This week is a follow-up to this post of a few months ago about getting started with Personal Data Encryption (PDE). That post focused on the early introduction of PDE and the functionality it brings to the table; this post adds to that functionality and knowledge. PDE is still a fairly unknown feature that is now growing in useful functionality and could become a very welcome addition to the data protection capabilities available on Windows. With the latest version of Windows 11, version 24H2, PDE can also protect personal data in known Windows folders: Documents, Desktop, and Pictures. That gives organizations more protection capabilities for personal data, as PDE is meant to be used alongside BitLocker, not instead of it. The main difference is when the decryption key is released. BitLocker releases its key during the boot of the device, so the volume is readable by anything that runs on the booted system, whereas PDE releases its keys only during the sign-in of the user with Windows Hello for Business, so the protected files stay unreadable until that specific user has authenticated. This post is focused on creating more awareness and showing the new, really straightforward configuration options.
Note: Keep in mind that PDE for known Windows folders is available for Windows 11, version 24H2, and later.
Configuring Personal Data Encryption for known Windows folders
When looking at the configuration of PDE for known Windows folders, it all starts with the PDE CSP. That CSP was added in Windows 11, version 22H2, and contains the EnablePersonalDataEncryption node that is used to enable PDE. Starting with Windows 11, version 24H2, the CSP also contains nodes to enable PDE on specific known Windows folders, one for each of the Documents, Desktop, and Pictures folders: ProtectFolders/ProtectDocuments, ProtectFolders/ProtectDesktop and ProtectFolders/ProtectPictures. Keep in mind that the PDE CSP is user-scoped (./User/Vendor/MSFT/PDE/...), which is why the settings show up as (User) settings in Intune and why the keys are tied to the Windows Hello for Business sign-in of that user. With the latest service release (2409) of Microsoft Intune, a new disk encryption template is available for PDE. That template is named Personal Data Encryption and can be used to easily configure the different PDE settings, relying on the PDE CSP. The following eight steps walk through enabling PDE for known Windows folders using that new template.
- Open the Microsoft Intune admin center portal and navigate to Endpoint security > Disk encryption
- On the Endpoint security | Disk encryption blade, click Create > New Policy
- On the Create a profile blade, select Windows > Personal Data Encryption and click Create
- On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
- On the Configuration settings page, as shown below in Figure 1, configure the following and click Next
- Enable Personal Data Encryption (User): Switch the slider to Enable Personal Data Encryption (1)
- Protect Pictures (User): Select Enable PDE on folder (A)
- Protect Documents (User): Select Enable PDE on folder (B)
- Protect Desktop (User): Select Enable PDE on folder (C)

- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the assignment for the required user or devices and click Next
- On the Review + create page, verify the configuration and click Create
Note: Besides these minimal required settings, also seriously consider configuring the additional hardening settings that are available within the Settings Catalog to prevent exposure of the released encryption keys. The Microsoft Learn docs for PDE specifically recommend disabling hibernation, disabling kernel-mode crash dumps and live dumps, disabling Windows Error Reporting user-mode crash dumps, and disabling the option that lets users choose when a password is required when resuming from connected standby, because those are the places where a key that has been released to memory can end up on disk or stay available without a fresh Windows Hello sign-in.
Experiencing Personal Data Encryption for known Windows folders
When the configuration of PDE for known Windows folders is in place, it's time to look at the user experience. The addition of known Windows folders makes the configuration of PDE a lot easier to test and verify, because there is a predictable set of files to look at. Those folders and the files within them are displayed in File Explorer with a yellow lock icon, as shown below in Figure 2 (number 1 and 2). When looking at the Advanced Attributes of those files, the Encrypt contents to secure data attribute is set, as shown below in Figure 2 (number 3). And when looking at the Details, it clearly shows the use of PDE, as shown below in Figure 2 (number 4).
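The attributes and lock icons above can be checked from PowerShell as well, which is handy when verifying a rollout or when reproducing the behavior that a user reports. The script below is an added example, not code from the original post or from Microsoft; it assumes (and this is an assumption, not something the page states) that PDE-protected files carry the NTFS Encrypted attribute that File Explorer renders as the padlock, and that the registry values used in Get-PdeHardeningStatus reflect the effective state of hibernation, kernel crash dumps and Windows Error Reporting on the device. Run it in the context of the signed-in user on a device that received the policy.

```powershell
# Added verification script (not part of the original post or of Microsoft's tooling).
# Run as the signed-in user on a Windows 11 24H2 device that received the PDE policy.
# Assumptions (not stated on the page): PDE-protected files carry the NTFS Encrypted
# attribute, and the registry values read below reflect the effective device state.

function Get-PdeFolderStatus {
    # Reports, per known folder, how many files carry the Encrypted attribute and which do not.
    [CmdletBinding()]
    param()

    $known = [ordered]@{
        Desktop   = [Environment]::GetFolderPath('Desktop')
        Documents = [Environment]::GetFolderPath('MyDocuments')
        Pictures  = [Environment]::GetFolderPath('MyPictures')
    }

    foreach ($entry in $known.GetEnumerator()) {
        $path = $entry.Value
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $files     = @(Get-ChildItem -LiteralPath $path -File -Recurse -Force -ErrorAction SilentlyContinue)
        $encrypted = @($files | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 })
        $plain     = @($files | Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 })

        [pscustomobject]@{
            Folder          = $entry.Key
            Path            = $path
            FolderEncrypted = (((Get-Item -LiteralPath $path -Force).Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
            FilesTotal      = $files.Count
            FilesEncrypted  = $encrypted.Count
            Unprotected     = @($plain | ForEach-Object { $_.FullName })
        }
    }
}

function Test-PdeFileReadable {
    # Opens a protected file for reading. After a Windows Hello sign-in this is expected to
    # succeed; after a password-only sign-in, or from another account, it is expected to fail
    # with an access-denied error because the PDE keys were never released.
    param([Parameter(Mandatory)][string]$Path)

    try {
        $stream = [IO.File]::OpenRead($Path)
        $stream.Dispose()
        [pscustomobject]@{ Path = $Path; Readable = $true;  Error = $null }
    }
    catch {
        [pscustomobject]@{ Path = $Path; Readable = $false; Error = $_.Exception.GetType().Name }
    }
}

function Get-PdeHardeningStatus {
    # Hibernation files and memory dumps are where released keys can end up on disk, which is
    # why the PDE docs recommend turning them off. Registry locations are an assumption.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    $crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
    $wer   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        HibernateEnabled    = ($power.HibernateEnabled -eq 1)   # want $false (powercfg /h off)
        CrashDumpEnabled    = $crash.CrashDumpEnabled           # want 0 (none); 7 = automatic
        WerDisabledByPolicy = ($wer.Disabled -eq 1)             # want $true
    }
}

# Usage: summarise the folders, warn about unprotected files, probe one protected file,
# and show the hardening state.
$status = Get-PdeFolderStatus
$status | Format-Table Folder, FolderEncrypted, FilesTotal, FilesEncrypted -AutoSize
$status | Where-Object { $_.Unprotected.Count -gt 0 } |
    ForEach-Object { Write-Warning ("{0}: {1} file(s) not encrypted" -f $_.Folder, $_.Unprotected.Count) }

$sample = foreach ($s in $status) {
    Get-ChildItem -LiteralPath $s.Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } | Select-Object -First 1
}
$sample | Select-Object -First 1 | ForEach-Object { Test-PdeFileReadable -Path $_.FullName }

Get-PdeHardeningStatus
```

Running the script twice, once after a Windows Hello sign-in and once after a password-only sign-in (ideally after a restart, so no keys are left from an earlier session), gives a quick way to confirm that Readable flips from $true to $false as designed. The Encrypted attribute alone only tells you that the file is encrypted, not who can unlock it, so the read test is the part that actually verifies the PDE behavior.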

Besides that, something that might even be more obvious, is the message that the user receives when not using Windows Hello to sign in. That message was shown in the previous post about getting started with PDE. It appears when the user tries to sign in with something other than Windows Hello, like a username and password. In that case, the user receives the message to use Windows Hello to access files that are encrypted by their organization.
More information
For more information about Personal Data Encryption and the configuration, refer to the following docs.
- PDE CSP – Windows Client Management | Microsoft Learn
- Personal Data Encryption (PDE) – Windows Security | Microsoft Learn
- PDE settings and configuration – Windows Security | Microsoft Learn
- Frequently asked questions for Personal Data Encryption (PDE) – Windows Security | Microsoft Learn
- Encrypt Windows devices with Intune – Microsoft Intune | Microsoft Learn
Peter,
Thank you for posting this information, your posts are always so informative.
I can’t wrap my head around using PDE in an enterprise environment. If only the user can open the files, what happens if there is an investigation or a legal hold on the device? I’d also worry about an upset employee encrypting all of their files before leaving a company. Then I’d be curious to know how Defender and DLP are handled when the files are encrypted.
Hopefully Microsoft will release more information about how to handle the scenarios above.
Hi David,
At this moment it’s only for the local data in the known Windows folders (and to be complete, the Mail app). When using OneDrive KFM, that information is also available in the OneDrive of the user.
Regards, Peter
How does PDE work with security tools? For example: EDR or forensic tools? Are those tools (probably running as system) able to see into the encrypted files if the user has logged in and unlocked the encryption keys?
Hi Mike,
I haven’t tried that specifically. But after signing in with Windows Hello, the keys are released from TPM and that should make the files available.
Regards, Peter
Is PDE going to replace Controlled Folder Access, does it co-exist, or do I need to decide on one?
CFA is more complex to configure (exclusions) but IMO more secure as only certain processes can write to known folders.
Hi Olaf,
I would say no. That’s a different tool for a different purpose. PDE is really focused on protecting personal data.
Regards, Peter
Hopefully there will be a way to remove those unsightly yellow padlock badges from the icons. They could serve a purpose if the files are *unavailable* due to PDE, but when they are unlocked and available they are just noise.
In that case it would be good to have controls for that, because I can also think of (many) cases in which it’s actually useful to have those indicators.
Regards, Peter
I configured the feature and everything works as advertised except that I can still access the files when logging in with the password instead of Windows Hello even though I see the message on the lock screen to use Hello.
When logging in as admin and trying to open the files in the user profile, it fails, so they are encrypted it seems.
Hi AlphaSeb,
Just to be sure; is that after signing out and signing in, or also after a restart?
Regards, Peter
Hi Peter,
Yes indeed, I can restart and log in with the password and open the files. I don’t really get it!
Regards
Sebastian
That indeed doesn’t sound as designed. If you can reproduce that on multiple devices, I would suggest reporting it to Microsoft.
Regards, Peter
I did exactly the same test and same result as AlphaSeb.
I connect after a reboot and after a lock with my username/password and I still have access to my files.
I then tried to connect with an admin account to test the access, and the admin account has no access to my personal locked files.
So for me it’s better like that. Secured but we can use what we want to connect.
Thank you for confirming, Michael. I would say that, even though it might be convenient, it’s not really what it should look like.
Regards, Peter
And in my opinion I think the interest is limited if only these directories are protected when we use OneDrive.
Personally, I use Onedrive with a clean tree structure and admins have access to it. Even I use PDE.
You mean that you would like to see a broader adoption of PDE within the profile of the user, right?
Regards, Peter
Hello Peter,
Thank you for your post – the information you provided is very useful.
Could you please assist me in understanding the issue? The same policy works correctly on Autopilot devices (using the same account), but it fails to be applied and does not function as expected on Microsoft Entra hybrid-joined devices.
I would appreciate your guidance on this matter.
Hi Robert,
I know that it initially wasn’t supported, but according to the docs it should be now. What is the behavior that you are experiencing?
Regards, Peter
Hello Peter,
The same policy is applied for Autopilot and hybrid devices. On Autopilot the policy is applied successfully and works as expected, but on hybrid it can’t be applied; Intune shows policy error code 65000.
And besides that everything is the same? Including the Windows version and configuration?
Regards, Peter