Microsoft has launched Personal Data Encryption for Windows 11 (version 24H2) Enterprise and Education editions, enhancing file security in known folders like Desktop and Documents. This feature uses Windows Hello for authentication, ensuring sensitive data is accessible only to authorized users. By adding a layer of protection on top of BitLocker, it helps safeguard files against unauthorized access, especially in organizations handling sensitive information.2. **:**

Personal Data Encryption: A New Era of Security for Windows 11

Microsoft has unveiled a powerful new feature in Windows 11, version 24H2: Personal Data Encryption folder protection. This capability is designed to enhance security for sensitive files stored in known folders.

What’s New?

The Personal Data Encryption feature utilizes Windows Hello authentication, providing an additional layer of security. It primarily protects files in the following folders:

• Desktop
• Documents
• Pictures

As Microsoft states,

“Windows 11 is the most secure operating system we’ve ever built.”

This new feature exemplifies that commitment to security.

Major Updates

Personal Data Encryption operates independently of BitLocker, although using both together enhances overall device security. It encrypts individual files and directories, indicated by a lock icon. This ensures that even device administrators cannot access user files, adding crucial protection if a device is lost or stolen.

Two levels of protection are available:

• Level 1 (L1): Content is accessible after the user signs in and remains available until sign-out or shutdown.
• Level 2 (L2): Content is only accessible while the device is unlocked. Once relocked, files are secured again.

What’s Important to Know?

Organizations handling sensitive data, such as in finance or healthcare, should consider using Personal Data Encryption alongside BitLocker. This dual-layer approach significantly boosts security.

To enable this feature, organizations can push a policy using Microsoft Intune. This allows for the protection of all content in the three known Windows folders, ensuring comprehensive security from startup to sign-in.

As noted in the blog,

“Personal Data Encryption helps protect sensitive files saved in known folders.”

This is particularly vital for businesses that prioritize data security.

Configuration and Recommendations

To set up Personal Data Encryption, ensure the following prerequisites are met:

• The device runs Windows 11 Enterprise (version 24H2 or later).
• The device is Microsoft Entra or Microsoft Entra hybrid joined.
• Users must sign in using Windows Hello with a Microsoft Entra ID account.

For optimal use, back up data to the cloud using OneDrive. Additionally, disabling FIDO authentication and Remote Desktop Protocol is recommended, as they currently do not unlock the Windows Hello container.

Conclusion

With Personal Data Encryption, Microsoft is taking significant steps to enhance user security in Windows 11. This feature not only protects sensitive information but also ensures that users can work seamlessly without compromising security.

Personal Data Encryption is available for Windows 11 Enterprise and Education editions, version 24H2.

It provides an additional security layer using Windows Hello authentication for known folders.

Files are indicated by a lock icon, ensuring visibility of content is restricted even to device administrators.

Two protection levels: L1 allows access post-sign-in, while L2 locks files when the device is relocked.

Organizations can manage encryption policies through Microsoft Intune for enhanced data security.

From the Windows IT Pro Blog articles

---