New data protection for Windows

Microsoft just announced that they will release another layer of data encryption within the Windows operating system. It is called Personal Data Encryption (PDE) and will be available from Windows 11 22H2. PDE is an extra layer on top of BitLocker disk encryption. Its purpose is to protect personal data from being accessed either remotely (RDP, file shares, etc.) or locally by another user on the same device.

The personal data locations will be customizable later on, but are normally the Documents, Desktop and Pictures folders.

The encryption works like EFS: each file gets its own randomly generated 256-bit AES key, but that key is protected with Windows Hello for Business instead of the certificate-based protection that EFS uses. To decrypt any PDE-protected file, the end user has to sign in with Windows Hello for Business. This means that the data at rest is protected before the user signs in to Windows, and again as soon as the user locks the machine; PDE-encrypted data is only available while the user is signed in with Windows Hello for Business.
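As an added example (not code from the original post or from Microsoft), the following Windows PowerShell script uses the public PDE API in the Windows.Security.DataProtection namespace to check which protection level a file has and, optionally, to protect it at the WhileUnlocked level, which is the behaviour described above (keys released only while the user's session is unlocked). It assumes Windows 11 22H2 or later, Windows PowerShell 5.1 (the WinRT type projection used here is not available in PowerShell 7 without additional packages), a device where PDE has been enabled by policy, and a user who is signed in with Windows Hello for Business; the parameter names and the Wait-WinRt helper are my own.

```powershell
# Added example, not part of the original post.
# Assumptions: Windows 11 22H2+, Windows PowerShell 5.1, PDE enabled by policy,
# and the current user signed in with Windows Hello for Business.
param(
    [Parameter(Mandatory)] [string] $Path,   # file to inspect (or protect)
    [switch] $Protect                        # apply PDE protection instead of only reading it
)

# Load the WinRT types into the Windows PowerShell session.
[Windows.Security.DataProtection.UserDataProtectionManager, Windows.Security.DataProtection, ContentType=WindowsRuntime] | Out-Null
[Windows.Storage.StorageFile, Windows.Storage, ContentType=WindowsRuntime] | Out-Null
Add-Type -AssemblyName System.Runtime.WindowsRuntime

# WinRT async operations are awaited by converting them to .NET tasks (helper is mine).
$asTask = ([System.WindowsRuntimeSystemExtensions].GetMethods() |
    Where-Object { $_.Name -eq 'AsTask' -and $_.GetParameters().Count -eq 1 -and
                   $_.GetParameters()[0].ParameterType.Name -eq 'IAsyncOperation`1' })[0]

function Wait-WinRt([object] $Operation, [Type] $ResultType) {
    $task = $asTask.MakeGenericMethod($ResultType).Invoke($null, @($Operation))
    $task.Wait(-1) | Out-Null
    return $task.Result
}

# TryGetDefault returns $null when PDE is not available for this user/device.
$manager = [Windows.Security.DataProtection.UserDataProtectionManager]::TryGetDefault()
if ($null -eq $manager) {
    throw "PDE is not available: policy not applied, or not signed in with Windows Hello for Business."
}

$file = Wait-WinRt ([Windows.Storage.StorageFile]::GetFileFromPathAsync($Path)) ([Windows.Storage.StorageFile])

if ($Protect) {
    # WhileUnlocked: the per-file key is only released while the session is unlocked,
    # so the file becomes unreadable at lock and sign-out, not just before sign-in.
    $status = Wait-WinRt ($manager.ProtectStorageItemAsync($file,
        [Windows.Security.DataProtection.UserDataAvailability]::WhileUnlocked)) `
        ([Windows.Security.DataProtection.UserDataStorageItemProtectionStatus])
    "Protect result: $status"   # Succeeded, NotProtectable or DataUnavailable
}

# Read back the protection level: Always means not PDE-protected,
# AfterFirstUnlock or WhileUnlocked means the file is protected by PDE.
$info = Wait-WinRt ($manager.GetStorageItemProtectionInfoAsync($file)) `
    ([Windows.Security.DataProtection.UserDataStorageItemProtectionInfo])
"$Path availability: $($info.Availability)"
```

Run it as the signed-in user, e.g. `.\Get-PdeStatus.ps1 -Path "$env:USERPROFILE\Documents\secret.docx"`; add `-Protect` to encrypt the file. A useful check is to protect a file, lock the workstation, and confirm from another session (RDP, a second local account, or a share) that the file can no longer be opened.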


PDE is not a replacement for BitLocker; it should be used in combination with BitLocker to fully protect the device and all of its data. It cannot be combined with standard EFS or Windows Information Protection (WIP).
I personally recommend that organizations using WIP or EFS replace them with Microsoft Purview Information Protection, to be able to identify, classify and protect sensitive content during the entire data life cycle.

For more information, and to try this out yourself, follow these links:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-personal-data-encryption-securing-user-data-before/ba-p/3691185?WT.mc_id=EM-MVP-4030782

https://learn.microsoft.com/en-us/windows/security/information-protection/personal-data-encryption/overview-pde?WT.mc_id=EM-MVP-4030782

This entry was posted in Microsoft Information Protection.