Metadata/style update BitLocker

2025-05-13 13:57:22 +00:00 · 2022-11-07 22:31:39 -05:00 · 2022-11-07 22:31:39 -05:00 · a9dd8ff4db
commit a9dd8ff4db
parent b9f9fe55d7
35 changed files with 726 additions and 722 deletions
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@ -1,260 +1,258 @@
 ---
 title: BCD settings and BitLocker (Windows 10)
-description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
+description: This article for IT professionals describes the BCD settings that are used by BitLocker.
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

 # Boot Configuration Data settings and BitLocker

-**Applies to**
+This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.

-This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
-
-When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
+When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.

 ## BitLocker and BCD Settings

 In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.

-In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. 
+In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences.
 If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.

 ### When secure boot is enabled

 Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.

-One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system.
+One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.

 ## Customizing BCD validation settings

 To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.

-For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog:
+For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:

-   winload
-   winresume
-   memtest
-   all of the above
+- winload
+- winresume
+- memtest
+- all of the above

-All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”
+All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name."

 The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.

-You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”.
+You can quickly obtain the friendly name for the BCD settings on your computer by using the command `bcdedit.exe /enum all`.

 Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.

 When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:

-   Prefix the setting with the boot application prefix
-   Append a colon ‘:’
-   Append either the hex value or the friendly name
-   If entering more than one BCD setting, you will need to enter each BCD setting on a new line
+- Prefix the setting with the boot application prefix
+- Append a colon `:`
+- Append either the hex value or the friendly name
+- If entering more than one BCD setting, you'll need to enter each BCD setting on a new line

-For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value.
+For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yields the same value.

-A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
+A setting that applies to all boot applications may be applied only to an individual application; however, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.

 > [!NOTE]
 > Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
- 
+
 ### Default BCD validation profile

 The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:

 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x11000001 | all | device| 
-| 0x12000002 | all | path| 
+| 0x11000001 | all | device|
+| 0x12000002 | all | path|
 | 0x12000030 | all | loadoptions|
-| 0x16000010 | all | bootdebug| 
-| 0x16000040 | all | advancedoptions| 
-| 0x16000041 | all| optionsedit| 
-| 0x16000048| all| nointegritychecks| 
-| 0x16000049| all| testsigning| 
-| 0x16000060| all| isolatedcontext| 
+| 0x16000010 | all | bootdebug|
+| 0x16000040 | all | advancedoptions|
+| 0x16000041 | all| optionsedit|
+| 0x16000048| all| nointegritychecks|
+| 0x16000049| all| testsigning|
+| 0x16000060| all| isolatedcontext|
 | 0x1600007b| all| forcefipscrypto|
-| 0x22000002| winload| systemroot| 
-| 0x22000011| winload| kernel| 
-| 0x22000012| winload| hal| 
-| 0x22000053| winload| evstore| 
-| 0x25000020| winload| nx| 
-| 0x25000052| winload| restrictapiccluster| 
-| 0x26000022| winload| winpe| 
-| 0x26000025 |winload|lastknowngood| 
-| 0x26000081| winload| safebootalternateshell| 
-| 0x260000a0| winload| debug| 
-| 0x260000f2| winload| hypervisordebug| 
-| 0x26000116| winload| hypervisorusevapic| 
-| 0x21000001| winresume| filedevice| 
-| 0x22000002| winresume| filepath| 
-| 0x26000006| winresume| debugoptionenabled| 
+| 0x22000002| winload| systemroot|
+| 0x22000011| winload| kernel|
+| 0x22000012| winload| hal|
+| 0x22000053| winload| evstore|
+| 0x25000020| winload| nx|
+| 0x25000052| winload| restrictapiccluster|
+| 0x26000022| winload| winpe|
+| 0x26000025 |winload|lastknowngood|
+| 0x26000081| winload| safebootalternateshell|
+| 0x260000a0| winload| debug|
+| 0x260000f2| winload| hypervisordebug|
+| 0x26000116| winload| hypervisorusevapic|
+| 0x21000001| winresume| filedevice|
+| 0x22000002| winresume| filepath|
+| 0x26000006| winresume| debugoptionenabled|

