mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 02:13:43 +00:00
removed PDE acronym from docs
This commit is contained in:
Paolo Matarazzo
@ -1,42 +1,42 @@
|
||||
---
|
||||
title: PDE settings and configuration
|
||||
description: Learn about the available options to configure Personal Data Encryption (PDE) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
|
||||
title: Personal Data Encryption settings and configuration
|
||||
description: Learn about the available options to configure Personal Data Encryption (Personal Data Encryption) and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
|
||||
ms.topic: how-to
|
||||
ms.date: 09/24/2024
|
||||
---
|
||||
|
||||
# PDE settings and configuration
|
||||
# Personal Data Encryption settings and configuration
|
||||
|
||||
This article describes the Personal Data Encryption (PDE) settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
|
||||
This article describes the Personal Data Encryption settings and how to configure them via Microsoft Intune or Configuration Service Providers (CSP).
|
||||
|
||||
> [!NOTE]
|
||||
> PDE can be configured using MDM policies. The content to be protected by PDE can be specified using [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or protect content using PDE.
|
||||
> Personal Data Encryption can be configured using MDM policies. The content to be protected by Personal Data Encryption can be specified using [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable Personal Data Encryption or protect content using Personal Data Encryption.
|
||||
>
|
||||
> The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.
|
||||
> The Personal Data Encryption APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the Personal Data Encryption APIs can't be used to protect content until the Personal Data Encryption policy has been enabled.
|
||||
|
||||
## PDE settings
|
||||
## Personal Data Encryption settings
|
||||
|
||||
The following table lists the required settings to enable PDE.
|
||||
The following table lists the required settings to enable Personal Data Encryption.
|
||||
|
||||
| Setting name | Description |
|
||||
|-|-|
|
||||
|Enable Personal Data Encryption|PDE isn't enabled by default. Before PDE can be used, you must enable it.|
|
||||
|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with PDE. To use PDE, ARSO must be disabled.|
|
||||
|Enable Personal Data Encryption|Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.|
|
||||
|Sign-in and lock last interactive user automatically after a restart| Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.|
|
||||
|
||||
## PDE hardening recommendations
|
||||
## Personal Data Encryption hardening recommendations
|
||||
|
||||
The following table lists the recommended settings to improve PDE's security.
|
||||
The following table lists the recommended settings to improve Personal Data Encryption's security.
|
||||
|
||||
| Setting name | Description |
|
||||
|-|-|
|
||||
|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
|
||||
|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
|
||||
|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption (PDE) to protect content to be exposed. For greatest security, disable hibernation.|
|
||||
|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
|
||||
|Kernel-mode crash dumps and live dumps|Kernel-mode crash dumps and live dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps.|
|
||||
|Windows Error Reporting (WER)/user-mode crash dumps|Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable user-mode crash dumps.|
|
||||
|Hibernation|Hibernation files can potentially cause the keys used by Personal Data Encryption to protect content to be exposed. For greatest security, disable hibernation.|
|
||||
|Allow users to select when a password is required when resuming from connected standby |When this policy isn't configured on Microsoft Entra joined devices, users on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. During the time when the screen turns off but a password isn't required, the keys used by Personal Data Encryption to protect content could potentially be exposed. It's recommended to explicitly disable this policy on Microsoft Entra joined devices.|
|
||||
|
||||
## Configure PDE with Microsoft Intune
|
||||
## Configure Personal Data Encryption with Microsoft Intune
|
||||
|
||||
If you use Microsoft Intune to manage your devices, you can configure PDE using a disk encryption policy, a settings catalog policy, or a custom profile.
|
||||
If you use Microsoft Intune to manage your devices, you can configure Personal Data Encryption using a disk encryption policy, a settings catalog policy, or a custom profile.
|
||||
|
||||
### Disk encryption policy
|
||||
|
||||
@ -77,9 +77,9 @@ Content-Type: application/json
|
||||
{ "id": "00-0000-0000-0000-000000000000", "name": "_MSLearn_PDE", "description": "", "platforms": "windows10", "technologies": "mdm", "roleScopeTagIds": [ "0" ], "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_admx_credentialproviders_allowdomaindelaylock_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_errorreporting_disablewindowserrorreporting_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowcrashdump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowcrashdump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_memorydump_allowlivedump", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_memorydump_allowlivedump_0", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "user_vendor_msft_pde_enablepersonaldataencryption", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "user_vendor_msft_pde_enablepersonaldataencryption_1", "children": [] } } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_power_allowhibernate", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_power_allowhibernate_0", "children": [] } } } ] }
|
||||
```
|
||||
|
||||
## Configure PDE with CSP
|
||||
## Configure Personal Data Encryption with CSP
|
||||
|
||||
Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE CSP][CSP-2].
