Use Personal Data Encryption in Windows 11 to Protect Files When You Sign Out
Difficulty: Intermediate | Time Required: 15 minutesPersonal Data Encryption, or PDE, is one of the newer security features in Windows 11 designed to protect your files at the user level instead of just the drive level. In plain English, it means your protected files can become inaccessible as soon as you sign out, even if someone else signs into the same PC.
That makes PDE especially useful on work laptops, shared devices, and any Windows 11 system that stores sensitive documents, desktop files, or personal pictures. It also works well alongside BitLocker rather than replacing it.
This tutorial walks through what PDE does, what you need before you start, and how it’s typically enabled on supported Windows 11 systems.
What Personal Data Encryption does
Unlike BitLocker, which protects an entire drive, Personal Data Encryption protects files and folders. Windows ties the decryption keys to your Windows Hello for Business sign-in. When you sign in with Hello, your protected content becomes available. When you sign out, the keys are discarded and your protected content is locked again.On Windows 11 version 24H2 and later, Microsoft also added PDE for known folders, which can automatically protect:
- Desktop
- Documents
- Pictures
Prerequisites
Before you begin, make sure your PC meets these requirements:- Windows 11 version 22H2 or later
- Windows 11 Enterprise or Education
- PDE is not supported on Windows Pro
- Device must be:
- Microsoft Entra joined, or
- Microsoft Entra hybrid joined
- You must sign in using Windows Hello for Business
- ARSO must be disabled
- ARSO = Automatic Restart Sign-On
Important: If you sign in with a regular password instead of Windows Hello, you won’t be able to access PDE-protected content.
Version note: Automatic protection for Desktop, Documents, and Pictures requires Windows 11 24H2 or later.
Step 1: Confirm your Windows edition and version
First, verify that your system actually supports PDE.- Press Windows + R to open Run.
- Type winver and press Enter.
- Confirm you are running:
- Windows 11
- Version 22H2 or later
- Next, go to Settings > System > About.
- Under Windows specifications, confirm your edition is:
- Enterprise, or
- Education
Warning: If you’re on Windows 11 Pro, PDE isn’t available even if you’re on the right feature update.
Step 2: Make sure Windows Hello is set up
PDE depends on Windows Hello sign-in.- Open Settings.
- Go to Accounts > Sign-in options.
- Check that you have at least one Windows Hello method configured, such as:
- PIN
- Fingerprint recognition
- Facial recognition
- If Windows Hello isn’t set up yet, follow the prompts to configure it.
Note: PDE is designed around Windows Hello for Business, which is usually configured in managed work or school environments. On a personal, unmanaged PC, you may not have all the required enterprise components.
Step 3: Check whether your device is organization-managed
PDE is mainly intended for business and education deployments.- Open Settings.
- Go to Accounts > Access work or school.
- Look for a connected work or school account.
- Confirm the device is managed through your organization.
- Microsoft Entra joined
- Microsoft Entra hybrid joined
- Managed through Intune or another MDM platform
Helpful tip: Most home users won’t manually turn on PDE from a normal Settings page. In most cases, it is deployed by IT through Microsoft Intune or an MDM policy.
Step 4: Ensure ARSO is disabled
Microsoft states that PDE requires Automatic Restart Sign-On (ARSO) to be disabled.On managed devices, IT typically handles this through policy. If you’re checking from the user side:
- Open Settings.
- Go to Accounts > Sign-in options.
- Review sign-in and restart-related options.
- If your PC is company-managed, confirm with IT that ARSO has been disabled by policy.
Step 5: Have your administrator enable Personal Data Encryption
This is the key step: PDE is not usually enabled manually by a local home user interface. It’s commonly turned on by an administrator using Intune or CSP policy.If you’re the device admin or documenting this for a work environment, the usual configuration includes:
- Enable Personal Data Encryption
- Disable Sign-in and lock last interactive user automatically after a restart
- On Windows 11 24H2 or later, optionally enable folder protection for:
- Desktop
- Documents
- Pictures
- Endpoint security > Disk encryption > Personal Data Encryption, or
- Settings catalog using the Personal Data Encryption category
./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption = 1./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop = 1./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments = 1./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures = 1
Intermediate note: Known folder protection for PDE only applies on Windows 11 24H2 and later.
Step 6: Sign out and sign back in with Windows Hello
After PDE is enabled by policy:- Save your work.
- Sign out of Windows.
- Sign back in using Windows Hello:
- PIN
- Face
- Fingerprint
If you try signing in with a password instead, protected files may remain unavailable.
Step 7: Verify that your files are protected
Once PDE is active, protected files and folders typically show a padlock icon in File Explorer or on the desktop.To check:
- Open File Explorer.
- Browse to your Desktop, Documents, or Pictures folder if folder protection has been enabled.
- Look for padlock overlays on protected items.
- Right-click a file.
- Select Properties.
- Under the General tab, click Advanced.
- Review the protection details if available.
Tips and troubleshooting
PDE is not the same as BitLocker
PDE and BitLocker do different jobs:- BitLocker protects the whole drive
- PDE protects file access based on your sign-in session
Remote access limitations
PDE-protected content is not meant for normal remote access scenarios. Microsoft notes that protected content is not accessible through:- UNC paths
- Remote Desktop sessions
- Other user accounts on the same PC
Password sign-in can cause confusion
If your files suddenly seem inaccessible, check how you signed in. If you used a password instead of Windows Hello, PDE-protected content may stay locked.Backups are essential
Microsoft recommends backing up your files, ideally with something like OneDrive. In certain cases, such as TPM reset or destructive PIN reset, PDE-related keys can be lost, which can make protected content inaccessible.Warning: If recovery keys or encryption state are lost, backup copies may be the only way to restore access.
Home users may not see PDE options
That’s normal. PDE is primarily an enterprise/security-managed feature, not a consumer-facing toggle like Storage Sense or Nearby Sharing.Conclusion
Personal Data Encryption adds a strong extra layer of protection in Windows 11 by making sensitive files unavailable when you sign out. On supported Enterprise and Education systems, it can help secure your Desktop, Documents, and Pictures without requiring separate encryption steps for each file.For organizations already using Windows Hello for Business, Microsoft Entra, and BitLocker, PDE is a smart way to reduce file exposure on shared or managed PCs.
Key Takeaways:
- Personal Data Encryption protects files when you sign out of Windows
- It relies on Windows Hello for Business to release encryption keys
- PDE works alongside BitLocker, not as a replacement
- Windows 11 24H2 adds easy protection for Desktop, Documents, and Pictures
- PDE requires Enterprise or Education editions and a managed device setup
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.