Microsoft Personal Data Encryption for Windows 11
- Pascal

- Jan 4
- 4 min read
Updated: Feb 19
Microsoft has introduced a new security feature for Windows 11: Personal Data Encryption (PDE). The feature was unveiled at the recent Microsoft Ignite 2024, and it immediately caught my attention. The session, hosted by Katharine Holdsworth, not only covered PDE, but also several other innovations that make Windows 11 more secure and easier to use. You can watch the full session here: Microsoft Ignite - Personal Data Encryption.
When I first saw Personal Data Encryption, two things immediately came to mind:
Comparison with Windows Information Protection (WIP): Has Microsoft superseded the old WIP solution with this, or are there fundamental differences in how data protection is now approached?
Interesting use cases, like shared workspaces: I still regularly encounter shared workspaces, where everything from OneDrive to other Microsoft 365 tools needs to be active. PDE seems to offer an extremely valuable solution here, especially when it comes to securely sharing work files without risking the user’s privacy.
In this blog post, we’ll dive deeper into what exactly PDE is, what you need to configure it, and how it differs from existing solutions like WIP. First, let’s take a look at what it takes to enable this new security functionality and what benefits it brings.
What is Personal Data Encryption?
Personal Data Encryption is a security mechanism designed to protect users' personal OneDrive content through encryption. It uses Windows Hello for Business as modern authentication, allowing the user to sign in using a PIN or biometric data, such as fingerprints or facial recognition.
The encryption keys used by Personal Data Encryption are stored securely within the Windows Hello container. When a user signs in with Windows Hello, this container is unlocked, making the keys available to unlock the user’s data. This provides an extra layer of protection for sensitive information on the device.
The first version of Personal Data Encryption was introduced in Windows 11, version 22H2, and brought with it a set of public APIs that allow applications to implement encryption of user content. In the latest version of Windows 11, version 24H2, the functionality has been further extended with Personal Data Encryption for well-known folders, such as the Windows Documents, Pictures, and Desktop folders. This ensures that files in these frequently used folders are also protected from unauthorized access.
Requirements
Before Personal Data Encryption can be used, it is important to know that there are a number of strict requirements, namely:
Windows 11, version 22H2 or later
Microsoft Entra joined (domain-joined and hybrid-joined devices are not supported)
Windows Hello for Business must be turned on
Windows 11 Enterprise or Education Edition
Configuring Personal Data Encryption (PDE)
We will use Microsoft Intune to configure PDE. A few settings must be set correctly:
Example settings:

User Experience
What is the effect on the user? Once PDE is applied to the device, a notification immediately appears on the Windows 11 Start screen: "You need to sign in with Windows Hello to access files your organization has encrypted on this device."

As Microsoft explains, Personal Data Encryption (PDE) uses Windows Hello for Business technology to unlock data. It is therefore important to sign in with a Windows Hello for Business PIN or biometric!
PDE associates data encryption keys with user data. When a user signs in to a Windows Hello for Business device, the encryption keys are released, making the encrypted data accessible to the user.
Once a user logs out, the unlock keys are deleted, leaving the data inaccessible even if another user logs in on the same device.
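The public PDE API mentioned earlier and the key lifecycle just described, as an added C# example that is not part of the original post: it protects a file at the "while unlocked" level, reads the protection level back, and reacts to the keys being withdrawn at sign-out. It assumes the Windows.Security.DataProtection WinRT API (Windows 11 22H2 or later), a .NET project targeting the Windows SDK, and a constructed file path.

```csharp
// Added example, not the post's or Microsoft's code. Assumes a project targeting
// the Windows SDK (e.g. net8.0-windows10.0.22621.0) running as the signed-in user
// on an Entra-joined device where PDE is enabled.
using System;
using System.Threading.Tasks;
using Windows.Security.DataProtection;
using Windows.Storage;

static class PdeFileProtection
{
    static UserDataProtectionManager GetManager() =>
        // Null when PDE is not available (no Windows Hello for Business, unsupported edition, ...).
        UserDataProtectionManager.TryGetDefault()
        ?? throw new InvalidOperationException("Personal Data Encryption is not available on this device.");

    // Protect a file so it is only readable while this user's Hello container is unlocked.
    // UserDataAvailability.AfterFirstUnlock would instead keep it readable until the next reboot.
    public static async Task<UserDataStorageItemProtectionStatus> ProtectWhileUnlockedAsync(string path)
    {
        UserDataProtectionManager manager = GetManager();
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionStatus status =
            await manager.ProtectStorageItemAsync(file, UserDataAvailability.WhileUnlocked);

        // The two failure modes an application must expect:
        //  - NotProtectable: the item cannot carry PDE protection (e.g. unsupported volume).
        //  - DataUnavailable: the user's keys are not released right now, which is exactly the
        //    state after signing in without Windows Hello or after the keys were dropped at sign-out.
        if (status != UserDataStorageItemProtectionStatus.Succeeded)
            Console.WriteLine($"Could not protect {path}: {status}");
        return status;
    }

    // Read back the level the platform applied; Always means no PDE protection is in place.
    public static async Task<UserDataAvailability> GetProtectionLevelAsync(string path)
    {
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionInfo info = await GetManager().GetStorageItemProtectionInfoAsync(file);
        return info.Availability;
    }

    // Fires when the keys become available or are withdrawn (lock, sign-out), so an app can
    // stop reading WhileUnlocked data instead of failing mid-operation.
    public static void WatchKeyAvailability() =>
        GetManager().DataAvailabilityStateChanged += (sender, args) =>
            Console.WriteLine("PDE key availability changed; re-check before touching protected data.");

    static async Task Main()
    {
        const string path = @"C:\Users\Winston\OneDrive\Documents\report.docx"; // constructed sample path
        WatchKeyAvailability();
        Console.WriteLine($"Protect: {await ProtectWhileUnlockedAsync(path)}");
        Console.WriteLine($"Level:   {await GetProtectionLevelAsync(path)}");
    }
}
```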
After signing in with Windows Hello for Business (WHfB), a new icon appears near the OneDrive links for My Documents, My Photos, and My Desktop:

When we open My Documents, we see that a key icon has been added to all files and folders. This icon indicates that the data is additionally secured with Personal Data Encryption.

The advantage of this extra encryption is that no one else logging into this device can access the cached OneDrive files. Even with local administrator rights, these files cannot be opened by another user. In this example, I am logged in with the Winston account, which also has local administrator rights.


Conclusion
The introduction of Personal Data Encryption (PDE) not only provides additional security for personal OneDrive files but also has a clear benefit for shared workspaces. In environments where multiple users need to sign in to the same device, there may be situations where access to each other’s OneDrive cache files appears possible. While permissions should normally prevent this, PDE provides an additional layer of security that ensures no one can gain unauthorized access to these files. This makes PDE a valuable addition in shared device scenarios.