Microsoft introduces Personal Data Encryption, which protects devices from sophisticated cyber attacks

It uses Windows Hello for Business to link data encryption keys with user credentials.


If you’re a developer who constantly seeks methods to enhance the security of data managed by your application, Microsoft has introduced something that could spark your interest: Personal Data Encryption (PDE).

This clever feature, combined with BitLocker, already familiar to many users, promises an enhanced safeguard for Windows devices’ contents.

BitLocker is commonly used for encrypting complete volumes, which is useful to avoid dangers connected with misplaced or stolen devices.

However, in the cybersecurity world, there always seems to be a “but.” Particular situations such as TPM bus sniffing and Direct Memory Access (DMA) attacks might put BitLocker-protected data at risk. Also, as apps and browsers use AI in recommendation engines, it is very important to keep users’ data private.

PDE enters the scene, bringing an extra layer of security when your device is locked but still turned on. This helps to protect it from advanced physical attacks. The interesting part about PDE is that it uses Windows Hello for Business, which directly connects data encryption keys with user credentials.

So, once a person signs in using Windows Hello for Business, their encrypted data can be accessed. If you are wondering, Personal Data Encryption and BitLocker can be used separately or together. However, having both is strongly advised for added assurance.

PDE is more than just a single feature. It provides a full API for developers to encrypt end users’ data, with encryption keys kept safe by using their Windows Hello details. It’s worth mentioning that PDE only exists in the Windows Enterprise and Education editions.

For securing content-generating applications, the PDE API supports two security levels: L1 (AfterFirstUnlock) and L2 (WhileUnlocked), where data protection depends on device lock status.

For developers ready to start, getting started with Personal Data Encryption means turning it on for your device through a Microsoft device management solution such as Intune. When you have enabled PDE, you can protect files, folders, and buffers at different levels of security and unprotect them when needed.

The whole process, from protecting a folder to unprotecting buffers, is described in the documentation, including code snippets and samples.
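As an added illustration of the two levels described above (not code from Microsoft's samples or from the original article), the following C# sketch protects a file at L1 and a buffer at L2 with the `Windows.Security.DataProtection` WinRT API. It assumes a packaged Windows app on a PDE-enabled device; the class name, file name and sample strings are constructed for the example.

```csharp
// Added example: file name and secret are constructed sample values.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

public static class PdeExample
{
    public static async Task RunAsync()
    {
        // TryGetDefault returns null when PDE is not enabled for this user.
        UserDataProtectionManager pde = UserDataProtectionManager.TryGetDefault();
        if (pde == null)
        {
            Console.WriteLine("PDE is not available on this device or account.");
            return;
        }

        // L1 (AfterFirstUnlock) applied to a file in the app's local folder.
        StorageFile file = await ApplicationData.Current.LocalFolder.CreateFileAsync(
            "notes-sample.txt", CreationCollisionOption.ReplaceExisting);
        await FileIO.WriteTextAsync(file, "constructed sample content");
        UserDataStorageItemProtectionStatus fileStatus =
            await pde.ProtectStorageItemAsync(file, UserDataAvailability.AfterFirstUnlock);
        Console.WriteLine($"File protection status: {fileStatus}");

        // L2 (WhileUnlocked) applied to an in-memory buffer.
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(
            "constructed-secret", BinaryStringEncoding.Utf8);
        IBuffer sealedBuffer =
            await pde.ProtectBufferAsync(plain, UserDataAvailability.WhileUnlocked);

        // Unprotecting can fail when the keys are not currently accessible.
        UserDataBufferUnprotectResult result = await pde.UnprotectBufferAsync(sealedBuffer);
        if (result.Status == UserDataBufferUnprotectStatus.Succeeded)
        {
            string text = CryptographicBuffer.ConvertBinaryToString(
                BinaryStringEncoding.Utf8, result.UnprotectedBuffer);
            Console.WriteLine($"Recovered {text.Length} characters.");
        }
        else
        {
            // Status is Unavailable: handle it instead of treating it as corruption.
            Console.WriteLine("Protected data is unavailable right now; retry after unlock.");
        }
    }
}
```

Checking the returned status on every call matters because an app that ignores a failed protect call would leave the data covered by BitLocker alone.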

So, whether you are building applications for defense, banking, health care, or insurance, adding PDE to your projects might greatly improve the safety of important data. And for people who want to dig deeper into it all, the full code and more materials can be found on GitHub, ready to be included in your future Windows application project.

In a world where data breaches are common, tools such as Personal Data Encryption could be highly appreciated. What do you think of it?

You can read the full blog post here.
