From 777af751f8c72b639840800a18313d2ed53577a6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:07:53 +0200 Subject: [PATCH 01/24] PDE initial export --- .../personal-data-encryption/configure.md | 37 +++++++++++++++++++ .../personal-data-encryption/toc.yml | 4 +- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md new file mode 100644 index 0000000000..228d8faf26 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -0,0 +1,37 @@ +--- +title: PDE settings and configuration +description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +ms.topic: how-to +ms.date: 03/13/2023 +--- + +# PDE settings and configuration + +This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). + +## PDE settings list + +## PDE configuration + +### Configure PDE with Microsoft Intune + +To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +### Configure PDE with CSP + +Alternatively, you can configure devices using a [custom policy][MEM-2] with the [Name CSP][CSP-1].\ + +The policy settings are located under: `./Device/Vendor/MSFT/`. + +|Setting| +| - | +| **Setting name**: Title
**Policy CSP name**: `Setting Name`| + + + +[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions + +[MEM-1]: /mem/intune/configuration/settings-catalog +[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml index 0bb7c66820..72bc8d3dce 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml @@ -1,7 +1,9 @@ items: - name: Overview href: index.md -- name: Configure PDE with Intune +- name: Configure PD`E + href: configure.md +- name: (Old) Configure PDE with Intune href: configure-pde-in-intune.md - name: Enable Personal Data Encryption (PDE) href: intune-enable-pde.md From f29b6870af539b6cc3398660012d3e1126233b8e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:09:30 +0200 Subject: [PATCH 02/24] removed include file --- .../includes/pde-description.md | 20 ------------------- .../personal-data-encryption/index.md | 14 ++++++++++++- 2 files changed, 13 insertions(+), 21 deletions(-) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md deleted file mode 100644 index b34908147d..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md +++ /dev/null 
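Review bot: the new configure.md in this hunk still carries template scaffolding that must not ship: `[Name CSP][CSP-1]`, the path `./Device/Vendor/MSFT/` with no CSP node after it, the table row `**Setting name**: Title` / `**Policy CSP name**: `Setting Name``, and a `## PDE settings list` heading with no body. The `[CSP-1]` target `/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions` and the `Local Policies Security Options` settings-catalog category come from a different article and do not apply to PDE; replace them with the PDE policy reference or remove them until it is written. Two smaller fixes: drop the stray `\` after `[CSP-1].` (a hard line break immediately before a blank line) and add the missing newline at end of file.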
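Review bot: `- name: Configure PD`E` in the toc.yml hunk has a stray backtick inside the entry name and will render literally; it should read `- name: Configure PDE`. Keeping `(Old) Configure PDE with Intune` alongside the new entry is fine for a draft, but the `(Old)` label should not reach the published TOC.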
@@ -1,20 +0,0 @@ ---- -ms.topic: include -ms.date: 03/13/2023 ---- - - - - -Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. - -PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. - -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. - -Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. - -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. - -> [!NOTE] -> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. 
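Review bot: deleting `includes/pde-description.md` is only safe if index.md was its sole consumer; this patch touches index.md alone, so a repo-wide search for `pde-description.md` should be part of the review before the include is removed.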
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 83e0433698..617cf005e1 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
@@ -7,7 +7,19 @@ ms.date: 03/13/2023 # Personal Data Encryption (PDE) -[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. + +PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. + +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. + +Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. + +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. + +> [!NOTE] +> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. + [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] 
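Review bot: the inlined text is a verbatim copy of the deleted include, so this is the moment to fix its wording: `This requirement requires users to remember two different credentials` is redundant (`Users must therefore remember two different credentials`), `PDE has the ability to also discard` reads better as `PDE can also discard`, and `Unlike BitLocker that releases data encryption keys at boot` should be `Unlike BitLocker, which releases data encryption keys at boot`.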
From 2324a12d483b9e23cf1a2923568659b75ce8d14f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 12:42:59 +0200 Subject: [PATCH 03/24] articles merge --- .../configure-pde-in-intune.md | 30 --- .../personal-data-encryption/configure.md | 251 ++++++++++++++++++ .../{faq-pde.yml => faq.yml} | 0 .../intune-disable-arso.md | 63 ----- .../intune-disable-hibernation.md | 62 ----- .../intune-disable-memory-dumps.md | 61 ----- ...tune-disable-password-connected-standby.md | 76 ------ .../intune-disable-wer.md | 64 ----- .../intune-enable-pde.md | 70 ----- .../personal-data-encryption/toc.yml | 20 +- 10 files changed, 254 insertions(+), 443 deletions(-) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md rename windows/security/operating-system-security/data-protection/personal-data-encryption/{faq-pde.yml => faq.yml} (100%) delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md delete mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md deleted file mode 100644 index fe2fb5b3e9..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: Configure Personal Data Encryption (PDE) in Intune -description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - - - - -# Configure Personal Data Encryption (PDE) policies in Intune - -The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. - -## Required prerequisites - -1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -## Security hardening recommendations - -1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -1. [Disable hibernation](intune-disable-hibernation.md) -1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## See also - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 228d8faf26..bcf0f04760 100644 
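Review bot: removing `configure-pde-in-intune.md` (and the six `intune-*.md` pages listed in the stat) changes published URLs, so each removed path needs a redirect entry to `configure.md` in the repo's redirection file, and none is included in this patch. The stat also lists `toc.yml` as changed but its hunk is not shown here; confirm the `(Old) Configure PDE with Intune` entry that points at this file is removed in it.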
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,10 +9,71 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). + + +The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. + +## Required prerequisites + +1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) + +## Security hardening recommendations + +1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +1. [Disable hibernation](intune-disable-hibernation.md) +1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) + + ## PDE settings list ## PDE configuration +### Enable Personal Data Encryption (PDE) + +By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +## Enable Personal Data Encryption (PDE) in Intune + +To enable Personal Data Encryption (PDE) using Intune, follow the below steps: + +1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appears, under **Template name**, select **Custom** + 1. Select **Create** to close the **Create profile** window +1. The **Custom** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In **Configuration settings** page: + 1. Next to **OMA-URI Settings**, select **Add** + 1. In the **Add Row** window that opens: + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description + 1. Next to **OMA-URI**, enter in: + **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** + 1. Next to **Data type**, select **Integer** + 1. Next to **Value**, enter in **1** + 1. Select **Save** to close the **Add Row** window + 1. Select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. 
Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Applicability Rules**, configure if necessary and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + ### Configure PDE with Microsoft Intune To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: @@ -29,6 +90,196 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. | - | | **Setting name**: Title
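Review bot: the `Required prerequisites` and `Security hardening recommendations` lists added at the top of this hunk link to `intune-enable-pde.md`, `intune-disable-arso.md`, `intune-disable-memory-dumps.md`, `intune-disable-wer.md`, `intune-disable-hibernation.md` and `intune-disable-password-connected-standby.md`, all of which this same patch deletes, so every one of those links breaks; point them at the corresponding sections of this article or drop the lists now that the content is inline. Heading levels are inverted: `### Enable Personal Data Encryption (PDE)` is followed by `## Enable Personal Data Encryption (PDE) in Intune`, which should be one level deeper or merged into the `###` section. The OMA-URI `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` is user-scoped, which contradicts both the phrase `custom OMA-URI policy assigned to the device` and the earlier line `The policy settings are located under: ./Device/Vendor/MSFT/`; make the scope consistent. Minor: `When the templates appears` should be `appear`.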
**Policy CSP name**: `Setting Name`| +## Disable Winlogon automatic restart sign-on (ARSO) + +Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. + +To disable ARSO using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appear, under **Template name**, select **Administrative templates** + 1. Select **Create** to close the **Create profile** window. +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable ARSO** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. On the left pane of the page, make sure **Computer Configuration** is selected + 1. Under **Setting name**, scroll down and select **Windows Components** + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 1. Select **Next** +1. 
In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Additional PDE configurations in Intune +## Disable kernel-mode crash dumps and live dumps for PDE + +Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + +To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. 
In the **Basics** page: + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** + 1. Next to **Description**, enter a description. + 1. Select **Next** +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, scroll down and select **Memory Dump** + 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + +Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. 
+ +To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **Windows Components** + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. 
Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + + +## Disable hibernation for PDE + +Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. + +To disable hibernation using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable Hibernation** + 1. Next to **Description**, enter a description + 1. Select **Next** +1. In the **Configuration settings** page: + 1. select **Add settings** + 1. In the **Settings picker** window that opens: + 1. 
Under **Browse by category**, scroll down and select **Power** + 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Disable allowing users to select when a password is required when resuming from connected standby for PDE + +When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + +- On-premises Active Directory joined devices: + - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device + - A password is required immediately after the screen turns off + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices +- Workgroup devices, including Azure AD joined devices: + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome + +Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. + +## Disable allowing users to select when a password is required when resuming from connected standby in Intune + +To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. 
In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** +1. In the **Create profile** window that opens: + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window +1. The **Create profile** screen will open. In the **Basics** page: + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** + 1. Next to **Description**, enter a description + 1. Select **Next**. + +1. In the **Configuration settings** page: + 1. Select **Add settings** + 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **System** + 1. Under **System**, scroll down and select **Logon** + 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** + 1. select **Next** + +1. In the **Scope tags** page, configure if necessary and then select **Next** +1. In the **Assignments** page: + 1. Under **Included groups**, select **Add groups** + > [!NOTE] + > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. + 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml similarity index 100% rename from windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md deleted file mode 100644 index 9fda445c43..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md +++ /dev/null 
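Review bot: `## Additional PDE configurations in Intune` is immediately followed by `## Disable kernel-mode crash dumps and live dumps for PDE` with no body, so it is an empty section carried over from the merged ARSO page; remove it. The merged sections (`## Disable Winlogon ...`, `## Disable kernel-mode ...`, `## Disable Windows Error Reporting ...`, `## Disable hibernation for PDE`, `## Disable allowing users ...`) are all `##` although the article already has `## PDE configuration` with `###` children, so they should become `###`, and `## Disable allowing users to select ... in Intune`, nested under its own `##` twin, should drop a level as well. The walkthroughs repeat the sign-in, `Create profile`, `Scope tags` and `Assignments` steps and the `[!NOTE]` about `Excluded groups` verbatim six times, and the note already has two variants (`Make sure to add the correct groups` vs `Make sure to select **Add groups**`); a single assignments subsection referenced from each procedure would stop that drift. Small fixes: `device´s` uses an acute accent instead of an apostrophe, `select **Add settings**` and `select **Next**` start list items in lower case, and the connected-standby section mixes `Azure Active Directory joined` and `Azure AD joined`. The `[CSP-1]` reference kept at the end still points at the LocalPoliciesSecurityOptions policy CSP rather than the PDE CSP used in the steps.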
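Review bot: the rename of `faq-pde.yml` to `faq.yml` must be matched by updating every link to the old name; the pages deleted in this patch referenced `faq-pde.yml` under `See also` and `More information`, so make sure no such link was copied into `configure.md` or remains in `index.md` or `toc.yml`.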
@@ -1,63 +0,0 @@ ---- -title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune -description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune -ms.topic: how-to -ms.date: 06/01/2023 ---- - -# Disable Winlogon automatic restart sign-on (ARSO) for PDE - -Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. - -## Disable Winlogon automatic restart sign-on (ARSO) in Intune - -To disable ARSO using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appear, under **Template name**, select **Administrative templates** - 1. Select **Create** to close the **Create profile** window. -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable ARSO** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. On the left pane of the page, make sure **Computer Configuration** is selected - 1. Under **Setting name**, scroll down and select **Windows Components** - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option - 1. 
Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
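Review bot: deleting intune-disable-arso.md here (and the sibling intune-*.md pages that follow) leaves dangling relative links, because configure.md still contains `1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)` and `1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)` after this commit, as the context lines of the next commit's first hunk show. The page removals and the rewrite of those links to in-page anchors should land in the same commit so the docs build never passes through a state with broken cross-references. The same applies to the `faq-pde.yml` to `faq.yml` rename above: toc.yml is updated in this patch, but it is worth checking that index.md, which is not in this diff, does not still link `faq-pde.yml`.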
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md deleted file mode 100644 index ef18936b1b..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md +++ /dev/null 
@@ -1,62 +0,0 @@ ---- -title: Disable hibernation for PDE in Intune -description: Disable hibernation for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable hibernation for PDE - -Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. - -## Disable hibernation in Intune - -To disable hibernation using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Hibernation** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Power** - 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. 
Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md deleted file mode 100644 index 66a238e3c9..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -title: Disable kernel-mode crash dumps and live dumps for PDE in Intune -description: Disable kernel-mode crash dumps and live dumps for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable kernel-mode crash dumps and live dumps for PDE - -Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. - -## Disable kernel-mode crash dumps and live dumps in Intune - -To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 1. Next to **Description**, enter a description. - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Memory Dump** - 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. 
Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md deleted file mode 100644 index 4cf442e308..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune -description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable allowing users to select when a password is required when resuming from connected standby for PDE - -When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - -- On-premises Active Directory joined devices: - - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device - - A password is required immediately after the screen turns off - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices -- Workgroup devices, including Azure AD joined devices: - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome - -Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - -## Disable allowing users to select when a password is required when resuming from connected standby in Intune - -To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: - -1. 
Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 1. Next to **Description**, enter a description - 1. Select **Next**. - -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **System** - 1. Under **System**, scroll down and select **Logon** - 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** - 1. select **Next** - -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md deleted file mode 100644 index 39fe957317..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune -description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - -Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. - -## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune - -To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **Windows Components** - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. 
Make sure to only select **Windows Error Reporting** and not to expand it - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md deleted file mode 100644 index 795504237c..0000000000 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -title: Enable Personal Data Encryption (PDE) in Intune -description: Enable Personal Data Encryption (PDE) in Intune -ms.topic: how-to -ms.date: 03/13/2023 ---- - -# Enable Personal Data Encryption (PDE) - -By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -## Enable Personal Data Encryption (PDE) in Intune - -To enable Personal Data Encryption (PDE) using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appears, under **Template name**, select **Custom** - 1. Select **Create** to close the **Create profile** window -1. The **Custom** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In **Configuration settings** page: - 1. 
Next to **OMA-URI Settings**, select **Add** - 1. In the **Add Row** window that opens: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** - 1. Next to **Data type**, select **Integer** - 1. Next to **Value**, enter in **1** - 1. Select **Save** to close the **Add Row** window - 1. Select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Applicability Rules**, configure if necessary and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - -## Additional PDE configurations in Intune - -The following PDE configurations can also be configured using Intune: - -### Prerequisites - -- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -### Security hardening recommendations - -- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -- [Disable hibernation](intune-disable-hibernation.md) -- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - -## More information - -- [Personal Data Encryption (PDE)](index.md) -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml index 72bc8d3dce..f526600bd4 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml 
@@ -1,21 +1,7 @@ items: -- name: Overview +- name: PDE overview href: index.md -- name: Configure PD`E +- name: Configure PDE href: configure.md -- name: (Old) Configure PDE with Intune - href: configure-pde-in-intune.md -- name: Enable Personal Data Encryption (PDE) - href: intune-enable-pde.md -- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE - href: intune-disable-arso.md -- name: Disable kernel-mode crash dumps and live dumps for PDE - href: intune-disable-memory-dumps.md -- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - href: intune-disable-wer.md -- name: Disable hibernation for PDE - href: intune-disable-hibernation.md -- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE - href: intune-disable-password-connected-standby.md - name: PDE frequently asked questions (FAQ) - href: faq-pde.yml \ No newline at end of file + href: faq.yml \ No newline at end of file From 5b9280f71bcbf391763ac103517e97dea015a69e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 13:29:02 +0200 Subject: [PATCH 04/24] updates --- .../personal-data-encryption/configure.md | 66 ++++--------------- 1 file changed, 12 insertions(+), 54 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bcf0f04760..da0f067521 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,13 +9,9 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +## Prerequisites - -The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune. - -## Required prerequisites - -1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +1. [Enable PDE](#enable-personal-data-encryption-pde) 1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ## Security hardening recommendations 
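Review bot: the prerequisites list in this hunk fixes only the first item; the second, `1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)`, is kept as unchanged context, but intune-disable-arso.md was deleted in the previous commit, so it is now a broken link. It should follow the pattern of the line above it and point at the in-page section, i.e. `1. [Disable ARSO](#disable-winlogon-automatic-restart-sign-on-arso)`, which matches the `## Disable Winlogon automatic restart sign-on (ARSO)` heading that survives further down in this file.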
@@ -28,51 +24,23 @@ The various required and recommended policies needed for Personal Data Encryptio ## PDE settings list -## PDE configuration +The following table lists the available settings for PDE. -### Enable Personal Data Encryption (PDE) +| Setting name | Description | Details | +|-|-|-| +|Enable PDE|By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it must be enabled.| This setting is required.| +|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| +|Disable kernel-mode crash dumps and live dumps for PDE.|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| -By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device. > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. ## Enable Personal Data Encryption (PDE) in Intune -To enable Personal Data Encryption (PDE) using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. 
In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Templates** - 1. When the templates appears, under **Template name**, select **Custom** - 1. Select **Create** to close the **Create profile** window -1. The **Custom** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In **Configuration settings** page: - 1. Next to **OMA-URI Settings**, select **Add** - 1. In the **Add Row** window that opens: - 1. Next to **Name**, enter **Personal Data Encryption** - 1. Next to **Description**, enter a description - 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** - 1. Next to **Data type**, select **Integer** - 1. Next to **Value**, enter in **1** - 1. Select **Save** to close the **Add Row** window - 1. Select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Applicability Rules**, configure if necessary and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** +**Data type**, select **Integer** +**Value**, enter in **1** ### Configure PDE with Microsoft Intune @@ -92,16 +60,7 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. ## Disable Winlogon automatic restart sign-on (ARSO) -Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled. -To disable ARSO using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** 1. Under **Profile type**, select **Templates** 1. When the templates appear, under **Template name**, select **Administrative templates** 1. Select **Create** to close the **Create profile** window. 
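Review bot: In hunk `@@ -28,51 +24,23 @@` the three lines left under "## Enable Personal Data Encryption (PDE) in Intune" after the step list is deleted are fragments, not sentences: `+**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**`, `+**Data type**, select **Integer**` and `+**Value**, enter in **1**` stand alone with no verb and no table around them. Put them in a small table (OMA-URI | Data type | Value) or a one-line instruction so the reader knows these are the custom-policy values. Two related points in the same hunk: the `> [!NOTE]` about the PDE APIs now sits above that heading rather than under it, and the OMA-URI is user-scoped (`./User/...`) while the page's "Configure PDE with CSP" section states that the settings live under `./Device/Vendor/MSFT/`; one of the two should be corrected so the scopes agree.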
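Review bot: In hunk `@@ -92,16 +60,7 @@` the deletion stops one line too early: the parent step `-1. In the **Create profile** window that opens:` is removed, but its nested sub-steps (`1. Under **Profile type**, select **Templates**`, `1. When the templates appear, ...`, `1. Select **Create** to close the **Create profile** window.`) are kept as context, so the ARSO section now starts with orphaned, indented list items. Either delete those three lines as well (the section is being converted to a settings table in a later hunk) or keep the parent step. The removed descriptive sentence ("Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE) ...") was the only explanation in this section; since it was moved to the settings table, consider leaving a one-line pointer to the table under the heading.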
@@ -125,10 +84,9 @@ To disable ARSO using Intune, follow the below steps: 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** 1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** -## Additional PDE configurations in Intune ## Disable kernel-mode crash dumps and live dumps for PDE -Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. + To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: From 51f0bd039bec23979e5f409243c2b4cd461e709c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 13:46:54 +0200 Subject: [PATCH 05/24] update --- .../personal-data-encryption/configure.md | 163 +++--------------- 1 file changed, 20 insertions(+), 143 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index da0f067521..bd5d6074b1 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -9,29 +9,17 @@ ms.date: 03/13/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). -## Prerequisites - -1. [Enable PDE](#enable-personal-data-encryption-pde) -1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) - -## Security hardening recommendations - -1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) -1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) -1. [Disable hibernation](intune-disable-hibernation.md) -1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) - - ## PDE settings list -The following table lists the available settings for PDE. +The following table lists the required and suggested settings to use with PDE. -| Setting name | Description | Details | +| Setting name | Description | Required? | |-|-|-| -|Enable PDE|By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it must be enabled.| This setting is required.| +|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| This setting is required.| |Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| -|Disable kernel-mode crash dumps and live dumps for PDE.|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| - +|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. 
For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| +|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|| +|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. 
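Review bot: In hunk `@@ -9,29 +9,17 @@` the new "Required?" column is left empty for the last two rows (`...disable user-mode crash dumps.||` and `...disable hibernation.||`), while the other rows carry "This setting is required." / "This setting is recommended."; fill the column for every row, or switch to short Yes/No values so the header question is answered consistently. Also note what the deleted "Prerequisites" and "Security hardening recommendations" lists carried that the table does not: the "Disable allowing users to select when a password is required when resuming from connected standby" setting (its section still exists further down in the file but it no longer appears in the settings list) and the links to the `intune-disable-*.md` pages, which now have no inbound link from this article; either add that row to the table or confirm those pages are being retired in this series.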
@@ -60,133 +48,31 @@ The policy settings are located under: `./Device/Vendor/MSFT/`. ## Disable Winlogon automatic restart sign-on (ARSO) +Settings Catalog: +Category: `Administrative Templates` +`Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` - 1. Under **Profile type**, select **Templates** - 1. When the templates appear, under **Template name**, select **Administrative templates** - 1. Select **Create** to close the **Create profile** window. -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable ARSO** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. On the left pane of the page, make sure **Computer Configuration** is selected - 1. Under **Setting name**, scroll down and select **Windows Components** - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option - 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +## Disable kernel-mode crash dumps and live dumps\ -## Disable kernel-mode crash dumps and live dumps for PDE +`Disable Kernel-Mode Crash Dumps`` +Category: `Memory Dump` - -To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** - 1. Next to **Description**, enter a description. - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Memory Dump** - 1. 
When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** +`Allow Live Dump`:Block +`Allow Crash Dump`: Block ## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE -Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. +**Administrative Templates**, scroll down and expand **Windows Components** +Under **Windows Components**, scroll down and select **Windows Error Reporting**. 
Make sure to only select **Windows Error Reporting** and not to expand it +When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option -To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: +## Disable hibernation -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **Windows Components** - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it - 1. 
When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - - -## Disable hibernation for PDE - -Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation. - -To disable hibernation using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. 
In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable Hibernation** - 1. Next to **Description**, enter a description - 1. Select **Next** -1. In the **Configuration settings** page: - 1. select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, scroll down and select **Power** +1. Under **Browse by category**, scroll down and select **Power** 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - 1. Select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. 
In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Disable allowing users to select when a password is required when resuming from connected standby for PDE @@ -229,15 +115,6 @@ To disable the policy **Disable allowing users to select when a password is requ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** 1. select **Next** -1. In the **Scope tags** page, configure if necessary and then select **Next** -1. In the **Assignments** page: - 1. Under **Included groups**, select **Add groups** - > [!NOTE] - > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** - [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 00fdd02fd3078d1572f3740f26caceed094a5895 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:04:53 +0200 Subject: [PATCH 06/24] uppdates --- .../personal-data-encryption/configure.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bd5d6074b1..efff303da5 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -115,6 +115,31 @@ To disable the policy **Disable allowing users to select when a password is requ 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** 1. select **Next** + +!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +| Device Guard | Credential Guard | Select one of the options:
 - **Enabled with UEFI lock**
 - **Enabled without lock** | + +>[!IMPORTANT] +> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. + +[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). + +Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ +The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. + +| Setting | +|--| +| **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | +| **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | + + + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 4d7de6ab88acd763c27e47fbd5dde2e1c728f62c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:06:28 +0200 Subject: [PATCH 07/24] uppdates --- includes/configure/gpo-settings-1.md | 6 ++++++ includes/configure/gpo-settings-2.md | 6 ++++++ includes/configure/intune-custom-settings-1.md | 13 +++++++++++++ includes/configure/intune-custom-settings-2.md | 9 +++++++++ includes/configure/intune-custom-settings-info.md | 6 ++++++ includes/configure/intune-settings-catalog-1.md | 6 ++++++ includes/configure/intune-settings-catalog-2.md | 6 ++++++ includes/configure/tab-intro.md | 6 ++++++ 8 files changed, 58 insertions(+) create mode 100644 includes/configure/gpo-settings-1.md create mode 100644 includes/configure/gpo-settings-2.md create mode 100644 includes/configure/intune-custom-settings-1.md create mode 100644 includes/configure/intune-custom-settings-2.md create mode 100644 includes/configure/intune-custom-settings-info.md create mode 100644 includes/configure/intune-settings-catalog-1.md create mode 100644 includes/configure/intune-settings-catalog-2.md create mode 100644 includes/configure/tab-intro.md diff --git a/includes/configure/gpo-settings-1.md b/includes/configure/gpo-settings-1.md new file mode 100644 index 0000000000..2859223cc7 --- /dev/null +++ b/includes/configure/gpo-settings-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using group policy, [create a group policy object (GPO)](/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object) and use the settings located under \ No newline at end of file diff --git a/includes/configure/gpo-settings-2.md b/includes/configure/gpo-settings-2.md new file mode 100644 index 0000000000..cc0cad6c72 --- /dev/null 
+++ b/includes/configure/gpo-settings-2.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +The policy settings can be configured locally by using the Local Group Policy Editor (`gpedit.msc`), linked to the domain or organizational units, and filtered to security groups. \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-1.md b/includes/configure/intune-custom-settings-1.md new file mode 100644 index 0000000000..d911751e75 --- /dev/null +++ b/includes/configure/intune-custom-settings-1.md @@ -0,0 +1,13 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +To configure devices with Microsoft Intune, use a custom policy: + +1. Go to the Microsoft Intune admin center +2. Select **Devices > Configuration profiles > Create profile** +3. Select **Platform > Windows 10 and later** and **Profile type > Templates > Custom** +4. Select **Create** +5. Specify a **Name** and, optionally, a **Description > Next** +6. Add the following settings: \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-2.md b/includes/configure/intune-custom-settings-2.md new file mode 100644 index 0000000000..1a601acaa7 --- /dev/null +++ b/includes/configure/intune-custom-settings-2.md @@ -0,0 +1,9 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +7. Select **Next** +8. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** +9. Under **Applicability Rules**, select **Next** +10. Review the policy configuration and select **Create** \ No newline at end of file diff --git a/includes/configure/intune-custom-settings-info.md b/includes/configure/intune-custom-settings-info.md new file mode 100644 index 0000000000..8ff9da4294 --- /dev/null +++ b/includes/configure/intune-custom-settings-info.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +For more information about how to create custom settings using Intune, see [Use custom settings for Windows devices in Intune](/mem/intune/configuration/custom-settings-windows-10). \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-1.md b/includes/configure/intune-settings-catalog-1.md new file mode 100644 index 0000000000..713555d40b --- /dev/null +++ b/includes/configure/intune-settings-catalog-1.md @@ -0,0 +1,6 @@ +--- +ms.date: 06/21/2023 +ms.topic: include +--- + +To configure devices using Microsoft Intune, [create a *Settings catalog policy*](/mem/intune/configuration/settings-catalog) and use the following settings: \ No newline at end of file diff --git a/includes/configure/intune-settings-catalog-2.md b/includes/configure/intune-settings-catalog-2.md new file mode 100644 index 0000000000..ebd6a2e1ef --- /dev/null +++ b/includes/configure/intune-settings-catalog-2.md @@ -0,0 +1,6 @@ +--- +ms.date: 11/08/2022 +ms.topic: include +--- + +Assign the policy to a group that contains as members the devices or users that you want to configure. \ No newline at end of file diff --git a/includes/configure/tab-intro.md b/includes/configure/tab-intro.md new file mode 100644 index 0000000000..e195a9281a --- /dev/null +++ b/includes/configure/tab-intro.md @@ -0,0 +1,6 @@ +--- +ms.date: 02/22/2022 +ms.topic: include +--- + +The following instructions provide details how to configure your devices. Select the option that best suits your needs. \ No newline at end of file From 5be1e046be3ea436cf2fb4c761c35941115530f3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:14:13 +0200 Subject: [PATCH 08/24] includes --- .../data-protection/personal-data-encryption/configure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index efff303da5..1099161dc6 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -116,7 +116,7 @@ To disable the policy **Disable allowing users to select when a password is requ 1. select **Next** -!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| @@ -125,7 +125,7 @@ To disable the policy **Disable allowing users to select when a password is requ >[!IMPORTANT] > If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. -[!INCLUDE [intune-settings-catalog-2](../../../../includes/configure/intune-settings-catalog-2.md)] +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] > [!TIP] > You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). From b8f2ca5f3b9ba2ab1fbcbd7df5799c4ea819a57e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:32:12 +0200 Subject: [PATCH 09/24] updates --- .../personal-data-encryption/configure.md | 55 ++----------------- 1 file changed, 6 insertions(+), 49 deletions(-) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 1099161dc6..76a1e5431d 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -54,26 +54,10 @@ Category: `Administrative Templates` ## Disable kernel-mode crash dumps and live dumps\ -`Disable Kernel-Mode Crash Dumps`` - -Category: `Memory Dump` - -`Allow Live Dump`:Block -`Allow Crash Dump`: Block - ## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE -**Administrative Templates**, scroll down and expand **Windows Components** -Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it -When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window -Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option - ## Disable hibernation -1. Under **Browse by category**, scroll down and select **Power** - 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option - ## Disable allowing users to select when a password is required when resuming from connected standby for PDE When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: 
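Review bot: In hunk `@@ -54,26 +54,10 @@` the context heading `## Disable kernel-mode crash dumps and live dumps\` still ends with a backslash (a Markdown hard line break, which renders as a literal `\` in a heading); drop it. After the removals in this hunk, the three headings "Disable kernel-mode crash dumps and live dumps", "Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE" and "Disable hibernation" are empty sections with nothing under them; either remove the empty headings now that the values live in the Settings catalog table, or give each a single line pointing at the table row, so the rendered page does not show consecutive bare headings.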
@@ -90,47 +74,20 @@ Because of this undesired outcome, it's recommended to explicitly disable this p ## Disable allowing users to select when a password is required when resuming from connected standby in Intune -To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -1. In the **Home** screen, select **Devices** in the left pane -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** -1. In the **Create profile** window that opens: - 1. Under **Platform**, select **Windows 10 and later** - 1. Under **Profile type**, select **Settings catalog** - 1. Select **Create** to close the **Create profile** window -1. The **Create profile** screen will open. In the **Basics** page: - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** - 1. Next to **Description**, enter a description - 1. Select **Next**. - -1. In the **Configuration settings** page: - 1. Select **Add settings** - 1. In the **Settings picker** window that opens: - 1. Under **Browse by category**, expand **Administrative Templates** - 1. Under **Administrative Templates**, scroll down and expand **System** - 1. Under **System**, scroll down and select **Logon** - 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window - 1. 
Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** - 1. select **Next** - - [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| -| Device Guard | Credential Guard | Select one of the options:
 - **Enabled with UEFI lock**
 - **Enabled without lock** | - ->[!IMPORTANT] -> If you want to be able to turn off Windows Defender Credential Guard remotely, choose the option **Enabled without lock**. +|`Memory Dump`|`Allow Live Dump`|Block|| +|`Memory Dump`|`Allow Crash Dump`|Block|| +|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:**
 - **Disabled**| +|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option| +|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] -> [!TIP] -> You can also configure Credential Guard by using an *account protection* profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ -Alternatively, you can configure devices using a [custom policy][INT-1] with the [DeviceGuard Policy CSP][CSP-1].\ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. | Setting | From 0989666354505ad79c23d8a1f90e79ebf4105530 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 08:16:23 -0400 Subject: [PATCH 10/24] updates:q --- .../data-protection/personal-data-encryption/configure.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 76a1e5431d..20945120ed 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
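Review bot: the settings-table rows added in the `@@ -90,47 +74,20 @@` hunk of configure.md (the patch above, not the PATCH 10/24 header that follows) don't fit the three-column `| Category | Setting name | Value |` header and put UI instructions where values belong. The two `Memory Dump` rows end in `|Block||`, which adds an empty fourth cell; the `System > Logon` row puts a path in the setting-name column and spreads its value over two lines, which breaks the table; and the `Power` and `Windows Error Reporting` rows carry sentences ("Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option") instead of the value. Suggest one row per setting with the value alone in the last column, e.g. `| Power | Allow Hibernate | Block |` and `| Administrative Templates > System > Logon | Allow users to select when a password is required when resuming from connected standby | Disabled |`, and one style (backticks or bold) for the category column rather than both. The same hunk adds `[custom policy][INT-1]`, but no `INT-1` definition is added and the reference definitions visible later in this series are `CSP-1`, `MEM-1`, `MEM-2` and `WINS-1`, so it will render as literal text; and the unchanged line below it still says the policy settings live under `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`, which is the Credential Guard path from the template, not a location PDE uses.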
@@ -2,7 +2,7 @@ title: PDE settings and configuration description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). ms.topic: how-to -ms.date: 03/13/2023 +ms.date: 08/11/2023 --- # PDE settings and configuration @@ -95,8 +95,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | - - [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions From 55f2f142a83bc27acb46c485fc4fd75adb15090e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 10:52:45 -0400 Subject: [PATCH 11/24] updates --- .../personal-data-encryption/configure.md | 107 ++++++++++- .../personal-data-encryption/faq.yml | 14 -- .../personal-data-encryption/index.md | 172 +++--------------- 3 files changed, 134 insertions(+), 159 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 20945120ed..6e9dd3a346 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
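Review bot: the `@@ -95,8 +95,6 @@` hunk in [PATCH 10/24] only trims blank lines above `[CSP-1]`, but the definition it leaves in place, `/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions`, is the LocalPoliciesSecurityOptions area carried over from the template this article was cloned from and is unrelated to PDE; since `CSP-1` is the target of the "Policy CSP" link in the body, repoint it at the Policy CSP areas the table actually uses (MemoryDump, Power, ErrorReporting, ADMX_CredentialProviders) or at the PDE CSP. The two context rows directly above (`EnableVirtualizationBasedSecurity`, `LsaCfgFlags`) are Credential Guard settings from the same template and also still need replacing.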
@@ -9,6 +9,66 @@ ms.date: 08/11/2023 This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +> [!NOTE] +> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. + +### Security hardening recommendations + +- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) + + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). + +- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) + + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. 
For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). + +- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). + +- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) + + When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: + + - On-premises Active Directory joined devices: + + - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. + + - A password is required immediately after the screen turns off. + + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. + + - Workgroup devices, including Azure AD joined devices: + + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. + + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + + Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
+ + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). + +### Highly recommended + +- [BitLocker Drive Encryption](../bitlocker/index.md) enabled + + Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. + +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) + + In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. + +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + + Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + + Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN + ## PDE settings list The following table lists the required and suggested settings to use with PDE. @@ -95,9 +155,54 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | + +## Disable PDE and decrypt content + +Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **0** + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. Uncheck the option **Encrypt contents to secure data** +4. Select **OK**, and then **OK** again + +PDE protected files can also be decrypted using [WINS-1]. Using `cipher.exe` can be helpful to decrypt files in the following scenarios: + +- Decrypting a large number of files on a device +- Decrypting files on a large number of devices. + +To decrypt files on a device using `cipher.exe`: + +- Decrypt all files under a directory including subdirectories: + + ```cmd + cipher.exe /d /s: + ``` + +- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: + + ```cmd + cipher.exe /d + ``` + +> [!IMPORTANT] +> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. 
+ +## Next steps + +- Review the [Personal Data Encryption (PDE) FAQ](faq.yml) + [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions [MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 \ No newline at end of file +[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 + +[WINS-1]: /windows-server/administration/windows-commands/cipher \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml index 0429e74204..1e069f5f47 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml 
@@ -45,14 +45,6 @@ sections: answer: | No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. - - question: How can it be determined if a file is protected with PDE? - answer: | - - Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS: - 1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected. - 2. Select the **Details** button. - 3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**. - - [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file. - - question: Can users manually encrypt and decrypt files with PDE? answer: | Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md). @@ -64,9 +56,3 @@ sections: - question: What encryption method and strength does PDE use? answer: | PDE uses AES-CBC with a 256-bit key to encrypt content. - -additionalContent: | - ## See also - - [Personal Data Encryption (PDE)](index.md) - - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) - diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 617cf005e1..f522dc5930 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
@@ -2,101 +2,39 @@ title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. ms.topic: how-to -ms.date: 03/13/2023 +ms.date: 08/11/2023 --- # Personal Data Encryption (PDE) -Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows. -PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. +PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\ +When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs in to the device. -PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. +The use of Windows Hello for Business offers the following advantages: -Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business. 
+- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business +- The accessibility features available when using Windows Hello for Business extend to PDE protected content -Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. - -> [!NOTE] -> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. - - -[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] +PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\ +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. 
## Prerequisites -### Required +To use PDE, the following prerequisites must be met: -- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) -- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/index.md) -- Windows 11, version 22H2 and later Enterprise and Education editions +- The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) + - Domain-joined and hybrid Azure AD joined devices aren't supported +- Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) + - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported +- Windows 11, version 22H2 and later -### Not supported with PDE - -- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) -- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md). -- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md) -- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) -- Remote Desktop connections - -### Security hardening recommendations - -- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. 
For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). - -- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). - -- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). - -- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - - - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. 
- - - Workgroup devices, including Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - - Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). - -### Highly recommended - -- [BitLocker Drive Encryption](../bitlocker/index.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. - -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. - -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. 
- -- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN +[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] ## PDE protection levels -PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| 
@@ -115,27 +53,11 @@ When a file is protected with PDE, its icon will show a padlock. If the user has Scenarios where a user will be denied access to PDE protected content include: -- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. -- If protected via level 2 protection, when the device is locked. -- When trying to access content on the device remotely. For example, UNC network paths. -- Remote Desktop sessions. -- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content. - -## How to enable PDE - -To enable PDE on devices, push an MDM policy to the devices with the following parameters: - -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **1** - -There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md). +- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN +- If protected via level 2 protection, when the device is locked +- When trying to access content on the device remotely. 
For example, UNC network paths +- Remote Desktop sessions +- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content ## Differences between PDE and BitLocker 
@@ -155,52 +77,14 @@ The main difference between protecting files with PDE instead of EFS is the meth To see if a file is protected with PDE or with EFS: 1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. In the **Advanced Attributes** windows, select **Details** +1. Under the **General** tab, select **Advanced...** +1. In the **Advanced Attributes** windows, select **Details** For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. -Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command. - -## Disable PDE and decrypt content - -Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: - -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **0** - -Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: - -1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. Uncheck the option **Encrypt contents to secure data** -4. 
Select **OK**, and then **OK** again - -PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios: - -- Decrypting a large number of files on a device -- Decrypting files on a large number of devices. - -To decrypt files on a device using `cipher.exe`: - -- Decrypt all files under a directory including subdirectories: - - ```cmd - cipher.exe /d /s: - ``` - -- Decrypt a single file or all of the files in the specified directory, but not any subdirectories: - - ```cmd - cipher.exe /d - ``` - -> [!IMPORTANT] -> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. +Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. ## Windows out of box applications that support PDE @@ -209,7 +93,7 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a - Mail - Supports protecting both email bodies and attachments -## See also +## Next steps -- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) -- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) +- Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md) +- Review the [Personal Data Encryption (PDE) FAQ](faq.yml) From 076fbcffed9f1d9e24f46070f3ada58f5406f0ff Mon Sep 17 00:00:00 2001 
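Review bot: in the `@@ -9,6 +9,66 @@` hunk of configure.md in [PATCH 11/24], `### Security hardening recommendations` and `### Highly recommended` are H3 headings placed directly under the H1 with no H2 above them, while the neighbouring section `## PDE settings list` is H2; make these `##` (or nest them under an H2 such as `## Recommendations`). Two text slips come along with the moved block: the hibernation bullet reads "For more information on disabling crash dumps via Intune, see [Disable hibernation]" (should be "disabling hibernation"), and `device´s` uses an acute accent instead of an apostrophe in both places. Each bullet also still sends readers to the separate `intune-disable-*.md` pages for Intune steps even though this article now carries those settings in its own settings table; link to the table instead so the old pages can be retired.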
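Review bot: the `@@ -95,9 +155,54 @@` hunk of configure.md links to `[How to enable PDE](#how-to-enable-pde)`, but that section is deleted from index.md in this same patch and no heading with that name exists in configure.md, so the anchor is dead; point it at the part of this article that carries the `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` OMA-URI. `PDE protected files can also be decrypted using [WINS-1].` is a reference link with no link text and renders literally; write it as `[cipher.exe][WINS-1]`. The two `cmd` blocks show `cipher.exe /d /s:` and `cipher.exe /d` with no path argument, so spell out a placeholder such as `cipher.exe /d /s:C:\path\to\folder`. Minor: the four manual-decryption steps use `1. 2. 3. 4.` while the index.md hunk in this patch converts the matching step list to the `1.` style.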
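Review bot: after the `@@ -45,14 +45,6 @@` hunk of faq.yml removes the "How can it be determined if a file is protected with PDE?" entry, the unchanged answer that follows still says to see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md); this patch moves that section to configure.md under the title "Disable PDE and decrypt content", so the FAQ now points at a page where it no longer exists. Update the link and section name in the same change. The removed entry was also the only FAQ text explaining how to tell PDE from EFS protection; index.md keeps that procedure, so a one-line pointer to it would preserve the answer.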
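Review bot: the rewritten prerequisites in the `@@ -2,101 +2,39 @@` hunk of index.md drop the old "Not supported with PDE" list, and two of its items, Winlogon automatic restart sign-on (ARSO) and Windows Information Protection (WIP), don't reappear anywhere in this patch (FIDO/security keys and hybrid join are folded into the new bullets; Remote Desktop survives in the denied-access list). Both are limitations an admin needs before deploying, so keep them as sub-bullets under the prerequisites, along with the ARSO disable link. Wording: "users only need to sign-in with Windows Hello for Business" should be "sign in" (verb), and the "Windows 11, version 22H2 and later" bullet lost the "Enterprise and Education editions" qualifier; restore it unless the licensing include now covers editions.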
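Review bot: the `@@ -115,27 +53,11 @@` hunk of index.md removes the whole "How to enable PDE" section, including the `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` OMA-URI with value `1` and the link to the [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp), but the configure.md changes in this patch only add the hardening recommendations and the disable/decrypt section; the enable instructions and the PDE CSP link don't land anywhere visible here. Make sure configure.md's settings list carries that OMA-URI and the CSP link, since the new disable section tells readers to flip that value from `1` to `0`.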
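Review bot: in the `@@ -155,52 +77,14 @@` hunk of index.md, the renumbered step `1. In the **Advanced Attributes** windows, select **Details**` keeps the "windows" typo from the line it replaces; make it "window" while touching the line. Otherwise the list renumbering and the code-formatted `cipher.exe /c` link are fine.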
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:16:59 -0400 Subject: [PATCH 12/24] updates --- .../personal-data-encryption/configure.md | 119 ++++-------------- .../personal-data-encryption/index.md | 29 +++-- 2 files changed, 44 insertions(+), 104 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 6e9dd3a346..885fad8a2a 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -11,84 +11,31 @@ This article describes the Personal Data Encryption (PDE) settings and how to co > [!NOTE] > PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. - -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - -### Security hardening recommendations - -- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). - -- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). 
- -- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). - -- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - - When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - - - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - - - Workgroup devices, including Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. - - Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). 
- -### Highly recommended - -- [BitLocker Drive Encryption](../bitlocker/index.md) enabled - - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. - -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview) - - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. - -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) - - Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. - -- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) - - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN +> +> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. ## PDE settings list -The following table lists the required and suggested settings to use with PDE. +The following table lists the required settings to enable PDE. -| Setting name | Description | Required? | -|-|-|-| -|Enable PDE|PDE isn't enabled by default. 
Before PDE can be used, you must enable it.| This setting is required.| -|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| This setting is required.| -|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|This setting is recommended.| -|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|| -|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|| +| Setting name | Description | +|-|-| +|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| +|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -## Enable Personal Data Encryption (PDE) in Intune +## PDE hardening recommendations -**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** -**Data type**, select **Integer** -**Value**, enter in **1** +The following table lists the recommended settings to improve PDE's security. 
+ +| Setting name | Description | +|-|-| +|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| +|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.| +|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| +|Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| ### Configure PDE with Microsoft Intune 
@@ -112,37 +59,18 @@ Settings Catalog: Category: `Administrative Templates` `Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` -## Disable kernel-mode crash dumps and live dumps\ - -## Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - -## Disable hibernation - -## Disable allowing users to select when a password is required when resuming from connected standby for PDE - -When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - -- On-premises Active Directory joined devices: - - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device - - A password is required immediately after the screen turns off - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices -- Workgroup devices, including Azure AD joined devices: - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome - -Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
- -## Disable allowing users to select when a password is required when resuming from connected standby in Intune [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] | Category | Setting name | Value | |--|--|--| -|`Memory Dump`|`Allow Live Dump`|Block|| -|`Memory Dump`|`Allow Crash Dump`|Block|| -|`Administrative Templates`| `System > Logon` | Select **Allow users to select when a password is required when resuming from connected standby:**
 - **Disabled**| -|**Power**|**Allow Hibernate**|Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option| -|`Administrative Templates`| **Windows Components > Windows Error Reporting** | Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option| +|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| +|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| +|**Memory Dump**|**Allow Live Dump**|Block|| +|**Memory Dump**|**Allow Crash Dump**|Block|| +|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| +|**Power**|**Allow Hibernate**|Block| +|**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] @@ -155,7 +83,6 @@ The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/Devic | **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | | **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | - ## Disable PDE and decrypt content Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index f522dc5930..7afed4f153 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
@@ -24,17 +24,15 @@ Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release To use PDE, the following prerequisites must be met: -- The devices must be [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) - - Domain-joined and hybrid Azure AD joined devices aren't supported -- Users must sign in with [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) - - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) isn't supported - Windows 11, version 22H2 and later +- The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported +- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] ## PDE protection levels -PDE uses **AES-CBC** with a **256-bit key** to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). +PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). | Item | Level 1 | Level 2 | |---|---|---| 
@@ -86,14 +84,29 @@ For EFS protected files, under **Users who can access this file:**, there will b Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. +### Recommendations for using PDE + +The following are recommendations for using PDE: + +- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets +- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN + ## Windows out of box applications that support PDE -Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. 
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE: -- Mail - - Supports protecting both email bodies and attachments +| App name | Details | +|-|-| +| Mail | Supports protecting both email bodies and attachments| ## Next steps - Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md) - Review the [Personal Data Encryption (PDE) FAQ](faq.yml) + + + +[AAD-1]: /azure/active-directory/devices/concept-azure-ad-join +[AAD-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key From 93beb633694c5527a10c7c304db27a580dc9c26e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 12:27:43 -0400 Subject: [PATCH 13/24] updates --- .../personal-data-encryption/configure.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 885fad8a2a..5dcd799c92 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
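Review bot: PATCH 12/24, configure.md hunk @@ -11,84: the two [!NOTE] admonitions now repeat each other. The sentences "The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled." are added to the first note and kept verbatim in the note that follows the settings table; keep them in one place. In the hardening table, the last row is named "Allowing users to select when a password is required when resuming from connected standby disabled" while every other row reads "Disable ...", so rename it for parallelism ("Disable allowing users to select ..."), and the cell still uses an acute accent in "device´s" where an apostrophe is meant.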
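Review bot: PATCH 12/24, configure.md hunk @@ -112,37 +59,18: the ARSO row sets "Sign-in and lock last interactive user automatically after a restart" to Enabled, but the settings table added in this same patch states "To use PDE, ARSO must be disabled"; enabling that policy permits automatic restart sign-on, so the value should be Disabled unless the requirement text is wrong. Two rows also carry a stray trailing pipe, `|**Memory Dump**|**Allow Live Dump**|Block||` and `|**Memory Dump**|**Allow Crash Dump**|Block||`, which renders an empty fourth column, and the WER row is the only one whose value is bold (`**Enabled**`); use plain text like the other values.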
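Review bot: PATCH 12/24, configure.md hunk @@ -155,7 +83,6: the unchanged context line "via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde)" now points at a heading that does not exist. The first hunk of this patch removes "## Enable Personal Data Encryption (PDE) in Intune", the only place where the OMA-URI `./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption` and its value 1 were given, so the instruction to change the value "from 1 to 0" has lost its referent; either restore the OMA-URI in the disable section or point the link at the CSP table. The CSP table immediately above this hunk still lists "Turn On Virtualization Based Security" (`EnableVirtualizationBasedSecurity`) and "Credential Guard Configuration" (`LsaCfgFlags`) under `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`; those are Credential Guard settings and have nothing to do with PDE, so they should go in this patch rather than a later one.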
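Review bot: PATCH 12/24, index.md hunk @@ -24,17: in "Password and [security key][AAD-2] sign in aren't supported" the noun should be hyphenated ("sign-in"), matching "sign in using" being used as a verb in the same bullet. The rewritten bullets now make two claims each ("must be Azure AD joined" plus "hybrid ... aren't supported"); consider a period or semicolon so the unsupported cases read as a separate statement rather than a run-on.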
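Review bot: PATCH 12/24, index.md hunk @@ -86,14: two typos in the new recommendations list, "at it isn't a replacement for BitLocker" should be "as it isn't a replacement", and "PDE-protected concent" should be "content". The bullets are not parallel: the first is imperative ("Enable BitLocker Drive Encryption") while the second and third are noun phrases ("Backup solution such as ...", "Windows Hello for Business PIN reset service."); rewrite them as "Use a backup solution such as ..." and "Use the Windows Hello for Business PIN reset service ...". The "Windows out of box applications" section is converted to a table with a single row (Mail); a table for one item adds little, but if it stays, the column header "Details" should match the capitalisation used in the other tables in this file.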
@@ -76,12 +76,14 @@ Category: `Administrative Templates` Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ -The policy settings are located under: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/`. +|OMA-URI|Format|Value| +|-|-|-| +|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| +|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| +|`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| -| Setting | -|--| -| **Setting name**: Turn On Virtualization Based Security
**Policy CSP name**: `EnableVirtualizationBasedSecurity` | -| **Setting name**: Credential Guard Configuration
**Policy CSP name**: `LsaCfgFlags` | ## Disable PDE and decrypt content From d6423fdd3880ed77caf406da42ca18f236ef797d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 14:02:40 -0400 Subject: [PATCH 14/24] update --- .../personal-data-encryption/configure.md | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 5dcd799c92..c2db39d5c6 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
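Review bot: PATCH 13/24, configure.md hunk @@ -76,12: the new OMA-URI table covers five settings while the Intune settings-catalog table in the same file configures seven; there is no row for `WindowsLogon/AllowAutomaticRestartSignOn` (the one setting the file marks as required besides enabling PDE) nor for `Power/AllowHibernate`. The Value cells for the two string-format rows, `./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting` and `./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`, are empty; these are ADMX-backed policies that take an `<enabled/>` or `<disabled/>` element as the string value, so if the markup was lost to rendering it needs escaping, and if it was never written the rows are incomplete. The introductory sentence says the settings use "the [Policy CSP][CSP-1]", but the first row (`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`) belongs to the PDE CSP, not Policy CSP; and the trailing backslash after "[CSP-1].\" forces a hard line break before an already blank line.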
@@ -74,6 +74,115 @@ Category: `Administrative Templates` [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +> [!TIP] +> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. [1](#footnote1) + +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies +Content-Type: application/json + +{ + "id": "00-0000-0000-0000-000000000000", + "name": "_MSLearn_PDE", + "description": "", + "platforms": "windows10", + "technologies": "mdm", + "roleScopeTagIds": [ + "0" + ], + "settings": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", + "children": [] + } + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_policy_config_power_allowhibernate", + "choiceSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", + "value": "device_vendor_msft_policy_config_power_allowhibernate_0", + "children": [] + } + } + } + ] + } +``` + +1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. + + Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ |OMA-URI|Format|Value| From d0f7be37db472f824adbbe96e382ec3fd192d7ec Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 14:25:44 -0400 Subject: [PATCH 15/24] joined lines for POST --- .../personal-data-encryption/configure.md | 97 +------------------ 1 file changed, 1 insertion(+), 96 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index c2db39d5c6..9ed0735375 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
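Review bot: PATCH 14/24, configure.md hunk @@ -74,6 +74,115: the footnote marker "[1](#footnote1)" in the TIP links to an anchor that nothing defines; the footnote body is a bare paragraph beginning "1 When using this call", so the link is dead in the rendered page. Either give that paragraph the `footnote1` id or move the sentence into the TIP. The TIP says the policy is created "without assignments nor scope tags" (read "or"), yet the payload sets `"roleScopeTagIds": [ "0" ]`; say "with only the default scope tag" or drop the claim. The body also sends `"id": "00-0000-0000-0000-000000000000"` on a create request, which the service assigns itself; confirm it is ignored or remove it to avoid confusing readers. Finally, the ARSO setting here is `device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0`, the Disabled choice, which matches "ARSO must be disabled" but not the Enabled value shown for the same setting in the Intune table earlier in this file; reconcile the two.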
@@ -82,102 +82,7 @@ Category: `Administrative Templates` POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies Content-Type: application/json -{ - "id": "00-0000-0000-0000-000000000000", - "name": "_MSLearn_PDE", - "description": "", - "platforms": "windows10", - "technologies": "mdm", - "roleScopeTagIds": [ - "0" - ], - "settings": [ - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", - "children": [] - } - } - }, - { - "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", - "children": [] - } - } - }, - { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", - "settingInstance": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", - "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", - "choiceSettingValue": { - "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", - "value": "device_vendor_msft_policy_config_power_allowhibernate_0", - "children": [] - } - } - } - ] - } +{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", 
"description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", 
"value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] } ``` 1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. From 6112e325a2fd32b536cedf490bbde51158ed8ff1 Mon Sep 17 00:00:00 2001 
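Review bot: PATCH 15/24, configure.md hunk @@ -82,102: collapsing the request body onto a single line makes every future edit to one setting rewrite the whole line, so the payload can no longer be reviewed setting by setting in a diff, and it is hard to read on the rendered page. If the `msgraph-interactive` block requires a one-line body for the "try it" experience, state that in a short comment above the fence; otherwise keep the formatted JSON from the previous commit. The footnote below the block is still the bare "1 When using this call ..." paragraph with no anchor for the "[1](#footnote1)" link in the TIP.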
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:05:48 -0400 Subject: [PATCH 16/24] updates --- .../personal-data-encryption/configure.md | 69 ++++++++----------- 1 file changed, 28 insertions(+), 41 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 9ed0735375..5afc65aba5 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md @@ -1,13 +1,13 @@ --- title: PDE settings and configuration -description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). ms.topic: how-to ms.date: 08/11/2023 --- # PDE settings and configuration -This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or configuration Service Provider (CSP). +This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP). > [!NOTE] > PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE. 
@@ -37,28 +37,7 @@ The following table lists the recommended settings to improve PDE's security. |Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| |Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| -### Configure PDE with Microsoft Intune - -To configure devices using Microsoft Intune, [create a **Settings catalog** policy][MEM-1], and use the settings listed under the category **`Local Policies Security Options`**: - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -### Configure PDE with CSP - -Alternatively, you can configure devices using a [custom policy][MEM-2] with the [Name CSP][CSP-1].\ - -The policy settings are located under: `./Device/Vendor/MSFT/`. - -|Setting| -| - | -| **Setting name**: Title
**Policy CSP name**: `Setting Name`| - -## Disable Winlogon automatic restart sign-on (ARSO) - -Settings Catalog: -Category: `Administrative Templates` -`Windows Components > Windows Logon Options\Sign-in and lock last interactive user automatically after a restart` - +## Configure PDE with Microsoft Intune [!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] 
@@ -66,17 +45,18 @@ Category: `Administrative Templates` |--|--|--| |**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| |**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| -|**Memory Dump**|**Allow Live Dump**|Block|| -|**Memory Dump**|**Allow Crash Dump**|Block|| +|**Memory Dump**|**Allow Live Dump**|Block| +|**Memory Dump**|**Allow Crash Dump**|Block| |**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| |**Power**|**Allow Hibernate**|Block| |**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] - > [!TIP] -> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. [1](#footnote1) +> Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags. +> +> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. ```msgraph-interactive POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies 
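Review bot: the unchanged context row `|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled|` contradicts the requirement that ARSO be disabled, and the Graph body in the next hunk sets `device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0`; change the table value to `Disabled` in this hunk rather than leaving it for a follow-up. Two smaller points on the added TIP: "without assignments nor scope tags" should read "without assignments or scope tags", and the request body carries a placeholder `"id": "00-0000-0000-0000-000000000000"` even though the service assigns the id on create, so either drop it or say in the TIP that it is ignored.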
@@ -85,10 +65,9 @@ Content-Type: application/json { "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": 
"device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] } ``` -1 When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions. 
+## Configure PDE with CSP - -Alternatively, you can configure devices using a [custom policy][INT-1] with the [Policy CSP][CSP-1].\ +Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2]. |OMA-URI|Format|Value| |-|-|-| @@ -98,15 +77,25 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the |`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| - ## Disable PDE and decrypt content -Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows: +Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps: -- Name: **Personal Data Encryption** -- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** -- Data type: **Integer** -- Value: **0** +### Disable PDE with a settings catalog policy in Intune + +[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)] + +| Category | Setting name | Value | +|--|--|--| +|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption| + +[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] + +### Disable PDE with CSP + +|OMA-URI|Format|Value| +|-|-|-| +|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`| Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: 
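Review bot: the new sentence `+Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].` links "Policy CSP" to `[CSP-1]`, which the reference hunk below still defines as `/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions`, the LocalPoliciesSecurityOptions page rather than the Policy CSP overview; point it at the Policy CSP landing page, since none of the OMA-URIs in the table live under LocalPoliciesSecurityOptions. Minor: "However if you need to disable PDE" needs a comma after "However".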
@@ -144,8 +133,6 @@ To decrypt files on a device using `cipher.exe`: [CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions +[CSP-2]: /windows/client-management/mdm/personaldataencryption-csp -[MEM-1]: /mem/intune/configuration/settings-catalog -[MEM-2]: /mem/intune/configuration/custom-settings-windows-10 - -[WINS-1]: /windows-server/administration/windows-commands/cipher \ No newline at end of file +[WINS-1]: /windows-server/administration/windows-commands/cipher From 2ef6ca10755586da5773fc8f687db9229b9e36d2 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 15:34:52 -0400 Subject: [PATCH 17/24] updates --- .../personal-data-encryption/configure.md | 64 ++++++++++--------- 1 file changed, 35 insertions(+), 29 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 5afc65aba5..521c299687 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -20,8 +20,8 @@ The following table lists the required settings to enable PDE. | Setting name | Description | |-|-| -|Enable PDE|PDE isn't enabled by default. Before PDE can be used, you must enable it.| -|Disable Winlogon automatic restart sign-on (ARSO)| Winlogon ARSO isn't supported for use with PDE. To use PDE, ARSO must be disabled.| +|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.| +|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.| > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. 
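Review bot: the renamed row `+|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|` now uses the exact Intune setting name but still only implies the target state in prose; since the table has no Value column, say explicitly in the description that this setting must be set to Disabled so a reader comparing it with the Intune table below is not left guessing.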
@@ -32,10 +32,10 @@ The following table lists the recommended settings to improve PDE's security. | Setting name | Description | |-|-| -|Disable kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| -|Disable Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.| -|Disable hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| -|Allowing users to select when a password is required when resuming from connected standby disabled|When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| +|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.| +|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. 
For greatest security, disable user-mode crash dumps.| +|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.| +|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Azure AD joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Azure AD joined devices.| ## Configure PDE with Microsoft Intune 
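Review bot: the added row `+|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured ...` carries a trailing space inside the setting-name cell and keeps the acute accent in "device´s" from the old line; replace it with a plain apostrophe ("device's") and trim the cell so the rendered name matches the Intune setting name character for character.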
@@ -43,13 +43,13 @@ The following table lists the recommended settings to improve PDE's security. | Category | Setting name | Value | |--|--|--| -|**PDE**|**Enable Personal Data Encryption (User)**|Enable Personal Data Encryption| -|**Administrative Templates > Windows Components > Windows Logon Options**|**Sign-in and lock last interactive user automatically after a restart**|Enabled| -|**Memory Dump**|**Allow Live Dump**|Block| -|**Memory Dump**|**Allow Crash Dump**|Block| -|**Administrative Templates > System > Logon** | **Allow users to select when a password is required when resuming from connected standby** | Disabled| -|**Power**|**Allow Hibernate**|Block| -|**Administrative Templates > Windows Components > Windows Error Reporting** | **Disable Windows Error Reporting** | **Enabled**| +|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption| +|**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled| +|**Memory Dump**|Allow Live Dump|Block| +|**Memory Dump**|Allow Crash Dump|Block| +|**Administrative Templates > Windows Components > Windows Error Reporting** | Disable Windows Error Reporting | Enabled| +|**Power**|Allow Hibernate|Block| +|**Administrative Templates > System > Logon** | Allow users to select when a password is required when resuming from connected standby | Disabled| [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)] 
@@ -72,14 +72,16 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| |`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| -## Disable PDE and decrypt content +## Disable PDE -Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps: +Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps. ### Disable PDE with a settings catalog policy in Intune 
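Review bot: the added row `+|./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn|string|``|` has an empty Value cell, so the reader cannot tell what to set; this is an ADMX-backed policy, and the required state per the settings table is disabled, so the value should be the `<disabled/>` element. The heading rename `-## Disable PDE and decrypt content` / `+## Disable PDE` also breaks the FAQ's reference to the section "Disable PDE and decrypt files", which is only corrected in a later commit; keep the heading change and the FAQ link update in the same commit so the intermediate state does not ship a dangling cross-reference.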
@@ -93,38 +95,42 @@ Once PDE is enabled, it isn't recommended to disable it. However if you need to ### Disable PDE with CSP +You can disable PDE with CSP using the following setting: + |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`| -Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps: +## Decrypt PDE-encrypted content + +Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps: 1. Open the properties of the file -2. Under the **General** tab, select **Advanced...** -3. Uncheck the option **Encrypt contents to secure data** -4. Select **OK**, and then **OK** again +1. Under the **General** tab, select **Advanced...** +1. Uncheck the option **Encrypt contents to secure data** +1. Select **OK**, and then **OK** again -PDE protected files can also be decrypted using [WINS-1]. Using `cipher.exe` can be helpful to decrypt files in the following scenarios: +PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios: - Decrypting a large number of files on a device -- Decrypting files on a large number of devices. +- Decrypting files on multiple of devices To decrypt files on a device using `cipher.exe`: - Decrypt all files under a directory including subdirectories: - ```cmd - cipher.exe /d /s: - ``` + ```cmd + cipher.exe /d /s: + ``` - Decrypt a single file or all of the files in the specified directory, but not any subdirectories: - ```cmd - cipher.exe /d - ``` + ```cmd + cipher.exe /d + ``` > [!IMPORTANT] -> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE. 
+> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE. ## Next steps @@ -132,7 +138,7 @@ To decrypt files on a device using `cipher.exe`: -[CSP-1]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions +[CSP-1]: /windows/client-management/mdm/policy-configuration-service-provider [CSP-2]: /windows/client-management/mdm/personaldataencryption-csp [WINS-1]: /windows-server/administration/windows-commands/cipher From b513c30ecf9cf0c74b393ffef74138fb49637efd Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:04:16 -0400 Subject: [PATCH 18/24] updates --- .../data-protection/personal-data-encryption/configure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index 521c299687..bc72081ebb 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
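Review bot: the new bullet `+- Decrypting files on multiple of devices` is ungrammatical; "Decrypting files on multiple devices" (the old line's trailing period can stay dropped for consistency with the bullet above). The `cipher.exe /d /s:` example is also missing its directory argument as rendered, so a reader copying it gets a command that fails; add the placeholder after `/s:`. Switching every numbered step to `1.` is fine for markdown auto-numbering, as is re-indenting the fenced blocks to two spaces so they stay inside their list items.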
@@ -72,12 +72,12 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| -|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`/`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`/`| |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`/`| ## Disable PDE From 5b17368bf461e5572eb8ea9b525a893ab2009340 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:19:50 -0400 Subject: [PATCH 19/24] updates --- .../data-protection/personal-data-encryption/configure.md | 5 +---- .../data-protection/personal-data-encryption/faq.yml | 4 ++-- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index bc72081ebb..b577c577bb 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
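Review bot: the replacement values `+|./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn|string|`/`|` (and the same `/` for DisableWindowsErrorReporting and AllowDomainDelayLock) are not usable: ADMX-backed Policy CSP settings take an XML element, `<enabled/>` or `<disabled/>`, not a bare slash. Per the hardening table the intended states are DisableWindowsErrorReporting enabled and the other two disabled, so spell those out; if the angle brackets are being swallowed by the table renderer, escape them rather than dropping them.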
@@ -14,7 +14,7 @@ This article describes the Personal Data Encryption (PDE) settings and how to co > > The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -## PDE settings list +## PDE settings The following table lists the required settings to enable PDE. @@ -23,9 +23,6 @@ The following table lists the required settings to enable PDE. |Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.| |Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.| -> [!NOTE] -> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. - ## PDE hardening recommendations The following table lists the recommended settings to improve PDE's security. diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml index 1e069f5f47..9dbd3b3def 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml 
@@ -4,7 +4,7 @@ metadata: title: Frequently asked questions for Personal Data Encryption (PDE) description: Answers to common questions regarding Personal Data Encryption (PDE). ms.topic: faq - ms.date: 03/13/2023 + ms.date: 08/11/2023 title: Frequently asked questions for Personal Data Encryption (PDE) summary: | @@ -47,7 +47,7 @@ sections: - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md). + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content). - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content? answer: | From 801c35cab26eefa47d78d41372c90aa935a2be13 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 16:53:11 -0400 Subject: [PATCH 20/24] updates to OMA-URI values --- .../data-protection/personal-data-encryption/configure.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md index b577c577bb..7a7277136f 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md 
@@ -69,12 +69,12 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE |OMA-URI|Format|Value| |-|-|-| |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`| -|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|``| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`| |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting`|string|``| |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`| -|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`/`| +|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|``| ## Disable PDE From 3a06a978a7c4fe8ee5a696082faa75410edc5720 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 17:01:30 -0400 Subject: [PATCH 21/24] redirects --- ...blishing.redirection.windows-security.json | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 54589ae7b4..6e2684b399 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
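Review bot: reverting the three string rows to an empty cell (`+|...AllowAutomaticRestartSignOn|string|``|` and the two below it) reintroduces the gap from the first version of this table, so after four commits the reader still has no value to set for the ADMX-backed policies; whichever form is chosen, each of these rows needs an explicit value, and the int rows (`AllowCrashDump`, `AllowLiveDump`, `AllowHibernate` set to `0`) show the level of precision the string rows should match.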
@@ -7334,6 +7334,51 @@ "source_path": "windows/security/zero-trust-windows-device-health.md", "redirect_url": "/windows/security/security-foundations/zero-trust-windows-device-health", "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": 
"windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption", + "redirect_document_id": false + }, + { + "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq", + "redirect_document_id": false } ] } From 0ca325899fa2e4b819809fd8cf1426d95d2688a6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 11 Aug 2023 18:19:02 -0400 Subject: [PATCH 22/24] updates --- .../data-protection/personal-data-encryption/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 7afed4f153..6fe6c59028 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
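Review bot: the redirect for `includes/pde-description.md` points at the directory root, but include files are not published as standalone pages, so this entry most likely does nothing and can be dropped; the remaining entries look right. Separately, since `configure-pde-in-intune.md`, `intune-enable-pde.md` and the other `intune-*.md` sources are now redirected, make sure toc.yml no longer carries entries for those paths in the same PR, otherwise the table of contents will link to pages that resolve only through redirects.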
@@ -84,13 +84,13 @@ For EFS protected files, under **Users who can access this file:**, there will b Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command. -### Recommendations for using PDE +## Recommendations for using PDE The following are recommendations for using PDE: - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you have to re-sync OneDrive -- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. 
If the files are synced to OneDrive, to regain access you must re-sync OneDrive +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN ## Windows out of box applications that support PDE From 3f67863dd2e41e0523becf55a3f41e020930e9bb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 21 Aug 2023 12:23:13 -0400 Subject: [PATCH 23/24] updates --- .../personal-data-encryption/index.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 6fe6c59028..0608ea1a7c 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md 
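Review bot: the rewritten `+- Backup solution such as ...` line in this hunk carries the typo `concent` forward (`PDE-protected concent inaccessible`) and still lacks an article (`A backup solution such as`); since the line is being re-worded anyway, fix both here rather than in a later patch of the same series. The heading promotion from `### Recommendations for using PDE` to `## Recommendations for using PDE` is consistent with the `## Windows out of box applications that support PDE` heading that follows in the context lines, so that part looks right.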
@@ -10,7 +10,7 @@ ms.date: 08/11/2023 Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows. PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\ -When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs in to the device. +When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device. The use of Windows Hello for Business offers the following advantages: @@ -26,7 +26,10 @@ To use PDE, the following prerequisites must be met: - Windows 11, version 22H2 and later - The devices must be [Azure AD joined][AAD-1]. Domain-joined and hybrid Azure AD joined devices aren't supported -- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md). Password and [security key][AAD-2] sign in aren't supported +- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md) + +> [!IMPORTANT] +> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content. [!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] 
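Review bot: in the `@@ -10,7` hunk, changing `signs in to the device` to `signs into the device` introduces an inconsistency with the unchanged context line just above it, which reads `When a user signs in to a device using Windows Hello for Business`; keep `signs in to` in both places. In the `@@ -26,7` hunk, the new `[!IMPORTANT]` note writes `PDE protected content` while the rest of the page hyphenates the compound (`PDE-protected content`); use `PDE-protected content` so the term is spelled one way throughout. Moving the password and security-key limitation out of the prerequisite bullet and into an alert is fine, but the alert now states a consequence (`you can't access PDE protected content`) rather than a prerequisite, so make sure the bullet above it still says that Windows Hello for Business sign-in is required, which it does.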
@@ -64,8 +67,8 @@ PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, | Item | PDE | BitLocker | |--|--|--| | Release of decryption key | At user sign-in via Windows Hello for Business | At boot | -| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot | -| Files protected | Individual specified files | Entire volume/drive | +| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown | +| Protected content | All files in protected folders | Entire volume/drive | | Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in | ## Differences between PDE and EFS 
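Review bot: in the `Decryption keys discarded` row, replacing `At reboot` with `At shutdown` narrows the statement in a way that reads as if a restart keeps BitLocker keys in memory; the keys are gone whenever the OS stops and are released again by the TPM at the next boot, so `At shutdown or restart` states it without ambiguity. The `Protected content` row changes what PDE is said to cover, from `Individual specified files` to `All files in protected folders`; that is a change of scope, not just wording, so the `## Differences between PDE and EFS` section that follows this hunk and any text describing per-file protection should be checked for agreement in the same patch.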
@@ -89,7 +92,7 @@ Encryption information including what encryption method is being used to protect The following are recommendations for using PDE: - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker -- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected concent inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive +- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive - [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN From 6e7e0f50c77febcba1e33dac101afc186fd76ff2 Mon Sep 17 00:00:00 2001 
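Review bot: this hunk corrects `concent` to `content`, but the unchanged context line directly above it still reads `for increased security at it isn't a replacement for BitLocker`, where `at` should be `and`; since the series is already making two passes over this bullet list, fold that fix into this hunk as well so the typo does not survive the merge.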
From: David Strome Date: Fri, 25 Aug 2023 16:19:11 -0700 Subject: [PATCH 24/24] Create test.txt --- test.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 test.txt diff --git a/test.txt b/test.txt new file mode 100644 index 0000000000..c0c17bba9a --- /dev/null +++ b/test.txt @@ -0,0 +1 @@ +test file to test sync
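Review bot: this final patch adds `test.txt` at the repository root containing only `test file to test sync`; it is a sync-test artifact unrelated to the PDE documentation changes in the rest of the series and should be dropped or reverted before merge so the file does not land in the docs repository.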