Metadata/style update BitLocker 11

Frank Rojas
2022-11-14 21:12:06 -05:00
parent 379a3b3062
commit 3e29812b62
8 changed files with 151 additions and 124 deletions


@ -358,7 +358,7 @@ BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 t
![Customized BitLocker recovery screen.](./images/bl-password-hint2.png) ![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
> [!IMPORTANT] > [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account. > It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft account.
There are rules governing which hint is shown during the recovery (in the order of processing): There are rules governing which hint is shown during the recovery (in the order of processing):
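Review bot: the rewritten IMPORTANT callout introduces a grammar error: "It is not recommend to print recovery keys or saving them to a file" should read "It isn't recommended to print recovery keys or save them to a file" (parallel verbs after "to"). The rest of the callout and the hint-ordering sentence read fine.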


@ -17,19 +17,27 @@ ms.technology: itpro-security
# Breaking out of a BitLocker recovery loop # Breaking out of a BitLocker recovery loop
Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating. Sometimes, following a crash, the operating system might not be able to successful boot due to the recovery screen repeatedly prompting to enter a recovery key. This experience can be frustrating.
If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. If the correct BitLocker recovery key has been entered multiple times but are unable to continue past the initial recovery screen, follow these steps to break out of the loop:
> [!NOTE] > [!NOTE]
> Try these steps only after you have restarted your device at least once. > Try these steps only after the device has been restarted at least once.
1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**. 1. On the initial recovery screen, don't enter The recovery key. Instead, select **Skip this drive**.
2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. 2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**.
3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp <recovery password>` 3. From the WinRE command prompt, manually unlock the drive with the following command:
4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` ``` syntax
manage-bde.exe -unlock C: -rp <recovery password>
```
5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system. 4. Suspend the protection on the operating system with the following command:
``` syntax
manage-bde.exe -protectors -disable C:
```
5. Once the command is run, exit the command prompt and continue to boot into the operating system.
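Review bot: three wording slips in the rewritten intro and step 1: "might not be able to successful boot" should be "successfully boot"; "If the correct BitLocker recovery key has been entered multiple times but are unable to continue" has lost its subject, so use "...but it's still not possible to continue past the initial recovery screen"; and step 1 has a stray capital in "don't enter The recovery key". In step 4, "Suspend the protection on the operating system" should say "operating system drive", since `manage-bde.exe -protectors -disable C:` suspends the drive's protectors, not the OS. Splitting the two commands into their own ``` syntax blocks is an improvement.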


@ -37,17 +37,17 @@ sections:
- question: | - question: |
What is the best practice for using BitLocker on an operating system drive? What is the best practice for using BitLocker on an operating system drive?
answer: | answer: |
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer. The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
- question: | - question: |
What are the implications of using the sleep or hibernate power management options? What are the implications of using the sleep or hibernate power management options?
answer: | answer: |
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
- question: | - question: |
What are the advantages of a TPM? What are the advantages of a TPM?
answer: | answer: |
Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually are not as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming. Most operating systems use a shared memory space and rely on the operating system to manage physical memory. A TPM is a hardware component that uses its own internal firmware and logic circuits for processing instructions, thus shielding it from external software vulnerabilities. Attacking the TPM requires physical access to the computer. Additionally, the tools and skills necessary to attack hardware are often more expensive, and usually aren't as available as the ones used to attack software. And because each TPM is unique to the computer that contains it, attacking multiple TPM computers would be difficult and time-consuming.
> [!NOTE] > [!NOTE]
> Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks.
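Review bot: in the first answer, changing "cannot simply start the computer" to "can't start the computer" drops the hedge and turns a raised bar into an absolute guarantee; TPM plus PIN stops a casual power-on by someone with physical access, not every attack, so keep "can't simply start the computer". The other two answers read correctly, and "since unprotected data remains in RAM" fixes the original's garbled clause.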


@ -37,4 +37,4 @@ sections:
Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.


@ -45,12 +45,12 @@ sections:
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as: Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don't want to suspend BitLocker protection. - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
- Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation). - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
- You can check if BitLocker uses Secure Boot for integrity validation with manage-bde -protectors -get C: (and see if "Uses Secure Boot for integrity validation" is reported). - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
> [!NOTE] > [!NOTE]
> If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
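Review bot: the first bullet drops the clause explaining when a TPM firmware update clears the TPM ("if a known vulnerability has been discovered in the TPM firmware"), which is exactly the context an admin needs to decide whether to suspend; keep it, e.g. "Not every TPM firmware update clears the TPM; this typically happens when a known vulnerability has been discovered in the TPM firmware." The last bullet has a grammar error, "it will be report **Uses Secure Boot for integrity validation**" should be "it will report", and "BitLocker can be checked if it uses Secure Boot" reads better as "To check whether BitLocker uses Secure Boot for integrity validation, run `manage-bde.exe -protectors -get C:`."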


@ -32,96 +32,108 @@ Both manage-bde and the BitLocker cmdlets can be used to perform any task that c
Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console. Repair-bde is a special circumstance tool that is provided for disaster recovery scenarios in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
1. [Manage-bde](#bkmk-managebde) 1. [Manage-bde](#manage-bde)
2. [Repair-bde](#bkmk-repairbde) 2. [Repair-bde](#repair-bde)
3. [BitLocker cmdlets for Windows PowerShell](#bkmk-blcmdlets) 3. [BitLocker cmdlets for Windows PowerShell](#bitlocker-cmdlets-for-windows-powershell)
## <a href="" id="bkmk-managebde"></a>Manage-bde ## Manage-bde
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference. Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
### Using manage-bde with operating system volumes ### Using manage-bde with operating system volumes
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume. Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
```powershell ``` syntax
manage-bde -status manage-bde.exe -status
``` ```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
![Using manage-bde to check encryption status.](images/manage-bde-status.png) ![Using manage-bde to check encryption status.](images/manage-bde-status.png)
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
```powershell ``` syntax
manage-bde -protectors -add C: -startupkey E: manage-bde.exe -protectors -add C: -startupkey E:
manage-bde -on C: manage-bde.exe -on C:
``` ```
> [!NOTE] > [!NOTE]
> After the encryption is completed, the USB startup key must be inserted before the operating system can be started. > After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
```powershell ``` syntax
manage-bde -protectors -add C: -pw -sid <user or group> manage-bde.exe -protectors -add C: -pw -sid <user or group>
``` ```
This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker. The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.
On computers with a TPM, it's possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command: On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
```powershell ``` syntax
manage-bde -on C: manage-bde.exe -on C:
``` ```
This command encrypts the drive using the TPM as the default protector. If you aren't sure if a TPM protector is available, to list the protectors available for a volume, run the following command: The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
```powershell ``` syntax
manage-bde -protectors -get <volume> manage-bde.exe -protectors -get <volume>
``` ```
### Using manage-bde with data volumes ### Using manage-bde with data volumes
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde.exe -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume. Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. `manage-bde.exe -on <drive letter>`
```powershell or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
manage-bde -protectors -add -pw C:
manage-bde -on C: A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
``` syntax
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
``` ```
## <a href="" id="bkmk-repairbde"></a>Repair-bde ## Repair-bde
You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly. Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS. The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted with BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. This key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With this key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package will work only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
> [!TIP] > [!TIP]
> If you aren't backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde.exe -KeyPackage` to generate a key package for a volume. > If recovery information is not being backed up to AD DS or if key packages need to be saved in an alternative way, the command:
>
> `manage-bde.exe -KeyPackage`
>
> can be used to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system doesn't start or when you can't start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: The Repair-bde command-line tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde if the following conditions are true:
- You have encrypted the drive by using BitLocker Drive Encryption. - The drive has been encrypted using BitLocker Drive Encryption.
- Windows doesn't start, or you can't start the BitLocker recovery console.
- You don't have a copy of the data that is contained on the encrypted drive. - Windows doesn't start, or the BitLocker recovery console can't be started.
- There isn't a backup copy of the data that is contained on the encrypted drive.
> [!NOTE] > [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. > Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde: The following limitations exist for Repair-bde:
- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process. - The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)). For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
## <a href="" id="bkmk-blcmdlets"></a>BitLocker cmdlets for Windows PowerShell ## BitLocker cmdlets for Windows PowerShell
Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets. Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
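Review bot: the sentence after the `manage-bde.exe -on C:` example is broken: "If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command" should read "To verify that a TPM protector is available, list the protectors for the volume by running the following command". In the data-volumes section, the text that continues after the inline `manage-bde.exe -on <drive letter>` starts lowercase ("or additional protectors can be added to the volume first"); make it a full sentence such as "Alternatively, additional protectors can be added to the volume first." Two smaller points while this file is being rewritten: "BitLocker metadata data on the drive" in the Repair-bde paragraph is a pre-existing typo ("metadata"), and "it is recommended" in the NOTE is inconsistent with "it's recommended" used everywhere else in this change.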
@ -142,28 +154,29 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLockerVolume` cmdlet. A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet.
The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details. The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details.
> [!TIP] > [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. > Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors:
`Get-BitLockerVolume C: | fl` >
> `Get-BitLockerVolume C: | fl`
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
```powershell ``` powershell
$vol = Get-BitLockerVolume $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector $keyprotectors = $vol.KeyProtector
``` ```
By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector. By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector.
By using this information, you can then remove the key protector for a specific volume using the command: By using this information, the key protector for a specific volume can be removed using the command:
```powershell ``` powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}" Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
``` ```
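Review bot: the sample script `$vol = Get-BitLockerVolume` (no mount point) returns every BitLocker volume on the computer, and `$vol.KeyProtector` then flattens the protectors of all volumes into one list, so the GUIDs can't be tied back to the "specific volume" the following sentence refers to; either scope the call (`Get-BitLockerVolume C:`) or select `MountPoint` alongside `KeyProtector`. Minor: "the current state of the volume(s) ... Determining the current state of the volume(s) can be done" repeats itself, "This can be done using the `Get-BitLockerVolume` cmdlet" is enough, and the TIP could spell out `Format-List` instead of the `fl` alias for readers new to PowerShell.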
@ -172,17 +185,17 @@ Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes ### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell. Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
```powershell ``` powershell
Enable-BitLocker C: Enable-BitLocker C:
``` ```
In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
```powershell ``` powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
``` ```
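Review bot: two grammatical gaps survive the rewrite: "add the desired protector as part command for encrypting the volume" is missing "of the", and "In the example below, adds one additional protector, the StartupKey protector and chooses to skip" has no subject. Suggest "as part of the command for encrypting the volume" and "The example below adds one additional protector, the StartupKey protector, and skips the BitLocker hardware test." Since the text says the first example uses "only the TPM protector", consider making that explicit as `Enable-BitLocker C: -TpmProtector` so the command matches the sentence.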
@ -191,7 +204,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
SecureString value to store the user-defined password. SecureString value to store the user-defined password.
```powershell ``` powershell
$pw = Read-Host -AsSecureString $pw = Read-Host -AsSecureString
<user inputs password> <user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
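Review bot: `Enable-BitLockerKeyProtector` is not a cmdlet in the BitLocker module; the sentence says the example "adds a password protector", which is `Add-BitLockerKeyProtector E: -PasswordProtector -Password $pw` (the cmdlet this file uses later for the ADAccountOrGroup SID example), or `Enable-BitLocker E: -PasswordProtector -Password $pw` if the intent is to start encryption in the same step. The `<user inputs password>` line inside the fence is also not PowerShell and will fail if pasted; make it a comment, e.g. `# user enters the password at the prompt`.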
@ -199,14 +212,14 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
### Using an AD Account or Group protector in Windows PowerShell ### Using an AD Account or Group protector in Windows PowerShell
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster.
> [!WARNING] > [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes > The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell ``` powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
``` ```
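Review bot: the warning reads "requires the use of an additional protector for use (such as ...)" and has no terminal period; suggest "requires an additional protector (such as TPM, PIN, or recovery key) when used on operating system volumes." Since the paragraph above already states that the SID-based protector cannot unlock operating system volumes in the pre-boot environment, saying so in the warning would explain why the second protector is required.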
@ -215,7 +228,7 @@ For users who wish to use the SID for the account or group, the first step is to
> [!NOTE] > [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature. > Use of this command requires the RSAT-AD-PowerShell feature.
```powershell ``` powershell
get-aduser -filter {samaccountname -eq "administrator"} get-aduser -filter {samaccountname -eq "administrator"}
``` ```
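Review bot: the command is shown in lowercase with a script-block filter; the documented form is `Get-ADUser -Filter 'SamAccountName -eq "administrator"'` (the `-Filter` parameter is a string), which also matches the casing used for the BitLocker cmdlets elsewhere in this file. It would help the reader to add that the value needed for the next step is the `SID` property of the returned object, e.g. by piping to `Select-Object SID`.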
@ -224,14 +237,14 @@ get-aduser -filter {samaccountname -eq "administrator"}
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
```powershell ``` powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
``` ```
> [!NOTE] > [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. > Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
## More information ## Related articles
- [BitLocker overview](bitlocker-overview.md) - [BitLocker overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
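Review bot: the sample SID `S-1-5-21-3651336348-8937238915-291003330-500` is not a valid SID: each sub-authority is a 32-bit value (maximum 4294967295) and 8937238915 exceeds that, so the command as written would fail on a real system. Suggest an obviously placeholder form such as `S-1-5-21-<domain identifier>-500`, or a sample whose sub-authorities are in range. The heading rename to "Related articles" is fine; the other file in this commit spells it "Replated articles", so the two should be brought into line.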

View File

@ -1,6 +1,6 @@
--- ---
title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10) title: BitLocker Use BitLocker Recovery Password Viewer (Windows 10)
description: This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer.
ms.reviewer: ms.reviewer:
ms.prod: windows-client ms.prod: windows-client
ms.localizationpriority: medium ms.localizationpriority: medium
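Review bot: the title still says "(Windows 10)" while the applies-to list directly below in this same file includes Windows 11 and Windows Server 2016 and above; if the metadata pass is meant to drop version-specific wording, as the change from "topic" to "article" in the description suggests, the title should follow.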
@ -24,44 +24,50 @@ ms.technology: itpro-security
- Windows 11 - Windows 11
- Windows Server 2016 and above - Windows Server 2016 and above
This topic describes how to use the BitLocker Recovery Password Viewer. This article describes how to use the BitLocker Recovery Password Viewer.
The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS) be located and viewed. This tool can be used to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, a computer object's **Properties** dialog box can be examined to view the corresponding BitLocker recovery passwords.
## Before you start Additionally a domain container can be searched for BitLocker recovery password across all the domains in the Active Directory forest via a right-click. Passwords can also be searched by password identifier (ID).
To complete the procedures in this scenario: ## Before starting
- You must have domain administrator credentials. To complete the procedures in this scenario, the following requirements must be met:
- Your test computers must be joined to the domain.
- Domain administrator credentials.
- Test computers must be joined to the domain.
- On the domain-joined test computers, BitLocker must have been turned on. - On the domain-joined test computers, BitLocker must have been turned on.
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
**To view the recovery passwords for a computer** ### To view the recovery passwords for a computer
1. In **Active Directory Users and Computers**, locate and then click the container in which the computer is located. 1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located.
2. Right-click the computer object, and then click **Properties**.
3. In the **Properties** dialog box, click the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
**To copy the recovery passwords for a computer** 2. Right-click the computer object, and then select **Properties**.
3. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer.
### To copy the recovery passwords for a computer
1. Follow the steps in the previous procedure to view the BitLocker recovery passwords. 1. Follow the steps in the previous procedure to view the BitLocker recovery passwords.
2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that you want to copy, and then click **Copy Details**.
2. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**.
3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet. 3. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet.
**To locate a recovery password by using a password ID** ### To locate a recovery password by using a password ID
1. In Active Directory Users and Computers, right-click the domain container, and then click **Find BitLocker Recovery Password**. 1. In Active Directory Users and Computers, right-click the domain container, and then select **Find BitLocker Recovery Password**.
2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then click **Search**.
By completing the procedures in this scenario, you have viewed and copied the recovery passwords for a computer and used a password ID to locate a recovery password.
## More information 2. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and then select **Search**.
By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
## Replated articles
- [BitLocker Overview](bitlocker-overview.md) - [BitLocker Overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md) - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
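Review bot: "Replated articles" is a typo for "Related articles" (the heading the other file in this commit uses). Also, "a domain container can be searched for BitLocker recovery password across all the domains" drops the article: "for a BitLocker recovery password". The passive rewrite of the requirements list also leaves "Domain administrator credentials." as a bare item that no longer says who needs them; "The user must have domain administrator credentials." keeps the requirement clear.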

View File

@ -1,7 +1,7 @@
### YamlMime:FAQ ### YamlMime:FAQ
metadata: metadata:
title: Using BitLocker with other programs FAQ (Windows 10) title: Using BitLocker with other programs FAQ (Windows 10)
description: Learn how to integrate BitLocker with other software on your device. description: Learn how to integrate BitLocker with other software on a device.
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer: ms.reviewer:
ms.prod: m365-security ms.prod: m365-security
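Review bot: `ms.prod: m365-security` here differs from `ms.prod: windows-client` in the other file touched by this commit; since the commit is a metadata update, confirm which value is intended and make the set consistent.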
@ -31,12 +31,12 @@ sections:
- question: | - question: |
Can I use EFS with BitLocker? Can I use EFS with BitLocker?
answer: | answer: |
Yes, you can use Encrypting File System (EFS) to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. You can also use EFS in Windows to encrypt files on other drives that are not encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker. Yes, Encrypting File System (EFS) can be used to encrypt files on a BitLocker-protected drive. BitLocker helps protect the entire operating system drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker. The root secrets of EFS are stored by default on the operating system drive; therefore, if BitLocker is enabled for the operating system drive, data that is encrypted by EFS on other drives is also indirectly protected by BitLocker.
- question: | - question: |
Can I run a kernel debugger with BitLocker? Can I run a kernel debugger with BitLocker?
answer: | answer: |
Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If you need to turn debugging on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting your computer into recovery mode. Yes. However, the debugger should be turned on before enabling BitLocker. Turning on the debugger ensures that the correct measurements are calculated when sealing to the TPM, allowing the computer to start properly. If debugging needs to be turned on or off when using BitLocker, be sure to suspend BitLocker first to avoid putting the computer into recovery mode.
- question: | - question: |
How does BitLocker handle memory dumps? How does BitLocker handle memory dumps?
@ -46,50 +46,50 @@ sections:
- question: | - question: |
Can BitLocker support smart cards for pre-boot authentication? Can BitLocker support smart cards for pre-boot authentication?
answer: | answer: |
BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. BitLocker doesn't support smart cards for pre-boot authentication. There's no single industry standard for smart card support in the firmware, and most computers either don't implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
- question: | - question: |
Can I use a non-Microsoft TPM driver? Can I use a non-Microsoft TPM driver?
answer: | answer: |
Microsoft does not support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM is not present on the computer and not allow the TPM to be used with BitLocker. Microsoft doesn't support non-Microsoft TPM drivers and strongly recommends against using them with BitLocker. Attempting to use a non-Microsoft TPM driver with BitLocker may cause BitLocker to report that a TPM isn't present on the computer and not allow the TPM to be used with BitLocker.
- question: | - question: |
Can other tools that manage or modify the master boot record work with BitLocker? Can other tools that manage or modify the master boot record work with BitLocker?
answer: | answer: |
We do not recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for a number of security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally, as well as complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely. We don't recommend modifying the master boot record on computers whose operating system drives are BitLocker-protected for several security, reliability, and product support reasons. Changes to the master boot record (MBR) could change the security environment and prevent the computer from starting normally and complicate any efforts to recover from a corrupted MBR. Changes made to the MBR by anything other than Windows might force the computer into recovery mode or prevent it from booting entirely.
- question: | - question: |
Why is the system check failing when I am encrypting my operating system drive? Why is the system check failing when I'm encrypting my operating system drive?
answer: | answer: |
The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware cannot read USB flash drives. - The computer's BIOS or UEFI firmware can't read USB flash drives.
- The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled. - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer. - There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly. - The PIN wasn't entered correctly.
- The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment. - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting. - The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys. - The TPM has malfunctioned and fails to unseal the keys.
- question: | - question: |
What can I do if the recovery key on my USB flash drive cannot be read? What can I do if the recovery key on my USB flash drive can't be read?
answer: | answer: |
Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system. Some computers can't read USB flash drives in the pre-boot environment. First, check the BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it isn't enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings, and then try to read the recovery key from the USB flash drive again. If the USB flash drive still can't be read, the hard drive will need to be mounted as a data drive on another computer so that there's an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, a recovery password may need to be supplied or use the recovery information that was backed up to AD DS. Also, if the recovery key is being used in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
- question: | - question: |
Why am I unable to save my recovery key to my USB flash drive? Why am I unable to save my recovery key to my USB flash drive?
answer: | answer: |
The **Save to USB** option is not shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys. The **Save to USB** option isn't shown by default for removable drives. If the option is unavailable, it means that a system administrator has disallowed the use of recovery keys.
- question: | - question: |
Why am I unable to automatically unlock my drive? Why am I unable to automatically unlock my drive?
answer: | answer: |
Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If a computer is being used that doesn't have a BitLocker-protected operating system drive, then the fixed drive can't be automatically unlocked. For removable data drives, automatic unlocking can be added by right-clicking the drive in Windows Explorer and selecting **Manage BitLocker**. Password or smart card credentials that were supplied when BitLocker was turned on can still be used to unlock the removable drive on other computers.
- question: | - question: |
Can I use BitLocker in Safe Mode? Can I use BitLocker in Safe Mode?
answer: | answer: |
Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer is not available in Safe Mode. Limited BitLocker functionality is available in Safe Mode. BitLocker-protected drives can be unlocked and decrypted by using the **BitLocker Drive Encryption** Control Panel item. Right-clicking to access BitLocker options from Windows Explorer isn't available in Safe Mode.
- question: | - question: |
How do I "lock" a data drive? How do I "lock" a data drive?
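Review bot: "uEFI firmware" in the second bullet is inconsistent with "UEFI" in the bullet above it and in the rest of the answer; use "UEFI". In the USB flash drive answer, "a recovery password may need to be supplied or use the recovery information that was backed up to AD DS" is not parallel after the passive rewrite; suggest "a recovery password may need to be supplied, or the recovery information that was backed up to AD DS used instead".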
@ -110,18 +110,18 @@ sections:
- question: | - question: |
Can I use BitLocker with the Volume Shadow Copy Service? Can I use BitLocker with the Volume Shadow Copy Service?
answer: | answer: |
Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If you are using a hardware encrypted drive, the shadow copies are retained. Yes. However, shadow copies made prior to enabling BitLocker will be automatically deleted when BitLocker is enabled on software-encrypted drives. If a hardware encrypted drive is being used, the shadow copies are retained.
- question: | - question: |
Does BitLocker support virtual hard disks (VHDs)? Does BitLocker support virtual hard disks (VHDs)?
answer: | answer: |
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it is supported. - With TPM: Yes, it's supported.
- Without TPM: Yes, it is supported (with password protector). - Without TPM: Yes, it's supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
- question: | - question: |
Can I use BitLocker with virtual machines (VMs)? Can I use BitLocker with virtual machines (VMs)?
answer: | answer: |
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. You can enable encryption either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or logon script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Azure AD-joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
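Review bot: "logon script" should not be reworded to "sign-in script" in the VM answer: it refers to the Group Policy feature, whose settings are named Scripts (Logon/Logoff), so changing the term breaks the link to the UI the reader has to find; keep "logon script" as a product term and apply the "sign-in" wording only to general prose. In the VHD answer, "BitLocker should work like any specific physical machine within its hardware limitations" is unclear; "BitLocker should work on a VHD as it does on a physical machine, within the hardware's limitations" reads better.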