diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bitlocker-recovery-screen-msa-backup-24h2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlocker-recovery-screen-msa-backup-24h2.png new file mode 100644 index 0000000000..415996c485 Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlocker-recovery-screen-msa-backup-24h2.png differ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md index e9e9e7bdb7..69d9822b91 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/index.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md 
@@ -85,10 +85,11 @@ BitLocker has the following requirements: ## Device encryption -*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access. +*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access. Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives. > [!IMPORTANT] -> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives. +> Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed. As a result, more devices are eligible for automatic and manual device encryption. +> For more information, see [BitLocker drive encryption in Windows 11 for OEMs](/windows-hardware/design/device-experiences/oem-bitlocker). Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up. 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md index 24437bd519..aaadd7678e 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md @@ -99,6 +99,14 @@ There are rules governing which hint is shown during the recovery (in the order :::image type="content" source="images/preboot-recovery-custom-url-single-backup.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL and the hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-custom-url-single-backup.png" border="false"::: :::column-end::: :::row-end::: +:::row::: + :::column span="2"::: + Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information. + :::column-end::: + :::column span="2"::: + :::image type="content" source="images/bitlocker-recovery-screen-msa-backup-24h2.png" alt-text="Screenshot of the BitLocker recovery screen showing a Microsoft account hint where the BitLocker recovery key was saved." lightbox="images/bitlocker-recovery-screen-msa-backup-24h2.png" border="false"::: + :::column-end::: +:::row-end::: :::row::: :::column span="4"::: #### Example: single recovery password in AD DS and single backup
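Review bot: In the index.md hunk, the new IMPORTANT callout ("Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed") contradicts the unchanged sentences immediately above it, which still state without qualification that device encryption "requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements" and "can't have externally accessible ports that allow DMA access". Qualify those sentences (for example "Before Windows 11, version 24H2, device encryption requires a device to meet ...") so the paragraph and the callout agree. The sentence moved out of the callout also carries a comma splice: "Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives." should be split or joined with a semicolon. Finally, since the DMA prerequisite is being dropped, a short pointer to where readers can find the DMA guidance that still applies would help, rather than leaving only the OEM link.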
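Review bot: In the preboot-recovery-screen.md hunk, the surrounding text says "There are rules governing which hint is shown during the recovery (in the order ...", but the added row does not say where the new Microsoft account hint falls in that precedence order relative to the existing hints; state whether it takes precedence over, or is shown alongside, the custom URL and AD DS hints. The wording "which MSA account was used" is redundant (MSA already expands to Microsoft account); suggest "which Microsoft account was used". The paragraph also mixes "recovery password is saved to an MSA" with "recovery key information" and the alt-text's "recovery key"; pick one term consistently. Because this hint is displayed on a preboot screen before any user authentication, the text should say what the hint actually reveals about the account (for example whether the address is shown in full or partially masked), as that is what readers assessing the disclosure will want to know.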