Merge pull request #10677 from paolomatarazzo/pm-20250311-pde-known-folders

PDE for known folders

includes/licensing/_edition-requirements.md

@@ -53,7 +53,7 @@ ms.topic: include
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|
 |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|
-|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
+|**[Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|❌|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|

includes/licensing/_licensing-requirements.md

@@ -53,7 +53,7 @@ ms.topic: include
 |**[OneFuzz service](https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/)**|Yes|Yes|Yes|Yes|Yes|
 |**Opportunistic Wireless Encryption (OWE)**|Yes|Yes|Yes|Yes|Yes|
 |**[Passkeys](/windows/security/identity-protection/passkeys)**|Yes|Yes|Yes|Yes|Yes|
-|**[Personal Data Encryption (PDE)](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
+|**[Personal Data Encryption](/windows/security/operating-system-security/data-protection/personal-data-encryption/)**|❌|Yes|Yes|Yes|Yes|
 |**Privacy Resource Usage**|Yes|Yes|Yes|Yes|Yes|
 |**Privacy Transparency and Controls**|Yes|Yes|Yes|Yes|Yes|
 |**[Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|

includes/licensing/personal-data-encryption-pde.md

@@ -7,13 +7,13 @@ ms.topic: include
 
 ## Windows edition and licensing requirements
 
-The following table lists the Windows editions that support Personal data encryption (PDE):
+The following table lists the Windows editions that support Personal Data Encryption:
 
 |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
 |:---:|:---:|:---:|:---:|
 |No|Yes|No|Yes|
 
-Personal data encryption (PDE) license entitlements are granted by the following licenses:
+Personal Data Encryption license entitlements are granted by the following licenses:
 
 |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
 |:---:|:---:|:---:|:---:|:---:|

windows/security/book/cloud-services.md

@@ -11,6 +11,6 @@ ms.date: 11/18/2024
 
 The workplace is constantly evolving, with many users working outside the office at least some of the time. While remote work and cloud services provide more flexibility, they also result in more endpoints and locations for organizations to worry about.
 
-Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
+Windows 11, combined with Microsoft Entra ID for identity management, and cloud-based device management solutions like Microsoft Intune<sup>[\[4\]](conclusion.md#footnote4)</sup>, can be the foundation of a *Zero Trust* security model that enables flexible workstyles while controlling access, safeguarding sensitive information, and mitigating threats.
 
 :::image type="content" source="images/cloud-security-on.png" alt-text="Diagram containing a list of security features." lightbox="images/cloud-security.png" border="false":::

windows/security/book/includes/bitlocker.md

@@ -9,7 +9,7 @@ ms.topic: include
 
 BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure<sup>[\[4\]](../conclusion.md#footnote4)</sup>.
 
-For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune<sup>[\[3\]](../conclusion.md#footnote3)</sup>. It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune<sup>[\[4\]](../conclusion.md#footnote4)</sup>. It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
 
 [!INCLUDE [new-24h2](new-24h2.md)]
 

windows/security/book/includes/exploit-protection.md

@@ -13,7 +13,7 @@ When a mitigation is encountered on the device, a notification will be displayed
 
 You can use audit mode to evaluate how Exploit Protection would impact your organization if it were enabled. And go through safe deployment practices (SDP).
 
-Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune or group policy.
+Windows 11 provides configuration options for Exploit Protection. You can prevent users from modifying these specific options with device management solutions like Microsoft Intune<sup>[\[4\]](../conclusion.md#footnote4)</sup> or group policy.
 
