From 9f3216729231ee730a622c6ac447335feadb1a91 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 14 Mar 2022 16:21:55 +0530 Subject: [PATCH] updates as per Internal review feedback --- .../mdm/assignedaccess-csp.md | 33 ++--- .../mdm/assignedaccess-ddf.md | 4 +- .../client-management/mdm/bitlocker-csp.md | 136 +++++++++++------- 3 files changed, 98 insertions(+), 75 deletions(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index f4e1f54716..fd89c3803d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -14,7 +14,7 @@ ms.date: 09/18/2018 # AssignedAccess CSP -The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. +The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](/windows/configuration/kiosk-single-app) 
@@ -24,10 +24,10 @@ In Windows 10, version 1709, the AssignedAccess configuration service provider ( > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. +> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a appropriate PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] -> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. +> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709, it is supported in Windows 10 Pro and Windows 10 S. Starting from Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. The following shows the AssignedAccess configuration service provider in tree format 
@@ -73,7 +73,7 @@ Here's an example: When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. > [!Note] -> The domain name can be optional if the user name is unique across the system. +> The domain name can be optional, if the user name is unique across the system. For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output. @@ -82,11 +82,6 @@ The supported operations are Add, Delete, Get and Replace. When there's no confi **./Device/Vendor/MSFT/AssignedAccess/Configuration** Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). -> [!Note] -> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. -> -> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective. - Enterprises can use this to easily configure and manage the curated lockdown experience. Supported operations are Add, Get, Delete, and Replace. 
@@ -113,7 +108,7 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito | 2 | KioskModeAppNotFound | | 3 | KioskModeAppActivationFailure | -Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error. +Additionally, the status payload includes a profileId that can be used by the MDM server to correlate as to which kiosk app caused the error. In Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. 
@@ -136,18 +131,18 @@ In Windows 10, version 1809, Assigned Access runtime status supports monitoring Additionally, the Status payload includes the following fields: -- profileId: can be used by the MDM server to correlate which account caused the error. -- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist. +- profileId: It can be used by the MDM server to correlate which account caused the error. +- OperationList: It gives the list of failed operations that occurred while applying the assigned access CSP, if any exist. Supported operation is Get. **./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). +Added in Windows 10, version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllauncher). > [!Note] > You cannot set both ShellLauncher and KioskModeApp at the same time on the device. > -> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. +> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature, if it is available within the SKU. I. 
Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function. > >The ShellLauncher node is not supported in Windows 10 Pro. @@ -156,7 +151,7 @@ Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml a By default the StatusConfiguration node doesn't exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node. -Optionally, the MDM server can opt in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. +Optionally, the MDM server can opt in to the MDM alert, so that MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node. This MDM alert header is defined as follows: 
@@ -507,7 +502,7 @@ Schema for Windows 10 prerelease ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. for example, to configure auto-launch feature, which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature, which is added in 1809 release, the below can be used to notice that an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml @@ -119,7 +119,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu - This read only node contains kiosk health event xml + This read only node contains kiosk health event in xml diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index d50e0b5c2d..281321adf7 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -14,7 +14,7 @@ ms.collection: highpri --- # BitLocker CSP -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting from Windows 10, version 1809, it's supported in Windows 10 Pro. > [!NOTE] > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. @@ -23,7 +23,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin. -For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, whether Trusted Platform Module (TPM) protection and encryption is required. And, if the device has BitLocker enabled but with password protector, the status reported will be 0. A Get operation on RequireDeviceEncryption doesn't verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength). The following shows the BitLocker configuration service provider in tree format. 
@@ -60,7 +60,7 @@ BitLocker ``` > [!TIP] -> These are ADMX-backed policies and for a step-by-step guide to enable them, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). +> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. @@ -68,7 +68,7 @@ Defines the root node for the BitLocker configuration service provider. **RequireDeviceEncryption** -Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. +Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption. 
@@ -84,7 +84,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke Data type is integer. Sample value for this node to enable this policy: 1. Supported operations are Add, Get, Replace, and Delete. -Status of OS volumes and encryptable fixed data volumes are checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. +The status of OS volumes and encryptable fixed data volumes is checked with a Get operation. Typically, BitLocker/Device Encryption will follow whichever value [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) policy is set to. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives. Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet more criteria to be considered encryptable: 
@@ -153,7 +153,7 @@ ADMX Info: This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. -If you enable this setting you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. +If you enable this setting, you'll be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that aren't running Windows 10, version 1511. If you disable or don't configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script. 
@@ -163,9 +163,9 @@ If you disable or don't configure this policy setting, BitLocker will use the de ``` -EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives -EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. -EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. +- EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. +- EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. +- EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. The possible values for 'xx' are: @@ -194,7 +194,9 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. **IdentificationField** @@ -222,7 +224,7 @@ ADMX Info: -This setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. +This setting is used to establish an identifier that is applied to all encrypted drives in your organization. Identifiers are usually stored as the identification field and the allowed identification field. You can configure the following identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde): @@ -243,8 +245,8 @@ Sample value for this node to enable this policy is: Data Id: -- IdentificationField: BitLocker identification field -- SecIdentificationField: Allowed BitLocker identification field +- IdentificationField: This is a BitLocker identification field. +- SecIdentificationField: This is an allowed BitLocker identification field. If you disable or don't configure this setting, the identification field isn't required. 
@@ -450,7 +452,9 @@ ADMX Info: -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +This policy setting is applied when you turn on BitLocker. Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. + +Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. 
@@ -464,7 +468,7 @@ If this policy is disabled, the BitLocker Setup Wizard asks the user to select t >[!Note] >This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. +>For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). 
@@ -498,7 +502,7 @@ ADMX Info: This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you're using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker. > [!NOTE] -> Only one of the additional authentication options can be required at startup, otherwise an error occurs. +> Only one of the additional authentication options is required at startup, otherwise an error occurs. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password, then you'll need to use one of the BitLocker recovery options to access the drive. @@ -561,7 +565,9 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. 
@@ -597,7 +603,7 @@ This setting allows you to configure a minimum length for a Trusted Platform Mod > >In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This does not apply to TPM 1.2. -If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN. +If you enable this setting, you will require a minimum number of digits to set the startup PIN. If you disable or don't configure this setting, users can configure a startup PIN of any length between 6 and 20 digits. @@ -624,7 +630,9 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. @@ -698,9 +706,11 @@ Disabling the policy will let the system choose the default behaviors. If you w ``` > [!NOTE] -> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. +> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test the characters you use for the custom message or URL to appear correctly on the pre-boot recovery screen. -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** 
@@ -728,7 +738,7 @@ ADMX Info: -This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. +This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. 
@@ -738,7 +748,7 @@ Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wi Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. -Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. +Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker, unless the computer is connected to domain and the backup of BitLocker recovery information to AD DS succeeds. > [!NOTE] > If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. @@ -766,8 +776,8 @@ The possible values for 'yy' are: The possible values for 'zz' are: -- 2 = Store recovery passwords only -- 1 = Store recovery passwords and key packages +- 2 = Store recovery passwords only. +- 1 = Store recovery passwords and key packages. Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: 
@@ -786,7 +796,9 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** @@ -875,7 +887,9 @@ Disabling the policy will let the system choose the default behaviors. If you wa ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** @@ -930,7 +944,9 @@ If you disable or don't configure this setting, all fixed data drives on the com ``` -Data type is string. Supported operations are Add, Get, Replace, and Delete. +Data type is string. + +Supported operations are Add, Get, Replace, and Delete. **FixedDrivesEncryptionType** 
@@ -958,9 +974,9 @@ ADMX Info: -This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user. +This policy setting is applied when you turn on BitLocker and controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection is displayed to the user. -Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +Changing the encryption type will have no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only a portion of the drive that is used to store data is encrypted when BitLocker is turned on. If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. 
@@ -973,8 +989,8 @@ Sample value for this node to enable this policy is: If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. >[!Note] ->This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. ->For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde -w. If the volume is shrunk, no action is taken for the new free space. +>This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. +>For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). @@ -1028,7 +1044,7 @@ The possible values for 'xx' are: - false = Policy not set -Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML: +Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML: ```xml 
@@ -1073,7 +1089,7 @@ ADMX Info: This policy controls whether removed data drives utilize Full encryption or Used Space Only encryption, and is applied when you turn on BitLocker. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user. -Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +Changing the encryption type will no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. If you enable this policy setting, the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard. @@ -1130,8 +1146,8 @@ Sample value for this node to enable this policy is: Data id: -- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives -- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives +- RDVAllowBDE_Name: Allow users to apply BitLocker protection on removable data drives. +- RDVDisableBDE_Name: Allow users to suspend and decrypt BitLocker on removable data drives. If this policy is disabled, users can’t use BitLocker on removable disk drives. 
@@ -1141,7 +1157,7 @@ If you don't configure this policy setting, users can use BitLocker on removable **AllowWarningForOtherDiskEncryption** -Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1. +Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1. > [!IMPORTANT] > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](/windows/device-security/bitlocker/bitlocker-overview). @@ -1193,7 +1209,7 @@ The following list shows the supported values: **AllowStandardUserEncryption** -Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. +Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user of Azure AD account. > [!NOTE] @@ -1258,15 +1274,17 @@ This setting initiates a client-driven recovery password refresh after an OS dri -Value type is int. Supported operations are Add, Delete, Get, and Replace. +Value type is int. + +Supported operations are Add, Delete, Get, and Replace. Supported values are: -- 0 – Refresh off (default) -- 1 – Refresh on for Azure AD-joined devices -- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices +- 0 – Refresh off (default). +- 1 – Refresh on for Azure AD-joined devices. +- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices. 
@@ -1286,7 +1304,7 @@ Policy type is Execute. When “Execute Policy” is pushed, the client sets the Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh. -Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can’t refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. +Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can’t refresh recovery passwords if they are only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account. Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request. - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed. 
@@ -1303,20 +1321,24 @@ Each server-side recovery key rotation is represented by a request ID. The serve -Value type is string. Supported operation is Execute. Request ID is expected as a parameter. +Value type is string. + +Supported operation is Execute. Request ID is expected as a parameter. > [!TIP] > Key rotation feature will only work when: > > - For Operating system drives: -> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required") -> - OSActiveDirectoryBackup_Name is set to true +> - OSRequireActiveDirectoryBackup_Name is set to 1 ("Required"). +> - OSActiveDirectoryBackup_Name is set to true. > - For Fixed data drives: -> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required") -> - FDVActiveDirectoryBackup_Name is set to true +> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required"). +> - FDVActiveDirectoryBackup_Name is set to true. **Status** -Interior node. Supported operation is Get. +Interior node. + +Supported operation is Get. @@ -1338,7 +1360,9 @@ This node reports compliance state of device encryption on the system. -Value type is int. Supported operation is Get. +Value type is int. + +Supported operation is Get. Supported values: @@ -1347,7 +1371,7 @@ Supported values: | Bit | Error Code | |-----|------------| -| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| +| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume, but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| | 2 |The OS volume is unprotected.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| 
@@ -1358,7 +1382,7 @@ Supported values: | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| -| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| +| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.| | 12 |Windows Recovery Environment (WinRE) isn't configured.| | 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. | | 14 |The TPM isn't ready for BitLocker.| @@ -1395,7 +1419,9 @@ Status code can be one of the following: -Value type is int. Supported operation is Get. +Value type is int. + +Supported operation is Get. @@ -1419,7 +1445,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta -Value type is string. Supported operation is Get. +Value type is string. + +Supported operation is Get. ### SyncML example
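Review bot: The rewritten sentence in the hunk at @@ -1073,7 +1089,7 @@ introduces a grammatical regression: "Changing the encryption type will no effect if the drive is already encrypted" has lost its verb, and the later clause "to require only the portion of the drive that is used to store data is encrypted" drops the "that" the removed line had. Suggest keeping the original wording for both sentences, "Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress." and "Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on.", since the removed line was correct as written.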
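Review bot: The change in the hunk at @@ -1193,7 +1209,7 @@ still leaves "non-admin/standard user of Azure AD account" reading awkwardly; inserting "of" does not supply the missing article and changes the sense to a user belonging to an account. Suggest "while the currently logged-on user is a non-admin/standard-user Azure AD account" so the phrase names the account type.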
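Review bot: In the hunk at @@ -1303,20 +1321,24 @@, the fixed-data-drive bullet of the tip keeps the stray "=" in "FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required")." while the operating-system bullet above reads "is set to 1 ("Required")."; since the line is being edited anyway, drop the "=" so both bullets use the same form.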
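Review bot: The edit to the Bit 11 row in the hunk at @@ -1358,7 +1382,7 @@ removes the comma after "or", leaving the parenthetical "if the device is joined to Azure AD" with only its closing comma, so the row now reads "...as an Administrator or if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1." Suggest restoring the paired commas ("or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1") or stating the two alternatives in parallel: "requires either that the user sign in as an Administrator or, if the device is joined to Azure AD, that the AllowStandardUserEncryption policy is set to 1."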