Intune – Enable Personal Data Encryption for added security

As you know, Windows devices with the OneDrive client allow your end users to redirect their personal folders (Documents, Desktop, ...) to OneDrive.

This allows you to leverage some security capabilities provided by SharePoint Online/OneDrive, such as versioning or the ability to recover the complete OneDrive space in case of corruption or encryption by malware.

This also replaces the 'old school' roaming profile or home drive from the Active Directory world.

While Windows devices should already be protected by BitLocker disk encryption, your end users' personal folders may contain sensitive information that requires an additional level of protection.

Even with BitLocker, other users logging on to the device (for example, a local administrator) may be able to access a user's personal folders.

Well, you can now add an additional level of security by implementing Personal Data Encryption (PDE), which adds a layer of encryption tied to the user account's Windows Hello credentials.

Once PDE is implemented, personal folders are encrypted with keys protected by Windows Hello and are only accessible during the logged-on user's session; even while the session is locked, personal content is not available to any other user logged on to the device.

First things first, here are the requirements:

  • Windows 11 24H2 (or later) Enterprise
  • Entra ID Joined or Hybrid Joined devices
  • User must sign in using Windows Hello (no password)
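
Before deploying the profile, it helps to confirm the requirements above on a pilot device. The following PowerShell script is an added example (not from the original post) that checks the OS build and edition, the Entra ID / hybrid join state, and whether the signed-in user has a Windows Hello key provisioned; it assumes Windows 11 24H2 corresponds to OS build 26100 and that `dsregcmd /status` reports the `AzureAdJoined`, `DomainJoined` and `NgcSet` fields.

```powershell
# Added example: PDE readiness check, run in the end user's session on the target device.
# Assumptions: Windows 11 24H2 = OS build 26100; dsregcmd /status prints "Name : VALUE"
# lines including AzureAdJoined / DomainJoined (device) and NgcSet (signed-in user).

function Test-PdeReadiness {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Parse dsregcmd /status output into a hashtable of field name -> value.
    $dsreg = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(\S+)\s*$') {
            $dsreg[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $dsreg['AzureAdJoined'] -eq 'YES'
    $domain = $dsreg['DomainJoined']  -eq 'YES'   # hybrid join = AzureAdJoined + DomainJoined

    $checks = [ordered]@{
        'Windows 11 24H2 or later (build >= 26100)' = ($build -ge 26100)
        'Enterprise edition'                         = ($os.Caption -match 'Enterprise')
        'Entra ID joined or hybrid joined'           = $aad
        'Windows Hello key provisioned (NgcSet)'     = ($dsreg['NgcSet'] -eq 'YES')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Output ("[{0}] {1}" -f $state, $name)
    }
    if ($aad -and $domain) {
        Write-Output '       Join type: hybrid (AzureAdJoined and DomainJoined)'
    }

    # $true only when every requirement passes.
    return -not ($checks.Values -contains $false)
}

Test-PdeReadiness
```

Run it as the user who will sign in with Windows Hello, since the `NgcSet` field reflects the current user's state, not the device's.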

Additional recommendations should be implemented:

Once you are ready, connect to your Intune portal and create a Personal Data Encryption profile from the Endpoint Security\Disk Encryption blade.


You can then choose to turn on PDE for the Pictures, Documents and Desktop folders.


Once the profile has been deployed and applied, end users will see a lock icon at the top right of these folders and a new option, "File Ownership".


When a user tries to log on to the device with their password, they will get the notification "You need to sign in with Windows Hello".
