrid workstyles while improving security management. Built on zero-trust principles, Windows works with Microsoft cloud services to safeguard sensitive information while controlling access and mitigating threats.
From identity and device management to Office apps and data storage, Windows and integrated cloud services can help improve productivity, security, and resilience anywhere.
-Learn more about cloud security features in Windows.
+Learn more about cloud-based services in Windows.
[!INCLUDE [cloud-services](../includes/sections/cloud-services.md)]
diff --git a/windows/security/cloud-security/toc.yml b/windows/security/cloud-services/toc.yml
similarity index 100%
rename from windows/security/cloud-security/toc.yml
rename to windows/security/cloud-services/toc.yml
diff --git a/windows/security/identity-protection/hello-for-business/dual-enrollment.md b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
new file mode 100644
index 0000000000..7dd1507298
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/dual-enrollment.md
@@ -0,0 +1,72 @@
+---
+title: Dual enrollment
+description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
+ms.date: 05/06/2024
+ms.topic: how-to
+---
+
+# Dual enrollment
+
+[!INCLUDE [intro](deploy/includes/intro.md)]
+- **Deployment type:** [!INCLUDE [tooltip-deployment-onpremises](deploy/includes/tooltip-deployment-onpremises.md)], [!INCLUDE [tooltip-deployment-hybrid](deploy/includes/tooltip-deployment-hybrid.md)]
+- **Trust type:** [!INCLUDE [tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)]
+- **Join type:** [!INCLUDE [tooltip-join-domain](deploy/includes/tooltip-join-domain.md)], [!INCLUDE [tooltip-join-hybrid](deploy/includes/tooltip-join-hybrid.md)]
+---
+
+> [!IMPORTANT]
+> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages organizations to use the Privileged Access Workstations for their privileged credential users. Organizations can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature can't be used. To learn more, see [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations).
+
+Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their nonprivileged and privileged credentials on their device.
+
+By design, Windows doesn't enumerate all Windows Hello for Business users from within a user's session. Using the group policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
+
+With this setting, administrative users can sign in to Windows using their nonprivileged Windows Hello credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using `runas.exe` combined with the `/smartcard` argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and nonprivileged workloads.
+
+> [!IMPORTANT]
+> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+
+## Configure Windows Hello for Business dual enrollment
+
+Here are the steps to enable dual enrollment:
+
+- Configure Active Directory to support Domain Administrator enrollment
+- Configure dual enrollment using Group Policy
+
+### Configure Active Directory to support Domain Administrator enrollment
+
+The designed Windows Hello for Business configuration gives the `Key Admins` group read and write permissions to the `msDS-KeyCredentialsLink` attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+
+Active Directory Domain Services uses `AdminSDHolder` to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account might receive the permissions but they disappear from the user object unless you give the `AdminSDHolder` read and write permissions to the `msDS-KeyCredential` attribute.
+
+Sign in to a domain controller or management workstation with access equivalent to *domain administrator*.
+
+1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the `Key Admins` group on the `AdminSDHolder` object
+
+ ```cmd
+ dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink
+ ```
+
+ where `DC=domain,DC=com` is the LDAP path of your Active Directory domain and `domainName\keyAdminGroup` is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
+
+ ```cmd
+ dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink
+ ```
+
+1. To trigger security descriptor propagation, open `ldp.exe`
+1. Select **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and select **OK**
+1. Select **Connection** and select **Bind...** Select **OK** to bind as the currently signed-in user
+1. Select **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type `1`. Select **Enter** to add this to the **Entry List**
+1. Select **Run** to start the task
+1. Close LDP
+
+### Configure dual enrollment with group policy
+
+You configure Windows to support dual enrollment using the computer configuration portion of a Group Policy object:
+
+1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users
+1. Edit the Group Policy object from step 1
+1. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**
+1. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC
+1. Restart computers targeted by this Group Policy object
+
+The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the nonprivileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
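Review bot: the attribute name is spelled three different ways in the new page: `msDS-KeyCredentialsLink` in the first paragraph of the Active Directory section, `msDS-KeyCredential` in the `AdminSDHolder` paragraph, and `msDS-KeyCredentialLink` in step 1 and in both `dsacls` commands; the commands set `msDS-KeyCredentialLink`, so use that spelling throughout. In the metadata list, the trust-type include is written `[tooltip-cert-trust](deploy/includes/tooltip-trust-cert.md)` while every other include has a matching alias and file name; confirm the file really is `tooltip-trust-cert.md` or the include breaks the build. The policy setting is **Allow enumeration of emulated smart card for all users** in the overview but **Allow enumeration of emulated smart cards for all users** in the Group Policy steps; use the ADMX display name in both places. The `dsacls` command grants `Key Admins` write access to `msDS-KeyCredentialLink` on every account protected by `AdminSDHolder`, which includes domain administrators, and the page should say plainly that membership of `Key Admins` therefore has to be guarded as tightly as the administrative groups themselves. Minor: "at root of the domain" should be "at the root of the domain", and "organizational Unit" should be "organizational unit".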
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
deleted file mode 100644
index 276e763252..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Dual Enrollment
-description: Learn how to configure Windows Hello for Business dual enrollment and how to configure Active Directory to support Domain Administrator enrollment.
-ms.date: 07/05/2023
-ms.topic: how-to
----
-
-# Dual Enrollment
-
-**Requirements**
-
-- Hybrid and On-premises Windows Hello for Business deployments
-- Enterprise joined or Hybrid Azure joined devices
-- Certificate trust
-
-> [!IMPORTANT]
-> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information.
-
-Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device.
-
-By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices.
-
-With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
-
-> [!IMPORTANT]
-> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
-
-## Configure Windows Hello for Business Dual Enrollment
-
-In this task, you will
-
-* Configure Active Directory to support Domain Administrator enrollment
-* Configure Dual Enrollment using Group Policy
-
-### Configure Active Directory to support Domain Administrator enrollment
-
-The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
-
-Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.
-
-Sign in to a domain controller or management workstation with access equivalent to _domain administrator_.
-
-1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
-```dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /g "[domainName\keyAdminGroup]":RPWP;msDS-KeyCredentialLink```
-where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
-```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net" /g "mstepdemo\Key Admins":RPWP;msDS-KeyCredentialLink```
-2. To trigger security descriptor propagation, open **ldp.exe**.
-3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**.
-4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user.
-5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**.
-6. Click **Run** to start the task.
-7. Close LDP.
-
-### Configuring Dual Enrollment using Group Policy
-
-You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object.
-
-1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
-4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
-5. Restart computers targeted by this Group Policy object.
-
-The computer is ready for dual enrollment. Sign in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign out and sign in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users.
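Review bot: the deleted page named **KeyCredential Admins** as the alternative to **Key Admins** on domain controllers earlier than Windows Server 2016 (in the Active Directory section and in step 1), and the replacement `dual-enrollment.md` drops that alternative without comment; if those domain controllers are no longer supported, say so on the new page or note the intentional removal in the commit message so readers with the older group name don't assume the command is wrong.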
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 946281222c..a9067a5752 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -20,7 +20,7 @@ items:
- name: Configure PIN reset
href: pin-reset.md
- name: Configure dual enrollment
- href: hello-feature-dual-enrollment.md
+ href: dual-enrollment.md
- name: Configure dynamic lock
href: hello-feature-dynamic-lock.md
- name: Configure multi-factor unlock
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
new file mode 100644
index 0000000000..223d0bc3b6
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
index a8446d34d2..c7613a0f46 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
@@ -29,6 +29,10 @@ The following list provides examples of common events that cause a device to ent
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile
- Moving a BitLocker-protected drive into a new computer
- On devices with TPM 1.2, changing the BIOS or firmware boot device order
+- Exceeding the maximum allowed number of failed sign-in attempts
+
+ > [!NOTE]
+ > To take advantage of this functionality, you must configure the policy setting **Interactive logon: Machine account lockout threshold** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options**. Alternatively, use the [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) **MaxFailedPasswordAttempts** policy setting, or the [DeviceLock Configuration Service Provider (CSP)](/windows/client-management/mdm/policy-csp-devicelock#accountlockoutpolicy).
As part of the [BitLocker recovery process](recovery-process.md), it's recommended to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.
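Review bot: the new bullet "Exceeding the maximum allowed number of failed sign-in attempts" reads as default behaviour, while the note beneath it says the **Interactive logon: Machine account lockout threshold** policy (or the Exchange ActiveSync or DeviceLock CSP equivalent) has to be configured first; fold that condition into the bullet, for example "Exceeding the maximum number of failed sign-in attempts, when a machine account lockout threshold is configured", so readers scanning only the list don't expect lockout-triggered recovery on an unconfigured device.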
@@ -40,6 +44,23 @@ For planned scenarios, such as a known hardware or firmware upgrades, initiating
> [!TIP]
> Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.
+## Windows RE and BitLocker recovery
+
+Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by BitLocker. If a device is unable to boot after two failures, *Startup Repair* starts automatically.
+
+When Startup Repair is launched automatically due to boot failures, it only executes operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. On devices that support specific TPM measurements for PCR[7], the TPM validates that Windows RE is a trusted operating environment and unlocks any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM is disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically, and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
+
+Windows RE will also ask for your BitLocker recovery key when you start a *Remove everything* reset from Windows RE on a device that uses the **TPM + PIN** or **Password for OS drive** protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
+
+The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key:
+
+- To activate the narrator during BitLocker recovery in Windows RE, press WIN + CTRL + Enter
+- To activate the on-screen keyboard, tap on a text input control
+
+:::image type="content" source="images/bl-narrator.png" alt-text="Screenshot of Windows RE and narrator.":::
+
+If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
+
## BitLocker recovery options
In a recovery scenario, the following options to restore access to the drive might be available, depending on the policy settings applied to the devices:
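Review bot: in the Startup Repair paragraph, "If the Windows RE environment has been modified, for example the TPM is disabled" uses an example that isn't a modification of Windows RE; separate the two conditions, a modified Windows RE (the PCR[7] validation fails) and a disabled TPM (there is nothing to validate against), and state that in both cases the drives stay locked until the recovery key is provided. Also, "has not been modified" and "Windows RE will also ask" depart from the contractions and present tense used in the rest of the file ("can't", "it's recommended"), and "narrator" should match the product name "Narrator" in both the bullet and the image alt text.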
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
index dc6e715410..02b20cfc2d 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md
@@ -2,7 +2,7 @@
title: PDE settings and configuration
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
---
# PDE settings and configuration
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
index 6d9ebee1ad..cc6278f590 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml
@@ -4,7 +4,7 @@ metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
- ms.date: 08/11/2023
+ ms.date: 05/06/2024
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
@@ -15,19 +15,19 @@ sections:
questions:
- question: Can PDE encrypt entire volumes or drives?
answer: |
- No. PDE only encrypts specified files and content.
+ No, PDE only encrypts specified files and content.
- question: How are files and content protected by PDE selected?
answer: |
[PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
- Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
+ Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
- question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
- No. Accessing PDE protected content over RDP isn't currently supported.
+ No, it's not supported to access PDE-protected content over RDP.
- question: Can PDE protected content be accessed via a network share?
answer: |
- No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+ No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-CBC with a 256-bit key to encrypt content.
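Review bot: the RDP answer now reads "No, it's not supported to access PDE-protected content over RDP", which is clumsier than the line it replaces; prefer "No, accessing PDE-protected content over RDP isn't supported." The same hunk leaves "PDE protected content" unhyphenated in the network share answer and in both question lines while the RDP answer uses "PDE-protected"; pick one form for the whole file.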
@@ -39,13 +39,13 @@ sections:
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
- No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- question: Can a file be protected with both PDE and EFS at the same time?
answer: |
- No. PDE and EFS are mutually exclusive.
+ No, PDE and EFS are mutually exclusive.
- question: Is PDE a replacement for BitLocker?
answer: |
- No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+ No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
answer: |
- No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+ No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
index 14df705407..f0f3e1f99f 100644
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md
@@ -2,7 +2,7 @@
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
ms.topic: how-to
-ms.date: 08/11/2023
+ms.date: 05/06/2024
---
# Personal Data Encryption (PDE)
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index d87edf7174..c2a7ae57a8 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: how-to
---
@@ -9,11 +9,11 @@ ms.topic: how-to
In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
-- Encryption Algorithm: DES3
-- Integrity, Hash Algorithm: SHA1
+- Encryption Algorithm: DES3
+- Integrity, Hash Algorithm: SHA1
- Diffie Hellman Group (Key Size): DH2
-These settings aren't secure for IKE exchanges.
+These settings aren't secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
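Review bot: the lead sentence "the default setting for IKEv2 cryptographic settings are:" (context line above the list) has a subject-verb mismatch and repeats "setting ... settings"; since the list under it is being rewritten for whitespace anyway, change it to "the default IKEv2 cryptographic settings are:".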
@@ -42,27 +42,27 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName
## IKEv2 Crypto Settings Example
-The following commands configure the IKEv2 cryptographic settings to:
+The following commands configure the IKEv2 cryptographic settings to:
-- Encryption Algorithm: AES128
-- Integrity, Hash Algorithm: SHA256
-- Diffie Hellman Group (Key Size): DH14
+- Encryption Algorithm: AES128
+- Integrity, Hash Algorithm: SHA256
+- Diffie Hellman Group (Key Size): DH14
-### IKEv2 VPN Server
+### IKEv2 VPN Server
```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
+Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -SALifeTimeSeconds 28800 -MMSALifeTimeSeconds 86400 -SADataSizeForRenegotiationKilobytes 1024000
restart-service RemoteAccess -PassThru
```
If you need to switch back to the default IKEv2 settings, use this command:
```powershell
-Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
+Set-VpnServerConfiguration -TunnelType IKEv2 -RevertToDefault
restart-service RemoteAccess -PassThru
```
-### IKEv2 VPN Client
+### IKEv2 VPN Client
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PfsGroup PFS2048 -Force
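Review bot: the client example `Set-VpnConnectionIPsecConfiguration -ConnectionName -AuthenticationTransformConstants SHA256128 ...` (unchanged context line at the end of the hunk) passes `-ConnectionName` with no value, so PowerShell stops with a missing-argument error before anything is configured; give it a placeholder such as `-ConnectionName "<VPN connection name>"`. Also, the server command spells the PFS parameter `-PFSgroup` and the client command `-PfsGroup`; both bind because parameter names are case-insensitive, but use one casing, and capitalize `restart-service` as `Restart-Service` to match `Set-VpnServerConfiguration`.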
@@ -74,5 +74,5 @@ If you need to switch back to the default IKEv2 settings, use this command:
Set-VpnConnectionIPsecConfiguration -ConnectionName -RevertToDefault -Force
```
-> [!TIP]
-> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
\ No newline at end of file
+> [!TIP]
+> If you're configuring a all-user VPN connection or a Device Tunnel you must use the `-AllUserConnection` parameter in the `Set-VpnConnectionIPsecConfiguration` command.
\ No newline at end of file
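Review bot: the re-added tip keeps "a all-user VPN connection"; since the line is being rewritten, change it to "an all-user VPN connection". Both the old and new versions end with "\ No newline at end of file", so add the trailing newline while touching the end of the file and this hunk stops reappearing in future whitespace-only diffs. The `-RevertToDefault` example on the context line above the tip also passes `-ConnectionName` without a value and needs the same placeholder as the other client commands.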
diff --git a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index a3bf98bb64..daf7f89f5d 100644
--- a/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,7 +1,7 @@
---
title: How to use single sign-on (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable single sign-on (SSO) to on-premises domain resources over WiFi or VPN connections.
-ms.date: 12/12/2023
+ms.date: 05/06/2024
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
index 60dd8c3517..539eeaeda6 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
@@ -1,7 +1,7 @@
---
-title: VPN authentication options
+title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: concept-article
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
index 5e6ac3a460..85b51dd4d1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md
@@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: how-to
---
@@ -32,7 +32,7 @@ For more information, see [Traffic filters](vpn-security-features.md#traffic-fil
## Name-based trigger
-You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
+You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
Name-based auto-trigger can be configured using the `VPNv2//DomainNameInformationList/dniRowId/AutoTrigger` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
There are four types of name-based triggers:
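Review bot: the CSP path in the context line, `VPNv2//DomainNameInformationList/dniRowId/AutoTrigger`, contains an empty segment between `VPNv2` and `DomainNameInformationList`, which suggests a placeholder for the profile name was dropped (an angle-bracketed token would be swallowed by the markdown renderer). Confirm the rendered page shows the intended path, and escape the placeholder (for example with backticks or by writing it in braces) if it is being lost. The changed line itself is identical on both sides, so this hunk is whitespace only.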
@@ -56,7 +56,7 @@ When a device has multiple profiles with Always On triggers, the user can specif
## Preserving user Always On preference
-Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
+Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
If a management tool removes or adds the same profile name back and set **AlwaysOn** to **true**, Windows doesn't check the box if the profile name exists in the following registry value, in order to preserve user preference.
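Review bot: the trailing context sentence has a subject-verb mismatch and a dangling reference: "removes or adds the same profile name back and set **AlwaysOn** to **true**" should read "sets", and "the following registry value" points at nothing in this file because the value name (*AutoTriggerDisabledProfilesList*) was already given in the preceding paragraph. Suggest "Windows doesn't check the box if the profile name exists in *AutoTriggerDisabledProfilesList*, in order to preserve the user preference." Giving the full registry key path for that value would also help administrators verify the setting on a device, but only if the path is known to the author.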
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
index 20c906ac63..8fa4ab6725 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
@@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Microsoft Entra connected apps.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: how-to
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
index a58cace67e..7199978f6c 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md
@@ -1,7 +1,7 @@
---
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: concept-article
---
@@ -30,7 +30,7 @@ Tunneling protocols:
Using the UWP platform, non-Microsoft VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
-There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
+There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, SonicWall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
## Configure connection type
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
index 8243496ddd..3233517baa 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-guide.md
@@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: overview
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
index 82260ba0a4..666f60d6c1 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md
@@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: concept-article
---
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
index 21b3797cf1..aced17dd8e 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
@@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: how-to
-ms.date: 08/03/2023
+ms.date: 05/06/2024
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
@@ -70,7 +70,7 @@ An example of a PowerShell script that can be used to update a force tunnel VPN
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
-#
+#
# THIS SAMPLE CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
# WHETHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
@@ -113,7 +113,7 @@ To check a VPN profile XML file:
Update-VPN-Profile-Office365-Exclusion-Routes.ps1 -VPNprofilefile [FULLPATH AND NAME OF XML FILE]
"@
-
+
# Check if filename has been provided #
if ($VPNprofilefile -eq "")
{
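Review bot: the check `if ($VPNprofilefile -eq "")` in the trailing context does not catch a `$null` parameter, since `$null -eq ""` is false in PowerShell; `if ([string]::IsNullOrEmpty($VPNprofilefile))` covers both the unset and the empty-string case and is the idiomatic form. The `-`/`+` pair in this hunk differs only in whitespace.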
@@ -335,7 +335,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
# Clear variables to allow re-run testing #
$ARRVPN=$null # Array to hold VPN addresses from the XML file #
$In_Opt_Only=$null # Variable to hold IP Addresses that only appear in optimize list #
- $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
+ $In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
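Review bot: the pattern on the `$regex =` line reads `'(?sm).*^*.\r?\n(.*?)\r?\n.*'`, which contains the odd sequence `^*.` and no element-name literal, so it no longer anchors on the ProfileXML element it is meant to extract. This looks like the angle-bracketed tag literals were stripped from the source; check the raw file and, if the tags are still present there, make sure the markdown renders them inside the fenced block (the code fence should preserve them). The changed lines in this hunk are the comment line `$In_VPN_Only=$null ...` with whitespace differences only.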
@@ -542,12 +542,12 @@ $ProfileXML = '
104.146.128.0
17
true
-
+
150.171.40.0
22
true
-
+
13.107.60.1
32
@@ -568,9 +568,9 @@ $ProfileXML = '
14
true
-
- http://webproxy.corp.contoso.com/proxy.pac
-
+
+ http://webproxy.corp.contoso.com/proxy.pac
+
'
<#-- Convert ProfileXML to Escaped Format --#>
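Review bot: the sample proxy configuration in this hunk fetches the PAC file over plain HTTP (`http://webproxy.corp.contoso.com/proxy.pac`). A PAC file decides which proxy every request goes through, so a fetch without transport protection is a tampering point; since this is an example profile, showing `https://` would steer readers toward the safer default. The `-`/`+` pairs here differ only in whitespace.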
@@ -625,7 +625,7 @@ try
$session.CreateInstance($namespaceName, $newInstance, $options)
$Message = "Created $ProfileName profile."
Write-Host "$Message"
- Write-Host "$ProfileName profile summary:"
+ Write-Host "$ProfileName profile summary:"
$session.EnumerateInstances($namespaceName, $className, $options)
}
catch [Exception]
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
index 1975863b9a..4fdbb86971 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
@@ -1,7 +1,7 @@
---
-title: VPN profile options
+title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: how-to
---
@@ -43,16 +43,16 @@ The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN prof
The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
```xml
-
- TestVpnProfile
-
- testServer.VPN.com
- IKEv2
-
-
-
- Eap
-
+
+ TestVpnProfile
+
+ testServer.VPN.com
+ IKEv2
+
+
+
+ Eap
+
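Review bot: the intro sentence in the hunk context, "The following sample is a sample Native VPN profile", is redundant; "The following is a sample native VPN profile" says the same thing. In the sample itself, `testServer.VPN.com` uses a domain that could resolve to a real host; the rest of the document already uses `contoso.com` for examples, so `testServer.corp.contoso.com` (or an RFC 2606 name such as `vpn.example.com`) would keep the sample from pointing at anything real. The `-`/`+` lines are identical apart from indentation.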
@@ -118,95 +118,95 @@ The following sample is a sample Native VPN profile. This blob would fall under
-
-
-
+
+
+
- SplitTunnel
- true
-
-
- 192.168.0.0
- 24
-
-
- 10.10.0.0
- 16
-
-
+ SplitTunnel
+ true
+
+
+ 192.168.0.0
+ 24
+
+
+ 10.10.0.0
+ 16
+
+
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
-
-
-
- C:\windows\system32\ping.exe
-
-
-
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+
+
+
+ C:\windows\system32\ping.exe
+
+
+
-
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
- 6
- 10,20-50,100-200
- 20-50,100-200,300
- 30.30.0.0/16,10.10.10.10-20.20.20.20
- ForceTunnel
-
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
-
- 3.3.3.3/32,1.1.1.1-2.2.2.2
-
-
+
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+ 6
+ 10,20-50,100-200
+ 20-50,100-200,300
+ 30.30.0.0/16,10.10.10.10-20.20.20.20
+ ForceTunnel
+
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ 3.3.3.3/32,1.1.1.1-2.2.2.2
+
+
-
- hrsite.corporate.contoso.com
- 1.2.3.4,5.6.7.8
- 5.5.5.5
- true
-
-
- .corp.contoso.com
- 10.10.10.10,20.20.20.20
- 100.100.100.100
-
-
+
+ hrsite.corporate.contoso.com
+ 1.2.3.4,5.6.7.8
+ 5.5.5.5
+ true
+
+
+ .corp.contoso.com
+ 10.10.10.10,20.20.20.20
+ 100.100.100.100
+
+
- corp.contoso.com
- true
-
+ corp.contoso.com
+ true
+
- false
- corp.contoso.com
- contoso.com
-
-
- HelloServer
-
- Helloworld.Com
-
-
+ false
+ corp.contoso.com
+ contoso.com
+
+
+ HelloServer
+
+ Helloworld.Com
+
+
-
- true
-
- true
- This is my Eku
- This is my issuer hash
-
-
-
+
+ true
+
+ true
+ This is my Eku
+ This is my issuer hash
+
+
+
```
## Sample plug-in VPN profile
-The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
+The following sample is a sample plug-in VPN profile. This blob would fall under the ProfileXML node.
```xml
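Review bot: the `-`/`+` pairs across this large hunk differ only in indentation, so it is a re-indentation of the XML sample rather than a content change; say so in the commit message, because a reviewer cannot tell that from a 95-line hunk without diffing whitespace. Two content points worth taking while the block is being rewritten: the traffic-filter and route samples use routable addresses (`1.1.1.1-2.2.2.2`, `3.3.3.3/32`, `30.30.0.0/16`, `5.5.5.5`), where the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) would avoid pointing at real hosts, and the placeholders `This is my Eku` and `This is my issuer hash` give no hint of the expected format (an EKU OID and a certificate hash), so a format note beside them would help readers. The intro line below the block repeats the "sample is a sample" wording from the native-profile section and should get the same rewrite.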
@@ -279,7 +279,7 @@ The following sample is a sample plug-in VPN profile. This blob would fall under
Helloworld.Com
-
+
```
## Apply ProfileXML using Intune
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
index 1f3e5a3784..e5f0bc3f68 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-routing.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/03/2023
+ms.date: 05/06/2024
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: concept-article
@@ -23,7 +23,7 @@ For each route item in the list, you can configure the following options:
With Windows VPN, you can specify exclusion routes that shouldn't go over the physical interface.
-Routes can also be added at connect time through the server for UWP VPN apps.
+Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
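Review bot: the context sentence "you can specify exclusion routes that shouldn't go over the physical interface" reads as the opposite of what an exclusion route usually does (traffic that is excluded from the tunnel and sent over the physical interface). If the intent is that excluded prefixes bypass the VPN tunnel, reword to say so; if the intent really is the reverse, a short explanation would avoid the ambiguity. The changed line in this hunk is whitespace only.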
diff --git a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
index a299f51731..0ca87d7370 100644
--- a/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
+++ b/windows/security/operating-system-security/network-security/vpn/vpn-security-features.md
@@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
-ms.date: 08/03/2023
+ms.date: 05/06/2024
ms.topic: concept-article
---
diff --git a/windows/security/toc.yml b/windows/security/toc.yml
index 68377b8378..6fbbd83941 100644
--- a/windows/security/toc.yml
+++ b/windows/security/toc.yml
@@ -16,6 +16,6 @@ items:
- name: Identity protection
href: identity-protection/toc.yml
- name: Cloud security
- href: cloud-security/toc.yml
+ href: cloud-services/toc.yml
- name: Windows Privacy 🔗
href: /windows/privacy
\ No newline at end of file
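Review bot: the href is updated to `cloud-services/toc.yml` while the entry name stays "Cloud security"; confirm that `toc.yml` was moved along with the renamed folder, since a dangling href here breaks navigation for the whole section. Also consider adding the trailing newline so the `\ No newline at end of file` marker goes away.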