 [!INCLUDE [learn-more](learn-more.md)]
 

windows/security/book/includes/kiosk-mode.md

@@ -9,7 +9,7 @@ ms.topic: include
 
 :::row:::
     :::column span="2":::
-        Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune<sup>[\[7\]](../conclusion.md#footnote7)</sup>. Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
+        Windows allows you to restrict functionality to specific applications using built-in features, making it ideal for public-facing or shared devices like kiosks. You can set up Windows as a kiosk either locally on the device, or through a cloud-based device management solution like Microsoft Intune<sup>[\[4\]](../conclusion.md#footnote4)</sup>. Kiosk mode can be configured to run a single app, multiple apps, or a full-screen web browser. You can also configure the device to automatically sign in and launch the designated kiosk app at startup.
     :::column-end:::
     :::column span="2":::
 :::image type="content" source="../images/kiosk.png" alt-text="Screenshot of a Windows kiosk." border="false" lightbox="../images/kiosk.png" :::

windows/security/book/includes/microsoft-intune.md

@@ -13,7 +13,7 @@ Intune works with Microsoft Entra ID to manage security features and processes,
 
 Organizations can cut costs while securing and managing remote devices through the cloud in compliance with company policies<sup>[\[11\]](../conclusion.md#footnote11)</sup>. For example, organizations can save time and money by provisioning preconfigured devices to remote employees using Windows Autopilot.
 
-Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
+Windows 11 enables IT professionals to move to the cloud while consistently enforcing security policies. Windows 11 provides expanded support for group policy administrative templates (ADMX-backed policies) in cloud-native device management solutions like Microsoft Intune<sup>[\[4\]](../conclusion.md#footnote4)</sup>, enabling IT professionals to easily apply the same security policies to both on-premises and remote devices.
 
 Customers have asked for App Control for Business (previously called *Windows Defender Application Control*) to support manage installer for a long time. Now it's possible to enable allowlisting of Win32 apps to proactively reduce the number of malware infections.
 

windows/security/operating-system-security/data-protection/personal-data-encryption/configure.md

@@ -1,8 +1,8 @@
 ---
-title: Personal Data Encryption settings and configuration
+title: Personal Data Encryption Settings and Configuration
-description: Learn about the available options to configure Personal Data Encryption (Personal Data Encryption) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
+description: Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 ms.topic: how-to
-ms.date: 09/24/2024
+ms.date: 03/12/2025
 ---
 
 # Personal Data Encryption settings and configuration
@@ -10,9 +10,9 @@ ms.date: 09/24/2024
 This article describes the Personal Data Encryption settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
 
 > [!NOTE]
-> Personal Data Encryption can be configured using MDM policies. The content to be protected by Personal Data Encryption can be specified using [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable Personal Data Encryption or protect content using Personal Data Encryption.
+> Personal Data Encryption can be configured using CSP policies. The content to be protected by Personal Data Encryption can be specified using Personal Data Encryption for known folders and [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
 >
-> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy has been enabled.
+> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy is enabled.
 
 ## Personal Data Encryption settings
 
@@ -23,6 +23,16 @@ The following table lists the required settings to enable Personal Data Encrypti
 |Enable Personal Data Encryption|Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.|
 |Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.|
 
+## Personal Data Encryption for known folders settings
+
+The following table lists the settings to configure Personal Data Encryption for known folders.
+
+| Setting name | Description |
+|-|-|
+|Protect Desktop|Enable Personal Data Encryption on the Desktop folder.|
+|Protect Documents|Enable Personal Data Encryption on the Documents folder.|
+|Protect Pictures|Enable Personal Data Encryption on the Pictures folder.|
+
 ## Personal Data Encryption hardening recommendations
 
 The following table lists the recommended settings to improve Personal Data Encryption's security.
@@ -55,7 +65,10 @@ Assign the policy to a group that contains as members the devices or users that
 