|
||||
Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [Personal Data Encryption CSP][CSP-2].
|
||||
|
||||
|OMA-URI|Format|Value|
|
||||
|-|-|-|
|
||||
@ -91,13 +91,13 @@ Alternatively, you can configure devices using the [Policy CSP][CSP-1] and [PDE
|
||||
|`./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate` |int| `0`|
|
||||
|`./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock`|string|`<disabled/>`|
|
||||
|
||||
## Disable PDE
|
||||
## Disable Personal Data Encryption
|
||||
|
||||
Once PDE is enabled, it isn't recommended to disable it. However if you need to disable PDE, you can do so using the following steps.
|
||||
Once Personal Data Encryption is enabled, it isn't recommended to disable it. However if you need to disable Personal Data Encryption, you can do so using the following steps.
|
||||
|
||||
### Disable PDE with a disk encryption policy
|
||||
### Disable Personal Data Encryption with a disk encryption policy
|
||||
|
||||
To disable PDE devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
|
||||
To disable Personal Data Encryption devices using a [disk encryption policy](/mem/intune/protect/endpoint-security-disk-encryption-policy), go to **Endpoint security** > **Disk encryption** and select **Create policy**:
|
||||
|
||||
- **Platform** > **Windows**
|
||||
- **Profile** > **Personal Data Encryption**
|
||||
@ -106,7 +106,7 @@ Provide a name, and select **Next**. In the **Configuration settings** page, sel
|
||||
|
||||
Assign the policy to a group that contains as members the devices or users that you want to configure.
|
||||
|
||||
### Disable PDE with a settings catalog policy in Intune
|
||||
### Disable Personal Data Encryption with a settings catalog policy in Intune
|
||||
|
||||
[!INCLUDE [intune-settings-catalog-1](../../../../../includes/configure/intune-settings-catalog-1.md)]
|
||||
|
||||
@ -116,24 +116,24 @@ Assign the policy to a group that contains as members the devices or users that
|
||||
|
||||
[!INCLUDE [intune-settings-catalog-2](../../../../../includes/configure/intune-settings-catalog-2.md)]
|
||||
|
||||
### Disable PDE with CSP
|
||||
### Disable Personal Data Encryption with CSP
|
||||
|
||||
You can disable PDE with CSP using the following setting:
|
||||
You can disable Personal Data Encryption with CSP using the following setting:
|
||||
|
||||
|OMA-URI|Format|Value|
|
||||
|-|-|-|
|
||||
|`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`|int|`0`|
|
||||
|
||||
## Decrypt PDE-encrypted content
|
||||
## Decrypt encrypted content
|
||||
|
||||
Disabling PDE doesn't decrypt any PDE protected content. It only prevents the PDE API from being able to protect any additional content. PDE-protected files can be manually decrypted using the following steps:
|
||||
Disabling Personal Data Encryption doesn't decrypt any Personal Data Encryption protected content. It only prevents the Personal Data Encryption API from being able to protect any additional content. Pprotected files can be manually decrypted using the following steps:
|
||||
|
||||
1. Open the properties of the file
|
||||
1. Under the **General** tab, select **Advanced...**
|
||||
1. Uncheck the option **Encrypt contents to secure data**
|
||||
1. Select **OK**, and then **OK** again
|
||||
|
||||
PDE-protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
|
||||
Protected files can also be decrypted using [`cipher.exe`][WINS-1], which can be helpful in the following scenarios:
|
||||
|
||||
- Decrypting a large number of files on a device
|
||||
- Decrypting files on multiple of devices
|
||||
@ -153,11 +153,11 @@ To decrypt files on a device using `cipher.exe`:
|
||||
```
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using PDE.
|
||||
> Once a user selects to manually decrypt a file, the user won't be able to manually protect the file again using Personal Data Encryption.
