configure article

Paolo Matarazzo
2023-10-10 11:49:17 -04:00
parent fd4863a5e2
commit 3255d98d36


@ -9,30 +9,31 @@ ms.date: 10/03/2023
To configure BitLocker, you can use one of the following options: To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is usually used for devices that are managed by a Mobile Device Management (MDM) solution, like Microsoft Intune - Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain or managed by Microsoft Configuration Manager. GPO can also be used for devices that are not joined to an Active Directory domain, using the local group policy editor - Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent
The following table describes the common options to configure BitLocker, depending on the devices' join type: The following table describes the options to configure BitLocker, depending on the devices' join type:
| Join type | Configuration option | | Join type | CSP | GPO | Configuration Manager |
|-|-| |-|-| - |-|
| *Microsoft Entra joined* | CSP | | *Microsoft Entra joined* | ✅ | ❌ | ❌ |
| *Microsoft Entra registered* | CSP | | *Microsoft Entra registered* | ✅ | ❌ | ❌ |
| *Microsoft Entra hybrid joined* | CSP if the devices are enrolled in a MDM solution, otherwise GPO | | *Microsoft Entra hybrid joined* | ✅ | ✅ | ✅ |
| *Active Directory joined devices* | GPO | | *Active Directory joined devices* | ❌ | ✅ | ✅ |
> [!NOTE] > [!NOTE]
> Windows Server doesn't support the configuration of BitLocker using CSP. Use GPO instead. > Windows Server doesn't support the configuration of BitLocker using CSP. Use GPO instead.
While many of the BitLocker policy settings can be configure using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the reference article [BitLocker policy settings](policy-settings.md). While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the reference article [BitLocker policy settings](policy-settings.md).
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)] [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Configure devices using CSP ## Configure devices using CSP
The configuration of devices using CSP is a good option for devices that are managed by a MDM solution, like Microsoft Intune. These are usually devices that are *Microsoft Entra joined*, *Microsoft Entra registered* or *Microsoft Entra hybrid joined*. The configuration of devices using CSP is a good option for devices that managed by an MDM solution, like Microsoft Intune. These are *Microsoft Entra joined*, *Microsoft Entra registered* or *Microsoft Entra hybrid joined* devices.
The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can leverage the BitLocker status in [compliance polices](/mem/intune/protect/device-compliance-get-started). Compliance policies can then be combined with [Conditional Access](/azure/active-directory/conditional-access/overview), which can prevent access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance polices](/mem/intune/protect/compliance-policy-create-windows#encryption), combining them with [Conditional Access](/azure/active-directory/conditional-access/overview). Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker.
> [!NOTE] > [!NOTE]
> For hardware that is compliant with Modern Standby and HSTI, [device encryption](device-encryption.md) is automatically turned on whenever a user Microsoft Entra joins a device. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery keys for self-service, if necessary. > For hardware that is compliant with Modern Standby and HSTI, [device encryption](device-encryption.md) is automatically turned on whenever a user Microsoft Entra joins a device. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery keys for self-service, if necessary.
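Review bot: the new right-hand text of the first paragraph under "## Configure devices using CSP" drops a verb: "devices that managed by an MDM solution" should read "devices that are managed by an MDM solution". In the next paragraph the pre-existing typo "compliance polices" survives on the new side as well; suggest "compliance policies". Separately, the old hybrid-joined table row ("CSP if the devices are enrolled in a MDM solution, otherwise GPO") carried guidance on which option applies when a device is both MDM-enrolled and domain-joined, and the new row (✅ in all three columns) loses it, while the reworded GPO bullet now says GPO is for devices that "aren't managed by a device management solution". Consider a sentence under the table stating which configuration source takes precedence for hybrid-joined devices so the bullet and the table agree.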
@ -41,10 +42,15 @@ To learn more about the Intune options to configure and monitor BitLocker, check
- [Manage BitLocker policy for Windows devices with Intune](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys) - [Manage BitLocker policy for Windows devices with Intune](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor) - [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor)
- [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)
## Configure devices using GPO ## Configure devices using GPO
Organizations that image their device using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE), and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, an organization could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md).
To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management](/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent).
> [!TIP]
> Organizations that image their device using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE), and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, an organization could also decide to use Configuration Manager to pre-set any desired [BitLocker policy settings](policy-settings.md).
### Configure and manage servers ### Configure and manage servers
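Review bot: the added "Deploy BitLocker management" paragraph and the new [!TIP] about pre-provisioning BitLocker from a Configuration Manager task sequence both sit under the "## Configure devices using GPO" heading, even though the table and bullet list in this same change now present Microsoft Configuration Manager as a third option distinct from GPO. Suggest giving that content its own subsection (for example "## Configure devices using Microsoft Configuration Manager") so the section structure matches the three-option model, and leaving the GPO section to describe GPO only. The new list item "Use compliance policies to set rules for devices you manage with Intune" reuses the `/mem/intune/protect/device-compliance-get-started` link that was removed from the CSP paragraph above, which looks intentional but is worth confirming.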
@ -57,3 +63,10 @@ If a server is being installed manually, such as a stand-alone server, then choo
Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](network-unlock.md). Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](network-unlock.md).
## Next steps
> [!div class="nextstepaction"]
> Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.
>
>
> [BitLocker operations guide >](operations-guide.md)
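Review bot: the new "## Next steps" block has two consecutive empty quote lines (`>` followed by `>`) between the sentence and the link inside the `[!div class="nextstepaction"]` container; one empty `>` line is enough to separate the paragraphs, and the duplicate renders as an extra blank paragraph in the call-to-action box. Suggest dropping one of them.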