diff --git a/includes/licensing/_edition-requirements.md b/includes/licensing/_edition-requirements.md index 207141f3e5..9fb8926776 100644 --- a/includes/licensing/_edition-requirements.md +++ b/includes/licensing/_edition-requirements.md @@ -13,7 +13,8 @@ ms.topic: include |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes| |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes| -|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes| +|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes| +|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes| |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md index a27829cbab..7f4033aa4b 100644 --- a/includes/licensing/_licensing-requirements.md +++ b/includes/licensing/_licensing-requirements.md @@ -13,7 +13,8 @@ ms.topic: include |**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes| |**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes| |**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes| -|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes| +|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|❌|Yes|Yes|Yes|Yes| |**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes| |**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes| |**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes| diff --git a/includes/licensing/bitlocker.md b/includes/licensing/bitlocker-enablement.md similarity index 86% rename from includes/licensing/bitlocker.md rename to includes/licensing/bitlocker-enablement.md index cf1f80b079..4f0645fe52 100644 --- a/includes/licensing/bitlocker.md +++ b/includes/licensing/bitlocker-enablement.md @@ -7,13 +7,13 @@ ms.topic: include ## Windows edition and licensing requirements -The following table lists the Windows editions that support BitLocker: +The following table lists the Windows editions that support BitLocker enablement: |Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| |:---:|:---:|:---:|:---:| |Yes|Yes|Yes|Yes| -BitLocker license entitlements are granted by the following licenses: +BitLocker enablement license entitlements are granted by the following licenses: |Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| |:---:|:---:|:---:|:---:|:---:| diff --git a/includes/licensing/bitlocker-management.md b/includes/licensing/bitlocker-management.md new file mode 100644 index 0000000000..ec1d957938 --- /dev/null +++ b/includes/licensing/bitlocker-management.md @@ -0,0 +1,22 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 05/04/2023 +ms.topic: include +--- + +## Windows edition and licensing requirements + +The following table lists the Windows editions that support BitLocker management: + +|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education| +|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes| + +BitLocker management license entitlements are granted by the following licenses: + +|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5| +|:---:|:---:|:---:|:---:|:---:| +|Yes|Yes|Yes|Yes|Yes| + +For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing). diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 93dc998a8a..8f46db3e99 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -1,6 +1,6 @@ --- -title: BitLocker Management Recommendations for Enterprises (Windows 10) -description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers. +title: BitLocker management +description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers. ms.prod: windows-client ms.localizationpriority: medium author: frankroj @@ -12,12 +12,14 @@ ms.custom: bitlocker ms.technology: itpro-security --- -# BitLocker management for enterprises +# BitLocker management The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. +[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)] + ## Managing domain-joined computers and moving to cloud Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md). @@ -35,11 +37,6 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. -> [!NOTE] -> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users: -> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). -> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). - ## Managing workplace-joined PCs and phones For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index d6c02185e3..9f04e173a3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -48,11 +48,7 @@ There are two additional tools in the Remote Server Administration Tools that ca - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console. -## New and changed functionality - -To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker). - -[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker.md)] +[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)] ## System requirements diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml index 56500215a0..89647a44e4 100644 --- a/windows/security/operating-system-security/data-protection/toc.yml +++ b/windows/security/operating-system-security/data-protection/toc.yml @@ -35,7 +35,7 @@ items: href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md - name: Deploy BitLocker on Windows Server 2012 and later href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md - - name: BitLocker management for enterprises + - name: BitLocker management href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md - name: Enable Network Unlock with BitLocker href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md diff --git a/windows/whats-new/windows-licensing.md b/windows/whats-new/windows-licensing.md index 212d022557..1af9776fe0 100644 --- a/windows/whats-new/windows-licensing.md +++ b/windows/whats-new/windows-licensing.md @@ -199,7 +199,7 @@ To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Win [MEM-3]: /mem/intune/protect/windows-update-compatibility-reports [UP-1]: /universal-print/ [WIN-1]: /windows/security/identity-protection/credential-guard/credential-guard -[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-overview +[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises [WIN-3]: /windows/security/information-protection/personal-data-encryption/overview-pde [WIN-4]: /windows/client-management/mdm/policy-csp-experience [WIN-5]: /windows/deployment/windows-10-subscription-activation