deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 00:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

PDE Updates Post Release 3

Browse Source
This commit is contained in:
Frank Rojas 2022-12-07 19:33:03 -05:00
parent bc88fff33c
commit dbf58834cb
2 changed files with 46 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
View File

@ -33,16 +33,16 @@ ms.date: 12/07/2022
6. Under **Template name**, select **Custom**, and then select **Create** 6. Under **Template name**, select **Custom**, and then select **Create**
7. On the **Basics** tab: 7. In **Basics**:
1. Next to **Name**, enter **Personal Data Encryption** 1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
8. Select **Next** 8. Select **Next**
9. On the **Configuration settings** tab, select **Add** 9. In **Configuration settings**, select **Add**
10. In the **Add Row** window: 10. In **Add Row**:
1. Next to **Name**, enter **Personal Data Encryption** 1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
@ -52,16 +52,16 @@ ms.date: 12/07/2022
11. Select **Save**, and then select **Next** 11. Select **Save**, and then select **Next**
12. On the **Assignments** tab: 12. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the PDE policy should be deployed to 2. Select the groups that the PDE policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
13. On the **Applicability Rules** tab, configure if necessary and then select **Next** 13. In **Applicability Rules**, configure if necessary and then select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Winlogon automatic restart sign-on (ARSO) ### Disable Winlogon automatic restart sign-on (ARSO)
@ -77,14 +77,14 @@ ms.date: 12/07/2022
6. Under **Template name**, select **Administrative templates**, and then select **Create** 6. Under **Template name**, select **Administrative templates**, and then select **Create**
7. On the **Basics** tab: 7. In **Basics**:
1. Next to **Name**, enter **Disable ARSO** 1. Next to **Name**, enter **Disable ARSO**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
8. Select **Next** 8. Select **Next**
9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** 9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
10. Select **Sign-in and lock last interactive user automatically after a restart** 10. Select **Sign-in and lock last interactive user automatically after a restart**
@ -92,16 +92,16 @@ ms.date: 12/07/2022
12. Select **Next** 12. Select **Next**
13. On the **Scope tags** tab, configure if necessary and then select **Next** 13. In **Scope tags**, configure if necessary and then select **Next**
14. On the **Assignments** tab: 14. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the ARSO policy should be deployed to 2. Select the groups that the ARSO policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
15. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
## Security hardening recommendations ## Security hardening recommendations
@ -117,31 +117,31 @@ ms.date: 12/07/2022
5. Under **Profile type**, select **Settings catalog**, and then select **Create** 5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the **Basics** tab: 6. In **Basics**:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
7. Select **Next** 7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings** 8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** windows, select **Memory Dump** 9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump**
10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** 11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next** 12. In **Scope tags**, configure if necessary and then select **Next**
13. On the **Assignments** tab: 13. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable crash dumps policy should be deployed to 2. Select the groups that the disable crash dumps policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps ### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps
@ -155,31 +155,31 @@ ms.date: 12/07/2022
5. Under **Profile type**, select **Settings catalog**, and then select **Create** 5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the **Basics** tab: 6. In **Basics**:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
7. Select **Next** 7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings** 8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** windows, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting** 9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting**
10. When the settings appear in the lower pane, under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change both **Disable Windows Error Reporting** to **Enabled**, and then select **Next** 11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next** 12. In **Scope tags**, configure if necessary and then select **Next**
13. On the **Assignments** tab: 13. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable WER dumps policy should be deployed to 2. Select the groups that the disable WER dumps policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable hibernation ### Disable hibernation
@ -193,31 +193,31 @@ ms.date: 12/07/2022
5. Under **Profile type**, select **Settings catalog**, and then select **Create** 5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the **Basics** tab: 6. In **Basics**:
1. Next to **Name**, enter **Disable Hibernation** 1. Next to **Name**, enter **Disable Hibernation**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
7. Select **Next** 7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings** 8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** windows, select **Power** 9. In the **Settings picker** window, under **Browse by category**, select **Power**
10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Allow Hibernate** to **Block**, and then select **Next** 11. Change **Allow Hibernate** to **Block**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next** 12. In **Scope tags**, configure if necessary and then select **Next**
13. On the **Assignments** tab: 13. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable hibernation policy should be deployed to 2. Select the groups that the disable hibernation policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable allowing users to select when a password is required when resuming from connected standby ### Disable allowing users to select when a password is required when resuming from connected standby
@ -231,31 +231,32 @@ ms.date: 12/07/2022
5. Under **Profile type**, select **Settings catalog**, and then select **Create** 5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the **Basics** tab: 6. In **Basics**:
1. Next to **Name**, enter **Disable Hibernation** 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
2. Next to **Description**, enter a description 2. Next to **Description**, enter a description
7. Select **Next** 7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings** 8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** windows, select **Power** 9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon**
10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window 10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Allow Hibernate** to **Block**, and then select **Next** 11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next** 12. In **Scope tags**, configure if necessary and then select **Next**
13. On the **Assignments** tab: 13. In **Assignments**:
1. Under **Included groups**, select **Add groups** 1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable hibernation policy should be deployed to 2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to
3. Select **Select** 3. Select **Select**
4. Select **Next** 4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** 14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
## See also ## See also
- [Personal Data Encryption (PDE)](overview-pde.md) - [Personal Data Encryption (PDE)](overview-pde.md)

4
windows/security/information-protection/personal-data-encryption/overview-pde.md
View File

@ -54,7 +54,7 @@ ms.date: 12/07/2022
Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- [Disable allowing users to select when a password is required when resuming from connected standby](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different: When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different:
@ -72,7 +72,7 @@ ms.date: 12/07/2022
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome. - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices. Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby). For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby).