Wednesday, January 15, 2025

Personal Data Encryption in Windows 11 24H2

Windows 11 24H2 introduced quite a few new features, especially on the security front. One of the more exciting additions is Personal Data Encryption (PDE), a new feature available to those running the Enterprise or Education editions of Windows 11 24H2. What is this new feature and how can it be used to bolster security?

What is Personal Data Encryption (PDE)?

Personal Data Encryption (PDE) protects data at the file level, ensuring that protected files can be accessed only after the user authenticates with Windows Hello. PDE works by encrypting files and folders, including the common locations for personal data such as Desktop, Documents, and Pictures. When enabled, a lock icon shows that a folder is protected with PDE.

Lock icon designates the folder is encrypted with personal data encryption (PDE)

Microsoft has tightly integrated the new solution with Windows Hello. As most know, Windows Hello makes it easier to implement biometric two-factor authentication using methods such as facial recognition, which lowers the barrier to adopting 2FA and reduces the productivity cost of the added security.

Before users can access their PDE-encrypted files, they must authenticate themselves. Even other users with administrative permissions on the system cannot bypass the authentication requirement to decrypt the files. If a device is lost or stolen, these folders remain inaccessible, adding an extra layer of protection on top of whatever protections the organization already uses.

Key Advantages of Personal Data Encryption

What are some of the advantages of the PDE solution compared to previous security and data protection solutions?

1. File-Level Encryption

One advantage of PDE is that, unlike solutions such as BitLocker, which protects the entire drive, PDE encrypts individual files. Why is this important? It allows a more granular approach to protecting sensitive data: files that are not sensitive can remain unencrypted, which also helps the overall performance of the underlying storage.

2. Multi-User Environments

In environments with hot desking and other situations where multiple users share the same workstation, PDE prevents other users from browsing the local disk and viewing sensitive files of other users.

3. Can be layered

Organizations can view PDE as another layer of protection, not necessarily a replacement for technologies like BitLocker. BitLocker protects an entire disk from compromise; adding PDE on top of it adds file-level security as an additional layer.

Prerequisites for implementing PDE

There are a few prerequisites to note for the PDE solution, including the following:

  1. You need to be running Windows 11 Education or Enterprise (version 24H2 or later)
  2. Devices must be Microsoft Entra joined (Microsoft Entra is the renamed Azure Active Directory) or Microsoft Entra hybrid joined
  3. Users must be using Windows Hello to authenticate using their Microsoft Entra ID accounts

Personal Data Encryption protection levels

Interestingly, Microsoft has introduced two levels of protection offered by PDE. Note the description below of each protection level:

  • Level 1 (L1): in this level, files unlocked once the user signs in remain unlocked and accessible until the user signs out or shuts down the computer. This is the default protection level for PDE. It introduces a really good layer of protection without compromising convenience.
  • Level 2 (L2): in this heightened level of PDE protection, files are accessible only while the device is unlocked. When the system locks, the files are re-encrypted. This is a really good level of protection for environments with highly sensitive file data that needs continuous protection.

Organizations and developers can utilize the Personal Data Encryption API to tailor these protection levels to specific needs, applying them to either default Windows folders or application data.
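As an added illustration (not code from the original post or from Microsoft), the following C# shows how an application would request the two levels through the Windows.Security.DataProtection API, where L1 corresponds to UserDataAvailability.AfterFirstUnlock and L2 to UserDataAvailability.WhileUnlocked; the folder path and the PdeLevels class name are placeholders chosen for the example.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.DataProtection;   // UserDataProtectionManager, UserDataAvailability
using Windows.Storage;                    // StorageFolder

// Maps the two PDE protection levels described above onto the API's
// UserDataAvailability values. PdeLevels is a name chosen for this example.
static class PdeLevels
{
    public static UserDataAvailability ForLevel(int level) => level switch
    {
        1 => UserDataAvailability.AfterFirstUnlock, // L1: stays unlocked until sign-out/shutdown
        2 => UserDataAvailability.WhileUnlocked,    // L2: re-protected whenever the device locks
        _ => throw new ArgumentOutOfRangeException(nameof(level), "PDE defines levels 1 and 2 only")
    };

    // Protects a folder at the requested level. Returns true only when the
    // platform reports the item as Protected.
    public static async Task<bool> ProtectFolderAsync(string path, int level)
    {
        // TryGetDefault returns null when PDE is not available on this device,
        // e.g. the prerequisites above (edition, Entra join, Windows Hello) are not met.
        UserDataProtectionManager? mgr = UserDataProtectionManager.TryGetDefault();
        if (mgr is null)
        {
            Console.WriteLine("PDE is not available on this device.");
            return false;
        }

        StorageFolder folder = await StorageFolder.GetFolderFromPathAsync(path);
        UserDataStorageItemProtectionStatus status =
            await mgr.ProtectStorageItemAsync(folder, ForLevel(level));

        Console.WriteLine($"{path}: {status}");
        return status == UserDataStorageItemProtectionStatus.Protected;
    }

    // Example call: the path below is a constructed placeholder.
    public static Task<bool> ProtectSensitiveFolderExample() =>
        ProtectFolderAsync(@"C:\Users\Example\Documents\Sensitive", 2);
}
```

A status other than Protected (for example NotProtectable) means the item was left as it was, so callers should check the return value rather than assume the folder is now covered.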

How is it enabled?

The new PDE solution can be deployed using Microsoft Intune. Since many organizations are transitioning over to using Intune for endpoint management, this will be a natural progression. Note the steps below to implement the solution using Intune:

Open the Microsoft Intune admin center and navigate to Endpoint Security > Disk encryption > Create Policy.

Select Windows as the platform and Personal Data Encryption as the profile type.

Select your platform and select the profile type as Personal Data Encryption

Name the profile and configure a description.

Under the configuration settings, first enable the PDE toggle, then select the option to enable personal data encryption on the folders.

Microsoft Intune admin center

Assign the policy to the desired user or device groups in the profile settings. Review the configuration and create the policy.

Review and create the policy

After deploying, check to see if users have the yellow lock icon to note that PDE is enabled for their personal folders.

Use cases and where PDE will be beneficial

We have already touched on a few use cases of PDE, but let’s talk about ideal scenarios in more detail. Note the following use case examples:

1. Remote work environments

With the huge shift to remote work, organizations now need to support and secure remote workers who may be located at home, at remote office locations, or basically anywhere with Internet connectivity. Personal Data Encryption helps make sure that any corporate data on the remote user's device is secured properly. If the device is lost or stolen, the sensitive data remains secure.

2. Compliance regulations

Compliance regulations are becoming more and more stringent in their security requirements. Common frameworks today include GDPR, HIPAA, and CCPA, to name just a few, and they require strict protection measures for data. PDE can help organizations meet these and other regulatory requirements by providing an easy way to encrypt personal data and to audit data access and security controls.

3. Education and Research organizations

Education and research are two sectors where PDE can help protect end-user data. Students and faculty typically share devices to access their data. PDE helps make sure that individual students' and faculty members' data remains secure even in shared desktop environments.

4. Hotdesk environments

Businesses that use hot desk configurations, such as call centers, will also benefit greatly from the protections of PDE. It makes sure the personal data on these shared devices remains protected between different user logins and sessions.

Considerations when rolling out Personal Data Encryption

There are a few requirements and considerations that organizations need to note when using PDE in their environments:

  • Windows Hello is required – To roll out PDE in your organization, Windows Hello must be in place. Windows Hello has its own requirements, and organizations will want to factor these into the decision to implement PDE on end-user devices.
  • Compatibility – Certain applications may run into issues when PDE is applied to personal data folders, particularly under Level 2, where the files become inaccessible whenever the device is locked. Admins should investigate compatibility with PDE for any third-party applications that require constant access to a user's personal data folders, and test those applications before rolling out the solution.
  • End-user training – Training will be needed, especially if users are not familiar with the Windows Hello authentication workflow. While the experience is fairly seamless, training users to understand the process will minimize the impact on productivity and avoid unnecessary helpdesk calls.

What about existing tools?

If organizations already have tools in their security environment, how does Personal Data Encryption complement or augment the tools that are already available and that organizations may already be using?

  • BitLocker can be used with PDE. Since BitLocker encrypts an entire hard drive, PDE complements it by offering file-specific encryption. By using both together, organizations add a layered defense for securing sensitive data.
  • Microsoft Defender for Endpoint can be combined with PDE to help enhance threat detection and response. It helps make sure that encrypted files stay protected even during a cyberattack.
  • Cloud integration – When PDE is used with Microsoft Entra, it helps organizations streamline policy enforcement and manage policies and security tools like PDE from a central location.

Wrapping up

Personal Data Encryption (PDE) in Windows 11 24H2 is a great new feature that gives SecOps and Ops teams another tool to use as an additional security layer. It also ties in nicely with Windows Hello, which helps make 2FA more feasible and less disruptive to users. All of the policy settings can be controlled from Microsoft Intune, which makes it a cloud-managed solution.

Learn more about Personal Data Encryption here: Personal Data Encryption | Microsoft Learn.



from StarWind Blog https://ift.tt/vsRJTAP
via IFTTT