|
||||
|
||||
## Next steps
|
||||
|
||||
- Review the [Personal Data Encryption (PDE) FAQ](faq.yml)
|
||||
- Review the [Personal Data Encryption FAQ](faq.yml)
|
||||
|
||||
<!--links used in this document-->
|
||||
|
||||
|
||||
@ -1,51 +1,51 @@
|
||||
### YamlMime:FAQ
|
||||
|
||||
metadata:
|
||||
title: Frequently asked questions for Personal Data Encryption (PDE)
|
||||
description: Answers to common questions regarding Personal Data Encryption (PDE).
|
||||
title: Frequently asked questions for Personal Data Encryption
|
||||
description: Answers to common questions regarding Personal Data Encryption.
|
||||
ms.topic: faq
|
||||
ms.date: 09/24/2024
|
||||
|
||||
title: Frequently asked questions for Personal Data Encryption (PDE)
|
||||
title: Frequently asked questions for Personal Data Encryption
|
||||
summary: |
|
||||
Here are some answers to common questions regarding Personal Data Encryption (PDE)
|
||||
Here are some answers to common questions regarding Personal Data Encryption
|
||||
|
||||
sections:
|
||||
- name: General
|
||||
questions:
|
||||
- question: Can PDE encrypt entire volumes or drives?
|
||||
- question: Can Personal Data Encryption encrypt entire volumes or drives?
|
||||
answer: |
|
||||
No, PDE only encrypts specified files and content.
|
||||
- question: How are files and content protected by PDE selected?
|
||||
No, Personal Data Encryption only encrypts specified files and content.
|
||||
- question: How are files and content protected by Personal Data Encryption selected?
|
||||
answer: |
|
||||
[PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using PDE.
|
||||
- question: Can users manually encrypt and decrypt files with PDE?
|
||||
[Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) are used to select which files and content are protected using Personal Data Encryption.
|
||||
- question: Can users manually encrypt and decrypt files with Personal Data Encryption?
|
||||
answer: |
|
||||
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt PDE-encrypted content](configure.md#decrypt-pde-encrypted-content).
|
||||
- question: Can PDE protected content be accessed after signing on via a Remote Desktop connection (RDP)?
|
||||
Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section [Decrypt encrypted content](configure.md#decrypt-encrypted-content).
|
||||
- question: Can Personal Data Encryption protected content be accessed after signing on via a Remote Desktop connection (RDP)?
|
||||
answer: |
|
||||
No, it's not supported to access PDE-protected content over RDP.
|
||||
- question: Can PDE protected content be accessed via a network share?
|
||||
No, it's not supported to access protected content over RDP.
|
||||
- question: Can Personal Data Encryption protected content be accessed via a network share?
|
||||
answer: |
|
||||
No, PDE protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
|
||||
- question: What encryption method and strength does PDE use?
|
||||
No, Personal Data Encryption protected content can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
|
||||
- question: What encryption method and strength does Personal Data Encryption use?
|
||||
answer: |
|
||||
PDE uses AES-CBC with a 256-bit key to encrypt content.
|
||||
Personal Data Encryption uses AES-CBC with a 256-bit key to encrypt content.
|
||||
|
||||
- name: PDE and other Windows features
|
||||
- name: Personal Data Encryption and other Windows features
|
||||
questions:
|
||||
- question: What is the relation between Windows Hello for Business and PDE?
|
||||
- question: What is the relation between Windows Hello for Business and Personal Data Encryption?
|
||||
answer: |
|
||||
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to protect content.
|
||||
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content?
|
||||
During user sign-on, Windows Hello for Business unlocks the keys that Personal Data Encryption uses to protect content.
|
||||
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their Personal Data Encryption protected content?
|
||||
answer: |
|
||||
No, the keys used by PDE to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
|
||||
- question: Can a file be protected with both PDE and EFS at the same time?
|
||||
No, the keys used by Personal Data Encryption to protect content are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
|
||||
- question: Can a file be protected with both Personal Data Encryption and EFS at the same time?
|
||||
answer: |
|
||||
No, PDE and EFS are mutually exclusive.
|
||||
- question: Is PDE a replacement for BitLocker?
|
||||
No, Personal Data Encryption and EFS are mutually exclusive.
|
||||
- question: Is Personal Data Encryption a replacement for BitLocker?
|
||||
answer: |
|
||||
No, it's recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
|
||||
- question: Do I need to use OneDrive in Microsoft 365 as my backup provider?
