deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

PDE content move

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-06-01 07:44:12 -04:00
parent 7d90d6d095
commit 6a49032278
16 changed files with 237 additions and 506 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md Normal file
View File

@ -0,0 +1,30 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Configure Personal Data Encryption (PDE) policies in Intune
The various required and recommended policies needed for Personal Data Encryption (PDE) can be configured in Intune. The following links for both required and recommended policies contain step by step instructions on how to configure these policies in Intune.
## Required prerequisites
1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
## Security hardening recommendations
1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
1. [Disable hibernation](intune-disable-hibernation.md)
1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

75
windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml Normal file
View File

@ -0,0 +1,75 @@
### YamlMime:FAQ
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
ms.topic: faq
ms.date: 03/13/2023
# Max 5963468 OS 32516487
# Max 6946251
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Here are some answers to common questions regarding Personal Data Encryption (PDE)
sections:
- name: Single section - ignored
questions:
- question: Can PDE encrypt entire volumes or drives?
answer: |
No. PDE only encrypts specified files and content.
- question: Is PDE a replacement for BitLocker?
answer: |
No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: How are files and content protected by PDE selected?
answer: |
[PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
answer: |
No. PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
- question: What is the relation between Windows Hello for Business and PDE?
answer: |
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
- question: Can a file be protected with both PDE and EFS at the same time?
answer: |
No. PDE and EFS are mutually exclusive.
- question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
No. Accessing PDE protected content over RDP isn't currently supported.
- question: Can PDE protected content be accessed via a network share?
answer: |
No. PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- question: How can it be determined if a file is protected with PDE?
answer: |
- Files protected with PDE and EFS will both show a padlock on the file's icon. To verify whether a file is protected with PDE vs. EFS:
1. In the properties of the file, navigate to **General** > **Advanced**. The option **Encrypt contents to secure data** should be selected.
2. Select the **Details** button.
3. If the file is protected with PDE, under **Protection status:**, the item **Personal Data Encryption is:** will be marked as **On**.
- [`cipher.exe`](/windows-server/administration/windows-commands/cipher) can also be used to show the encryption state of the file.
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md).
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
answer: |
No. The keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-CBC with a 256-bit key to encrypt content.
additionalContent: |
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)

20
windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md Normal file
View File

@ -0,0 +1,20 @@
---
ms.topic: include
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows.
PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
Because PDE utilizes Windows Hello for Business, PDE is also accessibility friendly due to the accessibility features available when using Windows Hello for Business.
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE protected content once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
> PDE can be enabled using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.

207
windows/security/operating-system-security/data-protection/personal-data-encryption/index.md Normal file
View File

@ -0,0 +1,207 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
manager: aaroncz
ms.topic: how-to
ms.date: 03/13/2023
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Personal Data Encryption (PDE)
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
## Prerequisites
### Required
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### Not supported with PDE
- [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md).
- [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### Security hardening recommendations
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md).
### Highly recommended
- [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup.
- [Windows Hello for Business PIN reset service](identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
## PDE protection levels
PDE uses AES-CBC with a 256-bit key to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
| PDE protected data is accessible after user signs out of Windows | No | No |
| PDE protected data is accessible when device is shut down | No | No |
| PDE protected data is accessible via UNC paths | No | No |
| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
| PDE protected data is accessible via Remote Desktop session | No | No |
| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
## PDE protected content accessibility
When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
Scenarios where a user will be denied access to PDE protected content include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If protected via level 2 protection, when the device is locked.
- When trying to access content on the device remotely. For example, UNC network paths.
- Remote Desktop sessions.
- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content.
## How to enable PDE
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **1**
There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md).
## Differences between PDE and BitLocker
PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
| Item | PDE | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
| Files protected | Individual specified files | Entire volume/drive |
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
## Differences between PDE and EFS
The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
To see if a file is protected with PDE or with EFS:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. In the **Advanced Attributes** windows, select **Details**
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
## Disable PDE and decrypt content
Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **0**
Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE protected files can be manually decrypted using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. Uncheck the option **Encrypt contents to secure data**
4. Select **OK**, and then **OK** again
PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on a large number of devices.
To decrypt files on a device using `cipher.exe`:
- Decrypt all files under a directory including subdirectories:
```cmd
cipher.exe /d /s:<path_to_directory>
```
- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
```cmd
cipher.exe /d <path_to_file_or_directory>
```
> [!IMPORTANT]
> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
## Windows out of box applications that support PDE
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
- Mail
- Supports protecting both email bodies and attachments
## See also
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)

