
Microsoft Windows Personal Data Encryption

Personal Data Encryption (PDE) is a Windows 11 feature that encrypts files on a per-user basis without encrypting the entire disk. PDE uses Windows Hello for Business to bind the data encryption keys to the user's credentials: PDE-protected content can only be accessed after that user signs in locally to Windows with Windows Hello, and only the user who encrypted the files can decrypt them. A local administrator who signs in to the same device cannot read another user's PDE-protected data without that user's credentials.

PDE works alongside device-level BitLocker encryption rather than replacing it: BitLocker protects the whole disk at rest, and PDE adds a per-user layer on top. Microsoft recommends OneDrive in Microsoft 365 as the backup method. Note that PDE-protected files are unlocked when the user signs in and the encryption is local to the device, so anything that reads the files inside the user's unlocked session, including OneDrive sync, sees plaintext; the copies backed up to OneDrive are therefore not encrypted by PDE.
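As an added example (not part of the original post), the following Windows PowerShell 5.1 script uses the WinRT UserDataProtectionManager API, the same PDE API that applications use, to protect a file and read its protection level back. It makes the "only while the user is signed in" behaviour described above concrete: PDE offers two availability levels, AfterFirstUnlock (readable once the user has signed in with Windows Hello, until sign-out) and WhileUnlocked (readable only while the session is unlocked). The script assumes PDE is enabled for the signed-in user; the file path is a placeholder you replace, and the Await-WinRt helper is the usual pattern for calling asynchronous WinRT methods from Windows PowerShell (it does not work unmodified in PowerShell 7).

```powershell
# Added example, not from the original post: protect a file with PDE and inspect
# its protection level via Windows.Security.DataProtection (Windows PowerShell 5.1).
# Assumptions: PDE is enabled for the current user, the user signed in with
# Windows Hello, and $path points at an existing file you own.
Add-Type -AssemblyName System.Runtime.WindowsRuntime

# Load the WinRT types into the session.
[Windows.Security.DataProtection.UserDataProtectionManager,Windows.Security.DataProtection,ContentType=WindowsRuntime] | Out-Null
[Windows.Storage.StorageFile,Windows.Storage,ContentType=WindowsRuntime] | Out-Null

# Standard helper: turn an IAsyncOperation<T> into a .NET Task and wait for it.
$asTaskGeneric = ([System.WindowsRuntimeSystemExtensions].GetMethods() |
    Where-Object { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
                   $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]
function Await-WinRt($Operation, [Type]$ResultType) {
    $task = $asTaskGeneric.MakeGenericMethod($ResultType).Invoke($null, @($Operation))
    $task.Wait(-1) | Out-Null
    $task.Result
}

# TryGetDefault returns null when PDE is not available to this user
# (feature not enabled by policy, or the user did not sign in with Windows Hello).
$mgr = [Windows.Security.DataProtection.UserDataProtectionManager]::TryGetDefault()
if ($null -eq $mgr) {
    throw 'PDE is not available for this user: check the PDE policy and that you signed in with Windows Hello.'
}

$path = "$env:USERPROFILE\Documents\secret.txt"   # placeholder path, replace with your own file
$file = Await-WinRt ([Windows.Storage.StorageFile]::GetFileFromPathAsync($path)) ([Windows.Storage.StorageFile])

# WhileUnlocked: the file is readable only while this user's session is unlocked;
# AfterFirstUnlock would keep it readable until the user signs out or the device restarts.
$level  = [Windows.Security.DataProtection.UserDataAvailability]::WhileUnlocked
$status = Await-WinRt ($mgr.ProtectStorageItemAsync($file, $level)) ([Windows.Security.DataProtection.UserDataStorageItemProtectionStatus])
"Protect result : $status"   # Protected on success; NotProtectable/ProtectedToOtherIdentity otherwise

# Read the protection info back; another user's session would see ProtectedToOtherIdentity
# and could not open the file even as a local administrator.
$info = Await-WinRt ($mgr.GetStorageItemProtectionInfoAsync($file)) ([Windows.Security.DataProtection.UserDataStorageItemProtectionInfo])
"Availability   : $($info.Availability)"
```

Once a file is protected this way, a copy made by a process running as a different user (or by an administrator taking ownership of the file) yields ciphertext; the plaintext is only reachable through the owning user's unlocked session, which is exactly why files that sync to OneDrive from that session leave the device unencrypted by PDE.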

The requirements are Windows 11 Enterprise or Education, version 22H2 or later (PDE is not licensed for Windows 11 Pro), a Microsoft Entra joined device (hybrid-joined devices are not supported), Windows Hello for Business enabled for the user, and a TPM 2.0. To configure PDE in Microsoft Intune, create a Settings Catalog Windows configuration profile, add the PDE category, set "Enable Personal Data Encryption" to enabled (this writes the PDE CSP node ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption = 1), and assign the profile to the required users, as shown below.

 

Microsoft recommends applying the following settings as well, to reduce the chance that PDE key material is written to disk where it could be recovered: disable Windows Error Reporting (user-mode crash dumps), disable kernel-mode crash dumps and live dumps, and disable hibernation. Each of these features can write memory contents, potentially including decrypted keys, to a file on disk. In Intune these correspond to the Policy CSP nodes ErrorReporting/DisableWindowsErrorReporting, MemoryDump/AllowCrashDump, MemoryDump/AllowLiveDump and Power/AllowHibernate, all available in the Settings Catalog.
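The prerequisites and hardening settings above are easy to get wrong on individual devices, so as an added example (not part of the original post, and not a Microsoft tool) here is a PowerShell check that reports whether a device meets the PDE prerequisites and whether the recommended hardening settings are actually in effect. It reads the effective OS state (edition, build, TPM spec version, Entra join, crash dump and hibernation configuration, WER policy) rather than trusting that the Intune profile applied. The one assumption is the registry path under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\MemoryDump used to read the MDM-delivered live-dump policy; Windows Hello enrollment for the user is not checked.

```powershell
# Added example, not from the original post: check a device against the PDE
# prerequisites and the recommended hardening settings. Run in an elevated
# Windows PowerShell session on the target device.
# Assumption: MDM-delivered MemoryDump policies are mirrored under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\MemoryDump.

function Get-PdeReadiness {
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$ver.CurrentBuild                      # 22621 = Windows 11 22H2

    # PDE is licensed for Enterprise and Education editions only.
    $editionOk = $ver.EditionID -in @('Enterprise', 'EnterpriseN', 'Education', 'EducationN')

    # TPM 2.0: Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38".
    $tpm   = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = ($null -ne $tpm) -and (($tpm.SpecVersion -split ',')[0].Trim() -eq '2.0')

    # PDE needs a Microsoft Entra joined device; dsregcmd reports "AzureAdJoined : YES".
    $entraJoined = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)

    # Hardening, effective state: CrashDumpEnabled 0 = no kernel dump; HibernateEnabled 0 = no hiberfil.
    $crashDump = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl').CrashDumpEnabled
    $hibernate = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power').HibernateEnabled

    # Windows Error Reporting disabled by policy (Disabled = 1 under the Policies hive).
    $wer = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' -ErrorAction SilentlyContinue

    # Live dumps: MDM policy value (assumed mirror path; AllowLiveDump 0 = blocked).
    $mdmDump = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\MemoryDump' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition          = $ver.EditionID
        EditionSupported = $editionOk
        Build            = $build
        BuildSupported   = ($build -ge 22621)
        Tpm20            = $tpm20
        EntraJoined      = $entraJoined
        KernelDumpsOff   = ($crashDump -eq 0)
        LiveDumpsOff     = ($mdmDump.AllowLiveDump -eq 0)
        HibernateOff     = ($hibernate -eq 0)
        WerOff           = ($wer.Disabled -eq 1)
    }
}

$result = Get-PdeReadiness
$result | Format-List

# Summarise every boolean check that failed so the gap is obvious at a glance.
$failed = $result.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    ForEach-Object Name
if ($failed) {
    Write-Warning "Not ready for PDE / hardening incomplete: $($failed -join ', ')"
} else {
    'Device meets the PDE prerequisites and the recommended hardening settings.'
}
```

Because the script reads effective state (for example HibernateEnabled rather than the Intune setting that should have changed it), a device that shows HibernateOff = False after the profile was assigned tells you the policy did not apply, which is the case you want to catch before relying on PDE to keep keys off the disk.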

 

Personal Data Encryption is a useful way to secure user data: it protects files from local administrators and from other users on shared devices, adding an extra layer of protection on top of BitLocker without changing the user's sign-in experience.
