Merge pull request #7159 from frankroj/frankroj-pde-update

PDE Updates 1
Angela Fleischmann 2022-09-23 17:02:45 -06:00 committed by GitHub
commit cd9b803cfa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 20 deletions

View File

@ -30,25 +30,25 @@ sections:
- question: Can an IT admin specify which files should be encrypted?
answer: |
Yes, but it can only be done using the PDE APIs.
Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
- question: Do I need to use OneDrive as my backup provider?
answer: |
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider.
- question: What is the relation between Windows Hello for Business and PDE?
answer: |
Windows Hello for Business unlocks PDE encryption keys during user sign on.
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files.
- question: Can a file be encrypted with both PDE and EFS at the same time?
answer: |
No. PDE and EFS are mutually exclusive.
- question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
- question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
No. Accessing PDE encrypted files over RDP isn't currently supported.
- question: Can a PDE encrypted files be access via a network share?
- question: Can PDE encrypted files be access via a network share?
answer: |
No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
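Review bot: the network-share question at the end of this hunk is only half fixed: the article was dropped ("Can a PDE encrypted files" to "Can PDE encrypted files") but the verb still reads "be access via a network share"; it should be "be accessed via a network share". While touching these answers, the new phrase "the keys used by PDE to decrypt files" is used consistently across the FAQ, which is good, but note that the same wording is repeated three times in this hunk alone; "the PDE file keys" or similar would read more lightly if the terminology is being standardized anyway.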
@ -62,11 +62,11 @@ sections:
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-256 to encrypt files
PDE uses AES-CBC with a 256-bit key to encrypt files
additionalContent: |
## See also
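Review bot: the new answer "PDE uses AES-CBC with a 256-bit key to encrypt files" still lacks a terminating period, as the old line did; every other answer in the file ends with one. In the preceding answer, "when signing on with Windows Hello for Business PIN or biometrics" is missing an article ("with a Windows Hello for Business PIN or biometrics"). The change from "protected Windows Hello for Business credentials" to "protected by Windows Hello for Business credentials" is a correct fix of a dropped word.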

View File

@ -1,6 +1,6 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
author: frankroj
ms.author: frankroj
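Review bot: the hyphenation fix ("sign in" to "sign-in" used as a noun) is correct, but "unlocks user encrypted files" in the same description is still ambiguous; "unlocks a user's encrypted files" or "unlocks user-encrypted files" would state which reading is intended.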
@ -40,19 +40,19 @@ ms.date: 09/22/2022
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
- Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
| Item | Level 1 | Level 2 |
|---|---|---|
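Review bot: the rewritten crash-dump bullet introduces a grammar error: "the keys used by PDE decrypt files to be exposed" is missing "to" ("the keys used by PDE to decrypt files to be exposed"); the hibernation bullet two lines below has the correct form. Two pre-existing defects on lines this hunk already rewrites should be fixed in the same pass: "crash dumbs" appears in both the crash-dump and hibernation bullets (should be "crash dumps"), and the hibernation bullet's cross-reference sentence reads "For information on disabling crash dumbs via Intune, see [Disable hibernation]", a copy-paste leftover that should say "disabling hibernation". The destructive PIN reset bullet also repeats "destructive PIN reset" four times in three sentences; "A destructive PIN reset makes any file encrypted with PDE inaccessible, so such files must be recovered from a backup" would carry the same point.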
@ -94,15 +94,15 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption
| Item | PDE | BitLocker |
|--|--|--|
| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
| Encryption keys discarded | At user sign out | At reboot |
| Release of key | At user sign-in via Windows Hello for Business | At boot |
| Keys discarded | At user sign-out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.
To see if a file is encrypted with PDE or EFS:
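Review bot: the two renamed table rows are inconsistent in number: "Release of key" (singular) next to "Keys discarded" (plural); "Release of keys" matches both the second row and the prose elsewhere in the page. The hunk hyphenates "sign-in" and "sign-out" in those rows but leaves "BitLocker PIN plus Windows sign in" unhyphenated in the authentication row two lines below, which sits in the hunk's context and should be brought in line. In the EFS paragraph, "the keys to decrypt the files" is fine, but "EFS uses certificates to secure and encrypt the files" is imprecise as a contrast: EFS protects its file keys with the user's certificate and key pair, so "EFS uses certificates to secure the keys that encrypt the files" would make the two sentences parallel.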
@ -118,9 +118,7 @@ Encryption information including what encryption method is being used can be obt
## Disable PDE and decrypt files
Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
In certain scenarios a user may be able to manually decrypt a file using the following steps:
Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
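Review bot: the merged sentence doubles the preposition: "can be decrypted using `cipher.exe` using the following steps"; "can be decrypted with `cipher.exe` using the following steps" reads correctly. The rewrite also drops the old statement that PDE "can be disabled locally", yet the section heading is still "Disable PDE and decrypt files"; either the heading should narrow to decrypting files, or the text should keep saying whether local disabling is possible, since the two lines now disagree on what the section covers.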
@ -139,4 +137,4 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
## See also
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
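Review bot: the only change in this hunk is the added trailing newline, but the line being rewritten still carries the typo "polices" (should be "policies"); since the line is touched anyway, correct it here rather than in a follow-up.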