From cc1fd44c0de98837628f26d1e76118299e6c35b6 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Wed, 21 Sep 2022 10:39:09 -0400
Subject: [PATCH] PDE Updates 4

---
 .../personal-data-encryption/faq-pde.yml           |  6 +++---
 .../personal-data-encryption/overview-pde.md       | 14 +++++++-------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index 7d64c51861..c1a2be4053 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -34,11 +34,11 @@ sections:
 
       - question: Do I need to use OneDrive as my backup provider?
         answer: |
-          No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+          No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt are lost. OneDrive is a recommended backup provider.
 
       - question: What is the relation between Windows Hello for Business and PDE?
         answer: |
-          Windows Hello for Business unlocks PDE encryption keys during user sign-on.
+          Windows Hello for Business unlocks the keys that PDE uses to decrypt files during user sign on.
 
       - question: Can a file be encrypted with both PDE and EFS at the same time?
         answer: |
@@ -62,7 +62,7 @@ sections:
 
       - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
         answer: |
-          No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+          No. The decryption keys used by PDE are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
 
       - question: What encryption method and strength does PDE use?
         answer: |
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index 5d471de4e5..401279e851 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -40,19 +40,19 @@ ms.date: 09/22/2022
   - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
     - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
   - Backup solution such as [OneDrive](/onedrive/onedrive)
-    - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
+    - In certain scenarios such as TPM resets or destructive PIN resets, the decryption keys used by PDE can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
   - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
-    - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+    - Destructive PIN resets will cause decryption keys used by PDE to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
   - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
     - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
   - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
-    - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
+    - Crash dumps can potentially cause the decryption keys used by PDE to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
   - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
-    - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+    - Hibernation files can potentially cause the decryption keys used by PDE to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
 
 ## PDE protection levels
 
-PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 
 | Item | Level 1 | Level 2 |
 |---|---|---|
@@ -95,14 +95,14 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption
 | Item | PDE | BitLocker |
 |--|--|--|
 | Release of key | At user sign in via Windows Hello for Business | At boot |
-| Encryption keys discarded | At user sign out | At reboot |
+| Keys discarded | At user sign out | At reboot |
 | Files encrypted | Individual specified files | Entire volume/drive |
 | Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
 | Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
 
 ## Differences between PDE and EFS
 
-The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.
 
 To see if a file is encrypted with PDE or EFS: