Imagine you’ve got a box of top-secret snacks in your office. BitLocker is like locking the office door, but Personal Data Encryption? That’s like locking the snack box and only giving the key to your fingerprint. Welcome to the snack-safe future of file security.
In this post, we’re unpacking Microsoft’s new Personal Data Encryption (PDE) feature in Windows 11 24H2 and showing you how to roll it out using Intune. We’ll also peek at what happens when users (or sneaky admins) try to bypass it. Let’s dive in.
What’s Personal Data Encryption, Anyway?
Personal Data Encryption is Microsoft’s answer to “What if someone else logs into my device?” Unlike BitLocker, which encrypts the whole drive and unlocks it at boot, PDE works on top of BitLocker: it encrypts the contents of individual known folders (Desktop, Documents and Pictures) and ties the decryption keys to your Windows Hello for Business credentials (PIN or biometric).
So even if someone with admin rights pokes around while you’re signed out, your files stay sealed tighter than grandma’s cookie jar, because the keys left memory the moment you signed out.
Why Should You Care?
Glad you asked. PDE is built to:
- Stop nosy insiders and malware from reading your stuff
- Toss the decryption keys the moment you sign out
- Make sure even IT admins can’t snoop without your Hello login
It’s like having a guard dog that only listens to your face. Yes, it fits right into a Zero Trust strategy because trust is earned, not assumed.
Before You Flip the Switch: What You’ll Need
Before you go turning this feature on, here’s your quick checklist:
- Windows 11 Enterprise or Education (24H2 or later) – Don’t be scared off by the “Windows Insider” tag in Intune. It works without Insider enrollment.
- Proper Licensing – Make sure the user has a license that includes PDE. No magic here, just check your SKU.
- Entra ID Join & Hello for Business Credentials – The device must be Entra ID joined (cloud or hybrid). No love for old-school domain joins. And yes, users need to sign in with Windows Hello for Business, because that is what the PDE keys are bound to.
- Hardware – TPM 2.0? Check. Fingerprint or PIN? Check. If the device runs Windows 11, you’re probably good to go.
Configuring Personal Data Encryption Policies in Microsoft Intune
Microsoft Intune makes it straightforward to deploy and manage Personal Data Encryption settings across your Windows 11 devices.
- Navigate to Disk Encryption Policies: In the Microsoft Intune admin center, go to Endpoint security > Disk encryption, then choose + Create Policy

- Choose Platform and Profile: In the Create a profile dialog, select Platform: Windows and for Profile pick Personal Data Encryption

- Name the Policy and add a description.

- Configuration Settings – Enable PDE: On the Configuration settings page, set “Enable Personal Data Encryption (User)” to Enabled. This is the master switch for PDE in the user context; once it is on, the known-folder settings become available. Intune provides separate toggles for Protect Desktop (User), Protect Documents (User) and Protect Pictures (User); set each one you want covered to “Enable PDE on folder”. The “(User)” suffix is a reminder that these settings are applied in the context of the signed-in user rather than to the device as a whole, which is why each user on a shared device ends up with their own keys.

- Assign and Create the Policy
Once the policy lands, the device starts encrypting the selected folders quietly in the background. Users might notice the lock overlay on file icons or a brief notification, but otherwise it’s business as usual.
Hello or Bust: How PDE Actually Works
Here’s where things get interesting. PDE is tightly married to Windows Hello for Business. Sign in any other way and the PDE keys never get unsealed? No dice.
- Log in with Hello – Files decrypt and act normal. Smooth sailing.
- Log in with a password – Files stay locked. Think of it like ringing the doorbell to your own house, but forgetting your keys.
- Remote Desktop? Nope. – RDP won’t unlock files either. No Hello handshake, no access.
- Admin Access? Still Nope. – Another account on the same machine, local admin or not, gets nowhere. The keys are tied to your Hello for Business container, so an admin can copy the ciphertext but can’t decrypt it.
So if someone thinks they’re being clever and signs in another way, surprise! It’s encrypted.
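To confirm that the Intune policy from the steps above actually landed, and to see the Hello-or-bust behaviour described in this section for yourself, here is an added PowerShell example. It is not part of the original post and not Microsoft’s tooling; it assumes it runs in the session of the user whose folders are protected, and that PDE, like the EFS machinery it builds on, marks protected files with the Encrypted attribute. The function name and the report columns are made up for this example.

```powershell
# Added example, not from the original post: audit the PDE-protected known
# folders from inside the user's own session. PDE builds on EFS, so a protected
# file carries the Encrypted attribute; whether it can actually be opened
# depends on whether this session holds the user's PDE key, which only a
# Windows Hello for Business sign-in unseals.
# Assumptions: run as the user whose folders are protected; no elevation needed.

$knownFolders = [ordered]@{
    Desktop   = [Environment]::GetFolderPath('Desktop')
    Documents = [Environment]::GetFolderPath('MyDocuments')
    Pictures  = [Environment]::GetFolderPath('MyPictures')
}

function Test-PdeFolder {
    param([string]$Name, [string]$Path)

    $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue)
    $encrypted = 0; $plain = 0; $locked = 0
    $lockedFiles = New-Object System.Collections.Generic.List[string]

    foreach ($f in $files) {
        $isEncrypted = ($f.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
        if ($isEncrypted) { $encrypted++ } else { $plain++ }

        # Open for read only. With the PDE key loaded this succeeds; without it
        # the open is refused with "Access is denied", even for an administrator.
        try {
            $stream = [IO.File]::Open($f.FullName, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
            $stream.Dispose()
        } catch [System.UnauthorizedAccessException] {
            if ($isEncrypted) { $locked++; $lockedFiles.Add($f.FullName) }
        } catch {
            # Sharing violations, odd reparse points and the like are not a PDE signal; skip them.
        }
    }

    [pscustomobject]@{
        Folder          = $Name
        Path            = $Path
        TotalFiles      = $files.Count
        Encrypted       = $encrypted
        NotEncrypted    = $plain
        EncryptedLocked = $locked
        LockedFiles     = $lockedFiles
    }
}

$report = foreach ($entry in $knownFolders.GetEnumerator()) {
    if (Test-Path -LiteralPath $entry.Value) { Test-PdeFolder -Name $entry.Key -Path $entry.Value }
}

$report | Format-Table Folder, TotalFiles, Encrypted, NotEncrypted, EncryptedLocked -AutoSize

# Anything encrypted but unreadable means this session holds no PDE key:
# password-only sign-in, RDP, or a different account (admin or not).
$report | Where-Object EncryptedLocked -gt 0 | ForEach-Object { $_.LockedFiles } | Select-Object -First 10
```

Run it once after a Windows Hello for Business sign-in and once after a password-only sign-in to the same account. The Encrypted count should be identical both times, while EncryptedLocked should be zero with Hello and equal to Encrypted without it; a non-zero NotEncrypted count points at files the background encryption has not reached yet. For a single file, `cipher.exe /c <path>` shows the EFS encryption details as well.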
User Experience: What They’ll Notice (or Not)
To better illustrate the impact of Personal Data Encryption, let’s walk through a scenario of a user with PDE enabled on their device, showing what happens to their data in two situations: when they sign in normally with Windows Hello, and when they do not.
Logging in with Windows Hello:

Logging in without Windows Hello (password-only):
Side note: It took everything in me to log in with a password.


Access by another user or administrator:
My LAPS account in this case.

Why It Matters: Security & Compliance Wins
Here’s what you gain with PDE:
- Double Encryption Defense – BitLocker secures the whole drive; PDE guards the crown jewels inside.
- Zero Trust in Action – Every access attempt is validated with Hello.
- Compliance Confidence – PDE helps you show that personal data at rest is protected per user, the kind of control GDPR, HIPAA and similar regulations ask for.
- Peace of Mind – Lost laptop? Malicious admin? Doesn’t matter: the files are unreadable without Hello.
Wrapping It Up
Personal Data Encryption in Windows 11 24H2 is like giving every user their own personal vault. Even if someone gets into the house, they can’t open the safe without the right face (or finger, or PIN).
For IT pros, it’s an easy win: configure the policy once in Intune and rest easy knowing that sensitive data is protected on a user-by-user basis.
So go ahead, flip that switch, and give your users (and your compliance officer) something to smile about.