As you know, Windows devices running the OneDrive client let your end users redirect their personal folders (Documents, Desktop, ...) to OneDrive.
This lets you leverage security capabilities provided by SharePoint Online/OneDrive, such as file versioning or the ability to restore an entire OneDrive to an earlier point in time after corruption or encryption by malware.
It also replaces the 'old school' roaming profile or home drive of the Active Directory world.
While Windows devices should already be protected by BitLocker disk encryption, your end users' personal folders may contain sensitive information that requires an additional level of protection.
BitLocker protects the volume at rest; once the device has booted and the volume is unlocked, other users logging on to the device (for example a local administrator) may still be able to read another user's personal folders.
You can now add that level of protection by implementing Personal Data Encryption (PDE), which adds a second layer of encryption whose keys are tied to the user's Windows Hello credentials.
Once PDE is in place, the selected folders are encrypted with keys released from the user's Windows Hello container and are only accessible during that user's signed-in session; while the session is locked, and to any other user signed on to the device, the content is not readable.
First things first, here are the requirements:
- Windows 11 24H2 (or later) Enterprise
- Entra ID joined or hybrid joined devices
- Users must sign in with Windows Hello (PIN or biometric), not with a password
Additional recommendations should be implemented:
- Ensure OneDrive backup (known folder move) is enabled (see Back up your folders with OneDrive – Microsoft Support); it can be turned on manually by end users or enforced with Group Policy or Intune profiles (IT Admins – Use OneDrive policies to control sync settings – SharePoint in Microsoft 365 | Microsoft Learn). Since the PDE keys are bound to the user's Windows Hello credential, the OneDrive copy is your practical recovery path for the protected folders.
- Disable FIDO2 security key sign-in and Remote Desktop (RDP), as neither currently supports unlocking the Windows Hello container, so a user signing in that way would not get access to the PDE-protected folders (FIDO2 security key sign-in to Windows – Microsoft Entra ID | Microsoft Learn and Understanding Remote Desktop Protocol (RDP) – Windows Server | Microsoft Learn)
- Disable Automatic Restart Sign-On (ARSO), typically used with Windows Update to sign the user back on automatically after a restart, since that automatic sign-on is not an interactive Windows Hello sign-in (Winlogon Automatic Restart Sign-On (ARSO) | Microsoft Learn)
- Enable the PIN reset service, so a user who forgets their PIN can recover it without a destructive reset of their Windows Hello container (PIN reset | Microsoft Learn)
- Disable hibernation and crash dumps, so PDE keys held in memory cannot end up in a hibernation file or memory dump on disk (How to disable and re-enable hibernation – Windows Client | Microsoft Learn and Generate a kernel or complete crash dump – Windows Client | Microsoft Learn)
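Before deploying the Intune profile, it is worth checking a pilot device against the requirements and recommendations above. The script below is an added example, not part of the original post or of Microsoft's tooling: it audits the OS build and edition, the join state (via dsregcmd), the OneDrive known folder move policy, and the hibernation, crash dump, ARSO, RDP and FIDO2 sign-in settings, and can optionally apply the local registry/powercfg fixes. The registry locations used are the well-known policy-backed values for these settings; the PIN recovery location is an assumption and is flagged as such in the code. Intune or Group Policy remains the right way to enforce these at scale; this is for validating a single machine.

```powershell
# Added example (not from the original post): audit a Windows 11 device against the
# PDE prerequisites and hardening recommendations, optionally remediating locally.
# Run from an elevated PowerShell session on the target device.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }                                   # key or value absent
}

function Test-PdeReadiness {
    [CmdletBinding()]
    param([switch]$Remediate)

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # --- Hard requirements --------------------------------------------------
    $build   = [System.Environment]::OSVersion.Version.Build         # 24H2 = build 26100
    $edition = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' 'EditionID'
    Add-Check 'Windows 11 24H2 or later' ($build -ge 26100) "build $build"
    Add-Check 'Enterprise edition' ($edition -like 'Enterprise*') "EditionID=$edition"

    $dsreg  = (& dsregcmd.exe /status) -join "`n"
    $entra  = $dsreg -match 'AzureAdJoined\s*:\s*YES'
    $domain = $dsreg -match 'DomainJoined\s*:\s*YES'
    Add-Check 'Entra ID joined or hybrid joined' $entra "AzureAdJoined=$entra DomainJoined=$domain"

    # OneDrive known folder move: the policy value is the tenant ID, so only presence is checked
    $kfm = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' 'KFMSilentOptIn'
    Add-Check 'OneDrive KFM policy configured' (-not [string]::IsNullOrEmpty($kfm)) "KFMSilentOptIn=$kfm"

    # --- Recommendations: settings that would expose or bypass the PDE keys ---
    # Want = required DWORD value; NullOk = an absent value already counts as compliant
    $policies = @(
        @{ Name='Hibernation disabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Power'
           Value='HibernateEnabled'; Want=0; NullOk=$false; Fix={ & powercfg.exe /hibernate off } }
        @{ Name='Crash dumps disabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
           Value='CrashDumpEnabled'; Want=0; NullOk=$false }
        @{ Name='ARSO disabled'; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Value='DisableAutomaticRestartSignOn'; Want=1; NullOk=$false }
        @{ Name='RDP disabled'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
           Value='fDenyTSConnections'; Want=1; NullOk=$false }
        @{ Name='FIDO2 security key sign-in disabled'     # off unless a policy turns it on
           Path='HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
           Value='UseSecurityKeyForSignin'; Want=0; NullOk=$true }
        @{ Name='PIN recovery enabled'                    # ASSUMED GPO-backed location for "Use PIN recovery"
           Path='HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
           Value='EnablePinRecovery'; Want=1; NullOk=$false }
    )

    foreach ($p in $policies) {
        $cur  = Get-RegValue $p.Path $p.Value
        $pass = if ($null -eq $cur) { $p.NullOk } else { [int]$cur -eq $p.Want }
        if (-not $pass -and $Remediate) {
            if ($p.Fix) { & $p.Fix }                      # powercfg writes HibernateEnabled itself
            else {
                New-Item -Path $p.Path -Force | Out-Null
                Set-ItemProperty -Path $p.Path -Name $p.Value -Value $p.Want -Type DWord
            }
            $cur  = Get-RegValue $p.Path $p.Value         # re-read to confirm the change took
            $pass = [int]$cur -eq $p.Want
        }
        $shown = if ($null -eq $cur) { '<absent>' } else { $cur }
        Add-Check $p.Name $pass "$($p.Value)=$shown"
    }
    return $results
}

# Usage: report only, then (if you accept local changes) remediate and list what still fails
Test-PdeReadiness | Format-Table -AutoSize
# Test-PdeReadiness -Remediate | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

The OneDrive and PIN reset checks are report-only: the KFM policy needs your tenant ID and the PIN reset service also needs admin consent in Entra, so neither is something a local script should set. A device that passes every row is ready for the PDE profile; anything that only passes after -Remediate should be put into the corresponding Intune or Group Policy setting so it survives re-imaging.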
Once you are ready, open the Intune admin center and create a Personal Data Encryption profile from the Endpoint security > Disk encryption blade.
You can then turn PDE on for the Desktop, Documents and Pictures folders.
Once the profile has been deployed and applied, end users will see a lock icon at the top right of these folders and a new "File Ownership" option.
If a user tries to sign in to the device with their password instead of Windows Hello, they get the notification "You need to sign in with Windows Hello", and the protected folders remain inaccessible until they do.