There’s a new, more secure way to encrypt files in Windows 11, but it’s only an option for building secure applications, not a replacement for BitLocker.
Windows 10 already has two flavours of encryption — BitLocker and Windows Device Encryption — and as of the 22H2 release, Windows 11 Enterprise and Education add Personal Data Encryption.
BitLocker and Device Encryption are effectively the same full disk encryption technology, but there are management tools for BitLocker (which is only available in Windows Pro, Enterprise and Education) that let admins control whether one or more drives on a system are encrypted, as well as backing up and recovering the keys. Device Encryption is included in Windows Home and encrypts all the drives on the PC, with no option to exclude secondary drives. The name is different because calling it BitLocker would make people think they were getting the same management tools and options.
Personal Data Encryption doesn’t replace either of them because it doesn’t encrypt a whole drive; instead, it protects individual files and folders using 256-bit AES-CBC encryption keys that are protected by Windows Hello for Business, but only through applications that are built to use it.
File encryption in Windows
You could already encrypt a selection of files in Windows by:
- Selecting them in File Explorer.
- Right-clicking and choosing Properties.
- Clicking the Advanced button in the Attributes section of the General tab.
- Checking the ‘Encrypt contents to secure data’ checkbox.
That uses the Encrypting File System built into Windows, but it has several drawbacks.
Complications from encrypting via EFS
EFS dates back to Windows 2000, long before TPMs were common in PCs, so it doesn’t use hardware security to protect the encryption keys. They’re stored in Windows, and an attacker could potentially extract them — or they could just try to hack into your Windows account.
Files encrypted with EFS can also be accessed only by the user account that encrypted them. That’s seamless: As soon as you log in with that user account you can access encrypted files without doing anything extra, but if you log in with a different account, you can’t open them at all.
PDE uses Windows Hello for more secure keys
BitLocker unlocks the encrypted drive as soon as you boot Windows: PDE only unlocks encrypted files when the user logs in — and logs in using Windows Hello.
By using Windows Hello for Business, Personal Data Encryption puts the encryption keys into secure hardware where they’re only released when you authenticate either biometrically or with a PIN, which is also protected by hardware security and, unlike a password, doesn’t roam to other devices you use that account with.
That’s more secure, but also more transparent for users — although you do have to get used to not seeing Personal Data Encryption-protected files if you decide to sign in to your account using your password instead.
Turning on Personal Data Encryption
There are some limitations for using Personal Data Encryption. The PC has to be joined to Azure AD and not be a hybrid device (i.e., one that’s joined to your organization’s Active Directory but also registered with Azure AD). Remote Desktop connections aren’t supported, you can’t see Personal Data Encryption-protected files through a network share, and you can’t use a FIDO key instead of Windows Hello for Business or automatic restart sign-on to Windows.
To make sure the Personal Data Encryption keys aren’t accidentally exposed, you will want to disable hibernation, crash dumps and Windows Error Reporting: You can do that through the same MDM solution you use to enable Personal Data Encryption (whether that’s Intune or through Group Policy with a CSP).
You can also decide whether you want encrypted files to be available when Windows is locked or not. If you choose level two protection, encrypted files will be accessible for one minute after the Windows lock screen appears, but then the decryption keys will be discarded. You don’t have to use OneDrive for it, but you will want to make sure that you have backups in case the Personal Data Encryption keys are lost.
Unlike EFS, once you’ve enabled Personal Data Encryption, you don’t encrypt files through File Explorer: In fact, there’s no user interface for Personal Data Encryption at all. That’s because it’s controlled through APIs that developers use in applications; the first to enable PDE is the built-in Mail app, which can encrypt both email messages and attachments.
PDE is a partner to BitLocker
Again, Personal Data Encryption doesn’t replace BitLocker: It’s designed to be used alongside it for files that organizations decide need the extra protection.
If you have a line of business application that handles particularly sensitive information, you can use the PDE APIs to make sure the files can only be accessed by employees who are supposed to have access and only on managed devices that are Azure AD joined. You want that to be set by your compliance policies, rather than to give individual employees a tool for encrypting files — which could be used by malicious insiders to hide data they shouldn’t have on their devices and might be trying to take outside the organization.
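The article says PDE is reached only through APIs that applications call, and that a line-of-business app would use them to keep sensitive files readable only for a Windows Hello for Business session on an Azure AD joined device. Here is an added example of what that looks like from the application side; it is not code from the article, from Microsoft or from the Mail app. It uses the Windows.Security.DataProtection WinRT API that ships with the Windows 11 22H2 SDK (build 22621 or later, so a project targeting a `net6.0-windows10.0.22621.0` style framework); the API names are as documented in that SDK, the mapping of the article’s "level two" onto the `WhileUnlocked` availability level is my reading of the article, and the sample file path is constructed. The example deliberately handles the two failure modes the article describes: PDE not being available on the device at all (for example a password sign-in, where `TryGetDefault()` returns null), and the keys having been discarded after the lock screen.

```csharp
// Added example (not from the article or from Microsoft): a helper a line-of-business app
// could use to place a file under Personal Data Encryption and to notice when the keys
// go away at lock. Requires the Windows 11 22H2 SDK projection (Windows.Security.DataProtection).
using System;
using System.Threading.Tasks;
using Windows.Security.DataProtection;
using Windows.Storage;

public static class PdeFileProtector
{
    // The article's "level two" (keys discarded shortly after the lock screen appears) is
    // the API's WhileUnlocked level; AfterFirstUnlock keeps files readable while locked.
    public static UserDataAvailability ForLockedScreenPolicy(bool availableWhileLocked) =>
        availableWhileLocked ? UserDataAvailability.AfterFirstUnlock
                             : UserDataAvailability.WhileUnlocked;

    // null means PDE is not usable in this session: device not Azure AD joined, edition
    // unsupported, or the user signed in with a password instead of Windows Hello for Business.
    public static UserDataProtectionManager? TryGetManager() =>
        UserDataProtectionManager.TryGetDefault();

    public static async Task<bool> ProtectAsync(string path, UserDataAvailability availability)
    {
        var manager = TryGetManager();
        if (manager is null)
        {
            Console.Error.WriteLine("PDE is not available in this session; file left unprotected.");
            return false;
        }

        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionStatus status =
            await manager.ProtectStorageItemAsync(file, availability);

        switch (status)
        {
            case UserDataStorageItemProtectionStatus.Succeeded:
                return true;
            case UserDataStorageItemProtectionStatus.NotProtectable:
                // e.g. the file lives on a network share or a non-NTFS volume
                Console.Error.WriteLine($"{path} cannot be placed under PDE here.");
                return false;
            case UserDataStorageItemProtectionStatus.DataUnavailable:
                // keys are currently discarded, e.g. the device was locked past the grace period
                Console.Error.WriteLine("PDE keys are not available right now; try again after unlock.");
                return false;
            default:
                return false;
        }
    }

    // Reports the availability level a file was protected with. Assumption (mine, not from
    // the article): an item that is not under PDE reports UserDataAvailability.Always.
    public static async Task<UserDataAvailability?> GetAvailabilityAsync(string path)
    {
        var manager = TryGetManager();
        if (manager is null) return null;
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionInfo info = await manager.GetStorageItemProtectionInfoAsync(file);
        return info.Availability;
    }

    // Lets the app drop decrypted content from memory when the keys are discarded at lock.
    public static void WatchAvailability(Action onChanged)
    {
        var manager = TryGetManager();
        if (manager is null) return;
        manager.DataAvailabilityStateChanged += (sender, args) => onChanged();
    }

    public static async Task Main()
    {
        const string samplePath = @"C:\Users\Public\Documents\quarterly-report.xlsx"; // constructed
        WatchAvailability(() => Console.WriteLine("PDE availability changed; clearing cached plaintext."));
        bool ok = await ProtectAsync(samplePath, ForLockedScreenPolicy(availableWhileLocked: false));
        Console.WriteLine(ok ? $"Protected at level: {await GetAvailabilityAsync(samplePath)}" : "Not protected");
    }
}
```

The null check on `TryGetDefault()` is the important part: an app that silently writes the file unprotected when PDE is unavailable defeats the compliance intent the article describes, so the helper returns false and logs rather than falling back.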
Unlike files that are protected by tools like Azure Information Protection or Purview Information Protection, where sensitivity labels and encryption are enforced on files permanently, users can decrypt files protected with Personal Data Encryption manually in File Explorer. Here’s how:
- Right-click on the file.
- Choose Properties.
- Click the Advanced button on the General tab — the same place you apply EFS encryption.
- Uncheck the option Encrypt contents to secure data.
Remember, you can’t encrypt the file again the same way; that can only be done by an application.
If you have a lot of encrypted files, you can use the CIPHER command to decrypt one or more files in a folder. You can only do that when you’ve logged in with Windows Hello for Business and already have access. This is not a security flaw, because if you had access, you could just copy and paste the contents of the file elsewhere anyway.
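For the bulk case the article mentions, an admin usually wants to see which files under a folder carry the NTFS Encrypted attribute before anything is decrypted, and then hand each one to the CIPHER command. The following is an added example, not code from the article or from Microsoft: it inventories encrypted files (EFS and PDE both set the same attribute, so it lists either) and, only when run with `--apply`, calls `cipher /d` on each file and confirms the attribute is gone afterwards. The folder path is a constructed sample. As the article states, decryption succeeds only in a session that already has access, so for PDE files this has to run under the owning user’s Windows Hello for Business sign-in; a file that cannot be decrypted is reported, not retried.

```csharp
// Added example (not from the article): inventory NTFS-encrypted files under a folder and,
// on request, decrypt them with the built-in cipher.exe the article refers to.
// Dry run by default so nothing changes until the list has been reviewed.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;

public static class EncryptedFileInventory
{
    // Both EFS and PDE mark files with FileAttributes.Encrypted, so this finds either kind.
    public static List<string> FindEncryptedFiles(string root)
    {
        var options = new EnumerationOptions { RecurseSubdirectories = true, IgnoreInaccessible = true };
        return Directory.EnumerateFiles(root, "*", options)
            .Where(p => (File.GetAttributes(p) & FileAttributes.Encrypted) != 0)
            .OrderBy(p => p, StringComparer.OrdinalIgnoreCase)
            .ToList();
    }

    // Runs "cipher /d <file>" and treats it as successful only when cipher exits with 0
    // AND the Encrypted attribute is actually gone (the attribute is the reliable signal).
    public static bool DecryptWithCipher(string path)
    {
        var psi = new ProcessStartInfo("cipher.exe")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
        };
        psi.ArgumentList.Add("/d");
        psi.ArgumentList.Add(path);

        using var proc = Process.Start(psi);
        if (proc is null) return false;
        proc.StandardOutput.ReadToEnd(); // drain so cipher cannot block on a full pipe
        proc.WaitForExit();

        return proc.ExitCode == 0 && !File.GetAttributes(path).HasFlag(FileAttributes.Encrypted);
    }

    public static int Main(string[] args)
    {
        string root = args.FirstOrDefault(a => !a.StartsWith("--"))
                      ?? @"C:\Users\Public\Documents\Sensitive"; // constructed sample path
        bool apply = args.Contains("--apply");

        List<string> files = FindEncryptedFiles(root);
        Console.WriteLine($"{files.Count} encrypted file(s) under {root}");
        foreach (string f in files) Console.WriteLine("  " + f);

        if (!apply)
        {
            Console.WriteLine("Dry run only. Re-run with --apply to decrypt the files listed above.");
            return 0;
        }

        int failed = 0;
        foreach (string f in files)
        {
            if (DecryptWithCipher(f))
            {
                Console.WriteLine($"Decrypted: {f}");
            }
            else
            {
                failed++;
                Console.Error.WriteLine($"Could not decrypt: {f} (no access in this session?)");
            }
        }
        return failed == 0 ? 0 : 1;
    }
}
```

Checking the attribute after the call rather than trusting cipher’s exit code alone matters for PDE files: a file whose keys were discarded at lock will still carry the Encrypted attribute, and the non-zero return tells the operator to sign in again with Windows Hello for Business before retrying.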
The Personal Data Encryption name is rather confusing: It’s personal because it’s tied to the way a person logs in with Windows Hello for Business, but it’s not something an individual can choose to use and it’s not for protecting personal files. Instead, it’s another building block for making Windows a more secure way to handle information — but only once there are more applications that make use of it.