 | Category | Setting name | Value |
 |--|--|--|
-|**PDE**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
+|**Personal Data Encryption**|Enable Personal Data Encryption (User)|Enable Personal Data Encryption|
+|**Personal Data Encryption**|Protect Desktop (User)|Enable protection for the Desktop folder|
+|**Personal Data Encryption**|Protect Documents (User)|Enable protection for the Documents folder|
+|**Personal Data Encryption**|Protect Pictures (User)|Enable protection for the Pictures folder|
 |**Administrative Templates > Windows Components > Windows Logon Options**|Sign-in and lock last interactive user automatically after a restart|Disabled|
 |**Memory Dump**|Allow Live Dump|Block|
 |**Memory Dump**|Allow Crash Dump|Block|
@@ -68,7 +81,7 @@ Assign the policy to a group that contains as members the devices or users that
 > [!TIP]
 > Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.
 >
-> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
+> When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you might need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires *DeviceManagementConfiguration.ReadWrite.All* permissions.
 
 ```msgraph-interactive
 POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
@@ -84,6 +97,9 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Pers
 |OMA-URI|Format|Value|
 |-|-|-|
 |`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`1`|
+|`./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop`|int|`1`|
+|`./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments`|int|`1`|
+|`./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures`|int|`1`|
 |`./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn`|string|`<disabled/>`|
 |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump`| int| `0`|
 |`./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump` |int| `0`|
@@ -91,6 +107,17 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Pers
 |`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
 |`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`<disabled/>`|
 
+## User experience
+
+When Personal Data Encryption is enabled, the user experience is as follows:
+
+- Access to Personal Data Encryption protected content is only possible when users sign in using Windows Hello (biometrics or PIN). If users sign in without Windows Hello, they can't open encrypted content
+- If a user attempts to sign in without Windows Hello, a message appears on the sign in screen indicating that to access encrypted content the user must sign in with Windows Hello
+    :::image type="content" source="images/pde-sign-in.png" lightbox="images/pde-sign-in.png" alt-text="Screenshot of the sign in screen. If a user attempts to sign in with a password, a message indicates that the files protected by Personal Data Encryption aren't accessible." border="false":::
+- The data protected by Personal Data Encryption has a padlock on the file or folder's icon. The padlock icon is displayed in File Explorer and on the desktop
+    :::image type="content" source="images/pde-protection.png" alt-text="Screenshot of File Explorer with some files protected by Personal Data Encryption, displaying a padlock." border="false":::
+
+
 ## Disable Personal Data Encryption
 
 Once Personal Data Encryption is enabled, it isn't recommended to disable it. However if you need to disable Personal Data Encryption, you can do so using the following steps.
@@ -112,7 +139,7 @@ Assign the policy to a group that contains as members the devices or users that
 
 | Category | Setting name | Value |
 |--|--|--|
-|**PDE**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
+|**Personal Data Encryption**|**Enable Personal Data Encryption (User)**|Disable Personal Data Encryption|
 
 [!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
 
@@ -126,7 +153,7 @@ You can disable Personal Data Encryption with CSP using the following setting:
 
 ## Decrypt encrypted content
 
-Disabling Personal Data Encryption doesn't decrypt any Personal Data Encryption protected content. It only prevents the Personal Data Encryption API from being able to protect any additional content. Pprotected files can be manually decrypted using the following steps:
+When you disable Personal Data Encryption, the content encrypted using Personal Data Encryption for known folders is automatically decrypted. However, the content encrypted using Personal Data Encryption APIs isn't decrypted automatically. To decrypt this content, follow these steps:
 
 1. Open the properties of the file
 1. Under the **General** tab, select **Advanced...**
@@ -153,7 +180,7 @@ To decrypt files on a device using `cipher.exe`:
   ```
 
 > [!IMPORTANT]
-> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using Personal Data Encryption.
+> Once a user selects to manually decrypt a file, the user can't manually protect the file again using Personal Data Encryption.
 
