Update notes on PSRP changes

Author: sdwheeler

reference/7.6/Microsoft.PowerShell.Core/About/about_Remote_Requirements.md

@@ -1,7 +1,7 @@
 ---
 description: Describes the system requirements and configuration requirements for running remote commands in PowerShell.
 Locale: en-US
-ms.date: 07/03/2023
+ms.date: 08/18/2025
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_remote_requirements?view=powershell-7.6&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about_Remote_Requirements
@@ -49,7 +49,7 @@ computers must have the following:
 - Windows Remote Management 2.0
 
 To be fully supported, you should be using WMF 5.1. For more information about
-WMF support, see [Windows Management Framework (WMF)][02].
+WMF support, see [Windows Management Framework (WMF)][03].
 
 You can create a remote session between a computer running Windows PowerShell
 2.0 and one running a newer version of PowerShell. However, features that run
@@ -90,7 +90,7 @@ configurations with different security descriptors. Users can use the
 different endpoints.
 
 For more information about session configurations, see
-[about_Session_Configurations][07].
+[about_Session_Configurations][08].
 
 ## Windows network locations
 
@@ -190,7 +190,11 @@ Id Name        ComputerName    State    ConfigurationName
 1  Session1    localhost       Opened   Microsoft.PowerShell
 ```
 
-If the command fails, see [about_Remote_Troubleshooting][04].
+If the command fails, see [about_Remote_Troubleshooting][05].
+
+The PowerShell Remoting Protocol (PSRP) requires a secure transport layer for
+secure data transfer. For more information, see _Secure data transfer in
+PowerShell remoting_ section of [PowerShell security features][02].
 
 ## Understand policies
 
@@ -204,21 +208,22 @@ policies on the remote computer are in effect.
 
 ## See also
 
-- [about_Remote][06]
-- [about_Remote_Variables][05]
-- [about_PSSessions][03]
-- [Invoke-Command][09]
-- [Enter-PSSession][08]
-- [New-PSSession][10]
+- [about_Remote][07]
+- [about_Remote_Variables][06]
+- [about_PSSessions][04]
+- [Invoke-Command][10]
+- [Enter-PSSession][09]
+- [New-PSSession][11]
 
 <!-- link references -->
 [01]: /powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core
-[02]: /powershell/scripting/windows-powershell/wmf/overview
-[03]: about_PSSessions.md
-[04]: about_Remote_Troubleshooting.md
-[05]: about_Remote_Variables.md
-[06]: about_Remote.md
-[07]: about_Session_Configurations.md
-[08]: xref:Microsoft.PowerShell.Core.Enter-PSSession
-[09]: xref:Microsoft.PowerShell.Core.Invoke-Command
-[10]: xref:Microsoft.PowerShell.Core.New-PSSession
+[02]: /powershell/scripting/security/security-features#secure-data-transfer-in-powershell-remoting
+[03]: /powershell/scripting/windows-powershell/wmf/overview
+[04]: about_PSSessions.md
+[05]: about_Remote_Troubleshooting.md
+[06]: about_Remote_Variables.md
+[07]: about_Remote.md
+[08]: about_Session_Configurations.md
+[09]: xref:Microsoft.PowerShell.Core.Enter-PSSession
+[10]: xref:Microsoft.PowerShell.Core.Invoke-Command
+[11]: xref:Microsoft.PowerShell.Core.New-PSSession

reference/docs-conceptual/security/security-features.md

@@ -1,6 +1,6 @@
 ---
 description: PowerShell has several features designed to improve the security of your scripting environment.
-ms.date: 05/22/2025
+ms.date: 08/18/2025
 title: PowerShell security features
 ---
 # PowerShell security features
@@ -92,6 +92,42 @@ The creation and publishing of the SBOM is the first step to modernize Federal G
 cybersecurity and enhance software supply chain security. For more information about this
 initiative, see the blog post [Generating SBOMs with SPDX at Microsoft][11].
 
+## Secure data transfer in PowerShell remoting
+
+Prior to PowerShell v7.6-preview5, a `Session_Key` is used to encrypt a **SecureString** before
+sending it a PowerShell remote session. The PowerShell Remoting Protocol (PSRP) performs a
+key exchange between client and server when a `SecureString` object needs to be
+transferred. The exchange involves the following steps:
+
+1. The client side generates a public/private key pair and sends the public key to the server.
+1. The server generates a session key for symmetric encryption.
+1. The server uses the public key to encrypt the session key and sends it to the client.
+1. Both the client and server use the new session key to encrypt a **SecureString** object.
+
+The PowerShell Remoting Protocol (PSRP) uses the `RSAEncryptionPadding.Pkcs1` during the key
+exchange. The algorithm, is **NOT** secure, therefore, the key exchange doesn't provide any extra
+security. PSRP requires a secure transport layer for secure data transfer.
+
+Beginning in PowerShell v7.6-preview5, the key exchange was deprecated. The version of PSRP was
+incremented to v2.4 and includes the following changes:
+
+- The following PSRP messages are deprecated when both client and server are v2.4 or higher:
+
+  - PUBLIC_KEY
+  - PUBLIC_KEY_REQUEST
+  - ENCRYPTED_SESSION_KEY
+
+- The encryption and decryption steps for `SecureString` are skipped when both client and server are
+  v2.4 or higher.
+
+- PSRP can use a named pipe remote sessions when both client and server are on the same machine.
+  Since it's possible for a remote client to connect to named pipe and the data is no longer
+  encrypted with a session key, the named pipe (used for `Enter-PSHostProcess`) rejects the remote
+  client.
+
+This change is backward compatible. For old clients or servers (v2.3 or lower), the key exchange is
+still used when needed.
+
 ## Security Servicing Criteria
 
 PowerShell follows the [Microsoft Security Servicing Criteria for Windows][12]. Only security