From 56ef545e4ce65e5bdb930f3120e6fb3ad3b06d7b Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Mon, 8 Jul 2024 14:43:00 -0500 Subject: [PATCH] Add notes about SecureString (#11239) * Add notes about SecureString * Fix typo --- .../security/security-features.md | 37 +++++++++++++------ 1 file changed, 26 insertions(+), 11 deletions(-) diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index c655af24ec96..a287dd0d87c0 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md @@ -1,6 +1,6 @@ --- description: PowerShell has several features designed to improve the security of your scripting environment. -ms.date: 09/29/2023 +ms.date: 07/08/2024 title: PowerShell security features --- # PowerShell security features 
@@ -16,6 +16,20 @@ users. Execution policies only apply to the Windows platform. For more information see [about_Execution_Policies][02]. +## Use of the SecureString class + +PowerShell has several cmdlets that support the use of the `System.Security.SecureString` class. +And, as with any .NET class, you can use **SecureString** in your own scripts. However, Microsoft +doesn't recommend using **SecureString** for new development. Microsoft recommends that you avoid +using passwords and rely on other means to authenticate, such as certificates or Windows +authentication. + +PowerShell continues to support the **SecureString** class for backward compatibility. Using a +**SecureString** is still more secure than using a plain text string. By default, PowerShell doesn't +show the unprotected value of a **SecureString** object. However, **SecureString** can be easily +converted to a plain text string. For a full discussion about using **SecureString**, see the +[System.Security.SecureString class][01] documentation. + ## Module and script block logging Module Logging allows you to enable logging for selected PowerShell modules. This setting is @@ -41,7 +55,7 @@ with PowerShell 5.1, PowerShell running on Windows 10 (and higher) passes all sc PowerShell 7.3 extends the data that's sent to AMSI for inspection. It now includes all invocations of .NET method members. -For more information about AMSI, see [How AMSI helps][11]. +For more information about AMSI, see [How AMSI helps][09]. ## Constrained language mode 
@@ -50,12 +64,12 @@ used in a PowerShell session. For a full description, see [about_Language_Modes] ## Application Control -Windows 10 includes two technologies, [Windows Defender Application Control (WDAC)][10] and +Windows 10 includes two technologies, [Windows Defender Application Control (WDAC)][08] and [AppLocker][07] that you can use to control applications. They allow you to create a lockdown experience to help secure your PowerShell environment. For more information about how PowerShell supports AppLocker and WDAC, see -[Using Windows Defender Application Control][01]. +[Using Windows Defender Application Control][10]. ### Changes in PowerShell 7.4 @@ -90,7 +104,7 @@ throwing errors. The log messages describe what restrictions would apply if the ### Security Servicing Criteria -PowerShell follows the [Microsoft Security Servicing Criteria for Windows][13]. The table below +PowerShell follows the [Microsoft Security Servicing Criteria for Windows][12]. The table below outlines the features that meet the servicing criteria and those that do not. | Feature | Type | 
@@ -113,17 +127,18 @@ PowerShell. SBOMs will be added in the next release of the module. For modules, installed in the module's folder under `_manifest/spdx_2.2/manifest.spdx.json`. For more information about this initiative, see the blog post -[Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft][12]. +[Generating Software Bills of Materials (SBOMs) with SPDX at Microsoft][11]. -[01]: ./application-control.md +[01]: /dotnet/fundamentals/runtime-libraries/system-security-securestring [02]: /powershell/module/microsoft.powershell.core/about/about_execution_policies [03]: /powershell/module/microsoft.powershell.core/about/about_group_policy_settings#turn-on-module-logging [04]: /powershell/module/microsoft.powershell.core/about/about_language_modes [05]: /powershell/module/microsoft.powershell.core/about/about_logging_non-windows [06]: /powershell/module/microsoft.powershell.core/about/about_logging_windows [07]: /windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker -[10]: /windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control -[11]: /windows/win32/amsi/how-amsi-helps -[12]: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/ -[13]: https://www.microsoft.com/msrc/windows-security-servicing-criteria +[08]: /windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control +[09]: /windows/win32/amsi/how-amsi-helps +[10]: application-control.md +[11]: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/ +[12]: https://www.microsoft.com/msrc/windows-security-servicing-criteria
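Review bot: in the new "Use of the SecureString class" section, "Using a **SecureString** is still more secure than using a plain text string" is asserted without saying what the protection is or where it applies; since this page also covers non-Windows hosts (it links `about_logging_non-windows`), either state whether the in-memory protection behaves the same on every platform or point the reader to that detail in the .NET page already referenced at [01]. The same paragraph notes that a **SecureString** "can be easily converted to a plain text string" but gives script authors nothing to do with that fact; one sentence such as "Avoid converting the value back to plain text, and never write the converted value to logs, output, or transcripts" would make the recommendation actionable. Minor style: "And, as with any .NET class, you can use **SecureString** in your own scripts" opens with "And,"; suggest "As with any .NET class, you can use **SecureString** in your own scripts."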
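Review bot: in the Application Control hunk the unchanged context line "Windows 10 includes two technologies, [Windows Defender Application Control (WDAC)][08] and [AppLocker][07] that you can use to control applications" is missing the comma that should close the appositive after "[AppLocker][07]"; since the line is already being rewritten to change the link index, it would be cheap to fix it to "... and [AppLocker][07], that you can use ..." in the same commit.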
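Review bot: the new reference `[10]: application-control.md` drops the `./` prefix that the removed `[01]: ./application-control.md` carried; every other target on this page is either a site-absolute `/powershell/...` or `/windows/...` path or a full `https://` URL, so keep the explicit `./application-control.md` form (or confirm the docs build resolves a bare relative file name the same way) rather than introducing a third style. Also worth a note in the PR: inserting the SecureString link as [01] and shifting the old [10]-[13] down to [08]-[12] touches five reference lines plus four body lines for one new link; if the repo's convention of keeping references sorted by target is what forces this, fine, but otherwise appending the new target as [13] would have limited the diff to the lines that actually change.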