netwrix · TylerReese · Oct 23, 2025 · Oct 16, 2025
@@ -9,6 +9,9 @@ sidebar_position: 60
 The PPE Cmdlets are available to manage Password Policy Enforcer from a Windows PowerShell. The
 cmdlets are not case-sensitive.
 
+Starting with version **11.1**, the PowerShell cmdlets are built on .NET 8.0 and require PowerShell version 7.5 or newer to function.
+**Installation link**: [https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.5](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.5)
+
 To establish the connection:
 
 **Step 1 –** Open a Windows PowerShell. Some cmdlets require administrative permissions. You can use

@@ -35,9 +35,8 @@ If a reboot was not done, add **/forcerestart** at the end
 ## Mailer
 
 You can run the Password Policy Enforcer Mailer from the command line to deliver email immediately,
-or to troubleshoot problems. PPEMail.exe is copied into the \Program Files (x86)
-
-\Password Policy Enforcer\ folder when the Password Policy Enforcer Mailer is installed.
+or to troubleshoot problems. PPEMail.exe is copied into the \Program Files\Netwrix\Password Policy 
+Enforcer\ folder when the Password Policy Enforcer Mailer is installed.
 
 PPEMail.exe starts a simulation when run without any parameters. It finds users whose password will
 expire soon, but no email is sent or saved to the pickup folder. Use the simulation mode to find

@@ -6,9 +6,9 @@ sidebar_position: 30
 
 # Compromised Password Check
 
-The Compromised Password Checker finds compromised passwords. Users can be notified via email and
-advised or forced to change their password. The check can be scheduled to check existing passwords
-against a compromised hash list at any time.
+The Compromised Password Checker identifies weak or unsafe passwords, including compromised, reused, 
+or empty ones. Users can be notified via email and advised or forced to change their password. 
+The check can be scheduled to run at any time to verify existing passwords against security rules.
 
 :::note
 Create the **Compromised Passwords Base** file prior to enabling the Compromised Password
@@ -39,6 +39,9 @@ Click the **Compromised Password Check** toggle to enable/disable the feature.
 - **Log events in Windows Application Event Viewer** select this option if you want to log events.
 - **Force users to change password** select this option to force users to change compromised
   passwords.
+- **Report password reuse by another account** select this option to generate password reuse report.
+- **Force users to change password** select this option to force users to change reused
+  passwords.
 - **Recipient of the full report on the found compromised passwords** specify the email address of
   the administrator who should receive the full report.
 - **From** specify the email sender.
@@ -54,13 +57,27 @@ Click **Save** to save your settings before running the check or setting up a sc
 Click **Run now** to run the check. Depending on your network, the check can take quite a while to
 complete. You can schedule it for off hours instead of running it now.
 
-Here is an example of the compromised passwords list:
+Here is an example of the compromised passwords report:
 
+---
+**List of compromised passwords**
 |User  |  Account | Sid | Email | Description |
 | --- | --- | --- | --- | --- |
 | admin    | Administrator | S-1-5-21-1006207104-1546379664-2458629591-500  |      | Sending emails is not possible due to the lack of an email address in the account. |
 | user2   | user2  | S-1-5-21-1006207104-1546379664-2458629591-1118 | [email protected] | Email has been sent  |
 
+
+**List of reused passwords**
+|User  |  Account | Sid | Email | Description |
+| --- | --- | --- | --- | --- |
+| admin    | Administrator | S-1-5-21-1006207104-1546379664-2458629591-500  |      | Sending emails is not possible due to the lack of an email address in the account. |
+| user2   | user2  | S-1-5-21-1006207104-1546379664-2458629591-1118 | [email protected] | Email has been sent  |
+
+**Users with empty password:**
+Guest (S-1-5-21-1006207104-1546379664-2458629591-501)
+
+---
+
 #### Schedule the Compromised Password Check
 
 Click **Schedule** to set up a schedule to run the Compromised Password Check.