 ### Full list of friendly names for ignored BCD settings

-This following is a full list of BCD settings with friendly names, which are ignored by default. These settings are not part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker–protected operating system drive to be unlocked.
+The following list is a full list of BCD settings with friendly names, which are ignored by default. These settings aren't part of the default BitLocker validation profile, but can be added if you see a need to validate any of these settings before allowing a BitLocker-protected operating system drive to be unlocked.

 > [!NOTE]
 > Additional BCD settings exist that have hex values but do not have friendly names. These settings are not included in this list.

 | Hex Value | Prefix | Friendly Name |
 | - | - | - |
-| 0x12000004 | all | description | 
-| 0x12000005 | all | locale | 
-| 0x12000016 | all | targetname | 
-| 0x12000019| all| busparams| 
-| 0x1200001d| all| key| 
-| 0x1200004a| all| fontpath| 
-| 0x14000006| all| inherit| 
-| 0x14000008| all| recoverysequence| 
-| 0x15000007| all| truncatememory| 
-| 0x1500000c| all| firstmegabytepolicy| 
-| 0x1500000d| all| relocatephysical| 
-| 0x1500000e| all| avoidlowmemory| 
-| 0x15000011| all| debugtype| 
-| 0x15000012 |all|debugaddress| 
-| 0x15000013| all| debugport| 
-| 0x15000014|all|baudrate| 
-| 0x15000015 | all| channel| 
-| 0x15000018 | all| debugstart| 
-| 0x1500001a | all| hostip| 
-| 0x1500001b | all| port| 
-| 0x15000022 | all| emsport| 
-| 0x15000023 | all| emsbaudrate| 
-| 0x15000042 | all| keyringaddress| 
-| 0x15000047 | all| configaccesspolicy| 
-| 0x1500004b | all| integrityservices| 
-| 0x1500004c | all| volumebandid| 
-| 0x15000051 | all| initialconsoleinput| 
-| 0x15000052 | all| graphicsresolution| 
-| 0x15000065 | all| displaymessage| 
+| 0x12000004 | all | description |
+| 0x12000005 | all | locale |
+| 0x12000016 | all | targetname |
+| 0x12000019| all| busparams|
+| 0x1200001d| all| key|
+| 0x1200004a| all| fontpath|
+| 0x14000006| all| inherit|
+| 0x14000008| all| recoverysequence|
+| 0x15000007| all| truncatememory|
+| 0x1500000c| all| firstmegabytepolicy|
+| 0x1500000d| all| relocatephysical|
+| 0x1500000e| all| avoidlowmemory|
+| 0x15000011| all| debugtype|
+| 0x15000012 |all|debugaddress|
+| 0x15000013| all| debugport|
+| 0x15000014|all|baudrate|
+| 0x15000015 | all| channel|
+| 0x15000018 | all| debugstart|
+| 0x1500001a | all| hostip|
+| 0x1500001b | all| port|
+| 0x15000022 | all| emsport|
+| 0x15000023 | all| emsbaudrate|
+| 0x15000042 | all| keyringaddress|
+| 0x15000047 | all| configaccesspolicy|
+| 0x1500004b | all| integrityservices|
+| 0x1500004c | all| volumebandid|
+| 0x15000051 | all| initialconsoleinput|
+| 0x15000052 | all| graphicsresolution|
+| 0x15000065 | all| displaymessage|
 | 0x15000066 | all| displaymessageoverride|
 | 0x15000081 | all| logcontrol|
-| 0x16000009 | all| recoveryenabled| 
-| 0x1600000b | all| badmemoryaccess| 
-| 0x1600000f | all| traditionalkseg| 
-| 0x16000017 | all| noumex| 
-| 0x1600001c | all| dhcp| 
-| 0x1600001e | all| vm| 
-| 0x16000020 | all| bootems| 
-| 0x16000046 | all| graphicsmodedisabled| 
-| 0x16000050 | all| extendedinput| 
-| 0x16000053 | all| restartonfailure| 
-| 0x16000054 | all| highestmode| 
-| 0x1600006c | all| bootuxdisabled| 
-| 0x16000072 | all| nokeyboard| 
-| 0x16000074 | all| bootshutdowndisabled| 
-| 0x1700000a | all| badmemorylist| 
-| 0x17000077 | all| allowedinmemorysettings| 
-| 0x22000040 | all| fverecoveryurl| 
-| 0x22000041 | all| fverecoverymessage| 
-| 0x31000003 | all| ramdisksdidevice| 
+| 0x16000009 | all| recoveryenabled|
+| 0x1600000b | all| badmemoryaccess|
+| 0x1600000f | all| traditionalkseg|
+| 0x16000017 | all| noumex|
+| 0x1600001c | all| dhcp|
+| 0x1600001e | all| vm|
+| 0x16000020 | all| bootems|
+| 0x16000046 | all| graphicsmodedisabled|
+| 0x16000050 | all| extendedinput|
+| 0x16000053 | all| restartonfailure|
+| 0x16000054 | all| highestmode|
+| 0x1600006c | all| bootuxdisabled|
+| 0x16000072 | all| nokeyboard|
+| 0x16000074 | all| bootshutdowndisabled|
+| 0x1700000a | all| badmemorylist|
+| 0x17000077 | all| allowedinmemorysettings|
+| 0x22000040 | all| fverecoveryurl|
+| 0x22000041 | all| fverecoverymessage|
+| 0x31000003 | all| ramdisksdidevice|
 | 0x32000004 | all| ramdisksdipath|
-| 0x35000001| all | ramdiskimageoffset| 
-| 0x35000002 | all| ramdisktftpclientport| 
-| 0x35000005 | all| ramdiskimagelength| 
-| 0x35000007 | all| ramdisktftpblocksize| 
-| 0x35000008 | all| ramdisktftpwindowsize| 
-| 0x36000006 | all| exportascd| 
-| 0x36000009 | all| ramdiskmcenabled| 
-| 0x3600000a | all| ramdiskmctftpfallback| 
-| 0x3600000b | all| ramdisktftpvarwindow| 
-| 0x21000001 | winload| osdevice| 
-| 0x22000013 | winload| dbgtransport| 
-| 0x220000f9 | winload| hypervisorbusparams| 
-| 0x22000110 | winload| hypervisorusekey| 
+| 0x35000001| all | ramdiskimageoffset|
+| 0x35000002 | all| ramdisktftpclientport|
+| 0x35000005 | all| ramdiskimagelength|
+| 0x35000007 | all| ramdisktftpblocksize|
+| 0x35000008 | all| ramdisktftpwindowsize|
+| 0x36000006 | all| exportascd|
+| 0x36000009 | all| ramdiskmcenabled|
+| 0x3600000a | all| ramdiskmctftpfallback|
+| 0x3600000b | all| ramdisktftpvarwindow|
+| 0x21000001 | winload| osdevice|
+| 0x22000013 | winload| dbgtransport|
+| 0x220000f9 | winload| hypervisorbusparams|
+| 0x22000110 | winload| hypervisorusekey|
 | 0x23000003  |winload| resumeobject|
-| 0x25000021| winload| pae| 
-| 0x25000031 |winload| removememory| 
-| 0x25000032 | winload| increaseuserva| 
-| 0x25000033 | winload| perfmem| 
-| 0x25000050 | winload| clustermodeaddressing| 
-| 0x25000055 | winload| x2apicpolicy| 
-| 0x25000061 | winload| numproc| 
+| 0x25000021| winload| pae|
+| 0x25000031 |winload| removememory|
+| 0x25000032 | winload| increaseuserva|
+| 0x25000033 | winload| perfmem|
+| 0x25000050 | winload| clustermodeaddressing|
+| 0x25000055 | winload| x2apicpolicy|
+| 0x25000061 | winload| numproc|
 | 0x25000063 | winload| configflags|
 | 0x25000066| winload| groupsize|
 | 0x25000071 | winload| msi|
-| 0x25000072 | winload| pciexpress| 
-| 0x25000080 | winload| safeboot| 
-| 0x250000a6 | winload| tscsyncpolicy| 
-| 0x250000c1| winload| driverloadfailurepolicy| 
-| 0x250000c2| winload| bootmenupolicy| 
-| 0x250000e0  |winload| bootstatuspolicy| 
-| 0x250000f0 | winload| hypervisorlaunchtype| 
-| 0x250000f3 | winload| hypervisordebugtype| 
-| 0x250000f4 | winload| hypervisordebugport| 
-| 0x250000f5 | winload| hypervisorbaudrate| 
-| 0x250000f6 | winload| hypervisorchannel| 
-| 0x250000f7 | winload| bootux| 
-| 0x250000fa | winload| hypervisornumproc| 
-| 0x250000fb | winload| hypervisorrootprocpernode| 
-| 0x250000fd | winload| hypervisorhostip| 
-| 0x250000fe | winload| hypervisorhostport| 
-| 0x25000100 | winload| tpmbootentropy| 
-| 0x25000113 | winload| hypervisorrootproc| 
-| 0x25000115 | winload| hypervisoriommupolicy| 
-| 0x25000120 | winload| xsavepolicy| 
-| 0x25000121 | winload| xsaveaddfeature0| 
-| 0x25000122 | winload| xsaveaddfeature1| 
-| 0x25000123 | winload| xsaveaddfeature2| 
-| 0x25000124 | winload| xsaveaddfeature3| 
-| 0x25000125 | winload| xsaveaddfeature4| 
-| 0x25000126 | winload| xsaveaddfeature5| 
-| 0x25000127 | winload| xsaveaddfeature6| 
-| 0x25000128 | winload| xsaveaddfeature7| 
-| 0x25000129 | winload| xsaveremovefeature| 
-| 0x2500012a | winload| xsaveprocessorsmask| 
-| 0x2500012b | winload| xsavedisable| 
-| 0x25000130 | winload| claimedtpmcounter| 
-| 0x26000004 | winload| stampdisks| 
-| 0x26000010 | winload| detecthal| 
-| 0x26000024 | winload| nocrashautoreboot| 
-| 0x26000030 | winload| nolowmem| 
-| 0x26000040 | winload| vga| 
-| 0x26000041 | winload| quietboot| 
-| 0x26000042 | winload| novesa| 
-| 0x26000043 | winload| novga| 
-| 0x26000051 | winload| usephysicaldestination| 
-| 0x26000054 | winload| uselegacyapicmode| 
-| 0x26000060 | winload| onecpu| 
-| 0x26000062 | winload| maxproc| 
-| 0x26000064 | winload| maxgroup| 
-| 0x26000065 | winload| groupaware| 
-| 0x26000070| winload| usefirmwarepcisettings| 
+| 0x25000072 | winload| pciexpress|
+| 0x25000080 | winload| safeboot|
+| 0x250000a6 | winload| tscsyncpolicy|
+| 0x250000c1| winload| driverloadfailurepolicy|
+| 0x250000c2| winload| bootmenupolicy|
+| 0x250000e0  |winload| bootstatuspolicy|
+| 0x250000f0 | winload| hypervisorlaunchtype|
+| 0x250000f3 | winload| hypervisordebugtype|
+| 0x250000f4 | winload| hypervisordebugport|
+| 0x250000f5 | winload| hypervisorbaudrate|
+| 0x250000f6 | winload| hypervisorchannel|
+| 0x250000f7 | winload| bootux|
+| 0x250000fa | winload| hypervisornumproc|
+| 0x250000fb | winload| hypervisorrootprocpernode|
+| 0x250000fd | winload| hypervisorhostip|
+| 0x250000fe | winload| hypervisorhostport|
+| 0x25000100 | winload| tpmbootentropy|
+| 0x25000113 | winload| hypervisorrootproc|
+| 0x25000115 | winload| hypervisoriommupolicy|
+| 0x25000120 | winload| xsavepolicy|
+| 0x25000121 | winload| xsaveaddfeature0|
+| 0x25000122 | winload| xsaveaddfeature1|
+| 0x25000123 | winload| xsaveaddfeature2|
+| 0x25000124 | winload| xsaveaddfeature3|
+| 0x25000125 | winload| xsaveaddfeature4|
+| 0x25000126 | winload| xsaveaddfeature5|
