Microsoft has introduced a significant new feature in Windows 11, version 24H2: Personal Data Encryption (PDE). This feature strengthens file-level security, providing an effective solution for safeguarding sensitive data. Let’s explore PDE’s what, why, and how with a closer look at its protection levels and implementation.
What is Personal Data Encryption?
Personal Data Encryption (PDE) is a file-level encryption feature that protects user data stored in the following known folders:
- Desktop – where users often store essential files and shortcuts.
- Documents – commonly used to store text files, reports, and other critical documents.
- Pictures – a repository for personal images, photos, and visual media.
The main advantage of PDE lies in its focus on file-level encryption, which is different from full-disk encryption solutions like BitLocker or other file encryption methods like the Encrypting File System (EFS). While full-disk encryption secures the entire drive, PDE concentrates on individual files. This approach means that even if an administrator or someone with physical access decrypts the whole disk, the files protected by PDE remain safe and inaccessible. They can only be accessed by entering the appropriate user credentials, which adds a significant layer of security and could become part of our Security Baseline.
Note: Personal Data Encryption encrypts and protects files on the user's device only; on that device the data is protected from other users, including those with elevated rights. When the data leaves the device, it is accessible without encryption.
This feature is especially beneficial for individuals who need to safeguard sensitive information from unauthorized access while allowing ease of use for their day-to-day activities. By leveraging personal data encryption, users can confidently store valuable files in their Desktop, Documents, and Pictures folders without worrying about potential breaches or data theft.
PDE works by leveraging Windows Hello authentication, ensuring that encryption keys for protected files are unlocked only when the user authenticates successfully.
How PDE Differs from BitLocker and EFS
- Encrypting File System (EFS):
EFS allows users to encrypt specific files or folders manually. While it provides flexibility in choosing what to encrypt, it requires users or administrators to manage encryption certificates. EFS does not provide automatic encryption for predefined folders, and its functionality depends heavily on proper certificate management.
- Personal Data Encryption (PDE):
PDE bridges the gap by automatically encrypting files in predefined folders like Desktop, Documents, and Pictures. Unlike BitLocker, PDE remains effective even if the whole disk is decrypted because it operates at the file level. Unlike EFS, PDE does not require manual setup or certificate management, making it a simpler and more user-friendly option.
How Personal Data Encryption Works
PDE leverages Windows Hello authentication to ensure that the encryption keys for protected files are only unlocked when the user successfully authenticates. This integration enhances security while providing a seamless user experience. There’s no need to manage certificates manually (as required with EFS) or worry about the entire disk being accessible after login (as with BitLocker).
By focusing on the known folders where users typically store personal data, PDE offers a simple, effective way to safeguard sensitive information. It allows users to confidently store files without disrupting their day-to-day activities, balancing security and usability.
Why Use Personal Data Encryption?
In today’s world, where protecting sensitive information is critical, PDE offers a range of practical benefits:
- Exclusive Access: PDE ensures that only the user authenticated with Windows Hello can access their encrypted files on their device. Even someone with local admin rights on the device won’t have access.
- Focused Protection: By targeting specific files and folders, PDE provides more precise security than full-disk encryption methods, which protect the entire drive without distinction.
- Layered Security: Pairing PDE with BitLocker adds a second layer of protection—one for the drive and another for individual files.
- Effortless Use: PDE is straightforward for end users. Once authenticated, they can work with their files without additional steps.
- Industry Compliance: Sectors like healthcare, finance, and defense can use PDE to meet strict data protection standards by isolating and encrypting sensitive files within designated folders.
However, it’s important to note that PDE’s protection applies only on the device. If a file is transferred to another device, it will no longer be encrypted by PDE and can be accessed without restrictions. Similarly, PDE encrypts files on a per-user basis, meaning other users, even those with elevated rights, cannot access another user’s PDE-protected files on the same device.
Deploying and Configuring PDE
Prerequisites
Before enabling PDE, ensure the following requirements are met:
- Operating System: Windows 11 Enterprise or Education (version 24H2 Insider build).
- Device Join State: Microsoft Entra (formerly Azure AD) joined or hybrid joined.
- Authentication: Users must sign in using Windows Hello (PIN, fingerprint, or facial recognition), so Windows Hello has to be configured.
Deploying PDE Using Intune
To get PDE to work in Intune, we need to create an encryption policy. Go to Endpoint security | Disk encryption, click + Create Policy, choose the Windows platform, and select the Personal Data Encryption profile. Under Configuration settings, enable Personal Data Encryption (User) and configure the settings as shown in the picture below.

Assign the policy to your liking; we placed it in a user group.
Admin check Personal Data Protection.
When the Intune policy sets the settings on the device, a new registry key will be created under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\PDE, where we can also see the folders mentioned earlier.

In Event Viewer, we can explore detailed logs of the encryption process. By examining these logs, we can identify which files or folders are currently being encrypted, which helps in understanding the extent of the encryption activity and in managing files effectively. Monitor Event Viewer regularly to stay informed about which files are affected during the encryption process.
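The admin check described above, as an added PowerShell example (not code from the original post or from Microsoft): it reads the registry key the post names and then counts how many files in the three protected known folders carry the NTFS Encrypted attribute. Two assumptions are labelled in the code: the value and sub-key names under the PDE key are not assumed (they are simply listed), and treating the Encrypted file attribute as the indicator of PDE protection is an assumption based on the key living under the EFS branch. Run it in the signed-in user's own session, since the key is under HKEY_CURRENT_USER.

```powershell
# Added example: admin check for Personal Data Encryption (PDE) on the current user's session.
# Key path is taken from the post; its value/sub-key names are NOT assumed, only listed.
$pdeKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\PDE'

function Get-PdeRegistryState {
    # Reports whether the Intune policy has written the PDE key for this user, and what it contains.
    if (-not (Test-Path $pdeKey)) {
        return [pscustomobject]@{ Present = $false; Values = @{}; SubKeys = @() }
    }
    $values = @{}
    foreach ($p in (Get-ItemProperty -Path $pdeKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }   # skip PowerShell's PSPath etc.
    }
    $subKeys = @(Get-ChildItem -Path $pdeKey -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
    [pscustomobject]@{ Present = $true; Values = $values; SubKeys = $subKeys }
}

function Get-KnownFolderEncryptionSummary {
    # Desktop, Documents and Pictures are the three known folders PDE protects.
    $folders = [ordered]@{
        Desktop   = [Environment]::GetFolderPath('Desktop')
        Documents = [Environment]::GetFolderPath('MyDocuments')
        Pictures  = [Environment]::GetFolderPath('MyPictures')
    }
    foreach ($name in $folders.Keys) {
        $files = @(Get-ChildItem -Path $folders[$name] -File -Recurse -ErrorAction SilentlyContinue)
        # Assumption: a PDE-protected file shows the NTFS Encrypted attribute (PDE sits under EFS).
        $encrypted = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }).Count
        [pscustomobject]@{
            Folder    = $name
            Path      = $folders[$name]
            Files     = $files.Count
            Encrypted = $encrypted
            Plaintext = $files.Count - $encrypted   # files still unprotected; worth a closer look
        }
    }
}

$state = Get-PdeRegistryState
if (-not $state.Present) {
    Write-Warning "PDE key not found: the policy has not applied for this user yet."
} else {
    'PDE key present. Values:'
    $state.Values.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
    "Sub-keys: $($state.SubKeys -join ', ')"
}
Get-KnownFolderEncryptionSummary | Format-Table -AutoSize
```

A non-zero Plaintext count shortly after enrollment is expected while encryption is still in progress; compare it against the Event Viewer entries to see which files are being processed.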

If we need extra information on how things work in the backend, Rudy Ooms wrote it all down on the Patch My PC blog.
User Experience
Personal Data Encryption (PDE) provides an enhanced layer of security without disrupting the user's daily workflow. Here's how PDE integrates into the user experience:

Once enabled, PDE automatically encrypts files stored in the Desktop, Documents, and Pictures folders. Users don't need to take any additional steps to secure their data; no manual configuration or file selection is required. This automatic protection ensures that the most commonly used folders are always secure.
For the user, this means:
- Files in these folders are always encrypted and secure by default.
- There’s no need to remember extra passwords or manually encrypt files.
PDE operates silently in the background, making the encrypted files appear no different from unencrypted ones during regular use. When a user accesses their files, they are automatically decrypted, provided the user has authenticated through Windows Hello or their system credentials.
From the user’s perspective:
- They interact with their files as they usually would, without any noticeable performance impact.
- No additional steps are required to open or save files in the protected folders.
Conclusion
Personal Data Encryption (PDE) offers a modern and user-friendly solution for securing sensitive files on Windows devices. By focusing on file-level encryption in commonly used folders such as Desktop, Documents, and Pictures, PDE ensures that personal data remains protected even in scenarios where full-disk encryption may fall short. Its seamless integration with Windows Hello and automatic encryption make it an excellent choice for users who want robust security without compromising usability.
While PDE does not replace full-disk encryption like BitLocker or selective encryption solutions like EFS, it complements these tools by addressing specific use cases where individual file security is paramount. Whether for personal use or organizational deployment, PDE provides peace of mind by safeguarding critical files from unauthorized access.
For users and administrators alike, PDE delivers the perfect balance of security and simplicity, proving to be a valuable addition to Windows’ data protection arsenal. It’s an essential feature for anyone looking to secure their most important files with minimal effort.