Personal Data Encryption folder protection now available on Windows 11



Windows IT Pro Blog:

The new Personal Data Encryption known folder protection capability is now available on Windows 11, version 24H2 Enterprise and Education editions. This feature uses Windows Hello authentication to add extra protection to files stored in select Windows folders.

The Secure Future Initiative at Microsoft highlights security as our top priority. That's why Windows 11 is the most secure operating system we've ever built. With an established security baseline, Windows 11 helps ensure consistent hardware security across all devices, providing confidence in the operating system and all experiences built on top of it. In addition to being more secure by default than Windows 10, we continuously add new security capabilities with each release to stay ahead of emerging threats.

Let's explore how Personal Data Encryption works and how it can help protect content for users within an organization.

What is Personal Data Encryption?

Personal Data Encryption is a user-authenticated encryption mechanism that provides an additional layer of security on top of BitLocker. It helps protect sensitive files saved in the following known folders:
  • Desktop
  • Documents
  • Pictures
Personal Data Encryption releases the data encryption keys only after the user authenticates with Windows Hello; until then the protected files remain unreadable, and afterwards they are accessible to that user as normal.

Note: Personal Data Encryption and BitLocker are independent security features. Personal Data Encryption can be used with or without other full-disk encryption solutions. However, having disk encryption enhances device security when it is shut down.

Personal Data Encryption encrypts individual files and directories; protected items are marked with a lock icon in File Explorer. Because the keys are released only by the owning user's Windows Hello authentication, even a device administrator cannot read another user's protected file content, which adds a second layer of protection if the device is lost or stolen.

There are two levels of protection offered by Personal Data Encryption:
  • Level 1 (L1): Content becomes available after the user first signs in to their PC and will be available until they sign out or shut down.
  • Level 2 (L2): Content becomes available only while the device is unlocked. When the user relocks their device, the files will be locked again.
Personal Data Encryption for known folders helps protect data with L1 protection. If you're a developer, the Personal Data Encryption API allows you to choose between L1 and L2 protection for your app data based on your needs.

To enable Personal Data Encryption for known folders, you can push a policy to users in your organization using a device management solution such as Microsoft Intune. Apply this additional protection to content in the three known Windows folders, including all file types and subfolders, to help provide additional security from startup to first sign in.

If you work in an organization that handles sensitive data, such as insurance, healthcare, defense, or financial industries, use Personal Data Encryption folder protection in conjunction with BitLocker to achieve a double layer of encryption.

Personal Data Encryption folder protection capabilities

When you configure Personal Data Encryption for known folders, you have the following options:
  • Select all, or a subset, of the three known Windows folders using Intune to apply protection for devices in your organization.
  • Protect all contents (folders, subfolders, files) in the three known Windows folders to the L1 level of protection, where data becomes available after the user signs in for the first time.
  • Choose to remove protection on a previously protected folder, which will remove protection on its contents, including subfolders.

Prerequisites and recommendations for Personal Data Encryption

To enable Personal Data Encryption folder protection, ensure these three prerequisites are met:
  • The device runs Windows 11 Enterprise or Education, version 24H2 or later.
  • The device is Microsoft Entra joined or Microsoft Entra hybrid joined.
  • Users sign in with a Microsoft Entra ID account using Windows Hello.
In addition, we recommend the following actions when using Personal Data Encryption:
  • Back up the protected data to the cloud, for example with OneDrive backup. This ensures a complete copy of Personal Data Encryption protected data exists if a user can no longer authenticate with Windows Hello.
  • Disable FIDO authentication and Remote Desktop Protocol (RDP) sign-in. At this time, neither FIDO authentication nor RDP unlocks the Windows Hello container that protects the Personal Data Encryption keys, so protected content is not available to someone who signs in to the device using FIDO or RDP.
  • Disable Winlogon automatic restart sign-on (ARSO). ARSO signs the last user back in automatically after a restart, without Windows Hello. With ARSO disabled, people at your organization may have to sit through an OS upgrade interactively (normally once every few years) and will see a flashing screen while apps migrate.
  • Use the Microsoft PIN reset service so users can reset their Windows Hello for Business PIN. This ensures the Personal Data Encryption keys that protect user files can still be retrieved from the Windows Hello container after a PIN reset.
  • Disable hibernation and crash dumps, so that Personal Data Encryption keys held in memory cannot be written to hiberfil.sys or to crash dump files.
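The following PowerShell script, added here as an example and not taken from the Microsoft post, checks each prerequisite and recommendation above on a device before the Intune policy is assigned. It reads standard Windows registry values and the output of dsregcmd /status; the one assumption, marked in the code, is the registry location of the FIDO security-key sign-in policy. The 24H2 build threshold (26100) and the registry value meanings are standard Windows facts.

```powershell
# Added example, not part of the Microsoft post: a read-only preflight check for
# Personal Data Encryption (PDE) folder protection. Run it in the signed-in
# user's own session on the target Windows 11 device (reading these keys does
# not require elevation; NgcSet is reported for the user running dsregcmd).

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# --- Prerequisites -----------------------------------------------------------

# Edition and version: Enterprise or Education, 24H2 (build 26100) or later.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
Add-Check 'Enterprise or Education edition' ($cv.EditionID -match '^(Enterprise|Education)') "EditionID=$($cv.EditionID)"
Add-Check 'Windows 11 24H2 or later' ($build -ge 26100) "$($cv.DisplayVersion) (build $build)"

# Join state: PDE needs the device to be Entra joined or Entra hybrid joined.
$dsreg        = dsregcmd /status
$entraJoined  = [bool]($dsreg | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
$domainJoined = [bool]($dsreg | Where-Object { $_ -match '^\s*DomainJoined\s*:\s*YES' })
$joinDetail   = if ($entraJoined -and $domainJoined) { 'Entra hybrid joined' }
                elseif ($entraJoined) { 'Entra joined' } else { 'not Entra joined' }
Add-Check 'Entra joined or hybrid joined' $entraJoined $joinDetail

# Windows Hello for Business key provisioned for this user ("NgcSet : YES" in
# the User State section of dsregcmd /status).
$ngcSet = [bool]($dsreg | Where-Object { $_ -match '^\s*NgcSet\s*:\s*YES' })
Add-Check 'Windows Hello for Business provisioned for current user' $ngcSet "NgcSet=$ngcSet"

# --- Recommendations ---------------------------------------------------------

# ARSO: DisableAutomaticRestartSignOn = 1 means automatic restart sign-on is off.
$arso = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableAutomaticRestartSignOn'
Add-Check 'ARSO disabled' ($arso -eq 1) "DisableAutomaticRestartSignOn=$arso"

# Hibernation: HibernateEnabled = 0 means no hiberfil.sys is written.
$hib = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
Add-Check 'Hibernation disabled' ($hib -eq 0) "HibernateEnabled=$hib"

# Crash dumps: CrashDumpEnabled = 0 disables kernel memory dumps entirely.
$dump = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled'
Add-Check 'Crash dumps disabled' ($dump -eq 0) "CrashDumpEnabled=$dump"

# RDP: fDenyTSConnections = 1 means inbound Remote Desktop connections are refused.
$rdp = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
Add-Check 'RDP disabled' ($rdp -eq 1) "fDenyTSConnections=$rdp"

# FIDO security-key sign-in. Assumption: the Intune "Use security keys for
# sign-in" policy lands in this key; a missing value or 0 means it is not enabled.
$fido = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey' 'UseSecurityKeyForSignin'
Add-Check 'FIDO security-key sign-in not enabled' (-not ($fido -eq 1)) "UseSecurityKeyForSignin=$fido"

# --- Report ------------------------------------------------------------------
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -eq 0) {
    Write-Host 'All PDE prerequisites and recommendations are satisfied.'
} else {
    Write-Warning "$($failed.Count) check(s) failed. Until the prerequisites are met, the Intune PDE policy protects the folders with DPAPI instead of Windows Hello."
}

# Remediation for the recommendations, from an elevated session, if you choose to apply them locally:
#   powercfg /hibernate off
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Value 0 -Type DWord
#   Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name DisableAutomaticRestartSignOn -Value 1 -Type DWord
```

The prerequisite checks are the ones that decide whether the device gets Windows Hello-bound keys or the DPAPI fallback, so treat a failure there as blocking; the recommendation checks are about where the keys could leak (hiberfil.sys, dump files, a session unlocked without Windows Hello) and are normally enforced through the same Intune configuration rather than the local commands shown in the comments.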

How to configure Personal Data Encryption folder protection

You can apply Personal Data Encryption folder protection as a policy for a given user on a particular device using a mobile device management (MDM) service like Microsoft Intune. The MDM solution uses configuration service providers (CSPs) to help manage settings on the device. Use the Personal Data Encryption CSP to enable Personal Data Encryption.

Starting with Windows 11, version 24H2, you can choose protection for all three or a subset of the known Windows folders (Documents, Desktop and Pictures). These settings are available in Microsoft Intune as a disk encryption template named “Personal Data Encryption” beginning with the 2409 service release.

Create a policy for devices in your organization, following these steps.
  1. In the Microsoft Intune admin center, navigate to Endpoint Security > Disk encryption > Create Policy.
  2. Select the Windows platform and the Personal Data Encryption profile in the Create a profile popup, as shown below.

    Screenshot of Microsoft Intune admin center: Disk encryption Create profile popup
  3. Create profile by providing a name and description.

    Screenshot of Microsoft Intune admin center: Create profile name and description
  4. Enable Personal Data Encryption in Configuration settings and then choose all or a subset of the known Windows folders.

    Screenshot of Microsoft Intune admin center: Enable Personal Data Encryption in Configuration settings
  5. Finally, select the Scope tags, followed by Users to assign this policy to. Then, Review and Create profile.

    Screenshot of Microsoft Intune admin center: Select scope tags and assign policies to user
Note: If the prerequisites are not met when the Intune policy above is applied, the data in the selected folders is protected with the Data Protection API (DPAPI) instead, whose keys derive from the user's sign-in credential rather than being released by Windows Hello. Once all prerequisites are met, the device switches to protecting the data with Personal Data Encryption and Windows Hello.

Personal Data Encryption user experience

Once the Personal Data Encryption policy is deployed, protection will start. The user can go about their work as normal, opening files, altering them, and closing them again. The protection effectively remains transparent to the end user. Users will see a yellow padlock badge on the protected folders and the files within those folders, which indicates that their data has an extra layer of protection as shown below.

Screenshot showing Pictures folder Camera roll with yellow padlocks representing locked files and folders


If a local device administrator on this device tries to open these files, they receive an "Access denied" error, because the keys are released only to the owning user after Windows Hello authentication and the administrator has not performed that authentication.

Security and innovation for a reliable digital future

Personal Data Encryption folder protection is another step on our journey to add additional layers of protection to user data on Windows 11. Personal Data Encryption works independently of BitLocker, or any other volume-level encryption, and can be used alongside it to achieve double encryption for your files.

Nearly 40 years after its launch, Windows continues to evolve to meet the challenges of the ever-changing digital landscape and deliver on expectations for reliability and security. Security is a team effort. By collaborating with original equipment manufacturers (OEMs), partners, app developers and others, we deliver Windows from chip to cloud, secure by design and default.

Additional resources

Source:
It’s double secret probation encryption!

After quickly reading through this, I wonder how it is better than the existing EFS available to Pro and above, not just in education and enterprise. EFS already protects files from other users and admins on the machine. It is also tied to logins and Windows Hello. EFS has been around for a while, so its protection characteristics and recovery options are well understood. This new scheme also doesn't seem to protect against infostealers; admins and other users are hardly "emerging" threats.