63
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune
ms.topic: how-to
ms.date: 06/01/2023
---
# Disable Winlogon automatic restart sign-on (ARSO) for PDE
Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption (PDE). For this reason, in order to use PDE, ARSO needs to be disabled.
## Disable Winlogon automatic restart sign-on (ARSO) in Intune
To disable ARSO using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appear, under **Template name**, select **Administrative templates**
1. Select **Create** to close the **Create profile** window.
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable ARSO**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. On the left pane of the page, make sure **Computer Configuration** is selected
1. Under **Setting name**, scroll down and select **Windows Components**
1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option
1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**
1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

62
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Disable hibernation for PDE in Intune
description: Disable hibernation for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable hibernation for PDE
Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.
## Disable hibernation in Intune
To disable hibernation using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Hibernation**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Power**
1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

61
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Disable kernel-mode crash dumps and live dumps for PDE in Intune
description: Disable kernel-mode crash dumps and live dumps for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable kernel-mode crash dumps and live dumps for PDE
Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.
## Disable kernel-mode crash dumps and live dumps in Intune
To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
1. Next to **Description**, enter a description.
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, scroll down and select **Memory Dump**
1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

76
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable allowing users to select when a password is required when resuming from connected standby for PDE
When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device's screen turns off before a password is required when waking the device
- A password is required immediately after the screen turns off
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices
- Workgroup devices, including Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome
Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**.
## Disable allowing users to select when a password is required when resuming from connected standby in Intune
To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
1. Next to **Description**, enter a description
1. Select **Next**.
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **System**
1. Under **System**, scroll down and select **Logon**
1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**
1. select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

64
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.
## Disable Windows Error Reporting (WER)/user-mode crash dumps in Intune
To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Settings catalog**
1. Select **Create** to close the **Create profile** window
1. The **Create profile** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
1. Next to **Description**, enter a description
1. Select **Next**
1. In the **Configuration settings** page:
1. Select **Add settings**
1. In the **Settings picker** window that opens:
1. Under **Browse by category**, expand **Administrative Templates**
1. Under **Administrative Templates**, scroll down and expand **Windows Components**
1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it
1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option
1. Select **Next**
1. In the **Scope tags** page, configure if necessary and then select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md)
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

70
windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
ms.topic: how-to
ms.date: 03/13/2023
---
# Enable Personal Data Encryption (PDE)
By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
## Enable Personal Data Encryption (PDE) in Intune
To enable Personal Data Encryption (PDE) using Intune, follow the below steps:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the **Home** screen, select **Devices** in the left pane
1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**
1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**
1. In the **Create profile** window that opens:
1. Under **Platform**, select **Windows 10 and later**
1. Under **Profile type**, select **Templates**
1. When the templates appears, under **Template name**, select **Custom**
1. Select **Create** to close the **Create profile** window
1. The **Custom** screen will open. In the **Basics** page:
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Select **Next**
1. In **Configuration settings** page:
1. Next to **OMA-URI Settings**, select **Add**
1. In the **Add Row** window that opens:
1. Next to **Name**, enter **Personal Data Encryption**
1. Next to **Description**, enter a description
1. Next to **OMA-URI**, enter in:
**`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`**
1. Next to **Data type**, select **Integer**
1. Next to **Value**, enter in **1**
1. Select **Save** to close the **Add Row** window
1. Select **Next**
1. In the **Assignments** page:
1. Under **Included groups**, select **Add groups**
> [!NOTE]
> Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile.
1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window
1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**
1. In **Applicability Rules**, configure if necessary and then select **Next**
1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**
## Additional PDE configurations in Intune
The following PDE configurations can also be configured using Intune:
### Prerequisites
- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md)
### Security hardening recommendations
- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md)
- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md)
- [Disable hibernation](intune-disable-hibernation.md)
- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md)
## More information
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

19
windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml Normal file
View File

@ -0,0 +1,19 @@
items:
- name: Overview
href: index.md
- name: Configure PDE with Intune
href: configure-pde-in-intune.md
- name: Enable Personal Data Encryption (PDE)
href: intune-enable-pde.md
- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE
href: intune-disable-arso.md
- name: Disable kernel-mode crash dumps and live dumps for PDE
href: intune-disable-memory-dumps.md
- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE
href: intune-disable-wer.md
- name: Disable hibernation for PDE
href: intune-disable-hibernation.md
- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE
href: intune-disable-password-connected-standby.md
- name: PDE frequently asked questions (FAQ)
href: faq-pde.yml