Expand Up @@ -20,8 +20,11 @@ not jeopardize network security.
You can also use Password Policy Enforcer to ensure that passwords are compatible with other
systems, and to synchronize passwords with other networks and applications.

**NOTE:** The
:::note
The
[Evaluation](/docs/passwordpolicyenforcer/10.2/evaluation/evaluation_overview.md)
topic contains step-by-step instructions to help you quickly install, configure, and evaluate
Password Policy Enforcer. Read the Evaluation topic if you are using Password Policy Enforcer for
the first time.

:::
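Review bot: the closing `:::` of this note is preceded by a blank line, while the other admonitions converted in this PR close `:::` directly after the last text line; drop the blank line so the note blocks are formatted consistently across the docs.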
20 changes: 16 additions & 4 deletions docs/passwordpolicyenforcer/10.2/administration/connecting.md
Expand Up @@ -29,8 +29,11 @@ Enforcer view.

**Step 4 –** Enter the **name** or **IP address** of a domain controller, then click **OK**.

**NOTE:** You cannot make changes to the Password Policy Enforcer configuration while the management
:::note
You cannot make changes to the Password Policy Enforcer configuration while the management
console is connected to a read-only domain controller.
:::


## Connecting to a Local Configuration

Expand All @@ -50,9 +53,18 @@ Enforcer view.

**Step 3 –** Select the **Local** option, then click **OK**.

**NOTE:** Domain configurations are stored in the CN=Password Policy Enforcer 10.0,CN=System object.
:::note
Domain configurations are stored in the CN=Password Policy Enforcer 10.0,CN=System object.
:::


**NOTE:** Local configurations are stored in the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\
:::note
Local configurations are stored in the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\
registry key.
:::


:::note
Users with write permission to these objects can configure Password Policy Enforcer.

**NOTE:** Users with write permission to these objects can configure Password Policy Enforcer.
:::
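Review bot: the line `Local configurations are stored in the HKLM\SOFTWARE\ANIXIS\Password Policy Enforcer 10.0\` ends with a backslash at end of line, which Markdown treats as a hard line break and drops, so the rendered registry path loses its trailing `\`; wrap the path (and the `CN=Password Policy Enforcer 10.0,CN=System` distinguished name above it) in backticks so they render verbatim. Since these three notes are consecutive, consider merging them into a single `:::note` so that "Users with write permission to these objects can configure Password Policy Enforcer" sits directly next to the two objects it refers to; that sentence is the access-control point of the section and is easy to miss as a separate block.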
31 changes: 23 additions & 8 deletions docs/passwordpolicyenforcer/10.2/administration/hibpupdater.md
Expand Up @@ -32,11 +32,14 @@ location.

The HIBP Updater is installed when you install the Password Policy Enforcer Management Server.

**_RECOMMENDED:_** Only run this from one server.
:::info
Only run this from one server.
:::


**Step 1 –** To access the HIBP Updater, navigate to the installation location:

...\Program Files (x86)\Password Policy Enforcer\HIBP\
**...\Program Files (x86)\Password Policy Enforcer\HIBP\**

![hibpfolder](/img/product_docs/passwordpolicyenforcer/10.2/administration/hibpfolder.webp)

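Review bot: `**...\Program Files (x86)\Password Policy Enforcer\HIBP\**` will not render as bold: the trailing backslash escapes the first `*` of the closing `**`, leaving a literal asterisk and an unterminated bold span. Use a code span instead (`` `...\Program Files (x86)\Password Policy Enforcer\HIBP\` ``), which also keeps the backslashes intact. The `:::info` conversion also drops the RECOMMENDED label, so "Only run this from one server." now reads as a bare statement rather than a recommendation; consider giving the admonition a title that preserves that meaning.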
Expand All @@ -48,18 +51,24 @@ Password Policy Enforcer utilizes the Passwords Hash database to check if users
password (i.e. during a password reset) matches the hash of a compromised password from a data
breach.

**NOTE:** First-time configuration of this window requires downloading the HIBP database from the
:::note
First-time configuration of this window requires downloading the HIBP database from the
Netwrix website.
:::


![passwordhashdatabase](/img/product_docs/passwordpolicyenforcer/10.2/administration/passwordhashdatabase.webp)

**CAUTION:** Ensure the initial update of the database occurs during non-office hours. Due to the
:::warning
Ensure the initial update of the database occurs during non-office hours. Due to the
size of the hash file, this download takes up a significant amount of CPU and download time.
:::


- Passwords Hash Database Folder – Central location of the Pwned database on the application server.
The default path is:

…\HIBP\DB
**…\HIBP\DB**

- Update Type:

Expand All @@ -68,10 +77,13 @@ size of the hash file, this download takes up a significant amount of CPU and do
instead of downloading the full HIBP database. This option is enabled after a full download of
the HIBP database has completed.

**NOTE:** Only the full HIBP database file obtained from the Netwrix website has version
:::note
Only the full HIBP database file obtained from the Netwrix website has version
information. That full HIBP database file can be obtained using the Website option.
Alternately, the HIBP database can be obtained outside of the application by downloading it
directly from the Netwrix website using an FTP connection:
:::


- [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip)
- [https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt](https://releases.netwrix.com/resources/stealthintercept/stealthintercept-hibp-database-1.0.0.zip.sha256.txt)
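Review bot: the sentence "downloading it directly from the Netwrix website using an FTP connection:" ends with a colon that introduces the two download links, but the admonition is closed with `:::` before them, so the links render outside the note they belong to; move the closing `:::` below the link list. Both links are `https://` URLs, so "FTP connection" is inaccurate and should say the download is over HTTPS. Since a `.sha256.txt` file is published next to the zip, it is worth adding a sentence telling the reader to verify the downloaded file against that hash before placing it in the database folder.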
Expand Down Expand Up @@ -102,7 +114,7 @@ files. Copy the hash files into the Sysvol share on one domain controller, and t
System will copy the files into the Sysvol share of all other domain controllers. Configure the
Compromised rule to read the files from:

\\127.0.0.1\sysvol\your.domain\filename.db
**\\127.0.0.1\sysvol\your.domain\filename.db**

See the
[Compromised Rule](/docs/passwordpolicyenforcer/10.2/administration/rules/compromised_rule.md)
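Review bot: `**\\127.0.0.1\sysvol\your.domain\filename.db**` renders with a single leading backslash, because `\\` is a Markdown escape for one backslash, so the UNC prefix is lost in the output (bolding does not change this). Put the path in a code span rather than bold so both backslashes survive.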
Expand All @@ -114,8 +126,11 @@ local policies. If you are using Password Policy Enforcer for local policies and
to receive hash file updates, then use the Sysvol share for file replication and a script or
scheduled task to copy the file to a local folder.

**CAUTION:** %SystemRoot%. hash files should only be read from a local disk. Using shared hash files
:::warning
%SystemRoot%. hash files should only be read from a local disk. Using shared hash files
degrades performance, and could jeopardize security.
:::


## Scheduler

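Review bot: the warning text `%SystemRoot%. hash files should only be read from a local disk` starts with a stray `%SystemRoot%.` token that does not form a sentence; it looks like leftover text from an earlier edit, so please check the source and make the sentence start cleanly (for example beginning at "Hash files should only be read from a local disk"). The point that shared hash files "could jeopardize security" is the important part of this block and should stay.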
Expand Up @@ -70,8 +70,11 @@ button.

**Step 4 –** Enter the full **UNC path to PPE10.1.msi** in the Open dialog box.

**NOTE:** You must enter a UNC path so that other computers can access this file over the network.
:::note
You must enter a UNC path so that other computers can access this file over the network.
For example: \\file server\distribution point share\PPE10.1.msi
:::


**Step 5 –** Click **Open**.

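Review bot: the example `\\file server\distribution point share\PPE10.1.msi` will render with one leading backslash, since `\\` is a Markdown escape; wrap the example UNC path in a code span so the reader sees a valid `\\server\share\file` form they can copy.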
Expand Up @@ -44,7 +44,10 @@ Settings**, **Account Policies**, and **Password Policy** items.

![installing_ppe_3](/img/product_docs/passwordpolicyenforcer/10.2/evaluation/preparing_the_computer.webp)

**NOTE:** You do not have to disable all the Windows password policy rules to use Password Policy
:::note
You do not have to disable all the Windows password policy rules to use Password Policy
Enforcer. You can use a combination of Password Policy Enforcer and Windows rules together if you
like. Just remember that a password is only accepted if it complies with the rules enforced by both
Windows and Password Policy Enforcer.

:::
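Review bot: the closing `:::` here follows a blank line, unlike most of the converted admonitions in this PR; remove the blank line for consistency.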
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,13 @@ topic for additional information.
- Fifteen megabytes free disk space
- Eight megabytes free RAM (72 megabytes if using Argon2 hashes)

**NOTE:** Users do not have to change their password immediately after Password Policy Enforcer is
:::note
Users do not have to change their password immediately after Password Policy Enforcer is
installed. They can continue using their current password until it expires, even if their current
password does not comply with the password policy. Installing Password Policy Enforcer does not
extend the Active Directory schema.
:::


## Installation Types

Expand Up @@ -33,8 +33,11 @@ Select the **Save email to a pickup folder** option to have the Password Policy
emails to a folder for later delivery by a mail server. Click the **Browse** button to select a
folder. The mail server must monitor this folder for new email.

**NOTE:** Saving email to a pickup folder is the fastest and most reliable delivery method. Use this
:::note
Saving email to a pickup folder is the fastest and most reliable delivery method. Use this
option if your mail server supports pickup folders.
:::


The Password Policy Enforcer Mailer sends emails at 2:00 AM every day. Check the Windows Application
Event Log to monitor its progress. You can also run the Password Policy Enforcer Mailer from the
Expand Up @@ -34,8 +34,11 @@ conditions.
**Step 5 –** If you are prompted to Modify, Repair, or Remove the installation, select **Modify**,
then click **Next**. Proceed to step 11. Do not disable the other features as described below.

**CAUTION:** If prompted to Modify, Repair, or Remove, do not modify any settings or disable any
:::warning
If prompted to Modify, Repair, or Remove, do not modify any settings or disable any
features as described in steps 6 - 10.
:::


**Step 6 –** Click **Next** when the Password Policy Enforcer Installation Wizard opens.

Expand Up @@ -53,8 +53,14 @@ Password Policy Enforcer management console.

![configuring_ppe_1](/img/product_docs/passwordpolicyenforcer/10.2/administration/configuring_ppe_1.webp)

**NOTE:** If you are opening the management console for the first time, click **Yes** when asked if
:::note
If you are opening the management console for the first time, click **Yes** when asked if
you would like to create a new Password Policy Enforcer configuration.
:::

**NOTE:** Press F1 while using the management console to display help information for the current

:::note
Press F1 while using the management console to display help information for the current
window.

:::
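Review bot: the two notes in this hunk are closed differently: the first closes `:::` directly after its text, the second (the F1 help note) has a blank line before `:::`. Make the second match the first.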
Expand Up @@ -18,18 +18,24 @@ Info Tech group, then any policy assigned to the Info Tech group also applies to
Helpdesk group. If this behavior is not desired, then you can assign a different policy to the
Helpdesk group.

**NOTE:** When a policy is assigned to a container, Password Policy Enforcer enforces the policy for
:::note
When a policy is assigned to a container, Password Policy Enforcer enforces the policy for
all users in the container as well as any child containers. For example, if the Helpdesk and
Managers OUs are children of the Info Tech OU, then any policy assigned to the Info Tech OU also
applies to the two child OUs. If this behavior is not desired, then you can assign a different
policy to a child OU.
:::


![managing_policies_3](/img/product_docs/passwordpolicyenforcer/10.2/administration/managing_policies_3.webp)

**NOTE:** When a domain policy is assigned to a user or group, Password Policy Enforcer stores the
:::note
When a domain policy is assigned to a user or group, Password Policy Enforcer stores the
user or group SID in the configuration. The assignment remains valid even if the user or group is
renamed. When a local policy is assigned to a user, Password Policy Enforcer stores the username in
the configuration. The assignment is invalidated if the user is renamed.
:::


![managing_policies_4](/img/product_docs/passwordpolicyenforcer/10.2/administration/managing_policies_4.webp)

Expand Down Expand Up @@ -70,8 +76,11 @@ Follow the steps to remove a policy assignment.

**Step 7 –** Click OK to close the Policy Properties page.

**NOTE:** Different assignment types can be used for a single policy. For example, you may assign
:::note
Different assignment types can be used for a single policy. For example, you may assign
users to a policy by both OU and group at the same time.
:::


## Policy Assignment Conflicts

Expand Up @@ -40,6 +40,9 @@ will accept passphrases that comply with all enabled rules, irrespective of the
This ensures that passphrases can be used, even if they do not meet the compliance level when
Password Policy Enforcer is configured to disable one or more rules for passphrases.

**NOTE:** Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can
:::note
Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can
be weaker than a well-chosen password. Do not disable too many rules under the assumption that
length alone will make up for the reduced complexity as this is not always true.

:::
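Review bot: the closing `:::` of the passphrase note follows a blank line; drop the blank line so it matches the other admonitions converted in this PR.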
Expand Up @@ -24,26 +24,35 @@ Password Policy Enforcer should enforce this policy, or deselect it to disable t
policy's icon in the left pane of the management console changes to an X icon when a policy is
disabled.

**NOTE:** A user's password history may be updated even when the policy assigned to the user is
:::note
A user's password history may be updated even when the policy assigned to the user is
disabled. See the
[Rules](/docs/passwordpolicyenforcer/10.2/administration/rules/rules.md)
topic for additional information.
:::


The **Default character set** drop-down list specifies which character set Password Policy
Enforcer will use to enforce its rules. The default value (Netwrix Password Policy
Enforcer) requires users to comply with rules that use the Password Policy Enforcer character set.
Choose the alternate option (Windows) to have users comply with rules that use the Windows character
set.

**NOTE:** Only Password Policy Enforcer 10.0 and higher will contain the Windows character set.
:::note
Only Password Policy Enforcer 10.0 and higher will contain the Windows character set.
Password Policy Enforcer 9, Netwrix Password Reset and Password Policy Enforcer/Web 7 (and older for
all products) will always use the Password Policy Enforcer character set.
:::


**CAUTION:** This value should not be changed while using PPE9.x clients, APR 3.x and Password
:::warning
This value should not be changed while using PPE9.x clients, APR 3.x and Password
Policy Enforcer/Web 7.x (and older for all above). These clients only support the Password Policy
Enforcer character set. They will work if Password Policy Enforcer is configured to use the Windows
character sets, but they will still continue to use the Password Policy Enforcer character set as
that is all they know.
:::


- Some languages such as Japanese do not distinguish between uppercase and lowercase. These
characters will be in the Windows Alpha set, but not in the Upper or Lower sets.
Expand Down Expand Up @@ -79,17 +88,23 @@ The user logon name and new password are sent to the program as command-line par
example, if you add the commands below to a batch file, Password Policy Enforcer will record each
user's logon name and new password in a text file called passwords.txt:

echo Username: %1 >> c:\passwords.txt
**echo Username: %1 >> c:\passwords.txt**

echo Password: %2 >> c:\passwords.txt

**CAUTION:** This script is shown as an example only. You should not store user passwords.
:::warning
This script is shown as an example only. You should not store user passwords.
:::


The command can now include the [USERNAME] and [PASSWORD] macros. If neither is specified, then the
command is executed with both parameters to maintain compatibility with existing programs/scripts.

**_RECOMMENDED:_** Use the [USERNAME] parameter if the password is not needed by the program/script
:::info
Use the [USERNAME] parameter if the password is not needed by the program/script
so that the password is not unnecessarily sent to the change notification command/script.
:::


Record any configuration notes about this policy in the Notes text box.

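Review bot: the batch example is now only half bold: `**echo Username: %1 >> c:\passwords.txt**` is bolded while the following `echo Password: %2 >> c:\passwords.txt` is not, and bold is the wrong markup for commands in any case. Put both lines in one fenced code block (for example tagged `bat`) so they render as a script. The `:::warning` wording "This script is shown as an example only. You should not store user passwords." is the right message and should stay adjacent to the snippet; the `:::info` recommendation to pass only `[USERNAME]` when the script does not need the password is the key hardening point of this section, so consider placing it before the example rather than after it.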
Expand Up @@ -26,8 +26,11 @@ New Password text boxes.

**Step 5 –** Click **Test**, or wait a few seconds if Test passwords as I type is selected.

**NOTE:** Policy testing simulates a password change, but it does not change the password. As it is
:::note
Policy testing simulates a password change, but it does not change the password. As it is
only a simulation, you do not have to enter the correct password in the Old Password text box.
:::


The Password Policy Enforcer management console displays a green check mark below the Test button if
the new password complies with the Password Policy Enforcer password policy, or a red cross if it
Expand Down Expand Up @@ -70,8 +73,11 @@ Follow the steps below to test your configuration.

**Step 4 –** Select the location of the folder where you want to upload the result.

**NOTE:** It is recommended that the Password File and Result folder are not located on a shared
:::note
It is recommended that the Password File and Result folder are not located on a shared
drive, so the processing can be done faster.
:::


**Step 5 –** Select a desired policy from the drop down list.

Expand Up @@ -20,7 +20,7 @@ Client. You can use Active Directory GPOs to configure many computers, or the Lo
Editor to configure one computer. The Password Policy Client configuration is stored in the
HKLM\SOFTWARE\Policies\ANIXIS\Password Policy Client\ registry key.

Install the Password Policy Client Administrative Template
**Install the Password Policy Client Administrative Template**

**Step 1 –** Connect to any Domain Controller where you have Password Policy Enforcer installed and
have the group policy management console available.
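Review bot: `**Install the Password Policy Client Administrative Template**` is a bolded line standing in for a section heading; the page already uses `##` headings (see `## Connecting to a Local Configuration` and `## Scheduler` elsewhere in this PR), so make this a `###` heading instead, which also gives it an anchor and a table-of-contents entry.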
Expand Down Expand Up @@ -91,8 +91,11 @@ Windows 10 and 11.
**Step 1 –** Use the **Group Policy Management Console** (gpmc.msc) to display the GPOs linked at
the domain level.

**NOTE:** If you are not using Active Directory, then open the Local Group Policy Editor
:::note
If you are not using Active Directory, then open the Local Group Policy Editor
(gpedit.msc) and skip step 2.
:::


**Step 2 –** Right-click the **Password Policy Client GPO**, then click the **Edit...** button.

Expand All @@ -103,4 +106,7 @@ Templates**, **Classic Administrative Templates** (**ADM**), **Password Policy E
**Step 4 –** Double-click the **Display settings (Windows 10)** setting in the right pane of the
Group Policy Management Editor.

**NOTE:** Information about each option is shown in the Help box.
:::note
Information about each option is shown in the Help box.

:::
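Review bot: the closing `:::` of the Help box note follows a blank line, unlike the note converted earlier in this file; remove the blank line for consistency.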
Expand Up @@ -70,7 +70,10 @@ the policy set by the organization. The image below illustrates an example of a

![livepolicymessageexample](/img/product_docs/passwordpolicyenforcer/10.2/administration/livepolicymessageexample.webp)

**NOTE:** The password client needs to be at version 10.2+ to support this capability.
:::note
The password client needs to be at version 10.2+ to support this capability.
:::


To support password live messages the password policy message must include the [Live_Policy]
declaration in the Password Policy Message.