deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/operating-system-security/data-protection/personal-data-encryption/known-folders.md
Paolo Matarazzo 2d9f087ead initial sync
2025-03-11 19:04:41 -04:00

5.0 KiB
Raw Blame History

title, description, ms.topic, ms.date
title description ms.topic ms.date
Personal Data Encryption For Known Folders Learn about Personal Data Encryption for known folders and how to configure it via Microsoft Intune and Configuration Service Providers (CSP). how-to 09/24/2024

Personal Data Encryption for know folders

Starting in Windows 11, version 24H2, Personal Data Encryption is further enhanced with Personal Data Encryption for known folders, which extends protection to the Windows folders: Desktop, Documents, and Pictures.

:::image type="content" source="images/known-folders-pde.png" alt-text="Icons of the known folders with a padlock representing their encryption status.":::

Personal Data Encryption for know folders settings

The following table lists the settings to configuire Personal Data Encryption for know folders.

Setting name Description
Enable Personal Data Encryption Personal Data Encryption isn't enabled by default. Before Personal Data Encryption can be used, you must enable it.
Sign-in and lock last interactive user automatically after a restart Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal Data Encryption. To use Personal Data Encryption, ARSO must be disabled.

Configure Personal Data Encryption for know folders

[!INCLUDE intune-settings-catalog-1]

Category Setting name Value

[!INCLUDE intune-settings-catalog-2]

Alternatively, you can configure devices using a [custom policy][INT-1] with the DeviceGuard Policy CSP.

Setting
Setting name:
OMA-URI: ``
Data type: int
Value: 1
Setting name:
OMA-URI: ``
Data type: int
Value:
Enabled with UEFI lock: 1
Enabled without lock: 2

If you use Microsoft Intune to manage your devices, you can configure Personal Data Encryption using a disk encryption policy, a settings catalog policy, or a custom profile.

Disk encryption policy

To configure devices using a disk encryption policy, go to Endpoint security > Disk encryption and select Create policy:

  • Platform > Windows
  • Profile > Personal Data Encryption

Provide a name, and select Next. In the Configuration settings page, select Enable Personal Data Encryption and configure the settings as needed.

Assign the policy to a group that contains as members the devices or users that you want to configure.

Settings catalog policy

[!INCLUDE intune-settings-catalog-1]

Category Setting name Value
PDE Enable Personal Data Encryption (User) Enable Personal Data Encryption
Administrative Templates > Windows Components > Windows Logon Options Sign-in and lock last interactive user automatically after a restart Disabled
Memory Dump Allow Live Dump Block
Memory Dump Allow Crash Dump Block
Administrative Templates > Windows Components > Windows Error Reporting Disable Windows Error Reporting Enabled
Power Allow Hibernate Block
Administrative Templates > System > Logon Allow users to select when a password is required when resuming from connected standby Disabled

[!INCLUDE intune-settings-catalog-2]

Tip

Use the following Graph call to automatically create the settings catalog policy in your tenant without assignments nor scope tags.

When using this call, authenticate to your tenant in the Graph Explorer window. If it's the first time using Graph Explorer, you may need to authorize the application to access your tenant or to modify the existing permissions. This graph call requires DeviceManagementConfiguration.ReadWrite.All permissions.

Configure Personal Data Encryption with CSP

Alternatively, you can configure devices using the Policy CSP and Personal Data Encryption CSP.

OMA-URI Format Value
./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption int 1
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/AllowAutomaticRestartSignOn string <disabled/>
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowCrashDump int 0
./Device/Vendor/MSFT/Policy/Config/MemoryDump/AllowLiveDump int 0
./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting string <enabled/>
./Device/Vendor/MSFT/Policy/Config/Power/AllowHibernate int 0
./Device/Vendor/MSFT/Policy/Config/ADMX_CredentialProviders/AllowDomainDelayLock string <disabled/>

User experience

When Personal Data Encryption is enabled, the user experience is as follows: