deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-13 09:33:20 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md
MandiOhlinger 8c027710f6 find & replace
2023-02-09 19:20:29 -05:00

264 lines
9.2 KiB
Markdown
Raw Blame History

---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rhonnegowda
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 12/13/2022
---
<!-- Max 5963468 OS 32516487 -->
<!-- Max 6946251 -->
# Configure Personal Data Encryption (PDE) policies in Intune
## Required prerequisites
### Enable Personal Data Encryption (PDE)
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Custom**, and then select **Create**
7. In **Basics**:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
8. Select **Next**
9. In **Configuration settings**, select **Add**
10. In **Add Row**:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
4. Next to **Data type**, select **Integer**
5. Next to **Value**, enter in **1**
11. Select **Save**, and then select **Next**
12. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the PDE policy should be deployed to
3. Select **Select**
4. Select **Next**
13. In **Applicability Rules**, configure if necessary and then select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Winlogon automatic restart sign-on (ARSO)
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Administrative templates**, and then select **Create**
7. In **Basics**:
1. Next to **Name**, enter **Disable ARSO**
2. Next to **Description**, enter a description
8. Select **Next**
9. In **Configuration settings**, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
10. Select **Sign-in and lock last interactive user automatically after a restart**
11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
12. Select **Next**
13. In **Scope tags**, configure if necessary and then select **Next**
14. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the ARSO policy should be deployed to
3. Select **Select**
4. Select **Next**
15. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
## Security hardening recommendations
### Disable kernel-mode crash dumps and live dumps
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, select **Memory Dump**
10. When the settings appear under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable crash dumps policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable Windows Error Reporting (WER)/Disable user-mode crash dumps
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **Windows Components**, and then select **Windows Error Reporting**
10. When the settings appear under **Setting name**, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Disable Windows Error Reporting** to **Enabled**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable WER dumps policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable hibernation
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable Hibernation**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, select **Power**
10. When the settings appear under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Allow Hibernate** to **Block**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable hibernation policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
### Disable allowing users to select when a password is required when resuming from connected standby
1. Sign into [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. In **Basics**:
1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**
2. Next to **Description**, enter a description
7. Select **Next**
8. In **Configuration settings**, select **Add settings**
9. In the **Settings picker** window, under **Browse by category**, expand to **Administrative Templates** > **System**, and then select **Logon**
10. When the settings appear under **Setting name**, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Make sure that **Allow users to select when a password is required when resuming from connected standby** is left at the default of **Disabled**, and then select **Next**
12. In **Scope tags**, configure if necessary and then select **Next**
13. In **Assignments**:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the disable Allow users to select when a password is required when resuming from connected standby policy should be deployed to
3. Select **Select**
4. Select **Next**
14. In **Review + create**, review the configuration to make sure everything is configured correctly, and then select **Create**
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
Reference in New Issue View Git Blame Copy Permalink