From 12ceedaaf6f023e556733e611c8d5fa9b808ca03 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Mon, 14 Oct 2024 13:49:31 -0400
Subject: [PATCH] updates
---
windows/security/book/features-index.md | 2 +-
...g-system-security-encryption-and-data-protection.md | 10 ++++++++--
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/windows/security/book/features-index.md b/windows/security/book/features-index.md
index ec282da6cf..1a060271d2 100644
--- a/windows/security/book/features-index.md
+++ b/windows/security/book/features-index.md
@@ -7,4 +7,4 @@ ms.date: 09/06/2024
# Features index
-[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust in Windows](operating-system-security-system-security.md#-rust-in-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection](identity-protection-advanced-credential-protection.md#-token-protection)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print mode](operating-system-security-system-security.md#-windows-protected-print-mode)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
+[5G and eSIM](operating-system-security-network-security.md#5g-and-esim)
[Access management and control](identity-protection-advanced-credential-protection.md#access-management-and-control)
[Account lockout policies](identity-protection-advanced-credential-protection.md#account-lockout-policies)
[App containers](application-security-application-isolation.md#app-containers)
[App Control for Business](application-security-application-and-driver-control.md#app-control-for-business)
[Attack surface reduction rules](operating-system-security-virus-and-threat-protection.md#attack-surface-reduction-rules)
[BitLocker To Go](operating-system-security-encryption-and-data-protection.md#bitlocker-to-go)
[BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker)
[Bluetooth protection](operating-system-security-network-security.md#bluetooth-protection)
[Certificates](operating-system-security-system-security.md#certificates)
[Cloud-native device management](cloud-services-protect-your-work-information.md#cloud-native-device-management)
[Code signing and integrity](operating-system-security-system-security.md#code-signing-and-integrity)
[Common Criteria (CC)](security-foundation-certification.md#common-criteria-cc)
[Config Refresh](operating-system-security-system-security.md#-config-refresh)
[Controlled folder access](operating-system-security-virus-and-threat-protection.md#controlled-folder-access)
[Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard)
[Cryptography](operating-system-security-system-security.md#cryptography)
[Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption)
[Device health attestation](operating-system-security-system-security.md#device-health-attestation)
[Domain Name System (DNS) security](operating-system-security-network-security.md#domain-name-system-dns-security)
[Email encryption](operating-system-security-encryption-and-data-protection.md#email-encryption)
[Encrypted hard drive](operating-system-security-encryption-and-data-protection.md#encrypted-hard-drive)
[Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)
[Enhanced Sign-in Security (ESS)](identity-protection-passwordless-sign-in.md#enhanced-sign-in-security-ess)
[Exploit protection](operating-system-security-virus-and-threat-protection.md#exploit-protection)
[Federal Information Processing Standard (FIPS)](security-foundation-certification.md#federal-information-processing-standard-fips)
[Federated sign-in](identity-protection-passwordless-sign-in.md#federated-sign-in)
[FIDO2](identity-protection-passwordless-sign-in.md#fido2)
[Find my device](cloud-services-protect-your-personal-information.md#find-my-device)
[Kernel Direct Memory Access (DMA) protection](hardware-security-silicon-assisted-security.md#kernel-direct-memory-access-dma-protection)
[Kiosk mode](operating-system-security-system-security.md#kiosk-mode)
[Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection)
[Microsoft Account](cloud-services-protect-your-personal-information.md#microsoft-account)
[Microsoft Authenticator](identity-protection-passwordless-sign-in.md#microsoft-authenticator)
[Microsoft Azure Attestation Service](cloud-services-protect-your-work-information.md#microsoft-azure-attestation-service)
[Microsoft Defender Antivirus](operating-system-security-virus-and-threat-protection.md#microsoft-defender-antivirus)
[Microsoft Defender for Endpoint](operating-system-security-virus-and-threat-protection.md#microsoft-defender-for-endpoint)
[Microsoft Defender SmartScreen](operating-system-security-virus-and-threat-protection.md#microsoft-defender-smartscreen)
[Microsoft Entra ID](cloud-services-protect-your-work-information.md#microsoft-entra-id)
[Microsoft Intune](cloud-services-protect-your-work-information.md#microsoft-intune)
[Microsoft Offensive Research and Security Engineering](security-foundation-offensive-research.md#microsoft-offensive-research-and-security-engineering)
[Microsoft Pluton security processor](hardware-security-hardware-root-of-trust.md#microsoft-pluton-security-processor)
[Microsoft security baselines](cloud-services-protect-your-work-information.md#microsoft-security-baselines)
[Microsoft Security Development Lifecycle (SDL)](security-foundation-offensive-research.md#microsoft-security-development-lifecycle-sdl)
[Microsoft vulnerable driver blocklist](application-security-application-and-driver-control.md#microsoft-vulnerable-driver-blocklist)
[Network protection](operating-system-security-virus-and-threat-protection.md#network-protection)
[OneDrive for personal](cloud-services-protect-your-personal-information.md#onedrive-for-personal)
[OneDrive for work or school](cloud-services-protect-your-work-information.md#onedrive-for-work-or-school)
[OneDrive Personal Vault](cloud-services-protect-your-personal-information.md#onedrive-personal-vault)
[OneFuzz service](security-foundation-offensive-research.md#onefuzz-service)
[Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde)
[Privacy dashboard and report](privacy-controls.md#privacy-dashboard-and-report)
[Privacy resource usage](privacy-controls.md#privacy-resource-usage)
[Privacy transparency and controls](privacy-controls.md#privacy-transparency-and-controls)
[Remote Credential Guard](identity-protection-advanced-credential-protection.md#remote-credential-guard)
[Remote Wipe](cloud-services-protect-your-work-information.md#remote-wipe)
[Rust in Windows](operating-system-security-system-security.md#-rust-in-windows)
[Secure Future Initiative (SFI)](security-foundation-offensive-research.md#secure-future-initiative-sfi)
[Secured kernel](hardware-security-silicon-assisted-security.md#secured-kernel)
[Secured-core PC](hardware-security-silicon-assisted-security.md#secured-core-pc)
[Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services)
[Smart App Control](application-security-application-and-driver-control.md#smart-app-control)
[Smart cards](identity-protection-passwordless-sign-in.md#smart-cards)
[Software bill of materials (SBOM)](security-foundation-secure-supply-chain.md#software-bill-of-materials-sbom)
[Tamper protection](operating-system-security-virus-and-threat-protection.md#tamper-protection)
[Token protection (preview)](identity-protection-advanced-credential-protection.md#token-protection-preview)
[Transport Layer Security (TLS)](operating-system-security-network-security.md#transport-layer-security-tls)
[Trusted Boot (Secure Boot + Measured Boot)](operating-system-security-system-security.md#trusted-boot-secure-boot--measured-boot)
[Trusted Platform Module (TPM)](hardware-security-hardware-root-of-trust.md#trusted-platform-module-tpm)
[Trusted signing](application-security-application-and-driver-control.md#-trusted-signing)
[Universal Print](cloud-services-protect-your-work-information.md#universal-print)
[User Account Control](application-security-application-and-driver-control.md#user-account-control)
[VBS key protection](identity-protection-advanced-credential-protection.md#-vbs-key-protection)
[Virtual private networks (VPN)](operating-system-security-network-security.md#virtual-private-networks-vpn)
[Virtualization-based security enclaves](application-security-application-isolation.md#-virtualization-based-security-enclaves)
[Web sign-in](identity-protection-passwordless-sign-in.md#web-sign-in)
[Wi-Fi connections](operating-system-security-network-security.md#wi-fi-connections)
[Win32 app isolation](application-security-application-isolation.md#-win32-app-isolation)
[Windows App software development kit (SDK)](security-foundation-secure-supply-chain.md#windows-app-software-development-kit-sdk)
[Windows Autopatch](cloud-services-protect-your-work-information.md#windows-autopatch)
[Windows Autopilot](cloud-services-protect-your-work-information.md#windows-autopilot)
[Windows diagnostic data processor configuration](privacy-controls.md#windows-diagnostic-data-processor-configuration)
