deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 03:43:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update overview-pde.md

Browse Source
This commit is contained in:
Thomas Raya
2022-12-12 09:56:52 -08:00
committed by GitHub
parent 0020f48507
commit 97160ebc39
1 changed files with 53 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

182
windows/security/information-protection/personal-data-encryption/overview-pde.md
View File

@ -3,123 +3,75 @@ title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
ms.reviewer: rafals
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/07/2022
ms.date: 09/22/2022
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Personal Data Encryption (PDE)
**Applies to:**
- Windows 11, version 22H2 and later Enterprise and Education editions
(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
## Prerequisites
### Required
### **Required**
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### **Not supported with PDE**
- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### Not supported with PDE
- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### Security hardening recommendations
- [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies)
Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](configure-pde-in-intune.md#disable-kernel-mode-crash-dumps-and-live-dumps).
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
Hibernation files can potentially cause the keys used by PDE to protect files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
When this policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including native Azure Active Directory joined devices, is different:
- On-premises Active Directory joined devices:
- A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device.
- A password is required immediately after the screen turns off.
The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices.
- Workgroup devices, including native Azure AD joined devices:
- A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device.
- During the time when the screen turns off but a password isn't required, the keys used by PDE to protect files could potentially be exposed. This outcome isn't a desired outcome.
Because of this undesired outcome, it's recommended to explicitly disable this policy on native Azure AD joined devices instead of leaving it at the default of not configured.
For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](configure-pde-in-intune.md#disable-allowing-users-to-select-when-a-password-is-required-when-resuming-from-connected-standby).
### Highly recommended
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker.
- Backup solution such as [OneDrive in Microsoft 365](/sharepoint/onedrive-overview)
In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect files will be lost. In such scenarios, any file protected with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
Destructive PIN resets will cause keys used by PDE to protect files to be lost. The destructive PIN reset will make any file protected with PDE no longer accessible after a destructive PIN reset. Files protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
### **Highly recommended**
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
PDE uses AES-CBC with a 256-bit key to protect files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
| PDE protected data accessible when user has signed in via Windows Hello for Business | Yes | Yes |
| PDE protected data is accessible at Windows lock screen | Yes | Data is accessible for one minute after lock, then it's no longer available |
| PDE protected data is accessible after user signs out of Windows | No | No |
| PDE protected data is accessible when device is shut down | No | No |
| PDE protected data is accessible via UNC paths | No | No |
| PDE protected data is accessible when signing with Windows password instead of Windows Hello for Business | No | No |
| PDE protected data is accessible via Remote Desktop session | No | No |
| Decryption keys used by PDE discarded | After user signs out of Windows | One minute after Windows lock screen is engaged or after user signs out of Windows |
| Data is accessible when user is signed in | Yes | Yes |
| Data is accessible when user has locked their device | Yes | No |
| Data is accessible after user signs out | No | No |
| Data is accessible when device is shut down | No | No |
| Decryption keys discarded | After user signs out | After user locks device or signs out |
## PDE protected files accessibility
## PDE encrypted files accessibility
When a file is protected with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE protected file, they'll be denied access to the file.
When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
Scenarios where a user will be denied access to a PDE protected file include:
Scenarios where a user will be denied access to a PDE encrypted file include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If protected via level 2 protection, when the device is locked.
- If specified via level 2 protection, when the device is locked.
- When trying to access files on the device remotely. For example, UNC network paths.
- Remote Desktop sessions.
- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE protected files.
- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
## How to enable PDE
@ -133,83 +85,55 @@ To enable PDE on devices, push an MDM policy to the devices with the following p
There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not protect any files. To protect files via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which files to protect and at what level to protect the files. Additionally, the PDE APIs can't be used to protect files until the PDE policy has been enabled.
> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
## Differences between PDE and BitLocker
PDE is meant to work alongside BitLocker. PDE isn't a replacement for BitLocker, nor is BitLocker a replacement for PDE. Using both features together provides better security than using either BitLocker or PDE alone. However there are differences between BitLocker and PDE and how they work. These differences are why using them together offers better security.
| Item | PDE | BitLocker |
|--|--|--|
| Release of decryption key | At user sign-in via Windows Hello for Business | At boot |
| Decryption keys discarded | When user signs out of Windows or one minute after Windows lock screen is engaged | At reboot |
| Files protected | Individual specified files | Entire volume/drive |
| Authentication to access protected file | Windows Hello for Business | When BitLocker with TPM + PIN is enabled, BitLocker PIN plus Windows sign-in |
| Release of key | At user sign-in via Windows Hello for Business | At boot |
| Keys discarded | At user sign-out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.
To see if a file is protected with PDE or with EFS:
To see if a file is encrypted with PDE or EFS:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. In the **Advanced Attributes** windows, select **Details**
For PDE protected files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS protected files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used to protect the file can be obtained with the [cipher.exe /c](/windows-server/administration/windows-commands/cipher) command.
Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command.
## Disable PDE and decrypt files
Once PDE is enabled, it isn't recommended to disable it. However if PDE does need to be disabled, it can be done so via the MDM policy described in the section [How to enable PDE](#how-to-enable-pde). The value of the OMA-URI needs to be changed from **`1`** to **`0`** as follows:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **0**
Disabling PDE doesn't decrypt any PDE protected files. It only prevents the PDE API from being able to protect any additional files. PDE protected files can be manually decrypted using the following steps:
Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. Uncheck the option **Encrypt contents to secure data**
4. Select **OK**, and then **OK** again
PDE protected files can also be decrypted using [cipher.exe](/windows-server/administration/windows-commands/cipher). Using `cipher.exe` can be helpful to decrypt files in the following scenarios:
- Decrypting a large number of files on a device
- Decrypting files on a large number of devices.
To decrypt files on a device using `cipher.exe`:
- Decrypt all files under a directory including subdirectories:
```cmd
cipher.exe /d /s:<path_to_directory>
```
- Decrypt a single file or all of the files in the specified directory, but not any subdirectories:
```cmd
cipher.exe /d <path_to_file_or_directory>
```
> [!IMPORTANT]
> Once a user selects to manually decrypt a file, the user will not be able to manually protect the file again using PDE.
> [!Important]
> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
## Windows out of box applications that support PDE
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
- Mail
- Supports protecting both email bodies and attachments
- Supports encrypting both email bodies and attachments
## See also
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)