In an age where digital security is paramount, protecting sensitive data stored on personal devices is essential. Microsoft continually enhances Windows by developing advanced encryption methods to meet evolving security requirements, ensuring your data remains protected against unauthorized access even in the event of device loss or theft. This article provides an overview of Windows Personal Data Encryption, its features, and how to use it effectively.
What Is Personal Data Encryption?
Windows Personal Data Encryption is a new feature introduced recently (with Windows 11 24H2) that protects personal user data by encrypting files and folders. That level of encryption ensures that only authorized users can access the encrypted contents.
This is definitely important in many scenarios: a stolen device, a local admin accessing the device, or a device with multiple profiles where another employee navigates through the user profiles and tries to open a personal file belonging to another Windows account.
Windows PDE Capabilities
This is a list of Windows PDE capabilities:
- Windows PDE can protect all content types (text, photos, documents, etc.)
- Windows PDE protection extends to all folders and subfolders within three locations only (Desktop, Documents, Pictures)
- Windows PDE doesn't change file ownership (it always remains personal), but the files are protected with the user's credentials.
Does it conflict with BitLocker?
No, there's no conflict at all between Personal Data Encryption and BitLocker.
It's strongly recommended to use a Personal Data Encryption policy on top of BitLocker to add another security layer.
Windows PDE Requirements
- The device MUST run Windows 11 24H2 or later
- The device MUST be Microsoft Entra joined or hybrid joined
- The user MUST set up and sign in with Windows Hello for Business.
- For this point, per Microsoft Docs it's a MUST, but I've tested this and can see files encrypted without Windows Hello for Business set up on the device. Maybe this is a bug Microsoft will solve later on, especially since this feature is still in preview and susceptible to enhancements and changes.
Enabling Personal Data Encryption from Intune
To enable Windows PDE from Intune:
1- Open the Intune portal and click on Endpoint Protection
2- Select Disk encryption, then click on Create Policy
3- Select the Platform "Windows" and the Profile "Personal Data Encryption"
4- Enable the feature itself (Enable Personal Data Encryption) and, based on the organization's needs, select which folders should be protected (Pictures, Desktop, Documents)
Finally, assign the policy to a user group ONLY.
Best Practices for Windows PDE
1- Use OneDrive to sync files: through the Settings Catalog, you can enforce syncing of files from Desktop, Pictures and Documents to the cloud to ensure they won't be lost.
2- Windows Hello for Business: can be enforced on devices via Endpoint Protection (Account Protection policy).
3- Disable Remote Desktop: Windows Hello for Business can't unlock a device accessed via RDP.
4- Disable crash dumps and hibernation: because Personal Data Encryption keys could end up stored in hibernation or crash dump files. Both settings can also be configured via the Settings Catalog.
5- Enable BitLocker encryption: to add protection layers; it can be enabled via Endpoint Protection (Disk Encryption).
Examples of possible end-user scenarios
1- If the end-user is accessing the PC with any authentication method other than the Windows Hello PIN
2- Lock screen sign-in method recommended
3- If a local account or any other (Entra joined) profile accesses the protected files.
4- File ownership remains personal
5- The encrypted files are shown with a "yellow lock icon", like this
PDE Policy Delivery
From the registry key "Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\PDE" you can check whether the policy has landed on the device and what the exact scope of the applied encryption is.
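As an added example (not part of the original article or Microsoft's tooling), the PowerShell below reads that registry key in the current user's context and dumps whatever values are under it, then counts files in the three PDE-eligible folders that carry the NTFS Encrypted attribute. It assumes nothing about the value names under the key, and it assumes (an assumption, not something the article states) that PDE-protected files expose the Encrypted file attribute.

```powershell
# Added example: verify PDE policy delivery and encryption scope for the signed-in user.
# Assumption: PDE-protected files carry the NTFS "Encrypted" attribute.
# The value names under the PDE key are NOT assumed; every value present is listed.

$pdeKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\PDE'

function Get-PdePolicyState {
    # Returns $null when the key is absent (policy has not landed for this user),
    # otherwise a hashtable of every value name and its data under the key.
    if (-not (Test-Path -Path $pdeKey)) {
        return $null
    }
    $item  = Get-Item -Path $pdeKey
    $state = @{}
    foreach ($name in $item.GetValueNames()) {
        $state[$name] = $item.GetValue($name)
    }
    return $state
}

function Get-PdeFolderSummary {
    # Counts encrypted vs. total files in the three locations PDE can protect.
    $folders = [ordered]@{
        Desktop   = [Environment]::GetFolderPath('Desktop')
        Documents = [Environment]::GetFolderPath('MyDocuments')
        Pictures  = [Environment]::GetFolderPath('MyPictures')
    }
    foreach ($entry in $folders.GetEnumerator()) {
        $files     = @(Get-ChildItem -Path $entry.Value -File -Recurse -ErrorAction SilentlyContinue)
        $encrypted = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
        [pscustomobject]@{
            Folder    = $entry.Key
            Path      = $entry.Value
            Total     = $files.Count
            Encrypted = $encrypted.Count
        }
    }
}

$state = Get-PdePolicyState
if ($null -eq $state) {
    Write-Output "PDE policy key not found for this user; the Intune policy has not applied yet."
} else {
    Write-Output "PDE policy values found under $pdeKey"
    $state.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
}
Get-PdeFolderSummary | Format-Table -AutoSize
```

Run it in the user's own session (not an elevated or RDP session) so HKCU resolves to the profile the PDE policy targets.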
Limitations and Considerations
While encryption adds a robust layer of security, it is not foolproof. Users should remain vigilant about:
- Password Security: Losing your encryption password or recovery key can render your data inaccessible.
- Performance Impact: Encryption may slightly reduce system performance, particularly on older hardware.
- Compatibility: Ensure that backup and restore procedures are compatible with your encryption method.
Conclusion
Windows personal encryption tools like BitLocker, Device Encryption, and EFS offer reliable methods to secure your data. Whether you’re safeguarding personal files or sensitive work documents, these tools provide peace of mind in an increasingly digital world. By understanding and implementing these solutions, you can protect your information from unauthorized access and cyber threats.
This is the repo for all IntuneBytes Endpoint Protection articles