What Is Windows 11 Personal Data Encryption (PDE)?

Windows 11 22H2 introduced Personal Data Encryption, a feature that adds extra security on top of BitLocker full-disk encryption

Published: Oct 14, 2024

Windows 11 2022 Update


Personal Data Encryption (PDE) protects sensitive information from unauthorized access. Microsoft introduced the feature with Windows 11, version 22H2, but it hasn’t received a lot of fanfare. This article explains PDE, how it works, and why it might be needed in addition to BitLocker.

What is Personal Data Encryption (PDE)?

Personal Data Encryption (PDE) is a feature Microsoft released with Windows 11, version 22H2, that complements BitLocker encryption. PDE provides file-based data encryption in Windows. It uses Windows Hello for Business for authentication, so the keys that protect content are bound to the user's credentials.

PDE is enabled by default on eligible Windows 11 devices, encrypting data like photos, documents, and emails. PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection.

Personal Data Encryption offers easy-to-configure options in Microsoft Intune to safeguard your sensitive personal data from unauthorized access, including administrators. Even if an administrator ‘administratively’ accesses a device, they will be unable to access these specific files and folders in the user’s profile. This is one of the strongest reasons to deploy PDE in your organization.

By leveraging advanced encryption techniques and the device’s Trusted Platform Module (TPM), it allows your users to keep documents, photos, and pictures encrypted, even if your device falls into the wrong hands. This not only protects your privacy but also helps you comply with data protection regulations.

Windows 11 Personal Data Encryption prerequisites

There are a few prerequisites you need to be aware of regarding PDE.

  • Windows 11, version 22H2 and later
    • (At the time of this writing) – Your devices must be running Windows 11, version 22H2, 23H2, or 24H2
  • The devices must be Microsoft Entra ID-joined (formerly Azure AD-joined).
    • (AD) Domain-joined and Entra ID hybrid-joined devices are not eligible
  • Windows Hello for Business must be used to sign in
    • This includes facial recognition, fingerprint logins, PINs, etc.
    • This does NOT include legacy passwords
  • Windows 11 Enterprise or Education SKUs are required
    • PDE will not work with Windows 11 Home and Pro editions

Configuring Personal Data Encryption (PDE)

The first step is simple – enable or validate that BitLocker Encryption has encrypted the volume on the device. Although PDE works without BitLocker, there is no reason not to have that foundational security in place.

Next, make sure you are backing up your users’ most critical files – OneDrive’s ‘Important Folders’ feature should be turned on (this backs up the user’s Desktop, Documents, and Pictures folders). In specific scenarios, such as TPM resets or destructive PIN resets, the keys PDE uses to protect content will be lost and the files will become inaccessible. A current backup is your safeguard in these situations.

Building blocks of PDE – PDE APIs and data encryption keys

To get into the nuts and bolts behind the scenes of PDE, let me explain the PDE application programming interfaces (APIs). These APIs give developers programmatic access to the encryption mechanisms of Windows. They allow developers to interact with PDE and leverage its security features for data protection.

As an example, applications can use PDE APIs to encrypt files before storing them on disk, ensuring they remain secure even if the device is compromised. Similar apps can encrypt data before uploading it to cloud storage services, providing an additional layer of security.

Data encryption keys (DEKs) are used to secure and protect sensitive data. The hardware-based TPM is used to store and manage these keys, which fundamentally protects the data in the event of device compromise.

PDE works closely with BitLocker – PDE uses these DEKs to encrypt and decrypt individual data files or segments, whereas BitLocker uses a master key for the entire volume.

PDE settings

I’ll give you an overview of the two methods of configuring PDE – Intune and a configuration service provider (CSP). There is no user interface in Windows to enable PDE or protect content with it. You will be using mobile device management (MDM) policies.

The two main settings are:

  1. Enable Personal Data Encryption (PDE) – PDE isn’t enabled by default. Before PDE can be used, you must enable it.
  2. Sign in and lock the last interactive user automatically after a restart – Winlogon automatic restart sign-on (ARSO) isn’t supported for use with PDE. To use PDE, ARSO must be disabled.

Configuring PDE with Microsoft Intune

If you’re using Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile. Let me show you the most straightforward method, a Disk encryption policy.

  • Go to Endpoint security -> Disk encryption and select Create Policy:
    • Platform > Windows
    • Profile > Personal Data Encryption
Adding a Personal Data Encryption policy in Microsoft Intune (Image Credit: Michael Reinders/Petri.com)

You can go through the rest of the profile configuration tabs. You’ll note that for users in the Windows Insider Program, Microsoft has released a preview feature to include Pictures, Documents, and Desktop folders with PDE.

Configuring our new PDE policy in Intune (Image Credit: Michael Reinders/Petri.com)

Configuring PDE using a CSP

Alternatively, you can configure PDE on devices using the Policy CSP and the PDE CSP. Here’s a table supplied by Microsoft that shows you the pertinent settings.

OMA-URI                                                                          | Format | Value
./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption                              | int    | 1
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn      | string | <disabled/>
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump                     | int    | 0
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump                      | int    | 0
./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting   | string | <enabled/>
./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate                          | int    | 0
./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock | string | <disabled/>
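Since there is no Windows UI for PDE, it helps to have a script that tells you whether a device meets the prerequisites listed earlier and whether the companion policies from the table above actually landed on it. The following read-only audit is an added example written for this article, not code from Petri.com or Microsoft. It assumes that MDM-delivered Policy CSP values are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>; the function names, the $PolicyRoot path and the build-number threshold are this example's own choices. The enablement setting itself (./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption) is user-scoped and is not read here.

```powershell
# Added example: read-only PDE readiness audit for one Windows 11 device.
# Not the article's or Microsoft's code. ASSUMPTION: MDM Policy CSP values are
# mirrored under $PolicyRoot\<Area>\<Setting>; adjust if your tenant differs.

$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Companion settings from the CSP table above (Area, setting name, expected value).
$PdeCompanionPolicies = @(
    @{ Area = 'WindowsLogon';             Name = 'AllowAutomaticRestartSignOn';  Expected = '<disabled/>' }
    @{ Area = 'MemoryDump';               Name = 'AllowCrashDump';               Expected = '0' }
    @{ Area = 'MemoryDump';               Name = 'AllowLiveDump';                Expected = '0' }
    @{ Area = 'ErrorReporting';           Name = 'DisableWindowsErrorReporting'; Expected = '<enabled/>' }
    @{ Area = 'Power';                    Name = 'AllowHibernate';               Expected = '0' }
    @{ Area = 'ADMX_CredentialProviders'; Name = 'AllowDomainDelayLock';         Expected = '<disabled/>' }
)

function New-AuditResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

function Test-PdeEdition {
    # Windows 11 Enterprise or Education, version 22H2 (build 22621) or later.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $editionOk = $os.Caption -match 'Enterprise|Education'
    New-AuditResult -Check 'Edition and version' `
        -Passed ($editionOk -and ($build -ge 22621)) `
        -Detail "$($os.Caption), build $build"
}

function Test-PdeJoinType {
    # Entra ID-joined only: domain-joined and hybrid-joined devices are not eligible.
    $status = & dsregcmd.exe /status
    $aad    = @($status -match '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
    $domain = @($status -match '^\s*DomainJoined\s*:\s*YES').Count -gt 0
    New-AuditResult -Check 'Entra ID join (not domain/hybrid)' `
        -Passed ($aad -and (-not $domain)) `
        -Detail "AzureAdJoined=$aad DomainJoined=$domain"
}

function Test-PdeBitLocker {
    # Not a hard PDE requirement, but the article's first step: protect the OS volume.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        New-AuditResult -Check 'BitLocker on OS volume' `
            -Passed ($vol.ProtectionStatus -eq 'On') `
            -Detail "ProtectionStatus=$($vol.ProtectionStatus) VolumeStatus=$($vol.VolumeStatus)"
    } catch {
        New-AuditResult -Check 'BitLocker on OS volume' -Passed $false -Detail $_.Exception.Message
    }
}

function Test-PdeCompanionPolicy {
    param([hashtable]$Policy)
    # Reads the mirrored policy value and compares it as a string with the expected value.
    $key     = Join-Path $PolicyRoot $Policy.Area
    $actual  = (Get-ItemProperty -Path $key -Name $Policy.Name -ErrorAction SilentlyContinue).($Policy.Name)
    $present = $null -ne $actual
    $found   = if ($present) { "$actual" } else { '<not set>' }
    New-AuditResult -Check "$($Policy.Area)/$($Policy.Name)" `
        -Passed ($present -and ("$actual" -eq $Policy.Expected)) `
        -Detail ("expected {0}, found {1}" -f $Policy.Expected, $found)
}

function Invoke-PdeReadinessAudit {
    # Runs every check and returns the results; nothing on the device is changed.
    $results  = @()
    $results += Test-PdeEdition
    $results += Test-PdeJoinType
    $results += Test-PdeBitLocker
    foreach ($p in $PdeCompanionPolicies) { $results += Test-PdeCompanionPolicy -Policy $p }
    return $results
}

Invoke-PdeReadinessAudit | Format-Table Check, Passed, Detail -AutoSize
```

Run it in an elevated PowerShell session on the managed device; a row with Passed = False and "<not set>" in the Detail column usually means the Intune policy has not synced yet, while a present-but-wrong value points at a conflicting policy from another profile or from Group Policy. Windows Hello for Business enrollment is deliberately not checked here, because it is a per-user state rather than a device setting.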

Frequently asked questions

With a relatively new feature available, and knowing that many enterprises have only begun rolling out Windows 11, there are bound to be a lot of frequently asked questions. Let me address the most frequent here for you.

How does PDE differ from BitLocker encryption?

Personal Data Encryption offers an additional layer of security on top of BitLocker encryption. Microsoft recommends (as I do) enabling BitLocker encryption on all of your devices. However, PDE encrypts individual files, whereas BitLocker encrypts whole volumes and disks.

Also, unlike BitLocker which unlocks all files at boot, PDE doesn’t release encryption keys until a user signs in using Windows Hello for Business.

Are all files on a volume encrypted?

With PDE, no. Only specified files and folders are protected with PDE.

Why isn’t BitLocker ‘enough’?

If an attacker gains physical access to a device, they have more ways to get at your data. However, unless they sign in with the specific user’s account, using the facial/fingerprint/PIN login method, they will be unable to decrypt the critical files protected by PDE.

Can PDE-protected content be accessed via the network?

No, files protected by PDE are not accessible over a network share. The user needs to sign in directly with Windows Hello for Business to unlock the specified files.
