2022-10-25 11:46:27 -04:00


title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 09/22/2022

Configure Personal Data Encryption (PDE) policies in Intune

Required prerequisites

Enable Personal Data Encryption (PDE)

  1. Sign in to Intune
  2. Navigate to Devices > Configuration Profiles
  3. Select Create profile
  4. Under Platform, select Windows 10 and later
  5. Under Profile type, select Templates
  6. Under Template name, select Custom, and then select Create
  7. On the Basics tab:
    1. Next to Name, enter Personal Data Encryption
    2. Next to Description, enter a description
  8. Select Next
  9. On the Configuration settings tab, select Add
  10. In the Add Row window:
    1. Next to Name, enter Personal Data Encryption
    2. Next to Description, enter a description
    3. Next to OMA-URI, enter ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
    4. Next to Data type, select Integer
    5. Next to Value, enter 1
  11. Select Save, and then select Next
  12. On the Assignments tab:
    1. Under Included groups, select Add groups
    2. Select the groups that the PDE policy should be deployed to
    3. Select Select
    4. Select Next
  13. On the Applicability Rules tab, configure if necessary and then select Next
  14. On the Review + create tab, review the configuration to make sure everything is configured correctly, and then select Create
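
The same profile can be created without the portal. As an added example (not part of the original article), the PowerShell below builds the Microsoft Graph `windows10CustomConfiguration` object that corresponds to steps 7 through 11 and checks the row before submission. The description text and the `Test-PdeSetting` helper are assumptions, and group assignment (step 12) is not covered.

```powershell
# Added example, not from the original article. Mirrors steps 7-11 above.
$pdeUri = './User/Vendor/MSFT/PDE/EnablePersonalDataEncryption'

$pdeConfig = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Personal Data Encryption'
    description   = 'Enable PDE'            # placeholder description
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'   # Data type: Integer
            displayName   = 'Personal Data Encryption'
            description   = 'Enable PDE'    # placeholder description
            omaUri        = $pdeUri
            value         = 1
        }
    )
}

# Hypothetical helper: returns a list of problems, empty when the row matches the article.
function Test-PdeSetting {
    param([hashtable]$Setting, [string]$ExpectedUri)
    $problems = @()
    if ($Setting.omaUri -ne $ExpectedUri) {
        $problems += "OMA-URI is '$($Setting.omaUri)', expected '$ExpectedUri'"
    }
    if ($Setting.'@odata.type' -ne '#microsoft.graph.omaSettingInteger') {
        $problems += 'Data type must be Integer (omaSettingInteger)'
    }
    # A quoted "1" would be sent as a string and not match the Integer data type.
    if (($Setting.value -isnot [int]) -or ($Setting.value -ne 1)) {
        $problems += 'Value must be the integer 1'
    }
    return $problems
}

$problems = foreach ($row in $pdeConfig.omaSettings) { Test-PdeSetting $row $pdeUri }
if ($problems) { throw ($problems -join '; ') }

$body = $pdeConfig | ConvertTo-Json -Depth 5
$body   # inspect the request body before sending it

# To create the profile (requires the Microsoft.Graph.Authentication module):
# Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
# Invoke-MgGraphRequest -Method POST -Body $body -ContentType 'application/json' `
#     -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
```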

Disable Winlogon automatic restart sign-on (ARSO)

  1. Sign in to Intune
  2. Navigate to Devices > Configuration Profiles
  3. Select Create profile
  4. Under Platform, select Windows 10 and later
  5. Under Profile type, select Templates
  6. Under Template name, select Administrative templates, and then select Create
  7. On the Basics tab:
    1. Next to Name, enter Disable ARSO
    2. Next to Description, enter a description
  8. Select Next
  9. On the Configuration settings tab, under Computer Configuration, navigate to Windows Components > Windows Logon Options
  10. Select Sign-in and lock last interactive user automatically after a restart
  11. In the Sign-in and lock last interactive user automatically after a restart window that opens, select Disabled, and then select OK
  12. Select Next
  13. On the Scope tags tab, configure if necessary and then select Next
  14. On the Assignments tab:
    1. Under Included groups, select Add groups
    2. Select the groups that the ARSO policy should be deployed to
    3. Select Select
    4. Select Next
  15. On the Review + create tab, review the configuration to make sure everything is configured correctly, and then select Create

Disable crash dumps

  1. Sign in to Intune
  2. Navigate to Devices > Configuration Profiles
  3. Select Create profile
  4. Under Platform, select Windows 10 and later
  5. Under Profile type, select Settings catalog, and then select Create
  6. On the Basics tab:
    1. Next to Name, enter Disable Hibernation
    2. Next to Description, enter a description
  7. Select Next
  8. On the Configuration settings tab, select Add settings
  9. In the Settings picker window, select Memory Dump
  10. When the settings appear in the lower pane, under Setting name, select both Allow Crash Dump and Allow Live Dump, and then select the X in the top right corner of the Settings picker window to close the window
  11. Change both Allow Live Dump and Allow Crash Dump to Block, and then select Next
  12. On the Scope tags tab, configure if necessary and then select Next
  13. On the Assignments tab:
    1. Under Included groups, select Add groups
    2. Select the groups that the crash dumps policy should be deployed to
    3. Select Select
    4. Select Next
  14. On the Review + create tab, review the configuration to make sure everything is configured correctly, and then select Create

Disable hibernation

  1. Sign in to Intune
  2. Navigate to Devices > Configuration Profiles
  3. Select Create profile
  4. Under Platform, select Windows 10 and later
  5. Under Profile type, select Settings catalog, and then select Create
  6. On the Basics tab:
    1. Next to Name, enter Disable Hibernation
    2. Next to Description, enter a description
  7. Select Next
  8. On the Configuration settings tab, select Add settings
  9. In the Settings picker window, select Power
  10. When the settings appear in the lower pane, under Setting name, select Allow Hibernate, and then select the X in the top right corner of the Settings picker window to close the window
  11. Change Allow Hibernate to Block, and then select Next
  12. On the Scope tags tab, configure if necessary and then select Next
  13. On the Assignments tab:
    1. Under Included groups, select Add groups
    2. Select the groups that the hibernation policy should be deployed to
    3. Select Select
    4. Select Next
  14. On the Review + create tab, review the configuration to make sure everything is configured correctly, and then select Create
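
Once the ARSO, crash dump, and hibernation profiles above have synced, their effect can be read back on an enrolled device. The following PowerShell is an added example, not part of the original article; the registry locations are assumptions about where Windows records these policies (the Group Policy key for ARSO and the Policy CSP `PolicyManager` store for the settings catalog items), and the PDE setting itself is not checked.

```powershell
# Added example: read back the three hardening settings on an enrolled device.
# Registry paths and value names are assumptions, not taken from the article.
$pm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
$checks = @(
    @{ Setting = 'ARSO disabled'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'DisableAutomaticRestartSignOn'; Expected = 1 }
    @{ Setting = 'Crash dumps blocked'
       Path    = "$pm\MemoryDump"; Name = 'AllowCrashDump'; Expected = 0 }
    @{ Setting = 'Live dumps blocked'
       Path    = "$pm\MemoryDump"; Name = 'AllowLiveDump';  Expected = 0 }
    @{ Setting = 'Hibernation blocked'
       Path    = "$pm\Power";      Name = 'AllowHibernate'; Expected = 0 }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy has not been applied yet.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting   = $c.Setting
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
    }
}

$results | Format-Table -AutoSize
```

A row reporting `not set` usually means the profile is not assigned to the device or has not synced yet.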

See also