From 6b6e47a0dbe670aad4e7e76fab492e4a8a56d9f7 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 12 Sep 2022 17:11:30 -0400
Subject: [PATCH 01/23] Add PDE
---
.../security/encryption-data-protection.md | 11 +++++++-
.../personal-data-encryption.md | 25 +++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 windows/security/information-protection/personal-data-encryption.md
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 782617bafe..484f98fc97 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -6,7 +6,7 @@ author: denisebmsft
ms.author: deniseb
manager: dansimp
ms.topic: conceptual
-ms.date: 09/08/2021
+ms.date: 09/22/2022
ms.prod: m365-security
ms.technology: windows-sec
ms.localizationpriority: medium
@@ -45,8 +45,17 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
+## Personal Data Encryption
+
+(*Applies to: Windows 11, version 22H2 and later*)
+
+Personal Data Encryption (PDE) is a new feature in Windows 11 22H2.
+
+
+
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
+- [Personal Data Encryption]
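Review bot: the new See also entry `- [Personal Data Encryption]` has no link target, so it renders as literal bracketed text rather than a link; give it the path of the file this patch creates, `- [Personal Data Encryption](information-protection/personal-data-encryption.md)`, matching the two entries above it. The three empty `+` lines after the placeholder sentence can be collapsed to one.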
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
new file mode 100644
index 0000000000..8912251e21
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -0,0 +1,25 @@
+---
+title: Personal Data Encryption (PDE)
+description: Personal Data Encryption unlocks user encrypted data at user logon instead of at boot
+ms.reviewer:
+manager: aaroncz
+ms.author: frankroj
+ms.prod: m365-security
+author: frankroj
+ms.date: 09/22/2022
+---
+
+
+# Personal Data Encryption
+
+(*Applies to: Windows 11, version 22H2 and later*)
+
+Personal data encryption (PDE) is
+
+## Differences between Personal Data Encryption and BitLocker
+
+## Prerequisites
+
+## How to enable
+
+## Next steps
\ No newline at end of file
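Review bot: the body of the new page is unfinished: `Personal data encryption (PDE) is` ends mid-sentence and the four `##` sections are empty, so the page will publish as a stub if this patch merges on its own; either complete the sections before merging or keep the file out of the build until a later patch fills it in. Also add a trailing newline (the hunk ends with `\ No newline at end of file`) and either fill or drop the empty `ms.reviewer:` key.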
From 3d01fe9a0da0c457c2c1a22407d1428f0c2355b4 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 12 Sep 2022 17:29:43 -0400
Subject: [PATCH 02/23] Add TOC entry for PDE
---
windows/security/TOC.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 133027057d..bb74695e92 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -149,6 +149,8 @@
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+ - name: Personal Data Encryption
+ href: information-protection/personal-data-encryption.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security
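Review bot: the new TOC entry is inserted directly after the BitLocker troubleshooting items (`ts-bitlocker-decode-measured-boot-logs.md`); confirm its indentation matches `- name: Configure S/MIME for Windows` rather than the troubleshooting children, otherwise Personal Data Encryption will nest under the BitLocker troubleshooting node instead of appearing as its own information-protection topic.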
From c8857a4214aa8975ac25b3eff66328e2f90aebf8 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Tue, 13 Sep 2022 17:13:13 -0400
Subject: [PATCH 03/23] Updating PDE docs 1
---
.../security/encryption-data-protection.md | 12 ++++++-----
.../personal-data-encryption.md | 20 ++++++++++++++++---
2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 484f98fc97..b5103f6849 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -32,8 +32,8 @@ Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
-- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
-- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
+- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
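Review bot: while the contractions in these two bullets are being normalized, the unchanged phrase `erased using on-board encryption key` in the rewritten Ease of use bullet is still missing its article; make it `using the on-board encryption key`.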
@@ -46,10 +46,12 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
## Personal Data Encryption
-
+
(*Applies to: Windows 11, version 22H2 and later*)
-Personal Data Encryption (PDE) is a new feature in Windows 11 22H2.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files in the known user folders of **Documents**, **Pictures**, and **Desktop**. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with user credentials. Unlike BitLocker which unlocks data encryption keys at boot, PDE does not unlock data encryption keys until a user logs via WHfB.
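Review bot: `until a user logs via WHfB` in the last added line is missing a word; use `until a user signs in via Windows Hello for Business`. The abbreviation WHfB is introduced here for a single further use, so spelling the name out on both occurrences reads better on this overview page.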
@@ -58,4 +60,4 @@ Personal Data Encryption (PDE) is a new feature in Windows 11 22H2.
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
-- [Personal Data Encryption]
+- [Personal Data Encryption](information-protection/personal-data-encryption.md)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 8912251e21..e026a30128 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -11,12 +11,26 @@ ms.date: 09/22/2022
# Personal Data Encryption
-
+
(*Applies to: Windows 11, version 22H2 and later*)
-Personal data encryption (PDE) is
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files in the known user folders of **Documents**, **Pictures**, and **Desktop**. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. Unlike BitLocker which unlocks data encryption keys at boot, PDE does not unlock data encryption keys until a user logs via WHfB.
+
+## Differences between PDE and BitLocker
+
+
+| Item | PDE | BitLocker |
+|--|--|--|
+| Release of encryption keys | At user logon via WHfB | At boot |
+| Encryption keys discarded | At user logoff | At reboot |
+| Files encrypted | User known folders of Documents, Pictures, and Desktop | Entire volume/drive |
+
+
+
+
-## Differences between Personal Data Encryption and BitLocker
## Prerequisites
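Review bot: `This can minimizes the amount of credentials` in the second added paragraph should read `This can minimize the number of credentials`, and `until a user logs via WHfB` should be `until a user signs in via WHfB`. The four empty `+` lines after the table can be reduced to a single blank line, and the extra blank line added after the `# Personal Data Encryption` heading is not needed.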
From 325f3376923432f259a0995fe9612d8a081699fe Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Tue, 13 Sep 2022 20:20:51 -0400
Subject: [PATCH 04/23] Updating PDE docs 2
---
.../personal-data-encryption.md | 24 +++++++++++++++----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index e026a30128..39b377e9ac 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -27,13 +27,27 @@ PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with
| Encryption keys discarded | At user logoff | At reboot |
| Files encrypted | User known folders of Documents, Pictures, and Desktop | Entire volume/drive |
-
-
-
-
-
## Prerequisites
+- **Required**
+ - Azure AD joined device
+ - Windows Hello for Business
+ - FIDO authentication not enabled
+ - Winlogon automatic restart sign-on feature not enabled
+ - Windows Information Protection (WIP) not enabled
+ - OneDrive for user data backup
+ - Windows Hello for Business PIN reset service
+
+- **Recommended**
+ - BitLocker Drive Encryption enabled
+ - Kernel and user mode crash dumps disabled
+ - Hibernation disabled
+ - Windows Hello for Business PIN or Secure Biometrics
+
+> [!NOTE]
+> Only native Azure AD joined devices are supported. Hybrid Azure AD joined devices do not support PDE.
+
+
## How to enable
## Next steps
\ No newline at end of file
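Review bot: the **Required** list mixes true requirements with features that must be absent (`FIDO authentication not enabled`, `Winlogon automatic restart sign-on feature not enabled`, `Windows Information Protection (WIP) not enabled`), which reads awkwardly as a requirements list; split those into their own group such as "Not supported with PDE". `OneDrive for user data backup` is listed as required without saying why a backup matters for PDE; a one-line rationale would help the reader. The two empty `+` lines before `## How to enable` can be dropped, and the file still ends without a newline.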
From 6ca651d15e627034736d4f6b0840eb120d240bad Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Wed, 14 Sep 2022 18:07:58 -0400
Subject: [PATCH 05/23] Update PDE Docs 3
---
.../security/encryption-data-protection.md | 7 ++-
.../personal-data-encryption.md | 49 ++++++++++---------
2 files changed, 31 insertions(+), 25 deletions(-)
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index b5103f6849..1016313d2b 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -49,11 +49,14 @@ Windows consistently improves data protection by improving existing options and
(*Applies to: Windows 11, version 22H2 and later*)
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files in the known user folders of **Documents**, **Pictures**, and **Desktop**. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with user credentials. Unlike BitLocker which unlocks data encryption keys at boot, PDE does not unlock data encryption keys until a user logs via WHfB.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. It is also an alternative to BitLocker + PIN when requiring user authentication before releasing encryption keys and decrypting files.
+Unlike BitLocker which unlocks data encryption keys at boot, PDE does not release data encryption keys until a user logs via Windows Hello for Business.
+> [!NOTE]
+> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
## See also
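Review bot: `This can minimizes the amount of credentials` has a verb agreement error (`can minimize the number of credentials`), and `until a user logs via Windows Hello for Business` should be `signs in via`. The two added paragraphs and the `> [!NOTE]` block follow each other with no blank line between them, unlike the same text added to personal-data-encryption.md in this patch, so the two paragraphs will merge when rendered; insert blank lines. The API link `/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md` carries a `.md` extension on a cross-repo reference path, which looks wrong; check that it resolves in the build.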
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 39b377e9ac..8c5c802d9f 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -14,9 +14,33 @@ ms.date: 09/22/2022
(*Applies to: Windows 11, version 22H2 and later*)
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files in the known user folders of **Documents**, **Pictures**, and **Desktop**. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. Unlike BitLocker which unlocks data encryption keys at boot, PDE does not unlock data encryption keys until a user logs via WHfB.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. It is also an alternative to BitLocker + PIN when requiring user authentication before releasing encryption keys and decrypting files.
+
+Unlike BitLocker which unlocks data encryption keys at boot, PDE does not release data encryption keys until a user logs via Windows Hello for Business.
+
+> [!NOTE]
+> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
+
+## Prerequisites
+
+- **Required**
+ - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md)
+ - [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview.md)
+ - [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md) not enabled
+ - Winlogon automatic restart sign-on feature not enabled
+ - Windows Information Protection (WIP) not enabled
+
+- **Recommended**
+ - [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled
+ - Kernel and user mode crash dumps disabled
+ - Hibernation disabled
+ - [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md)
+ - Secure Biometrics when using Windows Hello for Business
+
+> [!NOTE]
+> Only [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md) are supported. [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md) do not support PDE.
## Differences between PDE and BitLocker
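Review bot: `Only [Azure AD joined device](...) are supported` in the note has a number agreement error; use `devices`. The same `This can minimizes the amount of credentials` and `logs via` wording from the overview page is repeated here and needs the same fix (`can minimize the number of`, `signs in via`). The hybrid Azure AD join exclusion lives only in the note while the other exclusions (`FIDO/security key authentication`, ARSO, WIP) sit in the list as `not enabled` items; listing hybrid join alongside them keeps all constraints in one place. The new links use a `/security/...` root path instead of the relative `information-protection/...` form used by the See also entries in encryption-data-protection.md; verify both forms resolve.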
@@ -27,27 +51,6 @@ PDE utilizes Windows Hello for Business (WHfB) to link data encryption keys with
| Encryption keys discarded | At user logoff | At reboot |
| Files encrypted | User known folders of Documents, Pictures, and Desktop | Entire volume/drive |
-## Prerequisites
-
-- **Required**
- - Azure AD joined device
- - Windows Hello for Business
- - FIDO authentication not enabled
- - Winlogon automatic restart sign-on feature not enabled
- - Windows Information Protection (WIP) not enabled
- - OneDrive for user data backup
- - Windows Hello for Business PIN reset service
-
-- **Recommended**
- - BitLocker Drive Encryption enabled
- - Kernel and user mode crash dumps disabled
- - Hibernation disabled
- - Windows Hello for Business PIN or Secure Biometrics
-
-> [!NOTE]
-> Only native Azure AD joined devices are supported. Hybrid Azure AD joined devices do not support PDE.
-
-
## How to enable
## Next steps
\ No newline at end of file
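Review bot: this removal drops `OneDrive for user data backup` from the prerequisites entirely, and the replacement list earlier in this patch does not carry it over; a backup recommendation is worth keeping in the new **Recommended** group rather than silently disappearing. The file also still ends without a newline.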
From d11eeb6f3debaba07c2772b47398850b52de48fa Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Thu, 15 Sep 2022 20:38:32 -0400
Subject: [PATCH 06/23] Update PDE Docs 4
---
.../personal-data-encryption.md | 114 +++++++++++++++---
1 file changed, 98 insertions(+), 16 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 8c5c802d9f..fa3e796523 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -12,13 +12,15 @@ ms.date: 09/22/2022
# Personal Data Encryption
-(*Applies to: Windows 11, version 22H2 and later*)
+(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. It is also an alternative to BitLocker + PIN when requiring user authentication before releasing encryption keys and decrypting files.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only needs to enter one set of credentials via Windows Hello for Business.
-Unlike BitLocker which unlocks data encryption keys at boot, PDE does not release data encryption keys until a user logs via Windows Hello for Business.
+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen does not have accessibility options. However, PDE uses Windows Hello for Business which does have accessibility features.
+
+Unlike BitLocker which releases data encryption keys at boot, PDE does not release data encryption keys until a user logs in via Windows Hello for Business. Users will only be able to access their PDE encrypted files once they have signed into Windows using Windows Hello for Business. Users will not have access to their PDE encrypted files if they have signed into Windows via a password instead of Windows Hello for Business biometric or PIN. Users will also not have access to their PDE encrypted files if they are not signed in locally and are trying to access them through alternate methods such as network UNC paths or a Remote Desktop session. Files will also not be accessible to other users on the device even if they are signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
> [!NOTE]
> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
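Review bot: `This can minimizes the amount of credentials` is still uncorrected in the rewritten paragraph (`can minimize the number of`), `users only needs to enter` should be `only need`, and `For example, The BitLocker PIN entry screen` has a stray capital. The new key-release paragraph is one long run of "Users will ..." sentences; a short bulleted list of the cases in which PDE files are not accessible (password sign-in, UNC paths, Remote Desktop, other users on the device) would be easier to scan. The `Applies to` line now reads `22H2 and later Enterprise and Education editions`, which is ambiguous about whether `later` qualifies the version or the editions; `Windows 11, version 22H2 and later, Enterprise and Education editions` removes the ambiguity.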
@@ -28,29 +30,109 @@ Unlike BitLocker which unlocks data encryption keys at boot, PDE does not releas
- **Required**
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md)
- [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview.md)
- - [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md) not enabled
- - Winlogon automatic restart sign-on feature not enabled
- - Windows Information Protection (WIP) not enabled
+ - Windows 11, version 22H2 and later Enterprise and Education editions
+
+- **Not supported with PDE**
+ - [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md)
+ - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
+ - [Windows Information Protection (WIP)](/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
+ - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md)
+ - Remote Desktop connections
-- **Recommended**
+- **Highly recommended**
- [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled
- - Kernel and user mode crash dumps disabled
- - Hibernation disabled
+ - Although PDE will work without BitLocker, it is recommend to also enable BitLocker. PDE is meant to supplement BitLocker, not replace it.
+ - Backup solution such as [OneDrive](/onedrive/onedrive)
+ - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md)
- - Secure Biometrics when using Windows Hello for Business
+ - Destructive PIN resets will cause PDE encryption keys to be lost. This will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+ - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
+ - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+ - [Kernel and user mode crash dumps disabled](windows/client-management/mdm/policy-csp-memorydump)
+ - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps.
+ - [Hibernation disabled](windows/client-management/mdm/policy-csp-power#power-allowhibernate)
+ - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation.
+
+## PDE protection levels
+
+PDE offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+
+| | Level 1 | Level 2 |
+|---|---|---|
+| Data is accessible when user is signed in | Yes | Yes |
+| Data is accessible when user has locked their device | Yes | No |
+| Data is accessible after user signs out | No | No |
+| Data is accessible when device is shut down | No | No |
+| Decryption keys discarded | After user signs out | After user locks device or signs out |
+
+## How to enable PDE
+
+To enable PDE on devices, push an MDM policy to the devices with the following parameters:
+
+ Name: **Personal Data Encryption**
+ OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+ Data type: **Integer**
+ Value: **1**
+
+There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
-> Only [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md) are supported. [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md) do not support PDE.
+> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
+### Enabling PDE in Intune
+
+1. Sign into the Intune admin center
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Custom**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, select **Add**
+10. In the **Add Row** window:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+ 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+ 4. Next to **Data type**, select **Integer**
+ 5. Next to **Value**, enter in **1**
+11. Select **Save**, and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the PDE policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Applicability Rules** tab, configure as necessary and then select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+### Configuring required prerequisites in Intune
+
+#### Disabling Winlogon automatic restart sign-on (ARSO)
+
+### Configuring recommended prerequisites in Intune
+
+#### Disabling hibernation
+
+#### Disabling crash dumps
## Differences between PDE and BitLocker
-
-| Item | PDE | BitLocker |
+| | PDE | BitLocker |
|--|--|--|
-| Release of encryption keys | At user logon via WHfB | At boot |
+| Release of encryption keys | At user logon via Windows Hello for Business | At boot |
| Encryption keys discarded | At user logoff | At reboot |
-| Files encrypted | User known folders of Documents, Pictures, and Desktop | Entire volume/drive |
+| Files encrypted | Individual specified files | Entire volume/drive |
+| Authentication to release encryption keys | No additional PIN required - Windows Hello for Business credentials used | When BitLocker with PIN is enabled, additional PIN is required in addition to Windows logon credentials |
+| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN does not have accessibility features |
+
+## Differences between PDE and EFS
+
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files while EFS uses certificates to secure and encrypt the files.
+
+To see if a file is encrypted with PDE or EFS, open the properties of the file. Under the **General** tab, click on the **Advanced...** button. In the **Advanced Attributes** windows, click on the **Details** button. For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the atrribute of **On**. For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. You can also check the encryption type being used via the **cipher.exe /c** command line.
+
+
-## How to enable
## Next steps
\ No newline at end of file
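Review bot: step 7 of the Intune procedure has `****Basics**` with four opening asterisks, which will render a stray `**`; it should be `**Basics**`. The two links `windows/client-management/mdm/policy-csp-memorydump` and `windows/client-management/mdm/policy-csp-power#power-allowhibernate` lack the leading `/` that every other link in this block has and will resolve relative to the current folder. Further wording fixes: `it is recommend to also enable` should be `it is recommended to`, `atrribute` should be `attribute`, and the protection-levels table says `Decryption keys discarded` while the PDE/BitLocker table says `Encryption keys discarded`; pick one term. The three `####` subsections under the required and recommended prerequisites in Intune (`Disabling Winlogon automatic restart sign-on (ARSO)`, `Disabling hibernation`, `Disabling crash dumps`) are empty headings and will publish as such unless filled in this series. The file still ends without a newline.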
From 5052d5f3e3c78ae1559d1d0021c580d7fe718b80 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Thu, 15 Sep 2022 21:59:25 -0400
Subject: [PATCH 07/23] Update PDE Docs 5
---
.../personal-data-encryption.md | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index fa3e796523..f3d6d0f5d6 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -23,7 +23,7 @@ PDE is also accessibility friendly. For example, The BitLocker PIN entry screen
Unlike BitLocker which releases data encryption keys at boot, PDE does not release data encryption keys until a user logs in via Windows Hello for Business. Users will only be able to access their PDE encrypted files once they have signed into Windows using Windows Hello for Business. Users will not have access to their PDE encrypted files if they have signed into Windows via a password instead of Windows Hello for Business biometric or PIN. Users will also not have access to their PDE encrypted files if they are not signed in locally and are trying to access them through alternate methods such as network UNC paths or a Remote Desktop session. Files will also not be accessible to other users on the device even if they are signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
> [!NOTE]
-> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
+> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to encrypt files via PDE. There are also no policies that can be deployed to devices via MDM to encrypt files via PDE.
## Prerequisites
@@ -69,10 +69,10 @@ PDE offers two levels of protection. The level of protection is determined based
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **1**
+> Name: **Personal Data Encryption**
+> OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+> Data type: **Integer**
+> Value: **1**
There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
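Review bot: moving the four parameter lines into a single `>` block will render them as one paragraph (`Name: Personal Data Encryption OMA-URI: ... Data type: Integer Value: 1`), because line breaks inside a blockquote are soft breaks in Markdown; use a bulleted list or a two-column table for Name, OMA-URI, Data type and Value, or end each line with a hard break.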
@@ -88,22 +88,22 @@ There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Custom**, and then select **Create**
7. On the ****Basics** tab:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 2. Next to **Description**, enter a description
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
8. Select **Next**
9. On the **Configuration settings** tab, select **Add**
10. In the **Add Row** window:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 2. Next to **Description**, enter a description
- 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- 4. Next to **Data type**, select **Integer**
- 5. Next to **Value**, enter in **1**
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+ 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+ 4. Next to **Data type**, select **Integer**
+ 5. Next to **Value**, enter in **1**
11. Select **Save**, and then select **Next**
12. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the PDE policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the PDE policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
13. On the **Applicability Rules** tab, configure as necessary and then select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
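Review bot: The indentation-only change is fine, but the context line `7. On the ****Basics** tab:` carries a doubled `**` that will render as literal asterisks in the heading of the sub-steps; while touching this list, change it to `7. On the **Basics** tab:`. The sub-steps "enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**" and "enter in **1**" should also read "enter", not "enter in".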
From 4aea51f96cda98620b24ae827ade50441f0bcbd8 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 15:26:59 -0400
Subject: [PATCH 08/23] Update PDE Docs 6
---
.../personal-data-encryption.md | 111 +++++++++++++++---
1 file changed, 93 insertions(+), 18 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index f3d6d0f5d6..39b07fdc04 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -1,6 +1,6 @@
---
title: Personal Data Encryption (PDE)
-description: Personal Data Encryption unlocks user encrypted data at user logon instead of at boot
+description: Personal Data Encryption unlocks user encrypted data at user sign in instead of at boot
ms.reviewer:
manager: aaroncz
ms.author: frankroj
@@ -16,11 +16,11 @@ ms.date: 09/22/2022
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only needs to enter one set of credentials via Windows Hello for Business.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimizes the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-PDE is also accessibility friendly. For example, The BitLocker PIN entry screen does not have accessibility options. However, PDE uses Windows Hello for Business which does have accessibility features.
+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
-Unlike BitLocker which releases data encryption keys at boot, PDE does not release data encryption keys until a user logs in via Windows Hello for Business. Users will only be able to access their PDE encrypted files once they have signed into Windows using Windows Hello for Business. Users will not have access to their PDE encrypted files if they have signed into Windows via a password instead of Windows Hello for Business biometric or PIN. Users will also not have access to their PDE encrypted files if they are not signed in locally and are trying to access them through alternate methods such as network UNC paths or a Remote Desktop session. Files will also not be accessible to other users on the device even if they are signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user logs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to encrypt files via PDE. There are also no policies that can be deployed to devices via MDM to encrypt files via PDE.
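Review bot: The rewritten sentence still has a grammar error: "This feature can minimizes the number of credentials" should be "This feature can minimize the number of credentials". Two more in the same hunk: "For example, The BitLocker PIN entry screen" needs a lowercase "the", and "Unlike BitLocker that releases data encryption keys at boot" should be "Unlike BitLocker, which releases data encryption keys at boot". Note also that the new paragraph drops the UNC path, Remote Desktop, and other-user restrictions from the old text; that is fine only because they reappear in the new "When will PDE encrypted files be inaccessible" section later in the same patch, so keep the two changes together.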
@@ -41,11 +41,11 @@ Unlike BitLocker which releases data encryption keys at boot, PDE does not relea
- **Highly recommended**
- [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled
- - Although PDE will work without BitLocker, it is recommend to also enable BitLocker. PDE is meant to supplement BitLocker, not replace it.
+ - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md)
- - Destructive PIN resets will cause PDE encryption keys to be lost. This will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+ - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](windows/client-management/mdm/policy-csp-memorydump)
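Review bot: The new wording on the destructive PIN reset bullet repeats "destructive PIN reset" three times across two sentences ("Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset."); suggest "A destructive PIN reset causes the PDE encryption keys to be lost, so any file encrypted with PDE becomes inaccessible and must be restored from backup." Separately, the context link `(windows/client-management/mdm/policy-csp-memorydump)` has no leading slash and will resolve relative to the current folder, unlike `/windows/client-management/mdm/personaldataencryption-csp` used elsewhere in this file; it should start with `/`.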
@@ -65,16 +65,26 @@ PDE offers two levels of protection. The level of protection is determined based
| Data is accessible when device is shut down | No | No |
| Decryption keys discarded | After user signs out | After user locks device or signs out |
+## When will PDE encrypted files be inaccessible
+
+When a file is encrypted with PDE, its icon will show a lock on it. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. Scenarios where a user will be denied access to a PDE encrypted file include:
+
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
+- If specified via level 2 protection, when the device is locked.
+- When trying to access files on the device remotely. For example, UNC network paths.
+- Remote Desktop sessions
+- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
+
## How to enable PDE
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
-> Name: **Personal Data Encryption**
-> OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-> Data type: **Integer**
-> Value: **1**
+- Name: **Personal Data Encryption**
+- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+- Data type: **Integer**
+- Value: **1**
-There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
+There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
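Review bot: The bullets under the new "When will PDE encrypted files be inaccessible" heading are inconsistent: the first two end with a period, "When trying to access files on the device remotely. For example, UNC network paths." breaks mid-bullet into two fragments, and "Remote Desktop sessions" is a bare noun phrase. Suggest parallel sentence bullets, e.g. "- When accessing files on the device remotely, for example through a UNC network path." and "- When accessing files through a Remote Desktop session.", each with the same terminal punctuation. The heading is phrased as a question but has no question mark; a statement heading such as "When PDE encrypted files are inaccessible" avoids the issue.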
@@ -104,33 +114,98 @@ There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-
2. Select the groups that the PDE policy should be deployed to
3. Select **Select**
4. Select **Next**
-13. On the **Applicability Rules** tab, configure as necessary and then select **Next**
+13. On the **Applicability Rules** tab, configure if necessary and then select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
### Configuring required prerequisites in Intune
#### Disabling Winlogon automatic restart sign-on (ARSO)
+1. Sign into the Intune admin center
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Administrative templates**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable ARSO**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
+10. Select **Sign-in and lock last interactive user automatically after a restart**
+11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
+12. Select **Next**
+13. On the **Scope tags** tab, configure if necessary and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the ARSO policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
### Configuring recommended prerequisites in Intune
#### Disabling hibernation
+1. Sign into the Intune admin center
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Power**
+10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change **Allow Hibernate** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the ARSO policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
#### Disabling crash dumps
+
+1. Sign into the Intune admin center
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Memory Dump**
+10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the ARSO policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
## Differences between PDE and BitLocker
| | PDE | BitLocker |
|--|--|--|
-| Release of encryption keys | At user logon via Windows Hello for Business | At boot |
-| Encryption keys discarded | At user logoff | At reboot |
+| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
+| Encryption keys discarded | At user sign out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
-| Authentication to release encryption keys | No additional PIN required - Windows Hello for Business credentials used | When BitLocker with PIN is enabled, additional PIN is required in addition to Windows logon credentials |
-| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN does not have accessibility features |
+| Authentication to release encryption keys | No additional PIN required - Windows Hello for Business credentials used | When BitLocker with PIN is enabled, additional PIN is required in addition to Windows sign in credentials |
+| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
-The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files while EFS uses certificates to secure and encrypt the files.
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
-To see if a file is encrypted with PDE or EFS, open the properties of the file. Under the **General** tab, click on the **Advanced...** button. In the **Advanced Attributes** windows, click on the **Details** button. For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the atrribute of **On**. For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. You can also check the encryption type being used via the **cipher.exe /c** command line.
+To see if a file is encrypted with PDE or EFS, open the properties of the file. Under the **General** tab, select on the **Advanced...** button. In the **Advanced Attributes** windows, select on the **Details** button. For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. You can also check the encryption type being used via the **cipher.exe /c** command line.
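Review bot: Several copy-paste errors in the new Intune procedures will mislead an admin following them: in "Disabling crash dumps" step 6 says "Next to **Name**, enter **Disable Hibernation**" (it should name the crash dump profile), and both the hibernation and crash dump sections say "Select the groups that the ARSO policy should be deployed to" in the Assignments step. The ARSO list numbering runs 13, 12, 13 ("13. On the **Scope tags** tab", "12. On the **Assignments** tab:", "13. On the **Review + create** tab"), so the last two should be 14 and 15. Also fix `7. On the ****Basics** tab:` / `6. On the ****Basics** tab:` (doubled asterisks, three occurrences), "In the **Settings picker** windows" (window), and in the EFS paragraph "select on the **Advanced...** button" / "select on the **Details** button" (drop "on").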
From 0c0a0c7f90f2776e7932ed2c7751536a4a151392 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 15:39:13 -0400
Subject: [PATCH 09/23] Update PDE Docs 7
---
.../personal-data-encryption.md | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 39b07fdc04..08f43feab3 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -198,16 +198,23 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
| Encryption keys discarded | At user sign out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
-| Authentication to release encryption keys | No additional PIN required - Windows Hello for Business credentials used | When BitLocker with PIN is enabled, additional PIN is required in addition to Windows sign in credentials |
+| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
-To see if a file is encrypted with PDE or EFS, open the properties of the file. Under the **General** tab, select on the **Advanced...** button. In the **Advanced Attributes** windows, select on the **Details** button. For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. You can also check the encryption type being used via the **cipher.exe /c** command line.
+To see if a file is encrypted with PDE or EFS
+1. Open the properties of the file.
+2. Under the **General** tab, select on the **Advanced...** button.
+3. In the **Advanced Attributes** windows, select on the **Details** button.
+For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
+
+Encryption information including what encryption method is being used can be obtained with the command line **cipher.exe /c** command.
## Next steps
\ No newline at end of file
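Review bot: The new intro line "To see if a file is encrypted with PDE or EFS" needs a colon before the numbered steps, and steps 2 and 3 keep "select on the **Advanced...** button" and "select on the **Details** button" from the old paragraph; "select **Advanced...**" and "select **Details**" is the pattern used in the rest of the file. "In the **Advanced Attributes** windows" should be "window", and "can be obtained with the command line **cipher.exe /c** command" says "command" twice; "can be obtained by running **cipher.exe /c**" is enough.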
From 42c78fe967d9c53f84f1c9efa65be6d6006068ab Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 15:53:57 -0400
Subject: [PATCH 10/23] Update PDE Docs 8
---
.../personal-data-encryption.md | 26 ++++++++++++++++---
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 08f43feab3..4376282469 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -205,11 +205,11 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
-To see if a file is encrypted with PDE or EFS
+To see if a file is encrypted with PDE or EFS:
-1. Open the properties of the file.
-2. Under the **General** tab, select on the **Advanced...** button.
-3. In the **Advanced Attributes** windows, select on the **Details** button.
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. In the **Advanced Attributes** windows, select **Details**
For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
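Review bot: The colon and the removal of "on" fix the previous hunk's issues, but step 3 still reads "In the **Advanced Attributes** windows, select **Details**"; "windows" should be "window".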
@@ -217,4 +217,22 @@ For EFS encrypted files, under **Users who can access this file:**, there will b
Encryption information including what encryption method is being used can be obtained with the command line **cipher.exe /c** command.
+
+## Disabling PDE and decrypting files
+
+Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using **cipher.exe**. Additionally, in certain scenarios a user may be able to decrypt a file using the following steps:
+
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. Uncheck the option **Encrypt contents to secure data**
+4. Select **OK**, and then **OK** again
+
+> [!Important]
+> Once a user selects to decrypt a file, they will not be able to encrypt the file again.
+
+## Windows out of box applications that support PDE
+
+- Mail
+ - Supports encrypting both email bodies and attachments
+
## Next steps
\ No newline at end of file
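Review bot: The new "Disabling PDE and decrypting files" section tells the reader that "PDE can be disabled locally and files can be decrypted using **cipher.exe**" but gives neither the command nor the switch, which is the one thing an admin needs from this paragraph; document the exact cipher.exe invocation used for PDE decryption. "In certain scenarios a user may be able to decrypt a file" should also say which scenarios, since the Important alert that follows makes the decision irreversible ("they will not be able to encrypt the file again"). Minor: `> [!Important]` should match the `> [!NOTE]` casing used elsewhere in the file, and "Windows out of box applications" should be hyphenated as "out-of-box".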
From 722b39158d6e1a99df46a2304e32d8581945b3cb Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 16:04:21 -0400
Subject: [PATCH 11/23] Update PDE Docs 9
---
.../information-protection/personal-data-encryption.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 4376282469..94df47826b 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -14,7 +14,7 @@ ms.date: 09/22/2022
(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimizes the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
@@ -23,7 +23,7 @@ PDE is also accessibility friendly. For example, The BitLocker PIN entry screen
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user logs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
-> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to encrypt files via PDE. There are also no policies that can be deployed to devices via MDM to encrypt files via PDE.
+> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
## Prerequisites
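Review bot: The reworded note still links the API as `(/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md)`; root-relative links to another docset should not carry a `.md` suffix, as the `(/windows/client-management/mdm/personaldataencryption-csp)` link in this same file shows. Drop the `.md` here (and on the identical link in the "How to enable PDE" note) so the reference resolves.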
From 313053591db6b500bf988a4d0055c3f2e1b9325b Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 16:47:18 -0400
Subject: [PATCH 12/23] Update PDE Docs 10
---
.../personal-data-encryption.md | 40 +++++++++++++++++--
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 94df47826b..c7bbcea853 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -67,7 +67,7 @@ PDE offers two levels of protection. The level of protection is determined based
## When will PDE encrypted files be inaccessible
-When a file is encrypted with PDE, its icon will show a lock on it. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. Scenarios where a user will be denied access to a PDE encrypted file include:
+When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. Scenarios where a user will be denied access to a PDE encrypted file include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If specified via level 2 protection, when the device is locked.
@@ -217,7 +217,6 @@ For EFS encrypted files, under **Users who can access this file:**, there will b
Encryption information including what encryption method is being used can be obtained with the command line **cipher.exe /c** command.
-
## Disabling PDE and decrypting files
Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using **cipher.exe**. Additionally, in certain scenarios a user may be able to decrypt a file using the following steps:
@@ -232,7 +231,42 @@ Currently there's no method to disable PDE via MDM policy. However, PDE can be d
## Windows out of box applications that support PDE
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+
- Mail
- Supports encrypting both email bodies and attachments
-## Next steps
\ No newline at end of file
+## FAQ
+
+**Can PDE encrypt entire volumes or drives?**
+No. PDE only encrypts specified files
+
+**Is PDE replacement for BitLocker?**
+No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+
+**Can an IT admin specify which files should be encrypted?**
+Yes, but it can only be done using APIs.
+
+**Do I need to use OneDrive as my backup provider?**
+PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+
+**What is the relation between Windows Hello for Business and PDE?**
+Windows Hello for Business unlocks PDE encryption keys during user sign on.
+
+**Can a file be encrypted with both PDE and EFS at the same time?**
+No. PDE and EFS are mutually exclusive.
+
+**Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?**
+No. Accessing PDE encrypted files over RDP isn't currently supported.
+
+**Can PDE encrypted files be access via a network share?**
+No. PDE encrypted files can only be accessed after signing on locally with Windows Hello for Business credentials.
+
+**How can it be determined if a file is encrypted with PDE?**
+Encrypted files will show a padlock on the file's icon. Additionally, **cipher.exe** can be used to show the encryption state of the file.
+
+**Can users manually encrypt and decrypt files with PDE.**
+Currently users can decrypt files manually but they can't encrypt files manually.
+
+**If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?**
+No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
\ No newline at end of file
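Review bot: In the new FAQ each bolded question is followed by its answer on the very next line with no blank line between them, so markdown will merge question and answer into one paragraph ("**Can PDE encrypt entire volumes or drives?** No. PDE only encrypts specified files"); add a blank line after each question or end the question line with two trailing spaces. Text fixes in the same hunk: "No. PDE only encrypts specified files" lacks a period; "Is PDE replacement for BitLocker?" should be "Is PDE a replacement for BitLocker?"; "Can PDE encrypted files be access via a network share?" should be "accessed"; "Can users manually encrypt and decrypt files with PDE." needs a question mark; "PDE encryption keys are protected Windows Hello for Business credentials" is missing "by". The FAQ also says "sign on" throughout while the earlier commit in this series standardised the file on "sign in".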
From 57a9e65ad3d0af21284d271510ab83b5d143b9dc Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 16:51:18 -0400
Subject: [PATCH 13/23] Update PDE Docs 11
---
.../security/information-protection/personal-data-encryption.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index c7bbcea853..1922d7497e 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -65,7 +65,7 @@ PDE offers two levels of protection. The level of protection is determined based
| Data is accessible when device is shut down | No | No |
| Decryption keys discarded | After user signs out | After user locks device or signs out |
-## When will PDE encrypted files be inaccessible
+## PDE encrypted files accessibility
When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. Scenarios where a user will be denied access to a PDE encrypted file include:
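Review bot: Renaming the heading to "PDE encrypted files accessibility" creates a clash with the other sense of "accessibility" used in this file ("PDE is also accessibility friendly", and the "Accessibility" row of the comparison table refer to assistive features), so a reader scanning the table of contents may expect assistive-technology content here. Suggest "When PDE encrypted files are inaccessible" or "Access to PDE encrypted files", which describes the section and avoids the ambiguity.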
From 0590697c285719ab526b941b67bd8ee1bb29f4cc Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 16:59:41 -0400
Subject: [PATCH 14/23] Update PDE Docs 12
---
.../information-protection/personal-data-encryption.md | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
index 1922d7497e..615f4d6d18 100644
--- a/windows/security/information-protection/personal-data-encryption.md
+++ b/windows/security/information-protection/personal-data-encryption.md
@@ -67,7 +67,9 @@ PDE offers two levels of protection. The level of protection is determined based
## PDE encrypted files accessibility
-When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. Scenarios where a user will be denied access to a PDE encrypted file include:
+When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
+
+Scenarios where a user will be denied access to a PDE encrypted file include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If specified via level 2 protection, when the device is locked.
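Review bot: The second list item, `- If specified via level 2 protection, when the device is locked.`, reads awkwardly with the condition before the scenario; the other items lead with the scenario. Suggest `- When the device is locked, if level 2 protection was specified for the file.` so the list stays parallel with `- User has signed into Windows via a password ...`. The paragraph split above it is fine.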
@@ -219,7 +221,9 @@ Encryption information including what encryption method is being used can be obt
## Disabling PDE and decrypting files
-Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using **cipher.exe**. Additionally, in certain scenarios a user may be able to decrypt a file using the following steps:
+Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using **cipher.exe**.
+
+In certain scenarios a user may be able to manually decrypt a file using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
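Review bot: `PDE can be disabled locally and files can be decrypted using **cipher.exe**` still names no command; the only cipher.exe syntax this page gives is `cipher.exe /c`, which reports encryption state rather than decrypting, so state the exact switch or link the cipher.exe reference. Likewise the new line `In certain scenarios a user may be able to manually decrypt a file` should say which scenarios; at minimum that the user must be signed in with Windows Hello for Business and be the file owner, since the accessibility section says the file is otherwise denied.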
@@ -227,7 +231,7 @@ Currently there's no method to disable PDE via MDM policy. However, PDE can be d
4. Select **OK**, and then **OK** again
> [!Important]
-> Once a user selects to decrypt a file, they will not be able to encrypt the file again.
+> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
## Windows out of box applications that support PDE
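Review bot: The reworded Important callout, `Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.`, leaves the consequence implicit: the file then sits in cleartext on the volume and the only way to bring it back under PDE is an application that calls the PDE APIs, which the note earlier on this page says is the sole encryption path. Spell that out so users understand the choice is not reversible from the file properties dialog.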
From 73b01b18865cabff07be3f439905b486d9c9879f Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Fri, 16 Sep 2022 17:14:22 -0400
Subject: [PATCH 15/23] Update PDE Docs 13
---
windows/security/encryption-data-protection.md | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index 1016313d2b..aa3a7da83d 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -49,15 +49,16 @@ Windows consistently improves data protection by improving existing options and
(*Applies to: Windows 11, version 22H2 and later*)
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. It is also an alternative to BitLocker + PIN when requiring user authentication before releasing encryption keys and decrypting files.
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimizes the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-Unlike BitLocker which unlocks data encryption keys at boot, PDE does not release data encryption keys until a user logs via Windows Hello for Business.
+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
+
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user logs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
-> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
-
+> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
## See also
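Review bot: Grammar carried over into the new line `This feature can minimizes the number of credentials`: should be `can minimize`. In the same hunk, `For example, The BitLocker PIN entry screen` has a stray capital T, and `Unlike BitLocker that releases data encryption keys at boot` reads better as `Unlike BitLocker, which releases ...`. One substantive point: `PDE has the ability to also discard the encryption keys when the device is locked` applies only to level 2 protection, as the protection-level table in the PDE page states; say so here, otherwise readers will assume lock-screen key discard is the default.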
From 5188ab89300d0b5ff321da86400af3a5f9717110 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 12:28:53 -0400
Subject: [PATCH 16/23] Update PDE Docs 14 - Split Files
---
windows/security/TOC.yml | 10 +-
.../security/encryption-data-protection.md | 29 +-
.../personal-data-encryption.md | 276 ------------------
.../configure-pde-in-intune.md | 124 ++++++++
.../personal-data-encryption/faq-pde.md | 55 ++++
.../includes/pde-description.md | 27 ++
.../personal-data-encryption/overview-pde.md | 142 +++++++++
7 files changed, 366 insertions(+), 297 deletions(-)
delete mode 100644 windows/security/information-protection/personal-data-encryption.md
create mode 100644 windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
create mode 100644 windows/security/information-protection/personal-data-encryption/faq-pde.md
create mode 100644 windows/security/information-protection/personal-data-encryption/includes/pde-description.md
create mode 100644 windows/security/information-protection/personal-data-encryption/overview-pde.md
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index bb74695e92..d605d2e4cc 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -149,8 +149,14 @@
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
- - name: Personal Data Encryption
- href: information-protection/personal-data-encryption.md
+ - name: Personal Data Encryption (PDE)
+ items:
+ - name: Personal Data Encryption (PDE) overview
+ href: information-protection/personal-data-encryption/overview-pde.md
+ - name: Personal Data Encryption (PDE) (FAQ)
+ href: information-protection/personal-data-encryption/faq-pde.md
+ - name: Configure Personal Data Encryption (PDE) in Intune
+ href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
- name: Network security
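Review bot: The TOC entry `- name: Personal Data Encryption (PDE) (FAQ)` has doubled parentheses; the new configure-pde-in-intune.md links the same page as `Personal Data Encryption (PDE) FAQ`, so use that text here for consistency with the sibling entries `Personal Data Encryption (PDE) overview` and `Configure Personal Data Encryption (PDE) in Intune`.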
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
index aa3a7da83d..48738d546a 100644
--- a/windows/security/encryption-data-protection.md
+++ b/windows/security/encryption-data-protection.md
@@ -2,17 +2,17 @@
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
search.appverid: MET150
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.topic: conceptual
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
+ms.topic: overview
ms.date: 09/22/2022
-ms.prod: m365-security
-ms.technology: windows-sec
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
-ms.reviewer: deepakm, rafals
+ms.reviewer: rafals
---
# Encryption and data protection in Windows client
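Review bot: While the front matter is being touched, the context line `description: Get an overview encryption and data protection in Windows 11 and Windows 10` is missing "of" (`Get an overview of encryption ...`); this string surfaces in search results. The empty `ms.collection:` and `ms.custom:` keys can be dropped rather than left as bare keys. The metadata changes themselves (`ms.prod: windows-client`, `ms.technology: itpro-security`, `ms.topic: overview`) match the new files added later in this patch.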
@@ -45,23 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
-## Personal Data Encryption
+## Personal Data Encryption (PDE)
(*Applies to: Windows 11, version 22H2 and later*)
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
-
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimizes the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-
-PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
-
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user logs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
-
-> [!NOTE]
-> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
+[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
-- [Personal Data Encryption](information-protection/personal-data-encryption.md)
+- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)
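Review bot: The `(*Applies to: Windows 11, version 22H2 and later*)` line stays in this file while the feature description moves into the include, but the removed PDE page scoped the feature to `Enterprise and Education editions` and lists that edition requirement as a prerequisite; confirm pde-description.md carries the edition qualifier, or add it to the retained "Applies to" line. Also confirm the include keeps the removed NOTE that PDE is reachable only through the APIs and that no MDM policy encrypts files, since that caveat is deleted here and is the one most readers of an overview need.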
diff --git a/windows/security/information-protection/personal-data-encryption.md b/windows/security/information-protection/personal-data-encryption.md
deleted file mode 100644
index 615f4d6d18..0000000000
--- a/windows/security/information-protection/personal-data-encryption.md
+++ /dev/null
@@ -1,276 +0,0 @@
----
-title: Personal Data Encryption (PDE)
-description: Personal Data Encryption unlocks user encrypted data at user sign in instead of at boot
-ms.reviewer:
-manager: aaroncz
-ms.author: frankroj
-ms.prod: m365-security
-author: frankroj
-ms.date: 09/22/2022
----
-
-
-# Personal Data Encryption
-
-(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
-
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
-
-PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimizes the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
-
-PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
-
-Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user logs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
-
-> [!NOTE]
-> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
-
-## Prerequisites
-
-- **Required**
- - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md)
- - [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview.md)
- - Windows 11, version 22H2 and later Enterprise and Education editions
-
-- **Not supported with PDE**
- - [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - [Windows Information Protection (WIP)](/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
- - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md)
- - Remote Desktop connections
-
-- **Highly recommended**
- - [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled
- - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- - Backup solution such as [OneDrive](/onedrive/onedrive)
- - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- - [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md)
- - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- - [Kernel and user mode crash dumps disabled](windows/client-management/mdm/policy-csp-memorydump)
- - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps.
- - [Hibernation disabled](windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation.
-
-## PDE protection levels
-
-PDE offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
-
-| | Level 1 | Level 2 |
-|---|---|---|
-| Data is accessible when user is signed in | Yes | Yes |
-| Data is accessible when user has locked their device | Yes | No |
-| Data is accessible after user signs out | No | No |
-| Data is accessible when device is shut down | No | No |
-| Decryption keys discarded | After user signs out | After user locks device or signs out |
-
-## PDE encrypted files accessibility
-
-When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
-
-Scenarios where a user will be denied access to a PDE encrypted file include:
-
-- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
-- If specified via level 2 protection, when the device is locked.
-- When trying to access files on the device remotely. For example, UNC network paths.
-- Remote Desktop sessions
-- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
-
-## How to enable PDE
-
-To enable PDE on devices, push an MDM policy to the devices with the following parameters:
-
-- Name: **Personal Data Encryption**
-- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
-- Data type: **Integer**
-- Value: **1**
-
-There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
-
-> [!NOTE]
-> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
-
-### Enabling PDE in Intune
-
-1. Sign into the Intune admin center
-2. Navigate to **Devices** > **Configuration Profiles**
-3. Select **Create profile**
-4. Under **Platform**, select **Windows 10 and later**
-5. Under **Profile type**, select **Templates**
-6. Under **Template name**, select **Custom**, and then select **Create**
-7. On the ****Basics** tab:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 2. Next to **Description**, enter a description
-8. Select **Next**
-9. On the **Configuration settings** tab, select **Add**
-10. In the **Add Row** window:
- 1. Next to **Name**, enter **Personal Data Encryption**
- 2. Next to **Description**, enter a description
- 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- 4. Next to **Data type**, select **Integer**
- 5. Next to **Value**, enter in **1**
-11. Select **Save**, and then select **Next**
-12. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the PDE policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
-13. On the **Applicability Rules** tab, configure if necessary and then select **Next**
-14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-### Configuring required prerequisites in Intune
-
-#### Disabling Winlogon automatic restart sign-on (ARSO)
-
-1. Sign into the Intune admin center
-2. Navigate to **Devices** > **Configuration Profiles**
-3. Select **Create profile**
-4. Under **Platform**, select **Windows 10 and later**
-5. Under **Profile type**, select **Templates**
-6. Under **Template name**, select **Administrative templates**, and then select **Create**
-7. On the ****Basics** tab:
- 1. Next to **Name**, enter **Disable ARSO**
- 2. Next to **Description**, enter a description
-8. Select **Next**
-9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
-10. Select **Sign-in and lock last interactive user automatically after a restart**
-11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
-12. Select **Next**
-13. On the **Scope tags** tab, configure if necessary and then select **Next**
-12. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the ARSO policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
-13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-### Configuring recommended prerequisites in Intune
-
-#### Disabling hibernation
-
-1. Sign into the Intune admin center
-2. Navigate to **Devices** > **Configuration Profiles**
-3. Select **Create profile**
-4. Under **Platform**, select **Windows 10 and later**
-5. Under **Profile type**, select **Settings catalog**, and then select **Create**
-6. On the ****Basics** tab:
- 1. Next to **Name**, enter **Disable Hibernation**
- 2. Next to **Description**, enter a description
-7. Select **Next**
-8. On the **Configuration settings** tab, select **Add settings**
-9. In the **Settings picker** windows, select **Power**
-10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-11. Change **Allow Hibernate** to **Block**, and then select **Next**
-12. On the **Scope tags** tab, configure if necessary and then select **Next**
-13. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the ARSO policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
-14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-#### Disabling crash dumps
-
-1. Sign into the Intune admin center
-2. Navigate to **Devices** > **Configuration Profiles**
-3. Select **Create profile**
-4. Under **Platform**, select **Windows 10 and later**
-5. Under **Profile type**, select **Settings catalog**, and then select **Create**
-6. On the ****Basics** tab:
- 1. Next to **Name**, enter **Disable Hibernation**
- 2. Next to **Description**, enter a description
-7. Select **Next**
-8. On the **Configuration settings** tab, select **Add settings**
-9. In the **Settings picker** windows, select **Memory Dump**
-10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
-12. On the **Scope tags** tab, configure if necessary and then select **Next**
-13. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the ARSO policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
-14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
-
-## Differences between PDE and BitLocker
-
-| | PDE | BitLocker |
-|--|--|--|
-| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
-| Encryption keys discarded | At user sign out | At reboot |
-| Files encrypted | Individual specified files | Entire volume/drive |
-| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
-| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
-
-## Differences between PDE and EFS
-
-The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
-
-To see if a file is encrypted with PDE or EFS:
-
-1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. In the **Advanced Attributes** windows, select **Details**
-
-For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
-
-For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
-
-Encryption information including what encryption method is being used can be obtained with the command line **cipher.exe /c** command.
-
-## Disabling PDE and decrypting files
-
-Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using **cipher.exe**.
-
-In certain scenarios a user may be able to manually decrypt a file using the following steps:
-
-1. Open the properties of the file
-2. Under the **General** tab, select **Advanced...**
-3. Uncheck the option **Encrypt contents to secure data**
-4. Select **OK**, and then **OK** again
-
-> [!Important]
-> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
-
-## Windows out of box applications that support PDE
-
-Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
-
-- Mail
- - Supports encrypting both email bodies and attachments
-
-## FAQ
-
-**Can PDE encrypt entire volumes or drives?**
-No. PDE only encrypts specified files
-
-**Is PDE replacement for BitLocker?**
-No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
-
-**Can an IT admin specify which files should be encrypted?**
-Yes, but it can only be done using APIs.
-
-**Do I need to use OneDrive as my backup provider?**
-PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
-
-**What is the relation between Windows Hello for Business and PDE?**
-Windows Hello for Business unlocks PDE encryption keys during user sign on.
-
-**Can a file be encrypted with both PDE and EFS at the same time?**
-No. PDE and EFS are mutually exclusive.
-
-**Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?**
-No. Accessing PDE encrypted files over RDP isn't currently supported.
-
-**Can PDE encrypted files be access via a network share?**
-No. PDE encrypted files can only be accessed after signing on locally with Windows Hello for Business credentials.
-
-**How can it be determined if a file is encrypted with PDE?**
-Encrypted files will show a padlock on the file's icon. Additionally, **cipher.exe** can be used to show the encryption state of the file.
-
-**Can users manually encrypt and decrypt files with PDE.**
-Currently users can decrypt files manually but they can't encrypt files manually.
-
-**If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?**
-No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
\ No newline at end of file
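Review bot: This deletion removes sections that do not reappear in any file visible in this patch (`## PDE protection levels`, `## PDE encrypted files accessibility`, `## How to enable PDE` with the OMA-URI, `## Differences between PDE and BitLocker`, `## Differences between PDE and EFS`, `## Disabling PDE and decrypting files`, `## Windows out of box applications that support PDE`); the new configure-pde-in-intune.md holds only the Intune procedures, so all of these must land in overview-pde.md, which is not shown here. Two fixes worth carrying over rather than copying verbatim: the prerequisite links `(windows/client-management/mdm/policy-csp-memorydump)` and `(windows/client-management/mdm/policy-csp-power#power-allowhibernate)` lack the leading slash the other links use, and the removed FAQ heading `**Can users manually encrypt and decrypt files with PDE.**` ends in a period instead of a question mark. Finally, the old path `information-protection/personal-data-encryption.md` is a published URL; the See also link is updated, but external links will break unless a redirect is added for it.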
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
new file mode 100644
index 0000000000..0af367f22c
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -0,0 +1,124 @@
+---
+title: Configure Personal Data Encryption (PDE) in Intune
+description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+# Configure Personal Data Encryption (PDE) polices in Intune
+
+## Required prerequisites
+
+### Enable Personal Data Encryption (PDE)
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Custom**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, select **Add**
+10. In the **Add Row** window:
+ 1. Next to **Name**, enter **Personal Data Encryption**
+ 2. Next to **Description**, enter a description
+ 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+ 4. Next to **Data type**, select **Integer**
+ 5. Next to **Value**, enter in **1**
+11. Select **Save**, and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the PDE policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Applicability Rules** tab, configure if necessary and then select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+#### Disable Winlogon automatic restart sign-on (ARSO)
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Templates**
+6. Under **Template name**, select **Administrative templates**, and then select **Create**
+7. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable ARSO**
+ 2. Next to **Description**, enter a description
+8. Select **Next**
+9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
+10. Select **Sign-in and lock last interactive user automatically after a restart**
+11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
+12. Select **Next**
+13. On the **Scope tags** tab, configure if necessary and then select **Next**
+12. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the ARSO policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+## Recommended prerequisites
+
+#### Disable hibernation
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Power**
+10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change **Allow Hibernate** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the hibernation policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+#### Disable crash dumps
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Memory Dump**
+10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the crash dumps policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
+## See also
+- [Personal Data Encryption (PDE)](overview-pde.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.md)
\ No newline at end of file
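Review bot: step 6 of the "Disable crash dumps" procedure reuses the hibernation profile name: `1. Next to **Name**, enter **Disable Hibernation**` under the crash-dumps heading would leave an admin with two identically named Intune profiles, one of them misdescribed; change it to **Disable Crash Dumps**. In the same hunk the ARSO procedure numbers its last four steps 12, 13, 12, 13 (Next, Scope tags, Assignments, Review + create), which should run 12 through 15; all three **Basics** lines are written `****Basics**`, so the extra asterisks render literally and should be `**Basics**`; and "Sign into the Intune" and "Settings picker windows" should read "Sign into Intune" and "Settings picker window". The file also ends without a trailing newline.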
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.md b/windows/security/information-protection/personal-data-encryption/faq-pde.md
new file mode 100644
index 0000000000..6c202e3473
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.md
@@ -0,0 +1,55 @@
+---
+title: Personal Data Encryption (PDE) FAQ
+description: Personal Data Encryption (PDE) FAQ
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+## Personal Data Encryption (PDE) FAQ
+
+**Can PDE encrypt entire volumes or drives?**
+No. PDE only encrypts specified files.
+
+**Is PDE a replacement for BitLocker?**
+No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+
+**Can an IT admin specify which files should be encrypted?**
+Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
+
+**Do I need to use OneDrive as my backup provider?**
+No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+
+**What is the relation between Windows Hello for Business and PDE?**
+Windows Hello for Business unlocks PDE encryption keys during user sign on.
+
+**Can a file be encrypted with both PDE and EFS at the same time?**
+No. PDE and EFS are mutually exclusive.
+
+**Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?**
+No. Accessing PDE encrypted files over RDP isn't currently supported.
+
+**Can PDE encrypted files be access via a network share?**
+No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+
+**How can it be determined if a file is encrypted with PDE?**
+Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file.
+
+**Can users manually encrypt and decrypt files with PDE?**
+Currently users can decrypt files manually but they can't encrypt files manually.
+
+**If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?**
+No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+
+## See also
+- [Personal Data Encryption (PDE)](overview-pde.md)
+- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
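Review bot: the answer that states the core security property is missing a word: `No. PDE encryption keys are protected Windows Hello for Business credentials` should say the keys are protected *by* Windows Hello for Business credentials, otherwise it reads as if the keys are the credentials. Also in this file: `Can PDE encrypted files be access via a network share?` should be "accessed"; `ms.topic: how-to` is the wrong topic type for an FAQ page and should be `ms.topic: faq`; the page has no `#` H1 because the only heading is `## Personal Data Encryption (PDE) FAQ`; the See also entry spells "policies" as "polices"; and there is no trailing newline.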
diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
new file mode 100644
index 0000000000..272d2627e5
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
@@ -0,0 +1,27 @@
+---
+title: Personal Data Encryption (PDE) description
+description: Personal Data Encryption (PDE) description include file
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+
+PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
+
+Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
+
+> [!NOTE]
+> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.
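Review bot: the key-handling sentence at the end of the last body paragraph needs the protection-level qualifier. `Additionally, PDE has the ability to also discard the encryption keys when the device is locked.` is only true at level 2 (the overview's protection-level table says level 1 keeps data accessible while locked), and because this include is pulled into the overview above that table a reader will assume locking always drops the keys. Suggest "With level 2 protection, PDE also discards the encryption keys when the device is locked." Minor: "Personal data encryption (PDE)" on the first line should be capitalized to match the feature name used everywhere else, and "For example, The BitLocker PIN entry screen" has a stray capital T.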
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
new file mode 100644
index 0000000000..e0a9b0133d
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -0,0 +1,142 @@
+---
+title: Personal Data Encryption (PDE)
+description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
+
+author: frankroj
+ms.author: frankroj
+ms.reviewer: rafals
+manager: aaroncz
+ms.topic: how-to
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.localizationpriority: medium
+ms.date: 09/22/2022
+---
+
+
+
+# Personal Data Encryption (PDE)
+
+(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
+
+[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
+
+## Prerequisites
+
+### **Required**
+ - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
+ - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
+ - Windows 11, version 22H2 and later Enterprise and Education editions
+
+### **Not supported with PDE**
+ - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
+ - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
+ - For information on disabling ARSO via Intune, please see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
+ - [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)
+ - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
+ - Remote Desktop connections
+
+### **Highly recommended**
+ - [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled
+ - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
+ - Backup solution such as [OneDrive](/onedrive/onedrive)
+ - In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
+ - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
+ - Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
+ - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
+ - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
+ - [Kernel and user mode crash dumps disabled](../../../client-management/mdm/policy-csp-memorydump.md)
+ - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, please see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
+ - [Hibernation disabled](../../../client-management/mdm/policy-csp-power#power-allowhibernate)
+ - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, please see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+
+## PDE protection levels
+
+PDE offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+
+| Item | Level 1 | Level 2 |
+|---|---|---|
+| Data is accessible when user is signed in | Yes | Yes |
+| Data is accessible when user has locked their device | Yes | No |
+| Data is accessible after user signs out | No | No |
+| Data is accessible when device is shut down | No | No |
+| Decryption keys discarded | After user signs out | After user locks device or signs out |
+
+## PDE encrypted files accessibility
+
+When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
+
+Scenarios where a user will be denied access to a PDE encrypted file include:
+
+- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
+- If specified via level 2 protection, when the device is locked.
+- When trying to access files on the device remotely. For example, UNC network paths.
+- Remote Desktop sessions.
+- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
+
+## How to enable PDE
+
+To enable PDE on devices, push an MDM policy to the devices with the following parameters:
+
+- Name: **Personal Data Encryption**
+- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
+- Data type: **Integer**
+- Value: **1**
+
+There's also a [PDE CSP](../../../client-management/mdm/personaldataencryption-csp.md) available for MDM solutions that support it.
+
+> [!NOTE]
+> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
+
+For information on enabling PDE via Intune, please see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
+
+## Differences between PDE and BitLocker
+
+| Item | PDE | BitLocker |
+|--|--|--|
+| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
+| Encryption keys discarded | At user sign out | At reboot |
+| Files encrypted | Individual specified files | Entire volume/drive |
+| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
+| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
+
+## Differences between PDE and EFS
+
+The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
+
+To see if a file is encrypted with PDE or EFS:
+
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. In the **Advanced Attributes** windows, select **Details**
+
+For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
+
+For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
+
+Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command.
+
+## Disable PDE and decrypt files
+
+Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
+
+In certain scenarios a user may be able to manually decrypt a file using the following steps:
+
+1. Open the properties of the file
+2. Under the **General** tab, select **Advanced...**
+3. Uncheck the option **Encrypt contents to secure data**
+4. Select **OK**, and then **OK** again
+
+> [!Important]
+> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
+
+## Windows out of box applications that support PDE
+
+Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
+
+- Mail
+ - Supports encrypting both email bodies and attachments
+
+## See also
+- [Personal Data Encryption (PDE) FAQ](faq-pde.md)
+- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
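Review bot: two relative links in the Prerequisites list are one directory short and will 404: `[Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)` and `[BitLocker Drive Encryption](bitlocker/bitlocker-overview.md)` resolve from `information-protection/personal-data-encryption/`, where those folders are siblings, so both need a leading `../`; the hibernation link `../../../client-management/mdm/policy-csp-power#power-allowhibernate` also lacks the `.md` its memory-dump neighbour has. In the same list the ARSO bullet ends with `arso)).`, one `)` too many; "crash dumbs" appears twice; and the hibernation bullet says "For information on disabling crash dumbs via Intune, please see [Disable hibernation]", which should say "disabling hibernation". Under "Disable PDE and decrypt files", the text asserts that PDE can be disabled locally and files decrypted with `cipher.exe` but documents neither the switch nor the disable step, and "In certain scenarios a user may be able to manually decrypt a file" never names the scenarios; either give the command and the conditions or cut the claim, since an admin reading this after a destructive PIN reset needs to know whether it applies. In the PDE/BitLocker table, "Encryption keys discarded: At user sign out" contradicts the level 2 row of the protection-level table, where keys are also discarded at lock; say "At user sign out (at lock with level 2)". Minor: "the encryption keys that encrypts the files" (encrypt), "Advanced Attributes windows" (window), "polices" in See also, and no trailing newline.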
From 117beb40564a3af51a397879728508f7dd88d811 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 14:09:57 -0400
Subject: [PATCH 17/23] Update PDE Docs 15 - Add FAQ YAML
---
.../personal-data-encryption/faq-pde.md | 2 +-
.../personal-data-encryption/faq-pde.yml | 60 +++++++++++++++++++
.../personal-data-encryption/overview-pde.md | 4 +-
3 files changed, 63 insertions(+), 3 deletions(-)
create mode 100644 windows/security/information-protection/personal-data-encryption/faq-pde.yml
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.md b/windows/security/information-protection/personal-data-encryption/faq-pde.md
index 6c202e3473..00f774b64f 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.md
@@ -15,7 +15,7 @@ ms.date: 09/22/2022
-## Personal Data Encryption (PDE) FAQ
+# Personal Data Encryption (PDE) FAQ
**Can PDE encrypt entire volumes or drives?**
No. PDE only encrypts specified files.
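Review bot: the `##` to `#` heading fix is right, but the frontmatter just above this hunk still carries `ms.topic: how-to` on an FAQ page; set it to `ms.topic: faq` while in this file, or, since the YAML FAQ added in the same patch replaces this page, delete this file here instead of patching it so the series does not ship two FAQ sources for one commit.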
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
new file mode 100644
index 0000000000..c0f9fc0568
--- /dev/null
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -0,0 +1,60 @@
+### YamlMime:FAQ
+metadata:
+ title: Frequently asked questions for Personal Data Encryption (PDE)
+ description: Answers to common questions regarding Personal Data Encryption (PDE).
+
+title: Frequently asked questions for Personal Data Encryption (PDE)
+summary: |
+ Here are some answers to common questions regarding Personal Data Encryption (PDE)
+
+sections:
+ - name: Single section - ignored
+ questions:
+ - question: Can PDE encrypt entire volumes or drives?
+ answer: |
+ No. PDE only encrypts specified files.
+
+ - question: Is PDE a replacement for BitLocker?
+ answer: |
+ No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
+
+ - question: Can an IT admin specify which files should be encrypted?
+ answer: |
+ Yes, but it can only be done using the PDE APIs.
+
+ - question: Do I need to use OneDrive as my backup provider?
+ answer: |
+ No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
+
+ - question: What is the relation between Windows Hello for Business and PDE?
+ answer: |
+ Windows Hello for Business unlocks PDE encryption keys during user sign on.
+
+ - question: Can a file be encrypted with both PDE and EFS at the same time?
+ answer: |
+ No. PDE and EFS are mutually exclusive.
+
+ - question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
+ answer: |
+ No. Accessing PDE encrypted files over RDP isn't currently supported.
+
+ - question: Can PDE encrypted files be access via a network share?
+ answer: |
+ No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
+
+ - question: How can it be determined if a file is encrypted with PDE?
+ answer: |
+ Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file.
+
+ - question: Can users manually encrypt and decrypt files with PDE?
+ answer: |
+ Currently users can decrypt files manually but they can't encrypt files manually.
+
+ - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
+ answer: |
+ No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+
+additionalContent: |
+ ## See also
+ - [Personal Data Encryption (PDE)](overview-pde.md)
+ - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
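Review bot: the `metadata:` block carries only `title` and `description`, dropping the `author`, `ms.author`, `ms.reviewer`, `manager`, `ms.topic`, `ms.prod`, `ms.technology` and `ms.date` fields the Markdown FAQ has; add them here (with `ms.topic: faq`) rather than in a follow-up so the page validates from the commit that introduces it. The answers also carried over and added grammar problems: `Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?` pairs "a" with "files" (the .md version had it right), `Can PDE encrypted files be access via a network share?` should be "accessed", and `No. PDE encryption keys are protected Windows Hello for Business credentials` is still missing "by". The "IT admin" answer lost the link to `/uwp/api/windows.security.dataprotection.userdataprotectionmanager` that the Markdown version had; restore it, since "the PDE APIs" is otherwise unresolvable from this page. See also: "polices" should be "policies"; no trailing newline.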
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index e0a9b0133d..6f8904b046 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -32,12 +32,12 @@ ms.date: 09/22/2022
- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, please see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- - [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)
+ - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### **Highly recommended**
- - [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled
+ - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
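Review bot: the two `../` fixes are correct, but the context line two above the first change still ends with `#disable-winlogon-automatic-restart-sign-on-arso)).`, which renders a literal `)` after the link; since this hunk already touches the "Not supported" list, drop the extra parenthesis here.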
From 044172735c95ffc2677ffa8d88e978ef140a7275 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 14:47:03 -0400
Subject: [PATCH 18/23] Update PDE Docs 16
---
windows/security/TOC.yml | 2 +-
.../personal-data-encryption/faq-pde.md | 55 -------------------
.../personal-data-encryption/faq-pde.yml | 2 +-
3 files changed, 2 insertions(+), 57 deletions(-)
delete mode 100644 windows/security/information-protection/personal-data-encryption/faq-pde.md
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index d605d2e4cc..c479c94205 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -154,7 +154,7 @@
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) (FAQ)
- href: information-protection/personal-data-encryption/faq-pde.md
+ href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
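Review bot: the href change to `faq-pde.yml` is correct, but `- name: Personal Data Encryption (PDE) (FAQ)` has doubled parentheses that read oddly beside the other two PDE entries; `Personal Data Encryption (PDE) FAQ` matches the sibling entries and the page title `Frequently asked questions for Personal Data Encryption (PDE)` better.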
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.md b/windows/security/information-protection/personal-data-encryption/faq-pde.md
deleted file mode 100644
index 00f774b64f..0000000000
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Personal Data Encryption (PDE) FAQ
-description: Personal Data Encryption (PDE) FAQ
-
-author: frankroj
-ms.author: frankroj
-ms.reviewer: rafals
-manager: aaroncz
-ms.topic: how-to
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.localizationpriority: medium
-ms.date: 09/22/2022
----
-
-
-
-# Personal Data Encryption (PDE) FAQ
-
-**Can PDE encrypt entire volumes or drives?**
-No. PDE only encrypts specified files.
-
-**Is PDE a replacement for BitLocker?**
-No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
-
-**Can an IT admin specify which files should be encrypted?**
-Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
-
-**Do I need to use OneDrive as my backup provider?**
-No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
-
-**What is the relation between Windows Hello for Business and PDE?**
-Windows Hello for Business unlocks PDE encryption keys during user sign on.
-
-**Can a file be encrypted with both PDE and EFS at the same time?**
-No. PDE and EFS are mutually exclusive.
-
-**Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?**
-No. Accessing PDE encrypted files over RDP isn't currently supported.
-
-**Can PDE encrypted files be access via a network share?**
-No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
-
-**How can it be determined if a file is encrypted with PDE?**
-Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file.
-
-**Can users manually encrypt and decrypt files with PDE?**
-Currently users can decrypt files manually but they can't encrypt files manually.
-
-**If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?**
-No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
-
-## See also
-- [Personal Data Encryption (PDE)](overview-pde.md)
-- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
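Review bot: deleting faq-pde.md in this commit leaves dangling cross-references: configure-pde-in-intune.md's See also still reads `- [Personal Data Encryption (PDE) FAQ](faq-pde.md)` (it is only repointed to faq-pde.yml in the next patch), and overview-pde.md's `- [Personal Data Encryption (PDE) FAQ](faq-pde.md)` is not updated anywhere in the visible series. Move the link updates into the same commit as the deletion so no intermediate commit has broken links, and grep the tree for `faq-pde.md` before merging.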
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index c0f9fc0568..478fc11b8d 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -38,7 +38,7 @@ sections:
answer: |
No. Accessing PDE encrypted files over RDP isn't currently supported.
- - question: Can PDE encrypted files be access via a network share?
+ - question: Can a PDE encrypted files be access via a network share?
answer: |
No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
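Review bot: this change makes the grammar worse rather than better: `- question: Can a PDE encrypted files be access via a network share?` pairs "a" with the plural "files" and still has "access" for "accessed". The intended question is "Can PDE encrypted files be accessed via a network share?"; the RDP question just above this hunk has the same "a ... files" problem and should be fixed in the same hunk.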
From e364789e9cb803166eafbfab7b52dd63459c48ff Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 15:01:43 -0400
Subject: [PATCH 19/23] Update PDE Docs 17
---
.../configure-pde-in-intune.md | 48 +++++++++----------
.../personal-data-encryption/faq-pde.yml | 10 ++++
.../personal-data-encryption/overview-pde.md | 8 ++--
3 files changed, 38 insertions(+), 28 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
index 0af367f22c..ec21661d69 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -73,29 +73,6 @@ ms.date: 09/22/2022
## Recommended prerequisites
-#### Disable hibernation
-
-1. Sign into the Intune
-2. Navigate to **Devices** > **Configuration Profiles**
-3. Select **Create profile**
-4. Under **Platform**, select **Windows 10 and later**
-5. Under **Profile type**, select **Settings catalog**, and then select **Create**
-6. On the ****Basics** tab:
- 1. Next to **Name**, enter **Disable Hibernation**
- 2. Next to **Description**, enter a description
-7. Select **Next**
-8. On the **Configuration settings** tab, select **Add settings**
-9. In the **Settings picker** windows, select **Power**
-10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
-11. Change **Allow Hibernate** to **Block**, and then select **Next**
-12. On the **Scope tags** tab, configure if necessary and then select **Next**
-13. On the **Assignments** tab:
- 1. Under **Included groups**, select **Add groups**
- 2. Select the groups that the hibernation policy should be deployed to
- 3. Select **Select**
- 4. Select **Next**
-14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
-
#### Disable crash dumps
1. Sign into the Intune
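Review bot: moving the hibernation procedure below crash dumps to match the order in overview-pde.md is fine, but the crash-dumps block left in place still names its profile after the wrong setting: its step 6 reads `1. Next to **Name**, enter **Disable Hibernation**` and should say **Disable Crash Dumps**, otherwise an admin following both procedures creates two profiles with the same name. The block also keeps `6. On the ****Basics** tab:` (stray asterisks), `1. Sign into the Intune` and "Settings picker windows"; fix them in the same pass.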
@@ -119,6 +96,29 @@ ms.date: 09/22/2022
4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+#### Disable hibernation
+
+1. Sign into the Intune
+2. Navigate to **Devices** > **Configuration Profiles**
+3. Select **Create profile**
+4. Under **Platform**, select **Windows 10 and later**
+5. Under **Profile type**, select **Settings catalog**, and then select **Create**
+6. On the ****Basics** tab:
+ 1. Next to **Name**, enter **Disable Hibernation**
+ 2. Next to **Description**, enter a description
+7. Select **Next**
+8. On the **Configuration settings** tab, select **Add settings**
+9. In the **Settings picker** windows, select **Power**
+10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
+11. Change **Allow Hibernate** to **Block**, and then select **Next**
+12. On the **Scope tags** tab, configure if necessary and then select **Next**
+13. On the **Assignments** tab:
+ 1. Under **Included groups**, select **Add groups**
+ 2. Select the groups that the hibernation policy should be deployed to
+ 3. Select **Select**
+ 4. Select **Next**
+14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
+
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
-- [Personal Data Encryption (PDE) FAQ](faq-pde.md)
\ No newline at end of file
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
\ No newline at end of file
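Review bot: the re-inserted hibernation block is byte-identical to the removed one, so it reintroduces `6. On the ****Basics** tab:`, `1. Sign into the Intune` and `9. In the **Settings picker** windows`; since these are new `+` lines anyway, correct them here ("**Basics**", "Sign into Intune", "window") rather than in another follow-up. The See also repoint to `faq-pde.yml` is correct and should have landed with the deletion of faq-pde.md in the previous commit; the file still ends without a trailing newline.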
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index 478fc11b8d..a1864d9e9d 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -1,7 +1,17 @@
### YamlMime:FAQ
+
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
+ author: frankroj
+ ms.author: frankroj
+ ms.reviewer: rafals
+ manager: aaroncz
+ ms.topic: faq
+ ms.prod: windows-client
+ ms.technology: itpro-security
+ ms.localizationpriority: medium
+ ms.date: 09/22/2022
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index 6f8904b046..8fd6b39074 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -45,9 +45,9 @@ ms.date: 09/22/2022
- Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- - [Kernel and user mode crash dumps disabled](../../../client-management/mdm/policy-csp-memorydump.md)
+ - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, please see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- - [Hibernation disabled](../../../client-management/mdm/policy-csp-power#power-allowhibernate)
+ - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, please see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
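Review bot: style point on the unchanged context at the top of this hunk: the first bullet says "destructive PIN reset" in each of its four sentences. Since the file is open for link fixes, tightening it to something like "A destructive PIN reset discards the PDE encryption keys, so files encrypted with PDE become inaccessible and must be restored from backup; the Windows Hello for Business PIN reset service is recommended because it resets the PIN non-destructively" keeps the same facts in fewer words. The link changes themselves (relative `../../../client-management/...md` to site-absolute `/windows/client-management/...`) look right and match the `windows-hardware` link above them.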
@@ -83,7 +83,7 @@ To enable PDE on devices, push an MDM policy to the devices with the following p
- Data type: **Integer**
- Value: **1**
-There's also a [PDE CSP](../../../client-management/mdm/personaldataencryption-csp.md) available for MDM solutions that support it.
+There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
@@ -138,5 +138,5 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
- Supports encrypting both email bodies and attachments
## See also
-- [Personal Data Encryption (PDE) FAQ](faq-pde.md)
+- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
\ No newline at end of file
From 5a904454e740b702f833de53020a9a122d0de700 Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 16:35:04 -0400
Subject: [PATCH 20/23] Update PDE Docs 18
---
.../personal-data-encryption/faq-pde.yml | 3 +++
.../personal-data-encryption/includes/pde-description.md | 2 +-
.../personal-data-encryption/overview-pde.md | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index a1864d9e9d..23d80a0c05 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -64,6 +64,9 @@ sections:
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
+ - question: What encryption method and strength does PDE use?: |
+ PDE uses AES-256 to encrypt files
+
additionalContent: |
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
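Review bot: the new FAQ entry at `+ - question: What encryption method and strength does PDE use?: |` does not follow the shape of the entry above it: the `: |` is attached to the question text instead of to a separate `answer:` key, so `PDE uses AES-256 to encrypt files` has no key to belong to, and the `?: |` inside the `question` value will not parse as a plain scalar (a colon followed by a space is a mapping indicator). It should be `- question: What encryption method and strength does PDE use?` followed by `answer: |` on its own line, as in the preceding entry. Also end the answer with a period like the answer above it; and "AES-256" names only the key size, so if the source for this answer specifies the mode of operation, include it.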
diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
index 272d2627e5..7ca7334657 100644
--- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
+++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md
@@ -15,7 +15,7 @@ ms.date: 09/22/2022
-Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual files. PDE occurs in addition to other encryption methods such as BitLocker.
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
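Review bot: the rewritten sentence in `+Personal data encryption (PDE) ... provides additional encryption features to Windows.` is vaguer than the line it replaces ("provides encryption of individual files"), and the paragraph now compares PDE to BitLocker twice in a row ("PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker."). Suggest keeping the concrete first sentence and merging the two BitLocker sentences, e.g. "PDE encrypts individual files rather than whole volumes or disks, and works alongside other encryption methods such as BitLocker." Two nits on the same paragraph: "Personal data encryption" is lower-case here but title-case ("Personal Data Encryption") in the titles and headings elsewhere in this series, and the unchanged line below has "This requirement requires users to remember two different credentials", which repeats itself; "so users must remember two different credentials" would do.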
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index 8fd6b39074..fd3f933c65 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -52,7 +52,7 @@ ms.date: 09/22/2022
## PDE protection levels
-PDE offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
+PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
| Item | Level 1 | Level 2 |
|---|---|---|
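Review bot: `PDE uses AES-256 to encrypt files and offers two levels of protection.` bundles the cipher statement into the protection-levels sentence, where "two levels" could be misread as two encryption strengths rather than the protection levels described in the table that follows. Put the cipher in its own sentence so the levels paragraph stays about the levels. This also duplicates the new FAQ answer added in the same patch; keep the wording identical in both places so they do not drift.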
From a4998dc1dffa227c866da690ed53ac7e3bcaf02e Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 16:49:45 -0400
Subject: [PATCH 21/23] PDE Final Review
---
.../personal-data-encryption/configure-pde-in-intune.md | 2 +-
.../personal-data-encryption/overview-pde.md | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
index ec21661d69..0151546bcc 100644
--- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
+++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
@@ -15,7 +15,7 @@ ms.date: 09/22/2022
-# Configure Personal Data Encryption (PDE) polices in Intune
+# Configure Personal Data Encryption (PDE) policies in Intune
## Required prerequisites
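Review bot: the misspelling fixed here in the H1 (`polices` to `policies`) is still present in the link text that points at this page from overview-pde.md, `- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)` (visible in that file's See also hunk earlier in this series); fix both in this commit so the title and its cross-reference match.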
diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md
index fd3f933c65..90896a5bd7 100644
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md
+++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md
@@ -31,7 +31,7 @@ ms.date: 09/22/2022
### **Not supported with PDE**
- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- - For information on disabling ARSO via Intune, please see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
+ - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
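Review bot: the edited ARSO line keeps a stray closing parenthesis: `...#disable-winlogon-automatic-restart-sign-on-arso)).` has `))` where only one `)` closes the markdown link, so the rendered text ends with `).`. Drop the extra `)` while changing "please see" to "see".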
@@ -46,9 +46,9 @@ ms.date: 09/22/2022
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, please see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
+ - Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, please see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
+ - Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
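Review bot: both edited lines still say `crash dumbs` ("For information on disabling crash dumbs via Intune"), and the hibernation bullet copies the crash-dump wording where it should refer to hibernation, so it currently reads "For information on disabling crash dumbs via Intune, see [Disable hibernation](...)". Since these lines are being touched for the "please see" cleanup, fix the typo to "crash dumps" in the first and change the second to "For information on disabling hibernation via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation)."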
@@ -88,7 +88,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
-For information on enabling PDE via Intune, please see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
+For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
## Differences between PDE and BitLocker
From 6b8be333ab21ec844c7354a609a9e6215e9aba6d Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 16:54:16 -0400
Subject: [PATCH 22/23] PDE Final Review 2
---
.../personal-data-encryption/faq-pde.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index 23d80a0c05..e20d56066f 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -64,7 +64,8 @@ sections:
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- - question: What encryption method and strength does PDE use?: |
+ - question: What encryption method and strength does PDE use?:
+ answer: |
PDE uses AES-256 to encrypt files
additionalContent: |
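Review bot: `+ - question: What encryption method and strength does PDE use?:` still carries a trailing colon after the question mark; a colon at end of line inside a plain scalar is a mapping indicator, so YAML will reject the line ("mapping values are not allowed here") rather than load the question as a string. Drop the colon (`- question: What encryption method and strength does PDE use?`) so the entry matches the one above it. The answer `PDE uses AES-256 to encrypt files` also still lacks a terminal period.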
From 22e30fa35eaa0c0c8ddc5c045c6f8b04007699db Mon Sep 17 00:00:00 2001
From: Frank Rojas <45807133+frankroj@users.noreply.github.com>
Date: Mon, 19 Sep 2022 16:57:27 -0400
Subject: [PATCH 23/23] PDE Final Review 3
---
.../information-protection/personal-data-encryption/faq-pde.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
index e20d56066f..49b38650ce 100644
--- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml
+++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml
@@ -64,7 +64,7 @@ sections:
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- - question: What encryption method and strength does PDE use?:
+ - question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-256 to encrypt files
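Review bot: with the trailing colon removed the entry now has the same `question:` / `answer: |` shape as the one above it; the remaining inconsistency is that `PDE uses AES-256 to encrypt files` ends without a period, unlike the answer above it. Separately, patches 20, 22 and 23 each touch only this entry; squashing the three into one commit would leave a cleaner history than "Update PDE Docs 18" followed by two "Final Review" fix-ups.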