This post introduces Personal Data Encryption (PDE): what it is, how it protects files, how it differs from BitLocker and EFS, and how to enable it on Windows 11 22H2. Keep reading for the details.

Windows 10 and Windows 11 21H2 offer two kinds of encryption, BitLocker and Windows Device Encryption. Starting with version 22H2, the Windows 11 Enterprise and Education editions add a third, Personal Data Encryption.

What Is Personal Data Encryption

Personal Data Encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that adds a further layer of encryption on top of the volume encryption Windows already provides. It is available in the Windows 11 Enterprise and Education editions.

Personal Data Encryption differs from BitLocker in that it encrypts individual files and content rather than entire volumes and disks. PDE uses Windows Hello for Business to bind the data encryption keys to the user's credentials, so the keys are only released once that user has authenticated, and the user has no extra secret to remember. PDE does not replace BitLocker: it protects only the content placed under it (in version 22H2 applications do this through the PDE API), while BitLocker protects the whole volume including the operating system, so Microsoft recommends keeping BitLocker enabled alongside PDE.

For example, when BitLocker is used with a pre-boot PIN, you authenticate twice: once with the BitLocker PIN and again with your Windows credentials, which means remembering two different secrets. With PDE you enter a single set of credentials through Windows Hello for Business.


How Does PDE Protect Files

When a file is PDE protected, its icon displays a padlock. A user who has not signed in with Windows Hello for Business, or an unauthorized user who tries to open PDE-protected content, is denied access. PDE-protected content is also inaccessible in the following situations:

  1. The user has signed in to Windows with a password instead of a Windows Hello for Business biometric or PIN.
  2. The content is secured at level 2 protection and the device is locked (level 1 protection only blocks access while the user is signed out).
  3. The content is accessed remotely, for example over a network share.
  4. The content is accessed from a Remote Desktop session.
  5. Another user on the same device, who is not the content owner, tries to open it, even if that user signed in with Windows Hello for Business and has NTFS permission to browse to the PDE-protected content.

PDE vs EFS

The main difference between protecting files with PDE instead of EFS is the method they use to protect the file. PDE uses Windows Hello for Business to secure the keys that protect the files. EFS uses certificates to secure and protect the files.

How to check if a file/folder is protected with PDE or with EFS:

  1. Right-click the file/folder to choose Properties.
  2. Under the General tab, select Advanced….
  3. In the Advanced Attributes window, select Details.

For a file protected by PDE, the Details dialog shows a Protection status: section containing the entry Personal Data Encryption is: with the value On.

For a file protected by EFS, the Details dialog lists a certificate thumbprint next to each user under Users who can access this file, and there is a section at the bottom, Recovery certificates for this file as defined by recovery policy:, listing the recovery agents.
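The same EFS check can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft: it reports which files under a folder carry the NTFS Encrypted attribute that EFS sets, and lists the certificate thumbprints that cipher.exe reports for them. Note that PDE does not set this attribute, so a file reported here as not EFS-encrypted may still be PDE-protected; the Details dialog above remains the place to see PDE status.

```powershell
# Added example: list EFS status for files under a folder.
# "EfsEncrypted" comes from the NTFS Encrypted attribute; "EfsAccess" is parsed
# from the output of cipher.exe /c, which prints the certificate thumbprints of
# the users and recovery agents who can decrypt an EFS file.
function Get-EfsStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $isEfs = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0

        $thumbprints = @()
        if ($isEfs) {
            # Keep only the "Certificate thumbprint: ..." lines from cipher /c.
            $thumbprints = & cipher.exe /c $_.FullName 2>$null |
                Where-Object { $_ -match 'thumbprint' } |
                ForEach-Object { ($_ -split ':', 2)[1].Trim() }
        }

        [pscustomobject]@{
            File         = $_.FullName
            EfsEncrypted = $isEfs
            EfsAccess    = ($thumbprints -join '; ')
        }
    }
}

# Usage (constructed example path; any folder works):
Get-EfsStatus -Path "$env:USERPROFILE\Documents" -Recurse | Format-Table -AutoSize
```

The thumbprint parsing depends on the English text of cipher.exe output; on a localized system, adjust the match pattern or rely on the EfsEncrypted column alone.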


How to Enable Personal Data Encryption

How to enable Personal Data Encryption? Follow the guide below:

1. Sign in to the Microsoft Intune admin center.

2. Go to Devices > Windows > Configuration profiles > Create a profile.

3. Click the Platform drop-down menu to choose Windows 10 and later. Click the Profile type drop-down menu to choose Settings catalog. Then, click Create.


4. Under the Basics part, type Personal Data Encryption and click Next.


5. Now in Configuration settings, you should click Add Settings.

6. Type Personal Data Encryption in the search box and select the PDE category.

7. Personal Data Encryption is disabled by default. Turn on Enable Personal Data Encryption (User) and click Next. This setting corresponds to the PDE CSP node ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption, which can also be set to 1 through a custom OMA-URI profile if you prefer that route.

8. Follow the on-screen instructions to finish the rest steps.

Security Hardening Recommendations

PDE keys live in memory while a user is signed in, so anything that writes system memory to disk can leak them. To reduce that risk, Microsoft recommends the following hardening on PDE-enabled devices:

  • Kernel-mode crash dumps and live kernel dumps can contain the keys PDE uses to protect content. For maximum security, disable kernel-mode crash dumps and live dumps.
  • Disable Windows Error Reporting to prevent user-mode crash dumps.
  • The hibernation file can likewise expose PDE keys. For maximum security, disable hibernation.
  • Disable the policy that lets users choose when a password is required when resuming from connected standby, so that a resumed device always requires authentication.
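The following PowerShell is an added example, not code from the original article or from Microsoft, that audits the first three recommendations above and, with -Apply, sets them. The registry values it touches are the ones behind the crash dump setting (CrashControl), the Windows Error Reporting policy, and hibernation. Live kernel dumps and the connected-standby password policy are controlled through Intune or Group Policy and are only flagged for manual review here. Run it from an elevated PowerShell session; the CrashControl change takes effect after a reboot.

```powershell
# Added example: audit (and optionally apply) PDE-related hardening settings.
# Usage:  .\Test-PdeHardening.ps1           # report only
#         .\Test-PdeHardening.ps1 -Apply    # set the values, then report
[CmdletBinding()]
param([switch] $Apply)

# Each entry: the registry value and the value it should have.
$checks = @(
    @{
        Name  = 'Kernel crash dumps disabled'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
        Value = 'CrashDumpEnabled'   # 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic
        Want  = 0
    },
    @{
        Name  = 'Windows Error Reporting disabled (no user-mode dumps)'
        Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
        Value = 'Disabled'
        Want  = 1
    },
    @{
        Name  = 'Hibernation disabled (no hiberfil.sys)'
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
        Value = 'HibernateEnabled'
        Want  = 0
    }
)

function Get-PdeHardeningState {
    foreach ($c in $checks) {
        $current = $null
        if (Test-Path -Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = $(if ($null -eq $current) { '(not set)' } else { $current })
            Compliant = ($current -eq $c.Want)
        }
    }
}

function Set-PdeHardening {
    foreach ($c in $checks) {
        if (-not (Test-Path -Path $c.Path)) {
            New-Item -Path $c.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Want -Type DWord
    }
    # powercfg also deletes hiberfil.sys, which the registry write alone does not.
    & powercfg.exe /hibernate off
}

if ($Apply) { Set-PdeHardening }
Get-PdeHardeningState | Format-Table -AutoSize

Write-Host 'Check manually: live kernel dumps (MemoryDump/AllowLiveDump policy) and the'
Write-Host 'Group Policy "Allow users to select when a password is required when resuming'
Write-Host 'from connected standby", which should be Disabled.'
```

Because the checks are driven by the $checks table, the same script can be extended with further registry-backed policies your baseline requires without touching the audit or apply logic.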
Tips:
If you want additional protection for your files and folders, you can also back them up to an external hard drive. MiniTool ShadowMaker Free can do this and supports password protection for the backup image.



Final Words

What Is Personal Data Encryption? How does Personal Data Encryption work? How to enable Personal Data Encryption on Windows 11? The above content provides answers for you. I hope you can find the information you need here.