[Windows enrollment attestation](cloud-services-protect-your-work-information.md#windows-enrollment-attestation)
[Windows Firewall](operating-system-security-network-security.md#windows-firewall)
[Windows Hello for Business](identity-protection-passwordless-sign-in.md#windows-hello-for-business)
[Windows Hello](identity-protection-passwordless-sign-in.md#windows-hello)
[Windows Insider and Bug Bounty program](security-foundation-offensive-research.md#windows-insider-and-bug-bounty-program)
[Windows Local Administrator Password Solution (LAPS)](cloud-services-protect-your-work-information.md#windows-local-administrator-password-solution-laps)
[Windows presence sensing](identity-protection-passwordless-sign-in.md#windows-presence-sensing)
[Windows protected print mode](operating-system-security-system-security.md#-windows-protected-print-mode)
[Windows Sandbox](application-security-application-isolation.md#windows-sandbox)
[Windows security policy settings and auditing](operating-system-security-system-security.md#windows-security-policy-settings-and-auditing)
[Windows security settings](operating-system-security-system-security.md#windows-security-settings)
[Windows Subsystem for Linux (WSL)](application-security-application-isolation.md#windows-subsystem-for-linux-wsl)
[Windows Update for Business](cloud-services-protect-your-work-information.md#windows-update-for-business)
diff --git a/windows/security/book/operating-system-security-encryption-and-data-protection.md b/windows/security/book/operating-system-security-encryption-and-data-protection.md
index b9521afa4c..aee0eae02e 100644
--- a/windows/security/book/operating-system-security-encryption-and-data-protection.md
+++ b/windows/security/book/operating-system-security-encryption-and-data-protection.md
@@ -13,13 +13,19 @@ When people travel with their PCs, their confidential information travels with t
## BitLocker
-BitLocker is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker uses the AES algorithm in XTS or CBC mode of operation with 128-bit or 256-bit key length to encrypt data on the volume. BitLocker can save its recovery password to a Microsoft account for retrieval if needed. This happens automatically during the initial setup when BitLocker is enabled in OOE (Out of Box Experience) on modern devices and the user signs into their Microsoft account for the first time. Additionally, users have the option to export the recovery password if they have manually enabled BitLocker. Cloud storage on Microsoft OneDrive or Azure[\[7\]](conclusion.md#footnote7) can be used to save recovery key content. BitLocker can be managed by a device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7) using a configuration service provider (CSP). BitLocker provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies like Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+BitLocker is a data protection feature that integrates with the operating system to address the threats of data theft or exposure from lost, stolen, or improperly decommissioned devices. It uses the AES algorithm in XTS or CBC mode with 128-bit or 256-bit key lengths to encrypt data on the volume. During the initial setup, when BitLocker is enabled during OOBE and the user signs into their Microsoft account for the first time, BitLocker automatically saves its recovery password to the Microsoft account for retrieval if needed. Users also have the option to export the recovery password if they manually enable BitLocker. Recovery key content can be saved to cloud storage on OneDrive or Azure[\[7\]](conclusion.md#footnote7).
+
+For organizations, BitLocker can be managed via group policy or with a device management solution like Microsoft Intune[\[7\]](conclusion.md#footnote7). It provides encryption for the OS, fixed data, and removable data drives (BitLocker To Go), using technologies such as Hardware Security Test Interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+[!INCLUDE [new-24h2](includes/new-24h2.md)]
+
+The BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
[!INCLUDE [learn-more](includes/learn-more.md)]
- [BitLocker overview](../operating-system-security/data-protection/bitlocker/index.md)
-## BitLocker To Go
+### BitLocker To Go
BitLocker To Go refers to BitLocker on removable data drives. BitLocker To Go includes the encryption of USB flash drives, SD cards, and external hard disk drives. Drives can be unlocked using a password, certificate on a smart card, or recovery password.