 ## Next steps
 

windows/security/operating-system-security/data-protection/personal-data-encryption/faq.yml

@@ -4,7 +4,7 @@ metadata:
   title: Frequently asked questions for Personal Data Encryption
   description: Answers to common questions regarding Personal Data Encryption.
   ms.topic: faq
-  ms.date: 09/24/2024
+  ms.date: 03/12/2025
 
 title: Frequently asked questions for Personal Data Encryption
 summary: |
@@ -27,7 +27,7 @@ sections:
           No, it's not supported to access protected content over RDP.
       - question: Can Personal Data Encryption protected content be accessed via a network share?
         answer: |
-          No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+          No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello credentials.
       - question: What encryption method and strength does Personal Data Encryption use?
         answer: |
           Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
@@ -36,10 +36,10 @@ sections:
     questions:
       - question: What is the relation between Windows Hello for Business and Personal Data Encryption?
         answer: |
-          During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
+          During user sign-on, Windows Hello unlocks the keys that Personal Data Encryption uses to protect content.
-      - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
+      - question: If a user signs into Windows with a password instead of Windows Hello, will they be able to access their Personal Data Encryption protected content?
         answer: |
-          No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+          No, the keys used by Personal Data Encryption to encrypt content are protected by Windows Hello credentials and can only be unlocked when signing on with Windows Hello (PIN or biometrics).
       - question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
         answer: |
           No, Personal Data Encryption and EFS are mutually exclusive.
@@ -49,3 +49,5 @@ sections:
       - question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
         answer: |
           No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
+      - question: Are the files encrypted by Personal Data Encryption synced to OneDrive in an encrypted form?
+        answer: Personal Data Encryption ensures that files are protected from unauthorized access by encrypting them at rest. When files are synced to OneDrive, they are transferred over a secure connection. However, Personal Data Encryption's encryption only applies to local data saved to the disk. Applications accessing the files, including OneDrive when it syncs data, get cleartext data. This means that while Personal Data Encryption protects files on the local disk, the files synced to OneDrive are not encrypted by Personal Data Encryption in the cloud.

windows/security/operating-system-security/data-protection/personal-data-encryption/index.md

@@ -1,32 +1,37 @@
 ---
-title: Personal Data Encryption
+title: Personal Data Encryption Overview
-description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
+description: Learn about Personal Data Encryption, a security feature that provides file-based data encryption capabilities to Windows.
-ms.topic: how-to
+ms.topic: overview
-ms.date: 09/24/2024
+ms.date: 03/12/2025
 ---
 
-# Personal Data Encryption
+# Personal Data Encryption overview
 
-Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
+Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows. It utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello, decryption keys are released, and encrypted data becomes accessible to the user. Conversely, when a user signs out, decryption keys are discarded, rendering the data inaccessible even if another user signs into the device. This ensures that sensitive information remains always protected.
 
-Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
+The benefits of Personal Data Encryption are significant. By reducing the number of credentials needed to access encrypted content, users only need to sign in with Windows Hello. Additionally, the accessibility features available with Windows Hello extend to Personal Data Encryption protected content.
-When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
 
-The use of Windows Hello for Business offers the following advantages:
+Unlike BitLocker, which encrypts entire volumes and disks, Personal Data Encryption focuses on individual files, providing another layer of security. This feature not only enhances data protection but also shows a strong commitment to safeguarding personal information.
 
-- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
+## Personal Data Encryption for known folders
-- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
 
-Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
+:::row:::
-Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
+  :::column span="2":::
+  Starting in Windows 11, version 24H2, Personal Data Encryption is further enhanced with *Personal Data Encryption for known folders*. Once enabled, the Windows folders **Desktop**, **Documents**, and **Pictures**, along with their contents, are automatically encrypted. This feature provides a quick and easy way to add an extra layer of security to commonly used folders.
+  :::column-end:::
+  :::column span="2":::
+  :::image type="content" source="images/pde-known-folders.png" alt-text="Icons of the known folders with a padlock representing their encryption status." border="false":::
+  :::column-end:::
+:::row-end:::
 
 ## Prerequisites
 
 To use Personal Data Encryption, the following prerequisites must be met:
 
