This commit is contained in:
Paolo Matarazzo
2023-10-02 11:13:57 -04:00
parent 76f92579d1
commit 4aef7ec18d
8 changed files with 66 additions and 95 deletions

View File

@ -1,49 +1,42 @@
--- ---
title: BitLocker deployment comparison title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart. description: Learn about the differences between Microsoft Intune and Microsoft Configuration Manager when managing BitLocker.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/08/2022 ms.date: 10/02/2023
--- ---
# BitLocker deployment comparison # BitLocker deployment comparison
This article depicts the BitLocker deployment comparison chart. This article compares the BitLocker management options between Microsoft Intune and Microsoft Configuration Manager.
## BitLocker deployment comparison chart | Requirements | Microsoft Intune | Microsoft Configuration Manager |
|--|--|--|
| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) | | *Supported Windows client editions* | Pro, Enterprise, Pro Education, Education | Pro, Enterprise, Pro Education, Education |
|--|--|--|--| | *Windows server support* | | ✅ |
| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 | | *Supported domain-joined status* | Microsoft Entra joined and hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined |
| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | | *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom |
| *Minimum Windows version* | 1909 | None | None | | *Cloud or on premises* | Cloud | On premises |
| *Supported domain-joined status* | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory-joined, hybrid Azure AD joined | Active Directory-joined | | *Additional agent required?* | No (device enrollment only) | Configuration Manager client |
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access | | *Administrative plane* | Microsoft Intune admin center | Configuration Manager console |
| *Cloud or on premises* | Cloud | On premises | On premises | | *Compliance reporting capabilities* | ✅ | ✅ |
| Server components required? | | ✅ | ✅ | | *Force encryption* | ✅ | ✅ |
| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client | | *Allow recovery password* | ✅ | ✅ |
| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites | | *Manage startup authentication* | ✅ | ✅ |
| *Administrative portal installation required* | | ✅ | ✅ | | *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ |
| *Compliance reporting capabilities* | ✅ | ✅ | ✅ | | *Select cipher strength and algorithms for removable drives* | ✅ | ✅ |
| *Force encryption* | ✅ | ✅ | ✅ | | *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ |
| *Encryption for storage cards (mobile)* | ✅ | ✅ | | | *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database |
| *Allow recovery password* | ✅ | ✅ | ✅ | | *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Both | Active Directory only |
| *Manage startup authentication* | ✅ | ✅ | ✅ | | *Customize preboot message and recovery link* | ✅ | ✅ |
| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ | | *Allow/deny key file creation* | ✅ | ✅ |
| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ | | *Deny Write permission to unprotected drives* | ✅ | ✅ |
| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ | | *Can be administered outside company network* | ✅ | ✅ |
| *Standard recovery password storage location* | Azure AD or Active Directory | Configuration Manager site database | MBAM database | | *Support for organization unique IDs* | ✅ | ✅ |
| *Store recovery password for operating system and fixed drives to Azure AD or Active Directory* | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) | | *Self-service recovery* | ✅ | ✅ |
| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ | | *Recovery password rotation for fixed and operating environment drives* | ✅ | ✅ |
| *Allow/deny key file creation* | ✅ | ✅ | ✅ | | *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | |
| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ | | *Wait to complete encryption until recovery information is backed up to Active Directory* | ✅ | ✅ |
| *Can be administered outside company network* | ✅ | ✅ | | | *Allow or deny Data Recovery Agent* | ✅ | |
| *Support for organization unique IDs* | | ✅ | ✅ | | *Unlock a volume using certificate with custom object identifier* | | ✅ |
| *Self-service recovery* | Yes (through Azure AD or Company Portal app) | ✅ | ✅ | | *Prevent memory overwrite on restart* | ✅ | ✅ |
| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ | | *Manage auto-unlock functionality* | ✅ | ✅ |
| *Wait to complete encryption until recovery information is backed up to Azure AD* | ✅ | | |
| *Wait to complete encryption until recovery information is backed up to Active Directory* | | ✅ | ✅ |
| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
| *Unlock a volume using certificate with custom object identifier* | | ✅ | ✅ |
| *Prevent memory overwrite on restart* | | ✅ | ✅ |
| *Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | ✅ |
| *Manage auto-unlock functionality* | | ✅ | ✅ |
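Review bot: several capability cells change value in this hunk without any explanation in the commit, and they alter what the page claims each product can do: *Allow or deny Data Recovery Agent* goes from ✅ to blank for Configuration Manager, while *Wait to complete encryption until recovery information is backed up to Active Directory*, *Prevent memory overwrite on restart* and *Support for organization unique IDs* go from blank to ✅ for Intune. Please confirm each of these is a deliberate correction and not a column shift introduced while removing the MBAM column. Two rows also lose qualifiers that readers relied on: *Self-service recovery* drops "through Azure AD or Company Portal app" and *Recovery password rotation* drops the "Windows 10, version 1909 and later" minimum; if the minimum still applies, keep it in the cell (the *Minimum Windows version* row that used to carry "1909" is gone too). Minor: the *Supported domain-joined status* cells use "and" in one column and a comma in the other; pick one separator.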

View File

@ -4,29 +4,25 @@ description: Learn how to recover BitLocker keys from Microsoft Entra ID and Act
ms.collection: ms.collection:
- highpri - highpri
- tier1 - tier1
ms.topic: howto ms.topic: how-to
ms.date: 09/29/2023 ms.date: 09/29/2023
--- ---
# BitLocker recovery guide # BitLocker recovery guide
Organizations can use BitLocker recovery information saved in Microsoft Entra ID and Active Directory Domain Services (AD DS) to access BitLocker-protected drives. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS). This article describes how to recover BitLocker keys from Microsoft Entra ID and Active Directory Domain Services (AD DS).
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment. This article assumes that it's understood how to configure devices to automatically backup BitLocker recovery information, and what types of recovery information are saved to Microsoft Entra ID and AD DS.
This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
## What is BitLocker recovery? ## What is BitLocker recovery?
BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available: BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain. - **The user can supply the recovery password**: if the organization allows users to print or store recovery passwords, the users can enter the 48-digit recovery password
- **Data recovery agents can use their credentials to unlock the drive:** if the drive is an operating system drive, the drive must be mounted as a data drive on another device for the data recovery agent to unlock it
- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it. - **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive:** storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method requires to enable the recovery method **Choose how BitLocker-protected operating system drives can be recovered**. For more information, review [BitLocker policy settings](policy-settings.md).
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker policy settings](policy-settings.md).
### What causes BitLocker recovery? ### What causes BitLocker recovery?
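Review bot: the rewritten first bullet now ends at "the users can enter the 48-digit recovery password" and silently drops the old restriction that saving a recovery password to a Microsoft account is only allowed on a PC that isn't a member of a domain. That is a substantive statement about where recovery passwords may be stored; either keep it or note in the commit why it was removed. The three bullets are also formatted inconsistently: the first puts the colon outside the bold (`**...**:`), the second and third inside (`**...:**`); use one form. In the third bullet, "This method requires to enable the recovery method" is ungrammatical; suggest "This method requires enabling the **Choose how BitLocker-protected operating system drives can be recovered** policy setting."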

View File

@ -1,26 +1,17 @@
--- ---
title: BitLocker countermeasures title: BitLocker countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key. description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/08/2022 ms.date: 10/02/2023
--- ---
# BitLocker countermeasures # BitLocker countermeasures
Windows uses technologies including *trusted platform module (TPM)*, *Secure Boot*, and *Measured Boot* to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen device is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the device or by transferring the device's hard disk to a different device. Windows uses hardware solutions and security features that protect BitLocker encryption keys against attacks. These technologies include *Trusted Platform Module (TPM)*, *Secure Boot*, and *Measured Boot*.
BitLocker helps mitigate unauthorized data access on lost or stolen devices before the authorized operating system is started. This mitigation is done by:
- **Encrypting volumes.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive, or removable data drive (such as a USB flash drive, SD card, etc.). Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
## Protection before startup ## Protection before startup
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. These features help ensure that the device hasn't been tampered with while the system was offline. The following sections provide more details about how Windows uses these features to protect against attacks on the BitLocker encryption keys. Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. These features ensure that the device hasn't been tampered with while the system was offline.
### Trusted Platform Module ### Trusted Platform Module
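Review bot: in the *Protection before startup* paragraph the change from "These features help ensure that the device hasn't been tampered with" to "These features ensure that the device hasn't been tampered with" is an overstatement; TPM measurements and Secure Boot detect and gate on tampering, they do not guarantee its absence, so "help ensure" (or "are used to detect tampering") should stay. The removed bullet on early-boot integrity was the only text on this page that explained what BitLocker actually ties the key to (firmware code and configuration, boot sequence, boot components, BCD settings, the original computer, and the PCR[7] allowance for safe BCD changes); if that detail now lives elsewhere, link to it from the new intro, otherwise keep a condensed version here. The dropped link to *Standards for a highly secure Windows device* is still useful context for the hardware features this article relies on and could be kept.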
@ -59,33 +50,15 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. - **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN must be entered when a device reboots or resumes from hibernation.
To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports ### Protect DMA ports
There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. It's important to protect DMA ports, as external peripherals may gain unauthorized access to memory. Depending on the device capabilities, there are different options to protect DMA ports. To learn more, see the policy setting [Disable new DMA devices when this computer is locked](policy-settings.md?tabs=common#disable-new-dma-devices-when-this-computer-is-locked).
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
![Kernel DMA protection.](images/kernel-dma-protection.png)
If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): [Disable new DMA devices when this computer is locked](policy-settings.md)
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
## Attack countermeasures ## Attack countermeasures
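Review bot: the new *Protect DMA ports* paragraph points readers only to the *Disable new DMA devices when this computer is locked* policy, yet the note added to that very policy in this same commit says the policy is not compatible with Kernel DMA Protection and recommends disabling it where Kernel DMA Protection is supported. Readers on modern devices are therefore sent to a control they are elsewhere told not to use. Suggest the paragraph also link the Kernel DMA Protection article and keep the verification step that was removed (checking Kernel DMA Protection status in `MSINFO32.exe`), so that admins can tell which of the "different options" applies to their hardware. The removed guidance for Thunderbolt v1/v2 and SBP-2/1394 (the KB 2516445 links) covered hardware that has no kernel protection; if it is intentionally out of scope now, say so in the commit. Minor: "Pre-boot authentication-prompts" keeps a stray hyphen in the unchanged context and could be fixed while this section is being touched.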

View File

@ -15,6 +15,9 @@ Devices that were already enumerated when the device was unlocked will continue
This policy setting is only enforced when BitLocker or device encryption is enabled. This policy setting is only enforced when BitLocker or device encryption is enabled.
> [!IMPORTANT]
> This policy is not compatible with *Kernel DMA Protection*. It's recommended to disable this policy if the system supports Kernel DMA Protection, as Kernel DMA Protection provides higher security for the system. For more information about Kernel DMA Protection, see [Kernel DMA Protection](../../../../hardware-security/kernel-dma-protection-for-thunderbolt.md).
| | Path | | | Path |
|--|--| |--|--|
| **CSP** | Not available | | **CSP** | Not available |
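Review bot: the added IMPORTANT note says the policy "is not compatible with *Kernel DMA Protection*" but doesn't say what that means in practice, for example whether the policy is ignored, whether it blocks devices that Kernel DMA Protection would otherwise have allowed, or whether it weakens protection; administrators need that to decide, so please state the actual interaction. It also doesn't tell readers how to check whether a system supports Kernel DMA Protection, which the countermeasures article in this same commit used to cover via `MSINFO32.exe`; a one-line pointer here would help. Style: the page uses contractions elsewhere ("isn't", "hasn't"), so "is not compatible" should be "isn't compatible". Finally, the relative link `../../../../hardware-security/kernel-dma-protection-for-thunderbolt.md` climbs four levels; confirm it resolves from this file's location in the build.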

View File

@ -13,32 +13,38 @@ ms.date: 09/25/2023
BitLocker is a Windows security feature that provides encryption for entire volumes.\ BitLocker is a Windows security feature that provides encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
## Practical applications
Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
## BitLocker and TPM
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. However, this implementation requires the user to insert a USB key to start the device or when resuming from hibernation. A password can also be used to protect the OS volume on a device without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM. On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. However, this implementation requires the user to insert a USB key to start the device or when resuming from hibernation. A password can also be used to protect the OS volume on a device without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the device won't start or resume from hibernation until the correct PIN or startup key is presented. In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the device won't start or resume from hibernation until the correct PIN or startup key is presented.
## Practical applications
Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
## System requirements ## System requirements
BitLocker has the following hardware requirements: BitLocker has the following requirements:
- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker - For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware - A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, including reading small files on a USB drive in the pre-operating system environment - The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, including reading small files on a USB drive in the pre-operating system environment
> [!NOTE] > [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature. > TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
> >
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI. > Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
- The hard disk must be partitioned with at least two drives: - The hard disk must be partitioned with at least two drives:
- The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system - The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
- The *system drive* contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space - The *system drive* contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
- must not be encrypted
- must differ from the operating system drive
- must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware
- it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
> [!IMPORTANT] > [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker. > When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
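Review bot: the new sub-list under *The system drive* mixes hard requirements with a recommendation and the last item is ungrammatical: "it's recommended that to be approximately 350 MB in size". Suggest making the items parallel, for example "- must not be encrypted", "- must differ from the operating system drive", "- must be formatted with FAT32 on UEFI-based firmware or NTFS on BIOS firmware", and move the sizing to its own sentence after the list: "It's recommended that the system drive be approximately 350 MB in size; after BitLocker is turned on, it should have approximately 250 MB of free space." The `> [!NOTE]` block still sits between the third and fourth top-level bullets, which splits the requirements list into two; place it after the last bullet. In the note, "Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI" is hard to parse; suggest "An operating system installed in Legacy BIOS mode won't boot after the BIOS mode is changed to UEFI."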