Expand Up @@ -6,32 +6,6 @@ sidebar_position: 70

# Command Line Interface

## Silent Installation

Replace _version_ with the complete version and build number of the **msi** file. For example,
11.2.0.148.

Install only PPE Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureServerPPE
/q

Install only Console: msiexec /i Netwrix_PPE_Server_**version**_x64.msi ADDLOCAL=FeatureConsole /q

Install only Mailer Server: msiexec /i Netwrix_PPE_Server_**version**_x64.msi
ADDLOCAL=FeaturePPEMailerServer /q

Install all 3 components:

msiexec /i Netwrix_PPE_Server_**version**_x64.msi
ADDLOCAL=FeaturePPEMailerServer,FeatureConsole,FeatureServerPPE /q

By default Console only installed: msiexec /i Netwrix_PPE_Server_**version**_x64.msi /q

Uninstall all: msiexec /uninstall Netwrix_PPE_Server_**version**_x64.msi /q

Uninstall only particular feature: msiexec /i _path_to_your_msi_file.msi_ REMOVE=_FeatureName_ /qn

If a reboot wasn't done, add **/forcerestart** at the end

## Mailer

You can run the Password Policy Enforcer Mailer from the command line to deliver email immediately,
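Review bot: the entire Silent Installation section (the msiexec ADDLOCAL and REMOVE command lines and the /forcerestart note) is removed with no replacement visible in this diff, so unattended installation and uninstallation are no longer documented on this page; if the content moved elsewhere, add a link to it under the Command Line Interface heading before the Mailer section, and if it is reinstated anywhere, put each command in a fenced code block, since the wrapped `/q` on its own line ("... ADDLOCAL=FeatureServerPPE" then "/q") renders as a broken command.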
Expand Up @@ -12,7 +12,7 @@ The check can be scheduled to run at any time to verify existing passwords again

:::note
Create the **Compromised Passwords Base** file before enabling the Compromised Password
Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for instructions.
Check. See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for instructions.
:::


Expand All @@ -32,7 +32,7 @@ Click the **Compromised Password Check** toggle to enable/disable the feature.
![Compromised Password Check](/images/passwordpolicyenforcer/11.2/administration/compromisedpasswords.webp)

- **Compromised Passwords Base** specify the database to use when checking for compromised
passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) to create this database.
passwords. Netwrix recommends using the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) to create this database.
Click **Browse** to navigate to the folder. Default is **C:\HIBP\DB**
- **Domain Controller (FQDN)** specify the fully qualified domain controller name where you want to
run the password check. Click **Browse** and select from the list.
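Review bot: both link edits in this file now target /docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md, but the hibpupdater.md hunks in this PR only change sidebar_position, whitespace and one sentence, with no rename shown; confirm the file really lives under admin/ after this change, otherwise both links break (a Docusaurus build with broken-link checking set to throw will catch this). The `:::note` still calls the Compromised Passwords Base a "file" while the setting description below calls it a database and a folder (default C:\HIBP\DB); use one term consistently.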
@@ -1,7 +1,7 @@
---
title: "HIBP Updater"
description: "HIBP Updater"
sidebar_position: 90
sidebar_position: 20
---

# HIBP Updater
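Review bot: sidebar_position drops from 90 to 20 here, and the Disable Windows Rules page in this same PR also moves to sidebar_position 20; if both pages end up in the same sidebar directory their order becomes ambiguous, so give one of them a distinct value.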
Expand All @@ -27,17 +27,17 @@ If the HIBP database is copied to and stored local on the Domain Controllers:

- The HIBP database takes up additional space on the machine where it is copied. (Aproximetly 13GB but subject to change)
- If doing local the database needs to be on every Domain Controller in the same location as specified in the Rule.
- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database
- A network connection doesn't come into play and possibly affect performance of checking the password against the HIBP database
- The pending password candidate is checked against the archived hash file at the local level. If a password hash is matched, the pending password change is rejected.


If the HIBP database is kept on a Network Share:

- The database takes up space only on the Network Share, not on each Domain Controller. 
- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check:
- The database takes up space only on the Network Share, not on each Domain Controller.
- Requires a working network connection from the Domain Controllers to the Network Share with Read permissions to check:
- The pending password candidate from Domain Controller against the HIBP Database stored on the Network Share, this could affect LSASS/Password Change performance depending on the environment.
- HIBP database space isn't required on the domain controllers but on one Network Location.
- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted.
- At the time of a password change, if the Network Share isn't available, the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted.
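Review bot: the changes in this hunk are whitespace-only, so while these lines are being touched fix the typos and the broken sentence around them: "Aproximetly 13GB" should read "Approximately 13 GB", "stored local on the Domain Controllers" should read "stored locally on the Domain Controllers", and "If doing local the database needs to be" should read "If the database is stored locally, it needs to be". The last bullet ("the Domain Controller must assume the hash is okay and the possibility of a known compromised password being accepted") has no verb for its second half; suggest "the Domain Controller cannot check the candidate and accepts it, so a known compromised password may be allowed". Saying plainly that the network-share layout fails open when the share is unreachable is the trade-off an administrator most needs when choosing between the two layouts.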

## Installation and Configuration

Expand All @@ -58,7 +58,7 @@ Only run this from one server.

### Passwords Hash Database

Password Policy Enforcer uses the Passwords Hash database to check if users new and pending
Password Policy Enforcer uses the Passwords Hash database to check if users' new and pending
password (i.e. during a password reset) matches the hash of a compromised password from a data
breach.

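Review bot: the apostrophe fix is correct, but the sentence still mixes plural and singular ("users' new and pending password ... matches"); suggest "check whether a user's new or pending password (for example, during a password reset) matches the hash of a compromised password from a data breach".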
Expand All @@ -83,7 +83,7 @@ size of the hash file, this download takes up a significant amount of CPU and do

- Update Type:

- Full Download – Download all data from the HIBP database hosted on the Netwrix website
- Full Download – Download all data from the HIBP database hosted on the Netwrix website
- Incremental Update – Download updates from the HIBP database hosted on the Netwrix website
instead of downloading the full HIBP database. This option is enabled after a full download of
the HIBP database has completed.
Expand Up @@ -22,5 +22,5 @@ degrades performance, and could jeopardize security.
:::


See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/installation/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP)
See the [HIBP Updater](/docs/passwordpolicyenforcer/11.2/admin/hibpupdater.md) topic for the information about the Have I Been Pwnd (HIBP)
database usage.
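Review bot: the service name on the changed line is misspelled; "Have I Been Pwnd (HIBP)" should be "Have I Been Pwned (HIBP)", and "for the information about" reads better as "for information about".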
@@ -1,19 +1,19 @@
---
title: "Enforce Password Reset with Azure Password Writeback"
description: "Enforce Password Reset with Azure Password Writeback"
sidebar_position: 100
sidebar_position: 85
---

# Enforce Password Reset with Azure Password Writeback

You can use Password Policy Enforcer to enforce password policies for passwords reset from Microsoft
Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the
Entra ID and O365 by enabling password writeback in Microsoft Entra ID. See the
[How does self-service password reset writeback work in Microsoft Entra ID?](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-writeback)
Microsoft knowledge base article for additional information on password writeback in Microsoft Entra
ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises
ID. Password writeback sends all new passwords from Microsoft Entra ID to an available, on-premises
domain controller to check with Password Policy Enforcer. This happens while the user is resetting
their password. See the
[Tutorial: Enable Microsoft Entra self-service password reset writeback to an on-premises environment](https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback)
and
[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft
[How it works: Microsoft Entra self-service password reset](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks#how-it-works-microsoft-entra-self-service-password-reset) Microsoft
knowledge base articles for additional information on password writeback for Microsoft Entra ID.
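Review bot: apart from sidebar_position 100 to 85, this hunk is whitespace-only; since the lines are being touched anyway, the three docs.microsoft.com/en-us/azure/active-directory/... links are legacy URLs that now redirect to learn.microsoft.com, so consider pointing them at their current learn.microsoft.com locations so the page does not depend on redirects.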
54 changes: 0 additions & 54 deletions docs/passwordpolicyenforcer/11.2/gettingstarted.md

This file was deleted.
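Review bot: gettingstarted.md is deleted (54 lines) but no hunk in this PR updates a link or sidebar entry pointing at it; grep the docs tree for gettingstarted.md and /gettingstarted references before merging, and if any of its content was meant to survive, state in the PR description where it went.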

2 changes: 1 addition & 1 deletion docs/passwordpolicyenforcer/11.2/index.md
Expand Up @@ -37,7 +37,7 @@ The Configuration Console has some additional requirements:
This component sends email from Password Policy Enforcer to your mail server. Although not required, this component supports several PPE features, so you'll most likely want to install it on one server in the domain. This component requires the [.NET Desktop Runtime 10.0 or later](https://aka.ms/dotnet/10.0/windowsdesktop-runtime-win-x64.exe).

### Password Policy Client (PPC)
The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers and virtual desktops.
The Password Policy Client helps users to choose a compliant password by showing them the password policy rules, and also which rules they don't comply with. This component is optional, but very beneficial. It works on all operating systems listed in the System Requirements section, but you'll typically only install it on users' computers, virtual desktops, and Remote Desktop Session Hosts.

### Password Policy Enforcer Web
Password Policy Enforcer Web is an optional component that runs on Microsoft Internet Information Services (IIS). It has similar features to the Password Policy Client, but via a web interface. Use Password Policy Enforcer Web if you prefer not to install the Password Policy Client, or if you want to integrate Active Directory password changes into your own applications.
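Review bot: adding Remote Desktop Session Hosts as a typical install target for the Password Policy Client means the client is now expected to run on Windows Server in multi-user sessions; the sentence defers to the System Requirements section, so confirm that section actually lists the server versions the client supports.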
@@ -1,51 +1,36 @@
---
title: "Disable Windows Rules"
description: "Disable Windows Rules"
sidebar_position: 80
description: "How to disable the Windows password policy rules to avoid conflicts with Password Policy Enforcer."
sidebar_position: 20
---

# Disable Windows Rules

The Windows password policy rules can place restrictions on password history, age, length, and
complexity. If you enable the Password Policy Enforcer rules and the Windows rules, then users must
comply with both sets of rules.
Windows has its own password policy rules for password history, age, length, and complexity. If you enable both Password Policy Enforcer (PPE) rules and Windows rules, users must comply with both the PPE and Windows rules.

Password Policy Enforcer has its own history, minimum age, and maximum age, length, and complexity rules.
See the [Rules](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/rules.md) topic for additional information. You can use the Password Policy Enforcer
and Windows rules together. A password is only accepted if it complies with the Windows and Password
Policy Enforcer password policies.
PPE has its own rules for password [history](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/history_rule.md), [minimum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/minimum_age_rule.md), [maximum age](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/maximum_age_rule.md), [length](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/length_rule.md), and [complexity](/docs/passwordpolicyenforcer/11.2/admin/manage-policies/rules/complexity_rule.md). While it's possible, and sometimes beneficial, to use PPE and Windows rules together, it can also be confusing when testing PPE. It is therefore recommended to disable the Windows password policy rules while you are experimenting with and testing your PPE configuration.

These steps disable the Windows password policy rules:
To disable the Windows password policy rules:

**Step 1 –** Start the Group Policy Management Console **(gpmc.msc**).

**Step 2 –** Expand the forest and domain items in the left pane.

**Step 3 –** Right-click the **Default Domain Policy GPO** (or whichever GPO you use to set your
domain password policy), then click **Edit...**

**Step 4 –** Expand the **Computer Configuration**, **Policies**, **Windows Settings**, **Security
Settings**, **Account Policies**, and **Password Policy** items.

**Step 5 –** Double-click **Enforce password history** in the right pane of the GPO Editor.

**Step 6 –** Enter **0** in the text box, then click **OK**.

**Step 7 –** Repeat the step above for the **Maximum password age**, **Minimum password age**, and
**Minimum password length** policies.

**Step 8 –** Double-click **Password must meet complexity requirements** in the right pane.

**Step 9 –** Select the **Disabled** option, and then click **OK**.

**Step 10 –** Close the Group Policy Management Editor.
1. Start the Group Policy Management Console (`gpmc.msc`).
2. Expand the **Forest** and **Domains** items, then expand your domain in the left pane.
3. Right-click the **Default Domain Policy** GPO (or whichever GPO you use for your domain password policy), then click **Edit**.
4. Expand **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**.
5. Double-click **Enforce password history** in the right pane.
6. Enter **0** in the text box, then click **OK**.
7. Repeat step 6 for **Maximum password age**, **Minimum password age**, and **Minimum password length**.
8. Double-click **Password must meet complexity requirements** in the right pane.
9. Select **Disabled**, then click **OK**.
10. Close the Group Policy Management Editor.

![installing_ppe_3](/images/passwordpolicyenforcer/11.2/evaluation/preparing_the_computer.webp)

:::tip
Don't set the Windows policies to **Not Configured** as that leaves the previously enforced value in place and doesn't disable the rule. Instead, follow the steps above to explicitly set each numeric policy to **0** and set the complexity policy to **Disabled**.
:::

:::note
You don't have to disable all the Windows password policy rules to use Password Policy
Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you
like. Remember that a password is only accepted if it complies with the rules enforced by both
Windows and Password Policy Enforcer.
You don't have to disable the Windows password policy rules to use PPE. A password must comply with both the Windows and PPE policies to be accepted.

Fine-Grained Password Policies (FGPP) override the domain password policy. If your organization uses FGPP, you'll also need to remove or modify any Password Settings Objects (PSOs) that apply to your users. To do that, open **Active Directory Administrative Center**, navigate to **System** > **Password Settings Container**, and remove or modify the relevant PSOs.
:::
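Review bot: step 7 says "Repeat step 6 for Maximum password age, Minimum password age, and Minimum password length", but step 6 is only entering 0 and clicking OK; the reader also has to double-click each policy first, so it should read "Repeat steps 5 and 6 for ...". The new `:::note` on Fine-Grained Password Policies tells the reader to remove or modify PSOs, while the paragraph above frames disabling the Windows rules as something to do while experimenting with and testing a PPE configuration; make that scope explicit in the note as well (a test environment, or only the PSOs that apply to test accounts), since removing PSOs and zeroing the domain password policy in production strips the Windows controls that remain wherever PPE is not applied. Minor: the image alt text "installing_ppe_3" is not descriptive; describe the screenshot instead.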