Introduction
In an era where data breaches and cyber threats are increasingly common, protecting your personal files has never been more important.
Windows 11 24H2 extends Personal Data Encryption (PDE), introduced in 22H2 as an API for applications, with protection for the known folders Desktop, Documents, and Pictures.
This post walks through enabling that folder protection with Microsoft Intune, hardening the configuration as Microsoft recommends, and what the end user sees afterwards.
Microsoft Intune
In Microsoft Intune, the Personal Data Encryption settings live in the Settings catalog under Personal Data Encryption, as shown in the screenshot below:
To protect the default locations (Desktop, Documents, and Pictures), turn on Enable Personal Data Encryption and set each of the three folder settings to “Enable PDE on the folder”, as shown in the screenshot below. The settings are user-scoped and only take effect for users who sign in with Windows Hello for Business.
Hardening of Personal Data Encryption
Microsoft recommends additional configuration to close the side channels through which PDE keys or decrypted file contents could be written to disk or exposed after a restart. Among the recommendations are disabling hibernation, kernel-mode crash dumps and live dumps, Windows Error Reporting (user-mode crash dumps), automatic sign-on after restart (ARSO), and the option that lets users delay the password prompt when resuming from connected standby.
The full list, with the exact settings, is in the official documentation: Personal Data Encryption settings and configuration | Microsoft Learn
I have configured the recommended hardening in a separate configuration policy in Microsoft Intune, so it can be assigned and reported on independently of the PDE policy itself, as shown in the screenshots below:
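Intune reports whether a policy was delivered, not whether the device is actually in the hardened state. The script below is an added example (not part of the original post and not a Microsoft tool) that reads the local state of the hardening settings listed above on a target device. The registry locations are assumptions based on the documented Group Policy / Policy CSP locations for each setting; `HibernateEnabled` reflects the effective power state, so `powercfg /a` is also run as the authoritative hibernation check. Run it elevated on a PDE-enabled device and compare against what the Intune policy is expected to set.

```powershell
# Audit-PdeHardening.ps1 (added example; not from the original post or from Microsoft)
# Reads the local state of the hardening settings Microsoft recommends alongside PDE.
# Registry paths are assumptions based on the documented policy locations for each setting.

$checks = @(
    @{
        Name     = 'Hibernation disabled'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
        Value    = 'HibernateEnabled'
        Expected = 0
        Why      = 'hiberfil.sys would contain decrypted keys and file contents from memory'
    },
    @{
        Name     = 'Kernel-mode crash dumps disabled'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
        Value    = 'CrashDumpEnabled'
        Expected = 0
        Why      = 'a kernel memory dump can carry key material to disk'
    },
    @{
        Name     = 'Windows Error Reporting disabled (policy)'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'
        Value    = 'Disabled'
        Expected = 1
        Why      = 'user-mode crash dumps can contain decrypted file contents'
    },
    @{
        Name     = 'Automatic restart sign-on (ARSO) disabled'
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Value    = 'DisableAutomaticRestartSignOn'
        Expected = 1
        Why      = 'ARSO signs the user back in after a restart without a fresh Windows Hello unlock'
    },
    @{
        Name     = 'Users may not delay the lock when resuming from connected standby'
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
        Value    = 'AllowDomainDelayLock'
        Expected = 0
        Why      = 'a delayed lock leaves the keys usable after the device resumes'
    }
)

function Get-PdeHardeningState {
    # Returns one object per check; Actual is '<not set>' when the value or key is absent,
    # which is treated as a failure because the default for every one of these is the unsafe state.
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Value) }
        }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Pass     = ($null -ne $actual) -and ([int]$actual -eq $c.Expected)
            Why      = $c.Why
        }
    }
}

$results = Get-PdeHardeningState
$results | Format-Table Check, Expected, Actual, Pass -AutoSize

# powercfg is authoritative for hibernation: 'Hibernate' must not appear under the available sleep states.
powercfg /a

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} hardening check(s) failed: {1}" -f $failed.Count, ($failed.Check -join '; '))
    exit 1
}
exit 0
```

The script is deliberately read-only: a non-zero exit code is meant to feed a compliance or Proactive Remediation detection step, with the remediation left to the Intune policy so that the device's configuration has a single owner.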
End-user experience
With folder protection enabled, Personal Data Encryption (PDE) encrypts the files and folders under Desktop, Documents, and Pictures. The keys are bound to the user's Windows Hello for Business credential, so the contents are readable only while that user is signed in with Windows Hello for Business. PDE complements BitLocker rather than replacing it: BitLocker protects the volume while the device is powered off, PDE protects the user's files while the device is running.
Any other account on the device that tries to open a file in these folders, including other administrators, who do not hold the user's Windows Hello key, receives an “Access is denied” error, as shown below:
If the same user signs in with a password instead of Windows Hello for Business (WHfB), the PDE keys are not released, and Windows shows a notification that Windows Hello for Business is required to access the encrypted files: