Introducing Personal Data Encryption, securing user data before login and under lock
Published Dec 08 2022 09:00 AM
Microsoft

Personal Data Encryption (PDE) is a security feature introduced in Windows 11, version 22H2. It is a user-authenticated data encryption mechanism that is easy to manage and simple to use. PDE relies on Windows Hello for Business for user authentication and uses it to bind the data encryption keys to the user's credentials, so IT admins do not have to manage a separate set of sign-in credentials for encryption, which reduces the overall burden on enterprise IT.


Although it is an encryption solution, PDE is independent of BitLocker. BitLocker provides full-volume encryption, and BitLocker-protected data becomes available as soon as the device boots, whereas PDE-protected data is available only after the user authenticates with Windows Hello for Business at sign-in or when unlocking the screen. PDE together with BitLocker is the recommended configuration: BitLocker protects data at rest, and PDE keeps user data protected while the device is powered on and in use.


PDE encrypts data with AES-CBC using a 256-bit key. It offers two levels of protection, Level 1 and Level 2. Level 1 (L1) protects content during the early boot stage, from the time the machine boots until the user signs in with Windows Hello for Business credentials. Level 2 (L2) protects content from the time the device locks until it is unlocked again with Windows Hello for Business credentials, so L2 content is protected every time the screen is locked, not only before the first sign-in.


PDE policies can be managed at scale from the Microsoft Endpoint Manager (Intune) console, which lets IT admins apply specific protection policies to user data. Enabling the PDE policy for a user enables both the L1 and L2 security levels. For L1 protection, the IT admin can choose which Known Windows Folders (Documents, Desktop and Pictures) to protect. App developers can use both the L1 and L2 security levels through the PDE API to secure their applications' data.


L2 protection is applied whenever the device screen is locked. App developers can use the public PDE API in the Windows.Security.DataProtection namespace (https://learn.microsoft.com/en-us/uwp/api/windows.security.dataprotection?view=winrt-22621) to protect application content, giving the customer additional security while the device is locked.
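The following is an added example, not code from the original post or from Microsoft, showing how an app would use the Windows.Security.DataProtection API described above from C#. In the API the two protection levels appear as UserDataAvailability values: AfterFirstUnlock corresponds to L1 (available after the user's first Windows Hello for Business sign-in since boot) and WhileUnlocked to L2 (available only while the device is unlocked). The file name notes.txt, the sample content and the choice of L2 for the file are assumptions made for illustration; the example assumes a UWP or WinRT-enabled desktop app running on Windows 11 22H2 for a user who has PDE enabled.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

// Added example (not from the original post): protect a file and an
// in-memory buffer with PDE, then react to lock-state changes.
public static class PdeExample
{
    public static async Task RunAsync()
    {
        // TryGetDefault returns null when PDE is not enabled for the current
        // user (no PDE policy, or no Windows Hello for Business). Check it
        // before touching anything else.
        UserDataProtectionManager manager = UserDataProtectionManager.TryGetDefault();
        if (manager == null)
        {
            Console.WriteLine("PDE is not available for this user.");
            return;
        }

        // Assumed sample file in the app's local folder (constructed content).
        StorageFolder folder = ApplicationData.Current.LocalFolder;
        StorageFile file = await folder.CreateFileAsync(
            "notes.txt", CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteTextAsync(file, "constructed sample content");

        // L2: the file's key is only available while the device is unlocked.
        // Use UserDataAvailability.AfterFirstUnlock for L1 semantics instead.
        UserDataStorageItemProtectionStatus status =
            await manager.ProtectStorageItemAsync(file, UserDataAvailability.WhileUnlocked);
        if (status != UserDataStorageItemProtectionStatus.Succeeded)
        {
            // NotProtectable: the item cannot be protected (for example an
            // unsupported location). DataUnavailable: keys are not currently
            // available, typically because the device is locked.
            Console.WriteLine($"Protect failed: {status}");
            return;
        }

        // Verify the level actually applied rather than assuming it.
        UserDataStorageItemProtectionInfo info =
            await manager.GetStorageItemProtectionInfoAsync(file);
        Console.WriteLine($"File availability level: {info.Availability}");

        // Secrets held only in memory (tokens, cached keys) can be sealed the
        // same way; the ciphertext is useless once the device locks.
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(
            "session token", BinaryStringEncoding.Utf8);
        IBuffer sealedBuffer =
            await manager.ProtectBufferAsync(plain, UserDataAvailability.WhileUnlocked);

        UserDataBufferUnprotectResult result = await manager.UnprotectBufferAsync(sealedBuffer);
        if (result.Status == UserDataBufferUnprotectStatus.Unavailable)
        {
            // The WhileUnlocked key is gone while the screen is locked. Keep
            // the sealed buffer and retry after the availability event fires.
            Console.WriteLine("Keys not available (device locked).");
            return;
        }
        string roundTrip = CryptographicBuffer.ConvertBinaryToString(
            BinaryStringEncoding.Utf8, result.UnprotectedBuffer);
        Console.WriteLine($"Unprotected: {roundTrip}");

        // Lock/unlock transitions are signalled here. A well-behaved app drops
        // decrypted L2 data from memory when availability is lost and reloads
        // it when availability returns.
        manager.DataAvailabilityStateChanged += (sender, args) =>
        {
            bool l2Available =
                sender.IsContinuedDataAvailabilityExpected(UserDataAvailability.WhileUnlocked);
            Console.WriteLine($"WhileUnlocked data available: {l2Available}");
        };
    }
}
```

Two points matter in practice: treat a null manager and a DataUnavailable or Unavailable status as normal conditions rather than errors, because both occur on correctly configured devices (PDE not yet enabled by policy, or the screen locked while a background task runs), and never cache the unprotected form of L2 data past a DataAvailabilityStateChanged notification, since the point of L2 is that the plaintext is not recoverable while the device is locked.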


In Windows 11 22H2, only the PDE API is available to end users. It is enabled per user through the PDE configuration service provider (CSP) by setting the OMA-URI ./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption to the integer value 1, for example as a custom configuration profile in Intune. With upcoming updates to the Intune console, IT admins will be able to enable the PDE API on end users' devices as a built-in policy. The next PDE release adds folder-level protection for Known Windows Folders, which IT admins can apply as a policy to a group of users.


Learn more about PDE, its prerequisites and inner workings on Microsoft Learn: https://learn.microsoft.com/en-us/windows/security/information-protection/personal-data-encryption/o.... Also stay tuned for more content outlining the details involved in securing personal data.

Last update: Dec 07 2022 02:36 PM