Windows 11 22H2 introduced Personal Data Encryption, a feature that adds extra security on top of BitLocker full-disk encryption
Published: Oct 14, 2024
Personal Data Encryption (PDE) protects sensitive information from unauthorized access. Microsoft introduced the feature with Windows 11, version 22H2, but it hasn’t received a lot of fanfare. This article explains PDE, how it works, and why it might be needed in addition to BitLocker.
Personal Data Encryption (PDE) is a feature Microsoft released with Windows 11, version 22H2, that complements BitLocker. Where BitLocker encrypts a whole volume, PDE provides file-based encryption in Windows. It uses Windows Hello for Business as the user's credential: the keys that protect the content are tied to that credential, so only a Windows Hello for Business sign-in by that user releases them.
PDE is available on eligible Windows 11 devices, but it is not on by default: it has to be enabled through MDM policy, after which it protects content such as photos, documents, and emails. PDE uses AES-CBC with a 256-bit key and offers two levels of protection: at level 1, content becomes accessible after the user signs in and stays accessible until sign-out; at level 2, the keys are also discarded, and the content re-locked, whenever the device is locked.
Personal Data Encryption offers easy-to-configure options in Microsoft Intune to safeguard sensitive personal data from unauthorized access, including by administrators. Even an administrator who takes over a device 'administratively' cannot read the PDE-protected files and folders in the user's profile, because the keys are never released without that user's Windows Hello for Business sign-in. This is one of the strongest reasons to deploy PDE in your organization.
By combining that encryption with the device's Trusted Platform Module (TPM), PDE lets your users keep documents and pictures encrypted even if the device falls into the wrong hands. This protects their privacy and also helps you comply with data protection regulations.
There are a few prerequisites you need to be aware of regarding PDE.
The first step is simple: enable BitLocker, or validate that it has already encrypted the volume on the device. PDE works without BitLocker, but there is no reason not to have that foundational protection in place; anything outside the PDE-protected folders is otherwise readable straight from the disk.
Next, make sure you are backing up your users' most critical files. OneDrive's 'Important Folders' feature should be turned on (it backs up the user's Desktop, Documents, and Pictures folders). In specific scenarios, such as a TPM reset or a destructive Windows Hello PIN reset, the keys PDE uses to protect content are lost and the files become inaccessible. The backup is what gets those files back in these situations.
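Here is a quick readiness check that rolls the prerequisites above into one script. It is an added example, not from the original article or from Microsoft. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 11 and an elevated session for the BitLocker and TPM cmdlets; it detects OneDrive folder backup by checking whether the known folders have been redirected beneath the OneDrive sync root (`$env:OneDrive` or `$env:OneDriveCommercial`), and it reads Windows Hello for Business enrolment from the `NgcSet` line of `dsregcmd /status`.

```powershell
# Added example (not from the article or Microsoft): check PDE prerequisites on the
# device for the signed-in user. Run elevated: Get-BitLockerVolume and Get-Tpm need it.
function Test-PdePrerequisites {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 1. BitLocker on the OS volume. PDE works without it, but everything outside the
    #    PDE-protected folders is otherwise readable straight from the disk.
    try {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r.BitLockerOsVolume = ($os.VolumeStatus -eq 'FullyEncrypted' -and
                                $os.ProtectionStatus -eq 'On')
    } catch {
        $r.BitLockerOsVolume = $false      # not elevated, or BitLocker not available
    }

    # 2. TPM: Windows Hello for Business, and therefore the PDE keys, rely on it.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        $r.TpmReady = $false
    }

    # 3. Windows Hello for Business enrolment: dsregcmd prints "NgcSet : YES" in its
    #    User State section once the user has a Hello PIN/biometric container.
    $dsreg = (& dsregcmd.exe /status) -join "`n"
    $r.WindowsHelloEnrolled = $dsreg -match 'NgcSet\s*:\s*YES'

    # 4. OneDrive folder backup (Known Folder Move). When it is on, the Desktop,
    #    Documents and Pictures known folders live beneath the OneDrive sync root.
    #    A TPM clear or destructive PIN reset destroys the PDE keys, so this backup
    #    is the only way the user gets those files back.
    $syncRoots = @($env:OneDriveCommercial, $env:OneDrive) | Where-Object { $_ }
    foreach ($known in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($known)
        $backedUp = $false
        foreach ($root in $syncRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $backedUp = $true
            }
        }
        $r["OneDriveBackup_$known"] = $backedUp
    }

    $r.ReadyForPde = -not ($r.Values -contains $false)
    [pscustomobject]$r
}

Test-PdePrerequisites | Format-List
```

Any `False` in the output is a prerequisite to fix before you push the PDE policy; `ReadyForPde` is simply the conjunction of the individual checks.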
Moving on to the nuts and bolts behind the scenes, PDE also exposes application programming interfaces (APIs). These give developers programmatic access to the encryption mechanism so their applications can protect their own data with PDE and benefit from the same protection.
For example, an application can use the PDE APIs to protect files before storing them on disk, so they stay encrypted even if the device is compromised. Similarly, an app can protect data before uploading it to a cloud storage service, adding another layer of security.
Data encryption keys (DEKs) are what actually secure the protected content. These keys are bound to the user's Windows Hello for Business credential, which is in turn protected by the device's hardware TPM, so the data stays protected if the device is compromised or the disk is removed.
PDE sits alongside BitLocker: PDE uses these DEKs to encrypt and decrypt individual files or segments of data, whereas BitLocker uses a single volume master key for the entire volume.
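To make the API talk concrete, here is an added example (mine, not Microsoft's or the article's) that protects a single file from Windows PowerShell 5.1 using the `Windows.Security.DataProtection.UserDataProtectionManager` WinRT API that PDE exposes. The `Await` helper bridging `IAsyncOperation<T>` to a .NET `Task` is the usual desktop-PowerShell workaround and is not part of PDE. The script assumes PDE has been enabled by MDM policy for the signed-in user and that Windows Hello for Business is enrolled; otherwise `TryGetDefault()` returns null. The two `UserDataAvailability` values used map to the two protection levels: `AfterFirstUnlock` (level 1) and `WhileUnlocked` (level 2).

```powershell
# Added example (not from the article or Microsoft): protect a file with the PDE WinRT
# API from Windows PowerShell 5.1. Requires PDE enabled by MDM policy for this user.
Add-Type -AssemblyName System.Runtime.WindowsRuntime

# Load the WinRT projections (desktop PowerShell syntax).
$null = [Windows.Security.DataProtection.UserDataProtectionManager, Windows.Security.DataProtection, ContentType = WindowsRuntime]
$null = [Windows.Storage.StorageFile, Windows.Storage, ContentType = WindowsRuntime]

# Pick the AsTask<T>(IAsyncOperation<T>) overload so the script can block on WinRT calls.
$asTaskGeneric = [System.WindowsRuntimeSystemExtensions].GetMethods() |
    Where-Object { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
                   $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' } |
    Select-Object -First 1

function Await($AsyncOperation, [type]$ResultType) {
    $task = $asTaskGeneric.MakeGenericMethod($ResultType).Invoke($null, @($AsyncOperation))
    $task.Wait()
    return $task.Result
}

function Protect-PdeFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # AfterFirstUnlock = level 1 (accessible after sign-in until sign-out);
        # WhileUnlocked    = level 2 (keys also discarded while the device is locked)
        [ValidateSet('AfterFirstUnlock', 'WhileUnlocked')] [string] $Level = 'WhileUnlocked'
    )

    $mgr = [Windows.Security.DataProtection.UserDataProtectionManager]::TryGetDefault()
    if ($null -eq $mgr) {
        throw 'PDE is not enabled for this user (UserDataProtectionManager.TryGetDefault returned null).'
    }

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $file = Await ([Windows.Storage.StorageFile]::GetFileFromPathAsync($fullPath)) `
                  ([Windows.Storage.StorageFile])

    $availability = [Windows.Security.DataProtection.UserDataAvailability]::$Level
    $status = Await ($mgr.ProtectStorageItemAsync($file, $availability)) `
                    ([Windows.Security.DataProtection.UserDataStorageItemProtectionStatus])
    if ($status -ne [Windows.Security.DataProtection.UserDataStorageItemProtectionStatus]::Succeeded) {
        # NotProtectable: the item can't be protected; DataUnavailable: the user's
        # keys are not currently released, so the operation couldn't complete.
        throw "ProtectStorageItemAsync returned '$status' for $fullPath"
    }

    # Read back the protection level Windows now records for the item.
    $info = Await ($mgr.GetStorageItemProtectionInfoAsync($file)) `
                  ([Windows.Security.DataProtection.UserDataStorageItemProtectionInfo])
    [pscustomobject]@{ Path = $fullPath; Availability = $info.Availability }
}

# Usage: protect one document at level 2.
# Protect-PdeFile -Path "$env:USERPROFILE\Documents\payroll.xlsx"
```

Run it as the user who owns the file, not from an elevated admin session of a different account: the manager returned by `TryGetDefault()` is scoped to the signed-in user's Windows Hello for Business credential, which is exactly why an administrator cannot read the result.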
I'll give you an overview of the two methods of configuring PDE: Intune, and a configuration service provider (CSP). There is no user interface in Windows to enable PDE or to protect content with it; you will be using mobile device management (MDM) policies.
The two main settings are:
If you’re using Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile. Let me show you the most straightforward method, a Disk encryption policy.
You can go through the rest of the profile configuration tabs. Note that for users in the Windows Insider Program, Microsoft has released a preview feature that brings the Pictures, Documents, and Desktop folders under PDE protection.
Alternatively, you can configure PDE on devices using the Policy CSP and the PDE CSP. Here is the table of pertinent settings Microsoft supplies. The first row enables PDE for the user; the remaining rows turn off features that could leave decrypted data or keys on disk (memory dumps, the hibernation file, error reports) or leave content unlocked without a Windows Hello for Business sign-in (automatic restart sign-on, delayed lock).
OMA-URI | Format | Value |
---|---|---|
./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption | int | 1 |
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn | string | <disabled/> |
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump | int | 0 |
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump | int | 0 |
./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting | string | <enabled/> |
./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate | int | 0 |
./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock | string | <disabled/> |
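If you would rather script the rows above than click through a custom profile, here is an added example (mine, not Microsoft's or the article's) that builds a Windows 10/11 custom configuration profile from that exact table and creates it through Microsoft Graph. It assumes the Microsoft.Graph.Authentication module is installed, that you have already run `Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All`, and that `-GroupId` is the object ID of the Entra group you want the profile assigned to (the value in the usage line is a placeholder). The table's Format column drives the OMA setting type: `int` becomes `omaSettingInteger`, `string` becomes `omaSettingString`.

```powershell
# Added example (not from the article or Microsoft): create the Intune custom profile
# for the CSP table above via Microsoft Graph. Assumes: Microsoft.Graph.Authentication
# installed and Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All done.

# The table, one record per row. URIs and values are exactly as Microsoft lists them.
$PdeCspSettings = @(
    @{ Name = 'EnablePersonalDataEncryption'; Format = 'int';    Value = 1
       Uri  = './User/Vendor/MSFT/PDE/EnablePersonalDataEncryption' }
    @{ Name = 'AllowAutomaticRestartSignOn';  Format = 'string'; Value = '<disabled/>'
       Uri  = './Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn' }
    @{ Name = 'AllowCrashDump';               Format = 'int';    Value = 0
       Uri  = './Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump' }
    @{ Name = 'AllowLiveDump';                Format = 'int';    Value = 0
       Uri  = './Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump' }
    @{ Name = 'DisableWindowsErrorReporting'; Format = 'string'; Value = '<enabled/>'
       Uri  = './Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting' }
    @{ Name = 'AllowHibernate';               Format = 'int';    Value = 0
       Uri  = './Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate' }
    @{ Name = 'AllowDomainDelayLock';         Format = 'string'; Value = '<disabled/>'
       Uri  = './Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock' }
)

function New-PdeCustomProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $DisplayName = 'Personal Data Encryption (PDE)',
        [string] $GroupId                       # Entra group object ID to assign to (optional)
    )

    # Map each table row to the Graph omaSetting type its Format column calls for.
    $omaSettings = foreach ($s in $PdeCspSettings) {
        $odataType = switch ($s.Format) {
            'int'    { '#microsoft.graph.omaSettingInteger' }
            'string' { '#microsoft.graph.omaSettingString' }
            default  { throw "Unsupported format '$($s.Format)' for $($s.Uri)" }
        }
        @{ '@odata.type' = $odataType; displayName = $s.Name; omaUri = $s.Uri; value = $s.Value }
    }

    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = $DisplayName
        description   = 'Enables PDE and turns off features that could leak protected data or keys to disk.'
        omaSettings   = @($omaSettings)
    }

    if (-not $PSCmdlet.ShouldProcess($DisplayName, 'Create Intune custom profile')) {
        return ($body | ConvertTo-Json -Depth 5)    # -WhatIf: show the payload only
    }

    $created = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
        -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

    if ($GroupId) {
        $assign = @{ assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
        ) }
        Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
            -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json' | Out-Null
    }
    $created
}

# Usage: preview the JSON first, then create and assign to a pilot group.
# New-PdeCustomProfile -WhatIf
# New-PdeCustomProfile -GroupId '00000000-0000-0000-0000-000000000000'
```

Keep the EnablePersonalDataEncryption row user-scoped (`./User/...`) as in the table; the other rows are device-scoped, and the custom profile accepts both in one payload.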
With a relatively new feature, and knowing that many enterprises have only begun rolling out Windows 11, there are bound to be a lot of frequently asked questions. Let me address the most common ones here.
Personal Data Encryption adds a layer of security on top of BitLocker. Microsoft recommends (as I do) enabling BitLocker on all of your devices; PDE then encrypts individual files rather than whole volumes and disks as BitLocker does.
Also, unlike BitLocker, which unlocks the whole volume at boot, PDE doesn't release its encryption keys until the user signs in with Windows Hello for Business.
No. PDE doesn't encrypt the whole volume; only the specified files and folders are protected.
If an attacker gains physical access to a device, they have a foothold to dig further into your data. However, unless they sign in as that specific user with Windows Hello for Business (face, fingerprint, or PIN), they cannot decrypt the files protected by PDE.
No, files protected by PDE are not accessible over a network share. The user needs to sign in directly on the device with Windows Hello for Business to unlock them.