moved links to bottom of articles

This commit is contained in:
Paolo Matarazzo
2023-11-06 18:00:53 -05:00
parent 6d0673425d
commit 85f0d4d55b
6 changed files with 80 additions and 27 deletions

@ -9,14 +9,14 @@ ms.date: 10/30/2023
To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance polices](/mem/intune/protect/compliance-policy-create-windows#encryption), combining them with [Conditional Access](/azure/active-directory/conditional-access/overview). Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance polices][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- [Manage BitLocker policy for Windows devices with Intune](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor)
- [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)
- [Manage BitLocker policy for Windows devices with Intune][INT-2]
- [Monitor device encryption with Intune][INT-3]
- [Use compliance policies to set rules for devices you manage with Intune][INT-4]
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management](/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent)
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1]
> [!NOTE]
> Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
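Review bot: the link text "compliance polices" on the replaced CSP bullet carries a typo into the new line; while this line is being rewritten, change it to "compliance policies". Also, the Conditional Access target moves from `/azure/active-directory/conditional-access/overview` to `/entra/identity/conditional-access/overview` via `[ENTRA-1]`, which is a retarget rather than a pure link move and deserves a mention in the commit message so reviewers can confirm the new path resolves.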
@ -169,7 +169,7 @@ Servers are often deployed, configured, and managed using PowerShell. The recomm
BitLocker is an optional component in Windows Server. Follow the directions in [Install BitLocker on Windows Server](install-server.md) to add the BitLocker optional component.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If a server is installed manually, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core][WIN-2] installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images][ARC-1] and [How to update local source media to add roles and features][ARC-2]. If a server is installed manually, then choosing [Server with Desktop Experience][WIN-3] is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [Network Unlock](network-unlock.md).
@ -180,3 +180,17 @@ The Minimal Server Interface is a prerequisite for some of the BitLocker adminis
>
>
> [BitLocker operations guide >](operations-guide.md)
<!--links-->
[ARC-1]: /archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images
[ARC-2]: /archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features
[ENTRA-1]: /entra/identity/conditional-access/overview
[INT-1]: /mem/intune/protect/compliance-policy-create-windows#encryption
[INT-2]: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys
[INT-3]: /mem/intune/protect/encryption-monitor
[INT-4]: /mem/intune/protect/device-compliance-get-started
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent
[WIN-1]: /windows/client-management/mdm/bitlocker-csp
[WIN-2]: /windows-server/get-started/getting-started-with-server-core/
[WIN-3]: /windows-server/get-started/getting-started-with-server-with-desktop-experience/

@ -13,7 +13,7 @@ Windows uses hardware solutions and security features that protect BitLocker enc
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot:
- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module][WIN-1]
- *Unified Extensible Firmware Interface (UEFI)* is a programmable boot environment that initializes devices and starts the operating system's bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md)
- *Secure Boot* blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key
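Review bot: only the TPM link on the first bullet is converted to the `[WIN-1]` reference, while the Secure Boot link on the UEFI bullet keeps its inline relative path (`../../system-security/secure-the-windows-10-boot-process.md`). If the intended convention is "docset-relative links inline, cross-docset links at the bottom", a short note in the PR description would make that explicit so future edits stay consistent.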
@ -37,7 +37,7 @@ On devices with a compatible TPM, operating system drives that are BitLocker-pro
- **TPM-only**: this option doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. The user must then enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor
- **TPM with startup key**: in addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a *startup key*. Data on the encrypted volume can't be accessed without the startup key
- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN
- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection][WIN-2] that is designed to prevent brute force attacks that attempt to determine the PIN
- **TPM with startup key and PIN**: in addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the PIN is also required
Preboot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Preboot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
@ -63,7 +63,7 @@ A physically present attacker might attempt to install a bootkit or rootkit-like
> [!NOTE]
> BitLocker protects against this attack by default.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device][WIN-3].
### Brute force attacks against a PIN
@ -144,3 +144,9 @@ For secure administrative workstations, it's recommended to:
> Learn how to plan for a BitLocker deployment in your organization:
>
> [BitLocker planning guide >](planning-guide.md)
<!--links-->
[WIN-1]: /windows/device-security/tpm/trusted-platform-module-overview
[WIN-2]: /windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering
[WIN-3]: /windows-hardware/design/device-experiences/oem-highly-secure

@ -63,7 +63,7 @@ BitLocker has the following requirements:
> [!NOTE]
> TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the *secure boot* feature.
>
> Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
> Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`][WIN-1] before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
- The hard disk must be partitioned with at least two drives:
- The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
@ -76,7 +76,7 @@ BitLocker has the following requirements:
> [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
>
> If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. `BdeHdCfg.exe` can create the volume. For more information about using the tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
> If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. `BdeHdCfg.exe` can create the volume. For more information about using the tool, see [Bdehdcfg][WIN-2] in the Command-Line Reference.
> [!NOTE]
> When installing the BitLocker optional component on a server, the *Enhanced Storage* feature must be installed. The feature is used to support hardware encrypted drives.
@ -88,7 +88,7 @@ BitLocker has the following requirements:
## Device encryption
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
> [!IMPORTANT]
> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
@ -133,7 +133,7 @@ It's recommended to keep device encryption on for any systems that support it. H
|-|-|-|-|
| `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`| `PreventDeviceEncryption`|REG_DWORD|0x1|
For more information about device encryption, see [BitLocker device encryption hardware requirements](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption).
For more information about device encryption, see [BitLocker device encryption hardware requirements][WIN-4].
## Next steps
@ -142,3 +142,10 @@ For more information about device encryption, see [BitLocker device encryption h
>
>
> [BitLocker countermeasures >](countermeasures.md)
<!--links-->
[WIN-1]: /windows/deployment/mbr-to-gpt
[WIN-2]: /windows-server/administration/windows-commands/bdehdcfg
[WIN-3]: /windows-hardware/design/device-experiences/modern-standby
[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption

@ -22,13 +22,13 @@ This article describes the BitLocker management tools and how to use them, provi
## BitLocker PowerShell module
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article](/powershell/module/bitlocker).
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article][PS-1].
## BitLocker drive encryption tools
The BitLocker drive encryption tools include the two command-line tools:
- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the `manage-bde.exe` options, see the [Manage-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11))
- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the `manage-bde.exe` options, see the [Manage-bde reference][PREV-1]
- *Repair Tool* (`repair-bde.exe`) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console
## BitLocker Control Panel applet
@ -611,3 +611,8 @@ BitLocker decryption using the Control Panel is done using a wizard. After openi
Once decryption is complete, the drive updates its status in the Control Panel and becomes available for encryption.
---
<!--links-->
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)
[PS-1]: /powershell/module/bitlocker

@ -103,7 +103,7 @@ For a TPM to be usable by BitLocker, it must contain an endorsement key, which i
An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before you can take TPM ownership.
For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (<https://go.microsoft.com/fwlink/p/?linkid=69584>).
For more information about the TPM and the TCG, see the Trusted Computing Group: [Trusted Platform Module (TPM) Specifications][FWD-1].
## Non-TPM hardware configurations
@ -193,7 +193,7 @@ Organizations should carefully plan a BitLocker recovery strategy as part of the
## Monitor BitLocker
Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor) and [View BitLocker reports in Configuration Manager](/mem/configmgr/protect/deploy-use/bitlocker/view-reports).
Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune][INT-1] and [View BitLocker reports in Configuration Manager][MCM-1].
## Next steps
@ -208,3 +208,9 @@ Organizations can use Microsoft Intune or Configuration Manager to monitor devic
>
>
> [Configure BitLocker >](configure.md)
<!--links-->
[FWD-1]: https://go.microsoft.com/fwlink/p/?linkid=69584
[INT-1]: /mem/intune/protect/encryption-monitor
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/view-reports

@ -34,7 +34,7 @@ A recovery key can't be stored in any of the following locations:
If BitLocker recovery keys are stored in Microsoft Entra ID, users can access them using the following URL: https://myaccount.microsoft.com. From the **Devices** tab, users can select a Windows device that they own, and select the option **View BitLocker Keys**.
> [!NOTE]
> By default, users can retrieve their BitLocker reecovery keys from Microsoft Entra ID. This behavior can be modified with the option **Restrict users from recovering the BitLocker key(s) for their owned devices**. For more information, see [Restrict member users' default permissions](/entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions).
> By default, users can retrieve their BitLocker reecovery keys from Microsoft Entra ID. This behavior can be modified with the option **Restrict users from recovering the BitLocker key(s) for their owned devices**. For more information, see [Restrict member users' default permissions][ENTRA-1].
### Self-recovery with USB flash drive
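Review bot: the replaced note line carries the typo "reecovery keys" unchanged into the new `[ENTRA-1]` line; fix it to "recovery keys" while the line is already being touched, since this is user-facing text in the default-permissions guidance.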
@ -65,11 +65,11 @@ The following list can be used as a template for creating a recovery process for
### Helpdesk recovery in Microsoft Entra ID
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator](/entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator)* or *[Helpdesk Administrator](/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator)* built-in roles, you can also [create a custom role](/entra/identity/role-based-access-control/custom-create), delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
The [Microsoft Entra admin center](https://entra.microsoft.com) allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys](/entra/identity/devices/manage-device-identities#view-or-copy-bitlocker-keys). Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey](/graph/api/bitlockerrecoverykey-get).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
In the following example, we use Microsoft Graph PowerShell cmdlet [`Get-MgInformationProtectionBitlockerRecoveryKey`](powershell/module/microsoft.graph.identity.signins/get-mginformationprotectionbitlockerrecoverykey) to build a PowerShell function that retrieves recovery passwords from Microsoft Entra ID:
In the following example, we use Microsoft Graph PowerShell cmdlet [`Get-MgInformationProtectionBitlockerRecoveryKey`][PS-1] to build a PowerShell function that retrieves recovery passwords from Microsoft Entra ID:
``` PowerShell
function Get-EntraBitLockerKeys{
@ -113,11 +113,11 @@ Device name: DESKTOP-53O32QI
```
> [!NOTE]
> For devices that are managed by Microsoft Intune, BitLocker recovery passwords can be retrieved from the device properties in the Microsoft Intune admin center. For more information, see [View details for recovery keys](/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys).
> For devices that are managed by Microsoft Intune, BitLocker recovery passwords can be retrieved from the device properties in the Microsoft Intune admin center. For more information, see [View details for recovery keys][INT-1].
### Helpdesk recovery in Active Directory Domain Services
To export a recovery password from AD DS, you must have *read access* to objects stored in AD DS. By default, only *Domain Administrators* have access to BitLocker recovery information, but [access can be delegated](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information) to specific security principals.
To export a recovery password from AD DS, you must have *read access* to objects stored in AD DS. By default, only *Domain Administrators* have access to BitLocker recovery information, but [access can be delegated][ARC-1] to specific security principals.
To facilitate the retrieval of BitLocker recovery passwords from AD DS, you can use the *BitLocker Recovery Password Viewer* tool. The tool is included with the *Remote Server Administration Tools (RSAT)*, and it's an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in.
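Review bot: the `[ENTRA]` key used for the admin center link is the only unnumbered key in this file (the others are `ENTRA-1` through `ENTRA-5`); name it consistently, for example `[ENTRA-6]`, so the link list stays uniform and sortable. Separately, the old inline cmdlet link `(powershell/module/microsoft.graph.identity.signins/...)` had no leading slash and would not have resolved; the new `[PS-1]` definition adds the slash, which is a real fix worth stating in the commit message.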
@ -258,8 +258,8 @@ Another option is to initiate the rotation of recovery passwords for individual
To learn more how to rotate BitLocker recovery passwords using Microsoft Intune or Microsoft Configuration Manager, see:
- [Microsoft Intune documentation](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Microsoft Configuration Manager documentation](/mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys)
- [Microsoft Intune documentation][INT-1]
- [Microsoft Configuration Manager documentation][MCM-1]
## BitLocker Repair tool
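Review bot: the "Microsoft Intune documentation" bullet now points at `[INT-1]`, but `[INT-1]` is defined in this file as `/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys`, whereas the removed inline link targeted `#rotate-bitlocker-recovery-keys`. The rotation guidance therefore links to the wrong section. Add a second definition, e.g. `[INT-2]: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys`, and reference it from this bullet, leaving `[INT-1]` for the recovery-key details note above.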
@ -281,7 +281,22 @@ The following limitations exist for Repair-bde:
- it can't repair a drive that failed *during* the encryption or decryption process
- it assumes that if the drive has any encryption, then the drive is fully encrypted
For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference][PREV-1].
> [!NOTE]
> To export a key package from AD DS, you must have *read* access to the BitLocker recovery passwords and key packages that are stored in AD DS. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
> To export a key package from AD DS, you must have *read* access to the BitLocker recovery passwords and key packages that are stored in AD DS. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others][ARC-1].
<!--links-->
[ARC-1]: /archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information
[ENTRA-1]: /entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions
[ENTRA-2]: /entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator
[ENTRA-3]: /entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator
[ENTRA-4]: /entra/identity/devices/manage-device-identities#view-or-copy-bitlocker-keys
[ENTRA-5]: /entra/identity/role-based-access-control/custom-create
[ENTRA]: https://entra.microsoft.com
[GRAPH-1]: /graph/api/bitlockerrecoverykey-get
[INT-1]: /mem/intune/protect/encrypt-devices#view-details-for-recovery-keys
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)
[PS-1]: /powershell/module/microsoft.graph.identity.signins/get-mginformationprotectionbitlockerrecoverykey