Getting started with Personal Data Encryption

This week is all about a nice feature that was introduced over a year ago, but that hasn't received a lot of attention yet. That feature is Personal Data Encryption (PDE). PDE was introduced with Windows 11, version 22H2, as a security feature that adds file-based data encryption to Windows. Not as an alternative to BitLocker, but to work alongside BitLocker. Where the BitLocker decryption key is released during the boot of the device, the PDE decryption keys are released during the sign-in of the user, by using Windows Hello for Business. That makes PDE an additional layer of security on top of BitLocker, focused on specific apps and their data. This post starts with a short introduction to PDE, followed by the configuration of PDE. This post ends with experiencing PDE.

Note: PDE is only available for Microsoft Entra joined Windows 11, version 22H2 and later, devices.

Introducing Personal Data Encryption

When looking at PDE, it's good to start with the basics. The key component of PDE is that it uses Windows Hello for Business to link data encryption keys to user credentials. When a user signs in to Windows by using Windows Hello for Business, the decryption keys are released and the encrypted data becomes accessible to the user. As soon as the user signs out, the decryption keys are discarded again. That process makes sure that the data stays protected up until the user signs in to Windows. So, even when Windows has already started and the BitLocker-protected volume has already been unlocked, that data is still inaccessible until the user signs in by using Windows Hello. That makes PDE an additional layer of security on top of BitLocker.

Another nice part of PDE is that it works automatically. There is no need for the user to manually encrypt data, like with EFS. However, that also comes with its current main challenge: the app must support PDE, by using the PDE APIs. At this moment, the only app that supports PDE on Windows is the Mail app. After enabling PDE, the Mail app automatically starts using it. Good to know, however, is that within the latest Windows Insider Preview Builds, it's now also possible to enable PDE for protecting the known folders in Windows (Desktop, Documents, and Pictures). That really adds value to PDE and immediately makes the number of use cases a lot bigger.

Note: With the latest Windows Insider Preview Builds, PDE now also becomes available to protect specific folders.

Besides the usage of PDE, it's important to further harden Windows, to prevent the keys from being exposed via memory dumps, hibernation files and similar artifacts. To achieve that level of hardening, the following settings are advised, besides enabling PDE.

| Setting | Value | Reason |
|---|---|---|
| Allow Live Dump | Disabled | Kernel-mode live dumps can potentially expose the keys that PDE uses to protect content. |
| Allow Crash Dump | Disabled | User-mode crash dumps can potentially expose the keys that PDE uses to protect content. |
| Disable Windows Error Reporting | Enabled | User-mode crash dumps can potentially expose the keys that PDE uses to protect content. |
| Allow Hibernate | Block | Hibernation files can potentially expose the keys that PDE uses to protect content. |
| Allow users to select when a password is required when resuming from connected standby | Disabled | During the time when the screen turns off but a password isn't required, the keys that PDE uses to protect content could potentially be exposed. |

Configuring Personal Data Encryption

After getting familiar with PDE and the suggested hardening, it's time to have a closer look at the configuration of PDE. For enabling PDE, Microsoft added the PDE CSP to Windows 11, version 22H2 and later. That CSP contains the EnablePersonalDataEncryption node that can be used to enable PDE. The configuration of this specific setting is available via the Settings Catalog. Besides that, it's also important to make sure that automatic restart sign-on (ARSO) isn't enabled, as it's not supported in combination with PDE (ARSO signs the user in again after a restart without an interactive Windows Hello sign-in, which is exactly the moment PDE relies on to release the keys). That can be configured by using an existing Windows setting that is available within the Settings Catalog. The following eight steps walk through enabling PDE and disabling ARSO.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Windows > Configuration profiles
  2. On the Windows | Configuration profiles blade, click Create > New Policy
  3. On the Create a profile blade, select Windows 10 and later > Settings catalog and click Create
  4. On the Basics page, provide at least a unique name to distinguish it from similar profiles and click Next
  5. On the Configuration settings page, as shown below in Figure 1, perform the following actions and click Next
  • Click Add settings and perform the following in the Settings picker
    • Search for Enable Personal Data Encryption (User) as setting, to enable PDE
    • Search for Sign-in and lock last interactive user automatically after a restart as setting, to disable ARSO
  • To enable PDE (1), switch the slider to the right to Enable Personal Data Encryption
  • To disable ARSO (2), switch the slider to the left to Disabled
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment for the required users or devices and click Next
  8. On the Review + create page, verify the configuration and click Create
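To verify on the device that the settings from the steps above, and the hardening settings from the table, have actually landed after the Intune sync, the following PowerShell script is added here as an example; it is not part of the original post or of any Microsoft tooling. It reads the registry values that Windows uses as the backing store for these settings, plus the MDM policy mirror under HKLM\SOFTWARE\Microsoft\PolicyManager\current; those paths, in particular the PolicyManager area names, are assumptions to verify on your own build. The connected-standby password setting is not checked.

```powershell
# Added example, not from the original post: audit the local state that the
# PDE configuration above depends on. Run in an elevated PowerShell session,
# as the user that received the PDE policy, after the Intune sync has completed.
# Assumption: MDM-delivered policy is mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current (device scope under \device,
# user scope under the user's SID). Verify the paths on your build if a check
# reports "not found".

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treated as "not configured"
}

function New-Check {
    param([string]$Name, $Expected, $Actual)
    [pscustomobject]@{
        Check    = $Name
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { 'not found' } else { $Actual }
        Pass     = ($Actual -eq $Expected)
    }
}

function Test-PdeConfiguration {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $pm  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'

    @(
        # PDE CSP is user scoped (./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption = 1),
        # so the mirror lives under the user's SID (assumed path)
        New-Check 'PDE enabled (user policy)' 1 (Get-RegValue "$pm\$sid\PDE" 'EnablePersonalDataEncryption')

        # "Sign-in and lock last interactive user automatically after a restart" = Disabled
        # is enforced through DisableAutomaticRestartSignOn = 1
        New-Check 'ARSO disabled' 1 (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableAutomaticRestartSignOn')

        # Allow Crash Dump = Disabled: CrashControl\CrashDumpEnabled 0 means no kernel dump
        New-Check 'Kernel crash dump disabled' 0 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled')

        # Allow Live Dump = Disabled: only the MDM mirror is checked (assumed area name MemoryDump)
        New-Check 'Live dump disabled (MDM)' 0 (Get-RegValue "$pm\device\MemoryDump" 'AllowLiveDump')

        # Disable Windows Error Reporting = Enabled: WER policy value Disabled = 1
        New-Check 'WER disabled' 1 (Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' 'Disabled')

        # Allow Hibernate = Block: the effective state is Control\Power\HibernateEnabled,
        # 0 means hiberfil.sys is not written at all
        New-Check 'Hibernation disabled' 0 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled')
    )
}

$report = Test-PdeConfiguration
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) {
    Write-Warning 'One or more PDE prerequisites or hardening settings are not in the expected state.'
}
```

The script deliberately checks the effective values (for example HibernateEnabled) rather than only the policy mirror, because the point of the hardening is that no dump or hibernation file with key material ends up on disk; a policy that has been delivered but not applied yet would otherwise look compliant.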

Note: Besides these minimal required settings, also seriously consider configuring the additional hardening settings, that are all available within the Settings Catalog, to prevent exposure of the encryption keys.

Experiencing Personal Data Encryption

When the configuration for at least enabling PDE and disabling ARSO is in place, it's time to look at the user experience. It might be challenging to test, as there is currently only one app that actually supports this promising functionality: the Mail app. That makes looking into the cache files of that app interesting, for example the cached attachments. Those files are displayed in File Explorer with a yellow lock icon. When looking at the advanced attributes of those files, it mentions the use of PDE. Besides that, something that might be even more obvious is the message that the user receives when not using Windows Hello to sign in. That message is shown below in Figure 2. It appears when the user tries to sign in with something other than Windows Hello, like username and password. In that case, the user receives the message to use Windows Hello to access files that are encrypted by their organization.

Important: Keep in mind that, at the moment of writing, only the default Mail app supports PDE in Windows.

Note: The potential addition of support for PDE to protect folders in Windows could be a gamechanger for the usage of PDE. That would make the use cases a lot easier and immediately add value.
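To make the "yellow lock icon" check from the experience described above repeatable, the following PowerShell snippet is added here as an example; it is not part of the original post. The lock icon reflects the Encrypted file attribute, so the script enumerates files under the Mail app's local state that carry that attribute. The package folder name for the Mail app is an assumption taken from a test device; adjust it if it differs on yours.

```powershell
# Added example, not from the original post: list Mail app cache files that
# carry the Encrypted attribute (the same state File Explorer shows as a
# yellow lock icon). Run as the signed-in user, not elevated.
# Assumption: the Mail app package folder is
# microsoft.windowscommunicationsapps_8wekyb3d8bbwe; change $Root if needed.

function Get-EncryptedMailCacheFiles {
    param(
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState')
    )
    if (-not (Test-Path -Path $Root)) {
        Write-Warning "Mail app state folder not found: $Root"
        return @()
    }
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        Select-Object FullName, Length, LastWriteTime
}

$files = @(Get-EncryptedMailCacheFiles)
"{0} encrypted file(s) found under the Mail app state folder" -f $files.Count
$files | Format-Table -AutoSize

# The Encrypted attribute alone does not tell PDE and classic EFS apart.
# cipher.exe /c prints the encryption details of a file, including who can
# decrypt it; inspect the first hit to confirm what File Explorer's advanced
# attributes dialog shows.
if ($files.Count -gt 0) {
    cipher.exe /c $files[0].FullName
}
```

A useful follow-up test is to sign out, sign in again with username and password instead of Windows Hello, and run the script once more: the files are still listed (the attribute is on disk), but opening one of them should now produce the "use Windows Hello" message from Figure 2, because the PDE keys have not been released for that session.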

More information

For more information about Personal Data Encryption and the configuration, refer to the following docs.
