deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-10 11:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
MandiOhlinger 8c027710f6 find & replace
2023-02-09 19:20:29 -05:00

9.2 KiB
Raw Blame History

title, description, author, ms.author, ms.reviewer, manager, ms.topic, ms.prod, ms.technology, ms.localizationpriority, ms.date
title description author ms.author ms.reviewer manager ms.topic ms.prod ms.technology ms.localizationpriority ms.date
Configure Personal Data Encryption (PDE) in Intune Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune frankroj frankroj rhonnegowda aaroncz how-to windows-client itpro-security medium 12/13/2022

Configure Personal Data Encryption (PDE) policies in Intune

Required prerequisites

Enable Personal Data Encryption (PDE)

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Templates

  6. Under Template name, select Custom, and then select Create

  7. In Basics:

    1. Next to Name, enter Personal Data Encryption
    2. Next to Description, enter a description

  8. Select Next

  9. In Configuration settings, select Add

  10. In Add Row:

    1. Next to Name, enter Personal Data Encryption
    2. Next to Description, enter a description
    3. Next to OMA-URI, enter in ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
    4. Next to Data type, select Integer
    5. Next to Value, enter in 1

  11. Select Save, and then select Next

  12. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the PDE policy should be deployed to
    3. Select Select
    4. Select Next

  13. In Applicability Rules, configure if necessary and then select Next

  14. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

Disable Winlogon automatic restart sign-on (ARSO)

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Templates

  6. Under Template name, select Administrative templates, and then select Create

  7. In Basics:

    1. Next to Name, enter Disable ARSO
    2. Next to Description, enter a description

  8. Select Next

  9. In Configuration settings, under Computer Configuration, navigate to Windows Components > Windows Logon Options

  10. Select Sign-in and lock last interactive user automatically after a restart

  11. In the Sign-in and lock last interactive user automatically after a restart window that opens, select Disabled, and then select OK

  12. Select Next

  13. In Scope tags, configure if necessary and then select Next

  14. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the ARSO policy should be deployed to
    3. Select Select
    4. Select Next

  15. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

Security hardening recommendations

Disable kernel-mode crash dumps and live dumps

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Settings catalog, and then select Create

  6. In Basics:

    1. Next to Name, enter Disable Kernel-Mode Crash Dumps
    2. Next to Description, enter a description

  7. Select Next

  8. In Configuration settings, select Add settings

  9. In the Settings picker window, under Browse by category, select Memory Dump

  10. When the settings appear under Setting name, select both Allow Crash Dump and Allow Live Dump, and then select the X in the top right corner of the Settings picker window to close the window

  11. Change both Allow Live Dump and Allow Crash Dump to Block, and then select Next

  12. In Scope tags, configure if necessary and then select Next

  13. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the disable crash dumps policy should be deployed to
    3. Select Select
    4. Select Next

  14. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

Disable Windows Error Reporting (WER)/Disable user-mode crash dumps

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Settings catalog, and then select Create

  6. In Basics:

    1. Next to Name, enter Disable Windows Error Reporting (WER)
    2. Next to Description, enter a description

  7. Select Next

  8. In Configuration settings, select Add settings

  9. In the Settings picker window, under Browse by category, expand to Administrative Templates > Windows Components, and then select Windows Error Reporting

  10. When the settings appear under Setting name, select Disable Windows Error Reporting, and then select the X in the top right corner of the Settings picker window to close the window

  11. Change Disable Windows Error Reporting to Enabled, and then select Next

  12. In Scope tags, configure if necessary and then select Next

  13. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the disable WER dumps policy should be deployed to
    3. Select Select
    4. Select Next

  14. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

Disable hibernation

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Settings catalog, and then select Create

  6. In Basics:

    1. Next to Name, enter Disable Hibernation
    2. Next to Description, enter a description

  7. Select Next

  8. In Configuration settings, select Add settings

  9. In the Settings picker window, under Browse by category, select Power

  10. When the settings appear under Setting name, select Allow Hibernate, and then select the X in the top right corner of the Settings picker window to close the window

  11. Change Allow Hibernate to Block, and then select Next

  12. In Scope tags, configure if necessary and then select Next

  13. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the disable hibernation policy should be deployed to
    3. Select Select
    4. Select Next

  14. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

Disable allowing users to select when a password is required when resuming from connected standby

  1. Sign into Intune admin center.

  2. Navigate to Devices > Configuration Profiles

  3. Select Create profile

  4. Under Platform, select Windows 10 and later

  5. Under Profile type, select Settings catalog, and then select Create

  6. In Basics:

    1. Next to Name, enter Disable allowing users to select when a password is required when resuming from connected standby
    2. Next to Description, enter a description

  7. Select Next

  8. In Configuration settings, select Add settings

  9. In the Settings picker window, under Browse by category, expand to Administrative Templates > System, and then select Logon

  10. When the settings appear under Setting name, select Allow users to select when a password is required when resuming from connected standby, and then select the X in the top right corner of the Settings picker window to close the window

  11. Make sure that Allow users to select when a password is required when resuming from connected standby is left at the default of Disabled, and then select Next

  12. In Scope tags, configure if necessary and then select Next

  13. In Assignments:

    1. Under Included groups, select Add groups
    2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to
    3. Select Select
    4. Select Next

  14. In Review + create, review the configuration to make sure everything is configured correctly, and then select Create

See also