Paolo Matarazzo 7d2719375b PDE updates
2023-06-01 08:04:00 -04:00

title: Enable Personal Data Encryption (PDE) in Intune
description: Enable Personal Data Encryption (PDE) in Intune
ms.topic: how-to
ms.date: 03/13/2023

Enable Personal Data Encryption (PDE)

By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE can be used on a device, it needs to be enabled. This can be done via a custom OMA-URI policy assigned to the device.

Note

Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the PDE APIs. The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled.

Enable Personal Data Encryption (PDE) in Intune

To enable Personal Data Encryption (PDE) using Intune, follow these steps:

  1. Sign in to the Microsoft Intune admin center.
  2. In the Home screen, select Devices in the left pane
  3. In the Devices | Overview screen, under Policy, select Configuration Profiles
  4. In the Devices | Configuration profiles screen, make sure Profiles is selected at the top, and then select Create profile
  5. In the Create profile window that opens:
    1. Under Platform, select Windows 10 and later
    2. Under Profile type, select Templates
    3. When the templates appear, under Template name, select Custom
    4. Select Create to close the Create profile window
  6. The Custom screen will open. In the Basics page:
    1. Next to Name, enter Personal Data Encryption
    2. Next to Description, enter a description
    3. Select Next
  7. In the Configuration settings page:
    1. Next to OMA-URI Settings, select Add
    2. In the Add Row window that opens:
      1. Next to Name, enter Personal Data Encryption
      2. Next to Description, enter a description
      3. Next to OMA-URI, enter: ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption
      4. Next to Data type, select Integer
      5. Next to Value, enter 1
      6. Select Save to close the Add Row window
    3. Select Next
  8. In the Assignments page:
    1. Under Included groups, select Add groups

      Note

      Make sure to add the correct groups under Included groups and not under Excluded groups. Accidentally adding the desired device groups under Excluded groups will result in those devices being excluded and they won't receive the configuration profile.

    2. In the Select groups to include window that opens, select the groups that the configuration profile should be assigned to, and then select Select to close the Select groups to include window
    3. Under Included groups > Groups, ensure the correct group(s) are selected, and then select Next
  9. In the Applicability Rules page, configure rules if necessary and then select Next
  10. In the Review + create page, review the configuration to make sure everything is configured correctly, and then select Create
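The same profile and assignment created through Microsoft Graph with the Microsoft Graph PowerShell SDK (Invoke-MgGraphRequest), as an added example that is not part of the original article. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account can be granted DeviceManagementConfiguration.ReadWrite.All, and that $GroupId is replaced with the object ID of the target group (the value below is a placeholder).

```powershell
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Placeholder: replace with the object ID of the Entra ID group to target.
$GroupId = '00000000-0000-0000-0000-000000000000'

# Steps 5-7 of the portal procedure as one request body: a Windows 10 and later
# custom template with a single integer OMA-URI row set to 1.
$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Personal Data Encryption'
    description   = 'Enables the PDE feature; content is protected only via the PDE APIs'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Personal Data Encryption'
            description   = 'Enable PDE'
            omaUri        = './User/Vendor/MSFT/PDE/EnablePersonalDataEncryption'
            value         = 1
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body $profileBody

# Step 8: assign to the group as an INCLUDED target. The exclusion target type,
# '#microsoft.graph.exclusionGroupAssignmentTarget', is the mistake the note warns about.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignBody

# Check: list the resulting assignments and flag any exclusion target.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assignments"
foreach ($a in $check.value) {
    if ($a.target.'@odata.type' -eq '#microsoft.graph.exclusionGroupAssignmentTarget') {
        Write-Warning "Group $($a.target.groupId) is excluded and will not receive the profile."
    } else {
        Write-Output "Included group: $($a.target.groupId)"
    }
}
```

The final loop is the programmatic equivalent of the check in step 8.3: every group listed should be an included target, and a warning indicates the profile was assigned as an exclusion by mistake.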

Additional PDE configurations in Intune

The following PDE configurations can also be configured using Intune:

Prerequisites

Security hardening recommendations

More information