deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Update PDE Docs 4

Browse Source
This commit is contained in:
Frank Rojas 2022-09-15 20:38:32 -04:00
parent 6ca651d15e
commit d11eeb6f3d
1 changed files with 98 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
windows/security/information-protection/personal-data-encryption.md
View File

@ -12,13 +12,15 @@ ms.date: 09/22/2022
# Personal Data Encryption # Personal Data Encryption
<!-- Max 5963468 OS 32516487 --> <!-- Max 5963468 OS 32516487 -->
(*Applies to: Windows 11, version 22H2 and later*) (*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker. Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides encryption of individual user files. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. It is also an alternative to BitLocker + PIN when requiring user authentication before releasing encryption keys and decrypting files. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This can minimizes the amount of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requires users to remember two different credentials. With PDE, users only needs to enter one set of credentials via Windows Hello for Business.
Unlike BitLocker which unlocks data encryption keys at boot, PDE does not release data encryption keys until a user logs via Windows Hello for Business. PDE is also accessibility friendly. For example, The BitLocker PIN entry screen does not have accessibility options. However, PDE uses Windows Hello for Business which does have accessibility features.
Unlike BitLocker which releases data encryption keys at boot, PDE does not release data encryption keys until a user logs in via Windows Hello for Business. Users will only be able to access their PDE encrypted files once they have signed into Windows using Windows Hello for Business. Users will not have access to their PDE encrypted files if they have signed into Windows via a password instead of Windows Hello for Business biometric or PIN. Users will also not have access to their PDE encrypted files if they are not signed in locally and are trying to access them through alternate methods such as network UNC paths or a Remote Desktop session. Files will also not be accessible to other users on the device even if they are signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
> [!NOTE] > [!NOTE]
> PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE. > PDE is currently only available to developers via [APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md). There is no user interface in Windows or administrative policies that can be pushed to devices to encrypt files via PDE.
@ -28,29 +30,109 @@ Unlike BitLocker which unlocks data encryption keys at boot, PDE does not releas
- **Required** - **Required**
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md) - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md)
- [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview.md) - [Windows Hello for Business](/security/identity-protection/hello-for-business/hello-overview.md)
- [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md) not enabled - Windows 11, version 22H2 and later Enterprise and Education editions
- Winlogon automatic restart sign-on feature not enabled
- Windows Information Protection (WIP) not enabled - **Not supported with PDE**
- [FIDO/security key authentication](/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- [Windows Information Protection (WIP)](/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md)
- Remote Desktop connections
- **Recommended** - **Highly recommended**
- [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled - [BitLocker Drive Encryption](/security/information-protection/bitlocker/bitlocker-overview.md) enabled
- Kernel and user mode crash dumps disabled - Although PDE will work without BitLocker, it is recommend to also enable BitLocker. PDE is meant to supplement BitLocker, not replace it.
- Hibernation disabled - Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md) - [Windows Hello for Business PIN reset service](/security/identity-protection/hello-for-business/hello-feature-pin-reset.md)
- Secure Biometrics when using Windows Hello for Business - Destructive PIN resets will cause PDE encryption keys to be lost. This will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps.
- [Hibernation disabled](windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation.
## PDE protection levels
PDE offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
| | Level 1 | Level 2 |
|---|---|---|
| Data is accessible when user is signed in | Yes | Yes |
| Data is accessible when user has locked their device | Yes | No |
| Data is accessible after user signs out | No | No |
| Data is accessible when device is shut down | No | No |
| Decryption keys discarded | After user signs out | After user locks device or signs out |
## How to enable PDE
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
Name: **Personal Data Encryption**
OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
Data type: **Integer**
Value: **1**
There is also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE] > [!NOTE]
> Only [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join.md) are supported. [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid.md) do not support PDE. > Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager.md) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
### Enabling PDE in Intune
1. Sign into the Intune admin center
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Custom**, and then select **Create**
7. On the ****Basics** tab:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
8. Select **Next**
9. On the **Configuration settings** tab, select **Add**
10. In the **Add Row** window:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
4. Next to **Data type**, select **Integer**
5. Next to **Value**, enter in **1**
11. Select **Save**, and then select **Next**
12. On the **Assignments** tab:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the PDE policy should be deployed to
3. Select **Select**
4. Select **Next**
13. On the **Applicability Rules** tab, configure as necessary and then select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
### Configuring required prerequisites in Intune
#### Disabling Winlogon automatic restart sign-on (ARSO)
### Configuring recommended prerequisites in Intune
#### Disabling hibernation
#### Disabling crash dumps
## Differences between PDE and BitLocker ## Differences between PDE and BitLocker
| | PDE | BitLocker |
| Item | PDE | BitLocker |
|--|--|--| |--|--|--|
| Release of encryption keys | At user logon via WHfB | At boot | | Release of encryption keys | At user logon via Windows Hello for Business | At boot |
| Encryption keys discarded | At user logoff | At reboot | | Encryption keys discarded | At user logoff | At reboot |
| Files encrypted | User known folders of Documents, Pictures, and Desktop | Entire volume/drive | | Files encrypted | Individual specified files | Entire volume/drive |
| Authentication to release encryption keys | No additional PIN required - Windows Hello for Business credentials used | When BitLocker with PIN is enabled, additional PIN is required in addition to Windows logon credentials |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN does not have accessibility features |
## Differences between PDE and EFS
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files while EFS uses certificates to secure and encrypt the files.
To see if a file is encrypted with PDE or EFS, open the properties of the file. Under the **General** tab, click on the **Advanced...** button. In the **Advanced Attributes** windows, click on the **Details** button. For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the atrribute of **On**. For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. You can also check the encryption type being used via the **cipher.exe /c** command line.
## How to enable
## Next steps ## Next steps