@@ -86,7 +86,7 @@ Users with write permission to these objects can configure Password Policy Enfor
   Policy to distribute a local configuration to many computers. See the
   [Domain and Local Policies](/docs/passwordpolicyenforcer/11.1/installation/domain_and_local_policies.md) topic for additional information.
 
-![Connected To Local Configuration](/images/passwordpolicyenforcer/11.1/administration/connecttodomain.webp)
+![Connected To Local Configuration](/images/passwordpolicyenforcer/11.1/administration/connecttolocal.webp)
 
 ### Help
 
@@ -105,10 +105,11 @@ Links to documentation and support tools.
 
 ### Settings
 
-There are three tabs:
+There are four tabs:
 
 - General
 - Notifications
+- Mail Service
 - License
 
 #### General
@@ -174,36 +175,26 @@ Here are the default settings.
 - **Log event when password accepted by service** adds an entry to the Windows Application Event Log
   whenever a password is accepted. The logged event includes the username. Default is not checked.
 
+- **Use old icons in Live Policy Feedback** allows switching between displaying old-style and new-style icons in the Password Policy Enforcer Client on the change password screen.
+
 #### Notifications
 
 Open the **Settings** > **Notifications** tab to set up notifications. Notifications are only
 available when **domain** is selected with the Connected To configuration setting.
 
 If you make changes, click **Save** to keep your changes or **Discard** to cancel.
 
-Here are the default settings.
-
 ![Notifications Settings](/images/passwordpolicyenforcer/11.1/administration/settingsnotifications.webp)
 
 - **Send email reminders**: check this option to send reminders. Default is not checked.
-
-    - **SMTP Server**: enter IP address.
-    - **Port**: enter port number.
-    - **Username**: enter your username.
-    - **Password**: enter your password.
-    - **Use TLS**: check this option to enable TLS email encryption.
-
-- **Save email to a pickup folder**: check this option to have the Mailer save emails to a folder
-  for later delivery by a mail server. The mail server must monitor this folder for new email.
-
+- **Save email to a pickup folder**: check this option to have the Mailer save emails to a folder for later delivery by a mail server. The mail server must monitor this folder for new email.
     - **Path**: Click **Browse** and select the path to the pickup folder.
 
 :::note
 Saving email to a pickup folder is the fastest and most reliable delivery method. Use this
 option if your mail server supports pickup folders.
 :::
 
-
 The Password Policy Enforcer Mailer sends emails at 2:00 AM every day (local time on your server).
 Check the Windows Application Event Log to monitor its progress. You can also run the Password
 Policy Enforcer Mailer from the command line to send email immediately, or to troubleshoot problems.
@@ -214,6 +205,74 @@ You can change the time the mailer runs. Set the **PPE Mailer** service startup
 desired time.
 :::
 
+##### Configuring Email Settings
+
+There are three possible ways to configure email settings:
+ - **SMTP Server**
+ - **Google OAuth2**
+ - **O365 OAuth2**
+
+###### SMTP Server
+
+![Notifications Settings](/images/passwordpolicyenforcer/11.1/administration/settingsnotifications2.webp)
+
+- **SMTP Server**: enter IP address.
+- **Port**: enter port number.
+- **Username**: enter your username.
+- **Password**: enter your password.
+- **Use TLS**: check this option to enable TLS email encryption.
+
+###### Google OAuth2
+
+![Notifications Settings](/images/passwordpolicyenforcer/11.1/administration/settingsnotifications3.webp)
+
+- **User Account**: authenticated Google Workspace account.
+- **Client ID**: value configured in the Google Workspace Admin Console.
+- **Client Secret**: value configured in the Google Workspace Admin Console.
+- **Clear Credentials**: removes stored values and tokens.
+- **Update Credentials**: initiates token generation in a browser window.
+
+:::note
+The Google OAuth2 timeout can be configured in **PPEConfiguration.json**.
+By default, it is set to **1 minute**:
+```
+"Configuration": { 
+  "GoogleOAuthTimeout": 60
+}
+```
+:::
+
+###### O365 OAuth2
+
+![Notifications Settings](/images/passwordpolicyenforcer/11.1/administration/settingsnotifications4.webp)
+
+- **User Account**: Office 365 account.
+- **Client ID**: value configured in the Office 365 Admin Console.
+- **Client Secret**: value configured in the Office 365 Admin Console.
+- **Tenant ID**: Office 365 tenant identifier.
+- **Clear Credentials**: removes values.
+
+#### Mail Service
+
+Open the **Settings** > **Mail Service** tab to set up mail service for notifications. 
+
+If you make changes, click **Save** to keep your changes or **Discard** to cancel.
+
+![Mail Server Tab](/images/passwordpolicyenforcer/11.1/administration/settingsmailserver.webp)
+
+- **Service**: specify the address of the machine where the mail service is installed.
+- **Port**: specify the port number.
+
+:::note
+If you need to use a port other than 12345, open the **PPEMailService.json** file on the machine where 
+the mail service is installed, update the port value, and restart the mail service to apply the changes.
+```
+"MailService": {
+  "HostName": "localhost",
+  "Port": 6000
+}
+```
+:::
 
