[Bug] - Personal Data Encryption Conflict
Baseline Info (please complete the following information):
- OS: Windows 11 - 25H2
- Version: 3.7
Describe the bug
For Personal Data Encryption to turn on, it requires the setting "Sign-in and lock last interactive user automatically after a restart" to be disabled.
To Reproduce
Steps to reproduce the behaviour:
1. Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1 has the setting "Sign-in and lock last interactive user automatically after a restart" set to Enabled.
2. Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4 is set up to enable Personal Data Encryption.
3. Looking at files protected by the PDE lock and right-clicking the file, selecting Advanced under Attributes, then selecting Details under "Compress or Encrypt attributes" reports that Personal Data Encryption is off.
Expected behaviour
Enabling PDE places a lock on files, and upon right-clicking the file, selecting Advanced under Attributes, then selecting Details under "Compress or Encrypt attributes", it should show that PDE is ON.
Screenshots
Link from Rudy Ooms detailing the issue at his patchmypc blog.
Additional context
Microsoft documentation describing the requirement for ARSO to be turned off.
This change would also meet compliance for: CIS Ref 3.11.50.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'.
Net positive on user experience and benefits patch compliance without user interruption. Only enabled when BitLocker is on and not suspended.
Win - OIB - SC - Device Security - D - Login and Lock Screen
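As an added example (not part of this issue or of the project it is filed against), a PowerShell check an admin can run on a device before enabling the PDE policy, to confirm the ARSO prerequisite described above. It assumes the ARSO policy surfaces as the `DisableAutomaticRestartSignOn` value under the classic `Policies\System` key and that the session is elevated so `Get-BitLockerVolume` can read the OS volume.

```powershell
# Added example: audit a Windows 11 device for the ARSO prerequisite of
# Personal Data Encryption. Not code from the baseline project.
# Assumption: ARSO policy state is held in DisableAutomaticRestartSignOn
# under HKLM\...\Policies\System (1 = ARSO disabled, absent/0 = allowed).
function Test-PdeArsoPrerequisite {
    [CmdletBinding()]
    param()

    $arsoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $arsoProp = Get-ItemProperty -Path $arsoKey -Name 'DisableAutomaticRestartSignOn' `
                                 -ErrorAction SilentlyContinue
    $arsoDisabled = ($null -ne $arsoProp -and $arsoProp.DisableAutomaticRestartSignOn -eq 1)

    # ARSO only takes effect while BitLocker on the OS volume is on and not
    # suspended; a suspended volume reports ProtectionStatus 'Off'.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bitLockerOn = ($null -ne $osVol -and $osVol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ArsoDisabledByPolicy  = $arsoDisabled
        BitLockerProtectionOn = $bitLockerOn
        # PDE will report as off (the behaviour in this report) while ARSO is
        # still allowed, so this flags the device as not ready for the PDE policy.
        ReadyForPde           = $arsoDisabled
    }
}

Test-PdeArsoPrerequisite | Format-List
```

Run it on a device where both policies have applied; a result of `ReadyForPde : False` reproduces the conflict this issue reports, and confirming the value after the Login and Lock Screen policy is changed shows whether the fix landed.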
Hey @Confrigid
I'll be straight-up and say I was somewhat aware of the ARSO requirement on PDE but chose to not specifically resolve it given the low number of people who want to currently enable PDE as well as the fact the feature itself is still developing.
I was very much aware that CIS have it turned off and I believe the user experience benefits of ARSO outweigh the potential security risks which is why I've deviated.
I think the best course of action (for now) is to just document the conflict in the PDE policy description to make people aware, rather than over-complicating it by having multiple policy versions. I'm definitely keeping close to the development of PDE because I see it as bridging the gap between BitLocker pre-boot PINs and still securing corp data.