|
||||
answer: |
|
||||
No, PDE doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by PDE to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
|
||||
No, Personal Data Encryption doesn't have a requirement for a backup provider, including OneDrive in Microsoft 365. However, backups are recommended in case the keys used by Personal Data Encryption to protect files are lost. OneDrive in Microsoft 365 is a recommended backup provider.
|
||||
|
||||
@ -7,98 +7,98 @@ ms.date: 09/24/2024
|
||||
|
||||
# Personal Data Encryption
|
||||
|
||||
Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides file-based data encryption capabilities to Windows.
|
||||
Starting in Windows 11, version 22H2, Personal Data Encryption is a security feature that provides file-based data encryption capabilities to Windows.
|
||||
|
||||
PDE utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
|
||||
Personal Data Encryption utilizes Windows Hello for Business to link *data encryption keys* with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user.\
|
||||
When a user logs off, decryption keys are discarded and data is inaccessible, even if another user signs into the device.
|
||||
|
||||
The use of Windows Hello for Business offers the following advantages:
|
||||
|
||||
- It reduces the number of credentials to access encrypted content: users only need to sign-in with Windows Hello for Business
|
||||
- The accessibility features available when using Windows Hello for Business extend to PDE protected content
|
||||
- The accessibility features available when using Windows Hello for Business extend to Personal Data Encryption protected content
|
||||
|
||||
PDE differs from BitLocker in that it encrypts files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.\
|
||||
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business.
|
||||
Personal Data Encryption differs from BitLocker in that it encrypts files instead of whole volumes and disks. Personal Data Encryption occurs in addition to other encryption methods such as BitLocker.\
|
||||
Unlike BitLocker that releases data encryption keys at boot, Personal Data Encryption doesn't release data encryption keys until a user signs in using Windows Hello for Business.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
To use PDE, the following prerequisites must be met:
|
||||
To use Personal Data Encryption, the following prerequisites must be met:
|
||||
|
||||
- Windows 11, version 22H2 and later
|
||||
- The devices must be [Microsoft Entra joined][AAD-1]. Domain-joined and Microsoft Entra hybrid joined devices aren't supported
|
||||
- Users must sign in using [Windows Hello for Business](../../../identity-protection/hello-for-business/index.md)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you sign in with a password or a [security key][AAD-2], you can't access PDE protected content.
|
||||
> If you sign in with a password or a [security key][AAD-2], you can't access Personal Data Encryption protected content.
|
||||
|
||||
[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)]
|
||||
|
||||
## PDE protection levels
|
||||
## Personal Data Encryption protection levels
|
||||
|
||||
PDE uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
|
||||
Personal Data Encryption uses *AES-CBC* with a *256-bit key* to protect content and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [Personal Data Encryption APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
|
||||
|
||||
| Item | Level 1 | Level 2 |
|
||||
|---|---|---|
|
||||
| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
|
||||
| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
|
||||
| PDE protected data is accessible after user signs out of Windows | No | No |
|
||||
| PDE protected data is accessible when device is shut down | No | No |
|
||||
| PDE protected data is accessible via UNC paths | No | No |
|
||||
| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
|
||||
| PDE protected data is accessible via Remote Desktop session | No | No |
|
||||
| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
|
||||
| Protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
|
||||
| Protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
|
||||
| Protected data is accessible after user signs out of Windows | No | No |
|
||||
| Protected data is accessible when device is shut down | No | No |
|
||||
| Protected data is accessible via UNC paths | No | No |
|
||||
| Protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
|
||||
| Protected data is accessible via Remote Desktop session | No | No |
|
||||
| Decryption keys used by Personal Data Encryption discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
|
||||
|
||||
## PDE protected content accessibility
|
||||
## Personal Data Encryption protected content accessibility
|
||||
|
||||
When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access PDE protected content, they'll be denied access to the content.
|
||||
When a file is protected with Personal Data Encryption, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access Personal Data Encryption protected content, they'll be denied access to the content.