 #### License
 

@@ -28,13 +28,12 @@ Policy Guide have been added.
 
 The policy management links are all on the Password Policies tile:
 
-- Add a Policy.
-- Set Up a Policy (click on existing policy name).
-- Test Policy.
-- Set Priorities.
-- Export.
-- Context menu (3 stacked dots) beside each defined policy Make Copy, Make Default/Remove Default,
-  Rename and Delete .
+- [Add a Policy.](#add-a-policy)
+- [Set Up a Policy](#set-up-a-policy) (click on existing policy name).
+- [Test Policy.](#test-policy)
+- [Set Priorities.](#set-priorities)
+- [Export.](#export)
+- Context menu (3 stacked dots) beside each defined policy [Make Copy](#make-copy), [Make Default/Remove Default](#make-defaultremove-default), [Rename](#rename) and [Delete](#delete).
 
 ## Add a Policy
 

@@ -18,8 +18,7 @@ for long passwords.
 
 Select the **Dictionary** check box to enable the Dictionary rule.
 
-Browse to a dictionary file. A sample file **Dict.txt** is installed in the **\Program
-Files\Password Policy Enforcer** folder. This file is sorted and ready to use. It contains
+Browse to a dictionary file. A sample file **Dict.txt** is installed in the **\Program Files\Netwrix\Password Policy Enforcer\\** folder. This file is sorted and ready to use. It contains
 approximately 257,000 words, names, and acronyms.
 
 Select the **Detect inclusion of non-alpha characters** check box if Password Policy Enforcer should
@@ -114,7 +113,7 @@ local disk. Using a shared dictionary degrades performance, and could jeopardize
 
 :::note
 The `\Program Files (x86)\` folder does not exist on 32-bit Windows, so move the
-dictionary into the `\Program Files\Password Policy Enforcer\` folder if you have 32-bit and 64-bit
+dictionary into the `\Program Files\Netwrix\Password Policy Enforcer\` folder if you have 32-bit and 64-bit
 computers sharing a common Password Policy Enforcer configuration.
 :::
 

@@ -76,7 +76,7 @@ Here are the requirements for both the full and evaluation Password Policy Enfor
 - 10
 - 11
 
-- .NET 8.0.15 or higher
+- .NET Desktop Runtime 8.0.15 or higher
 
 ## Password Policy Enforcer Web
 

@@ -62,8 +62,7 @@ Agreement**.
   selected by default.
 - Configuration Console – manages policy configuration. Install where ever needed. Selected by
   default.
-- Mailer Service – sends email reminders. Should be installed on a Domain Controller. It is not
-  selected by default.
+- Mailer Service – sends email reminders. It is not selected by default.
 
 **Step 8 –** The default location is shown. Click **Browse** and select a new location if needed.
-Original file line number
+Diff line change
@@ Expand Up @@
     - 10
     - 11
-    - .NET 8.0.15 or higher
+    - .NET Desktop Runtime 8.0.15 or higher
     ## Password Policy Enforcer Web
@@ Expand Down @@