 - Windows 11, version 22H2 and later
+  - Personal Data Encryption for known folders is only available on Windows 11, version 24H2 and later
 - The devices must be [Microsoft Entra joined][ENTRA-1] or [Microsoft Entra hybrid joined][ENTRA-2]. Domain-joined devices aren't supported
-- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
+- Users must sign in using [Windows Hello](../../../identity-protection/hello-for-business/index.md)
 
 > [!IMPORTANT]
 > If you sign in with a password or a [FIDO2 security key][ENTRA-3], you can't access Personal Data Encryption protected content.
@@ -39,37 +44,37 @@ Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content
 
 | Item | Level 1 | Level 2 |
 |---|---|---|
-| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
+| Protected data accessible when user signs in via Windows Hello | Yes | Yes |
 | Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
 | Protected data is accessible after user signs out of Windows | No | No |
 | Protected data is accessible when device is shut down | No | No |
 | Protected data is accessible via UNC paths | No | No |
-| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
+| Protected data is accessible when signing with Windows password instead of Windows Hello | No | No |
 | Protected data is accessible via Remote Desktop session | No | No |
 | Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
 
 ## Personal Data Encryption protected content accessibility
 
-When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
+When a file is protected with Personal Data Encryption, its icon shows a padlock. If the user isn't signed in locally with Windows Hello, or an unauthorized user attempts to access protected content, they're denied access.
 
-Scenarios where a user will be denied access to Personal Data Encryption protected content include:
+Scenarios where a user is denied access to Personal Data Encryption protected content include:
 
-- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
+- User signs in with a password instead of using Windows Hello (biometrics or PIN)
 - If protected via level 2 protection, when the device is locked
 - When trying to access content on the device remotely. For example, UNC network paths
 - Remote Desktop sessions
-- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
+- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello and have permissions to navigate to the Personal Data Encryption protected content
 
 ## Differences between Personal Data Encryption and BitLocker
 
 Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
 
-| Item | Personal Data Encryption | BitLocker |
+|| Personal Data Encryption | BitLocker |
 |--|--|--|
-| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
+| **Release of decryption key**| At user sign-in via Windows Hello | At boot |
-| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
+| **Decryption keys discarded**| When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
-| Protected content | All files in protected folders | Entire volume/drive |
+| **Protected content**| All files in protected folders | Entire volume/drive |
-| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
+| **Authentication to access protected content**| Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
 
 ## Differences between Personal Data Encryption and EFS
 
@@ -81,9 +86,9 @@ To see if a file is protected with Personal Data Encryption or with EFS:
 1. Under the **General** tab, select **Advanced...**
 1. In the **Advanced Attributes** windows, select **Details**
 
-For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For Personal Data Encryption protected files, under **Protection status:** there's an item listed as **Personal Data Encryption is: On**.
 
-For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
+For EFS protected files, under **Users who can access this file:**, there's a **Certificate thumbprint** next to the users with access to the file. There's also a section labeled **Recovery certificates for this file as defined by recovery policy:**.
 
 Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
 
@@ -92,17 +97,9 @@ Encryption information including what encryption method is being used to protect
 The following are recommendations for using Personal Data Encryption:
 
 - Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
-- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
+- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must resync OneDrive
-- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
+- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN reset causes keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides nondestructive PIN resets
-- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
+- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers more security when authenticating with Windows Hello via biometrics or PIN
-
-## Windows out of box applications that support Personal Data Encryption
-
-Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
-
-| App name | Details |
-|-|-|
-| Mail | Supports protecting both email bodies and attachments|
 
 ## Next steps
 

windows/security/operating-system-security/data-protection/toc.yml

@@ -3,7 +3,7 @@ items:
   href: bitlocker/toc.yml
 - name: Encrypted hard drives
   href: encrypted-hard-drive.md
-- name: Personal data encryption
+- name: Personal Data Encryption
   href: personal-data-encryption/toc.yml
 - name: Email Encryption (S/MIME)
   href: configure-s-mime.md