|
||||
|
||||
Scenarios where a user will be denied access to PDE protected content include:
|
||||
Scenarios where a user will be denied access to Personal Data Encryption protected content include:
|
||||
|
||||
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN
|
||||
- If protected via level 2 protection, when the device is locked
|
||||
- When trying to access content on the device remotely. For example, UNC network paths
|
||||
- Remote Desktop sessions
|
||||
- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected content
|
||||
- Other users on the device who aren't owners of the content, even if they're signed in via Windows Hello for Business and have permissions to navigate to the Personal Data Encryption protected content
|
||||
|
||||
## Differences between PDE and BitLocker
|
||||
## Differences between Personal Data Encryption and BitLocker
|
||||
|
||||
PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
|
||||
Personal Data Encryption is meant to work alongside BitLocker. Personal Data Encryption isn't a replacement for BitLocker, nor is BitLocker a replacement for Personal Data Encryption. Using both features together provides better security than using either BitLocker or Personal Data Encryption alone. However there are differences between BitLocker and Personal Data Encryption and how they work. These differences are why using them together offers better security.
|
||||
|
||||
| Item | PDE | BitLocker |
|
||||
| Item | Personal Data Encryption | BitLocker |
|
||||
|--|--|--|
|
||||
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
|
||||
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At shutdown |
|
||||
| Protected content | All files in protected folders | Entire volume/drive |
|
||||
| Authentication to access protected content | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
|
||||
|
||||
## Differences between PDE and EFS
|
||||
## Differences between Personal Data Encryption and EFS
|
||||
|
||||
The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
|
||||
The main difference between protecting files with Personal Data Encryption instead of EFS is the method they use to protect the file. Personal Data Encryption uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
|
||||
|
||||
To see if a file is protected with PDE or with EFS:
|
||||
To see if a file is protected with Personal Data Encryption or with EFS:
|
||||
|
||||
1. Open the properties of the file
|
||||
1. Under the **General** tab, select **Advanced...**
|
||||
1. In the **Advanced Attributes** windows, select **Details**
|
||||
|
||||
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
|
||||
For Personal Data Encryption protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
|
||||
|
||||
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
|
||||
|
||||
Encryption information including what encryption method is being used to protect the file can be obtained with the [`cipher.exe /c`](/windows-server/administration/windows-commands/cipher) command.
|
||||
|
||||
## Recommendations for using PDE
|
||||
## Recommendations for using Personal Data Encryption
|
||||
|
||||
The following are recommendations for using PDE:
|
||||
The following are recommendations for using Personal Data Encryption:
|
||||
|
||||
- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although PDE works without BitLocker, it's recommended to enable BitLocker. PDE is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
|
||||
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost making any PDE-protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
|
||||
- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by PDE to protect content to be lost, making any content protected with PDE inaccessible. After a destructive PIN reset, content protected with PDE must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
|
||||
- Enable [BitLocker Drive Encryption](../bitlocker/index.md). Although Personal Data Encryption works without BitLocker, it's recommended to enable BitLocker. Personal Data Encryption is meant to work alongside BitLocker for increased security at it isn't a replacement for BitLocker
|
||||
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview). In certain scenarios, such as TPM resets or destructive PIN resets, the keys used by Personal Data Encryption to protect content will be lost making any protected content inaccessible. The only way to recover such content is from a backup. If the files are synced to OneDrive, to regain access you must re-sync OneDrive
|
||||
- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md). Destructive PIN resets will cause keys used by Personal Data Encryption to protect content to be lost, making any content protected with Personal Data Encryption inaccessible. After a destructive PIN reset, content protected with Personal Data Encryption must be recovered from a backup. For this reason, Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets
|
||||
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) offers additional security when authenticating with Windows Hello for Business via biometrics or PIN
|
||||
|
||||
## Windows out of box applications that support PDE
|
||||
## Windows out of box applications that support Personal Data Encryption
|
||||
|
||||
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE:
|
||||
Certain Windows applications support Personal Data Encryption out of the box. If Personal Data Encryption is enabled on a device, these applications will utilize Personal Data Encryption:
|
||||
|
||||
| App name | Details |
|
||||
|-|-|
|
||||
@ -106,7 +106,7 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
|
||||
|
||||
## Next steps
|
||||
|
||||
- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [PDE settings and configuration](configure.md)
|
||||
- Learn about the available options to configure Personal Data Encryption and how to configure them via Microsoft Intune or configuration Service Provider (CSP): [Personal Data Encryption settings and configuration](configure.md)
|
||||
- Review the [Personal Data Encryption FAQ](faq.yml)
|
||||
|
||||
<!--links used in this document-->
|
||||
|
||||
Reference in New Issue
Block a user