+| 0x25000127 | winload| xsaveaddfeature6|
+| 0x25000128 | winload| xsaveaddfeature7|
+| 0x25000129 | winload| xsaveremovefeature|
+| 0x2500012a | winload| xsaveprocessorsmask|
+| 0x2500012b | winload| xsavedisable|
+| 0x25000130 | winload| claimedtpmcounter|
+| 0x26000004 | winload| stampdisks|
+| 0x26000010 | winload| detecthal|
+| 0x26000024 | winload| nocrashautoreboot|
+| 0x26000030 | winload| nolowmem|
+| 0x26000040 | winload| vga|
+| 0x26000041 | winload| quietboot|
+| 0x26000042 | winload| novesa|
+| 0x26000043 | winload| novga|
+| 0x26000051 | winload| usephysicaldestination|
+| 0x26000054 | winload| uselegacyapicmode|
+| 0x26000060 | winload| onecpu|
+| 0x26000062 | winload| maxproc|
+| 0x26000064 | winload| maxgroup|
+| 0x26000065 | winload| groupaware|
+| 0x26000070| winload| usefirmwarepcisettings|
 | 0x26000090 | winload| bootlog|
-| 0x26000091 | winload| sos| 
-| 0x260000a1 | winload| halbreakpoint| 
-| 0x260000a2 | winload| useplatformclock| 
-| 0x260000a3 |winload| forcelegacyplatform| 
-| 0x260000a4 | winload| useplatformtick| 
-| 0x260000a5 | winload| disabledynamictick| 
-| 0x260000b0 | winload| ems| 
-| 0x260000c3 | winload| onetimeadvancedoptions| 
-| 0x260000c4 | winload| onetimeoptionsedit| 
-| 0x260000e1| winload| disableelamdrivers| 
-| 0x260000f8 | winload| hypervisordisableslat| 
-| 0x260000fc | winload| hypervisoruselargevtlb| 
-| 0x26000114 | winload| hypervisordhcp| 
+| 0x26000091 | winload| sos|
+| 0x260000a1 | winload| halbreakpoint|
+| 0x260000a2 | winload| useplatformclock|
+| 0x260000a3 |winload| forcelegacyplatform|
+| 0x260000a4 | winload| useplatformtick|
+| 0x260000a5 | winload| disabledynamictick|
+| 0x260000b0 | winload| ems|
+| 0x260000c3 | winload| onetimeadvancedoptions|
+| 0x260000c4 | winload| onetimeoptionsedit|
+| 0x260000e1| winload| disableelamdrivers|
+| 0x260000f8 | winload| hypervisordisableslat|
+| 0x260000fc | winload| hypervisoruselargevtlb|
+| 0x26000114 | winload| hypervisordhcp|
 | 0x21000005 | winresume| associatedosdevice|
-| 0x25000007 | winresume| bootux| 
+| 0x25000007 | winresume| bootux|
 | 0x25000008 | winresume| bootmenupolicy|
-| 0x26000003| winresume |customsettings| 
+| 0x26000003| winresume |customsettings|
 | 0x26000004 | winresume| pae|
-| 0x25000001 | memtest| passcount| 
-| 0x25000002 | memtest| testmix| 
-| 0x25000005 | memtest| stridefailcount| 
-| 0x25000006 | memtest| invcfailcount| 
-| 0x25000007 | memtest| matsfailcount| 
-| 0x25000008 | memtest| randfailcount| 
+| 0x25000001 | memtest| passcount|
+| 0x25000002 | memtest| testmix|
+| 0x25000005 | memtest| stridefailcount|
+| 0x25000006 | memtest| invcfailcount|
+| 0x25000007 | memtest| matsfailcount|
+| 0x25000008 | memtest| randfailcount|
 | 0x25000009 |memtest| chckrfailcount|
 | 0x26000003| memtest| cacheenable|
 | 0x26000004 | memtest| failuresenabled|
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml
@ -22,7 +22,7 @@ metadata:
 title: BitLocker and Active Directory Domain Services (AD DS) FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  
  

@ -41,11 +41,11 @@ sections:
      - question: |
          What if BitLocker is enabled on a computer before the computer has joined the domain?
        answer: |
-          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+          If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
          
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          
-          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+          The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
          
          ```PowerShell
          $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@ -56,29 +56,29 @@ sections:
          ```
          
          > [!IMPORTANT]
-          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
+          > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
           
      - question: |
          Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
        answer: |
-          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
+          Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it is also possible that the log entry could be spoofed.
          
-          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
+          Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
          
      - question: |
-          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
+          If I change the BitLocker recovery password on my computer and store the new password in AD DS, will AD DS overwrite the old password?
        answer: |
-          No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
+          No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.

      - question: |
          What happens if the backup initially fails? Will BitLocker retry it?
        answer: |
-          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
+          If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
          
-          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+          When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
          
          For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
          
-          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
+          When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
          
          
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@ -4,23 +4,19 @@ description: This article for the IT professional explains how BitLocker feature
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

 # BitLocker basic deployment

-**Applies to**
-
-   Windows 10
-   Windows 11
-   Windows Server 2016 and above
+(*Applies to: Windows 10, Windows 11, Windows Server 2016 and above*)

 This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.

@ -35,14 +31,14 @@ If the drive was prepared as a single contiguous space, BitLocker requires a new

 BitLocker encryption can be done using the following methods:

-   BitLocker control panel
-   Windows Explorer
-   `manage-bde` command-line interface
-   BitLocker Windows PowerShell cmdlets
+- BitLocker control panel
+- Windows Explorer
+- `manage-bde` command-line interface
+- BitLocker Windows PowerShell cmdlets

 ### Encrypting volumes using the BitLocker control panel

-Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.

 To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).

@ -54,9 +50,9 @@ When the BitLocker Drive Encryption Wizard launches, it verifies the computer me
 |--- |--- |
 |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
 |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
-|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
+|Hardware TPM|TPM version 1.2 or 2.0. <br><br> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
 |BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li>  <li> The firmware must be able to read from a USB flash drive during startup.</li>|
-|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
+|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
 |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|

 Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
@ -64,8 +60,8 @@ Once a strong password has been created for the volume, a recovery key will be g

 You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.

-   Encrypt used disk space only - Encrypts only disk space that contains data
-   Encrypt entire drive - Encrypts the entire volume including free space
+- Encrypt used disk space only - Encrypts only disk space that contains data
+- Encrypt entire drive - Encrypts the entire volume including free space

 It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option.

@ -74,7 +70,6 @@ It's recommended that drives with little to no data use the **used disk space on

 Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.

-
 After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.

 Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
@ -91,17 +86,17 @@ With an encryption method chosen, a final confirmation screen is displayed befor

 Encryption status displays in the notification area or within the BitLocker control panel.

-### <a href="" id="-onedrive-option-"></a> OneDrive option
+### OneDrive option

 There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.

-Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
+Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.

 ### Using BitLocker within Windows Explorer

 Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.

-## <a href="" id="bkmk-dep2"></a>Down-level compatibility
+## Down-level compatibility

 The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.

@ -114,67 +109,73 @@ Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8,
 |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
 |Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|

-## <a href="" id="bkmk-dep3"></a>Encrypting volumes using the manage-bde command-line interface
+## Encrypting volumes using the manage-bde command-line interface

 Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).

-Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.

 Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.

-### Operating system volume
+### Operating system volume commands

-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.

-**Determining volume status**
+#### Determining volume status

 A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:

-`manage-bde -status`
+`manage-bde.exe -status`

 This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.

-**Enabling BitLocker without a TPM**
+#### Enabling BitLocker without a TPM

-For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process.
+For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the -protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process.

 ```powershell
-manage-bde –protectors -add C: -startupkey E:
-manage-bde -on C:
+manage-bde.exe -protectors -add C: -startupkey E:
+manage-bde.exe -on C:
 ```

-**Enabling BitLocker with a TPM only**
+#### Enabling BitLocker with a TPM only

 It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:

-`manage-bde -on C:`
+``` syntax
+manage-bde.exe -on C:
+```

-This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:
+This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command:

-`manage-bde -protectors -get <volume>`
+``` syntax
+manage-bde.exe -protectors -get <volume>
+```

-**Provisioning BitLocker with two protectors**
+#### Provisioning BitLocker with two protectors

-Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
+Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:

-`manage-bde -protectors -add C: -pw -sid <user or group>`
+``` syntax
+manage-bde.exe -protectors -add C: -pw -sid <user or group>
+```

-This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
+This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.

-### Data volume
+### Data volume commands

-Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde.exe -on <drive letter>` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.

-**Enabling BitLocker with a password**
+#### Enabling BitLocker with a password

 A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.

 ```powershell
-manage-bde -protectors -add -pw C:
-manage-bde -on C:
+manage-bde.exe -protectors -add -pw C:
+manage-bde.exe -on C:
 ```

-## <a href="" id="bkmk-dep4"></a>Encrypting volumes using the BitLocker Windows PowerShell cmdlets
+## Encrypting volumes using the BitLocker Windows PowerShell cmdlets

 Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.

@ -205,7 +206,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
 ```powershell
 Get-BitLockerVolume C: | fl
 ```
-If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+
+If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this action requires the GUID associated with the protector to be removed.
 A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:

 ```powershell
@ -219,12 +221,13 @@ Using this information, we can then remove the key protector for a specific volu
 ```powershell
 Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
 ```
+
 > [!NOTE]
 > The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.

-### Operating system volume
+### Operating system volume PowerShell cmdlets

-Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
+Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.

 To enable BitLocker with just the TPM protector, use this command:

@ -238,11 +241,10 @@ The example below adds one additional protector, the StartupKey protectors, and
 Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
 ```

-### Data volume
+### Data volume PowerShell cmdlets

 Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.

-
 ```powershell
 $pw = Read-Host -AsSecureString
 <user inputs password>
@ -251,7 +253,7 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw

 ### Using an SID-based protector in Windows PowerShell

-The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
+The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.

 > [!WARNING]
 > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
@ -267,6 +269,7 @@ For users who wish to use the SID for the account or group, the first step is to
 ```powershell
 Get-ADUser -filter {samaccountname -eq "administrator"}
 ```
+
 > [!NOTE]
 > Use of this command requires the RSAT-AD-PowerShell feature.

@ -278,10 +281,11 @@ In the example below, the user wishes to add a domain SID-based protector to the
 ```powershell
 Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
 ```
+
 > [!NOTE]
 > Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.

-## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
+## Checking BitLocker status

 To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.

@ -310,7 +314,7 @@ Administrators who prefer a command-line interface can utilize manage-bde to che
 To check the status of a volume using manage-bde, use the following command:

 ```powershell
-manage-bde -status <volume>
+manage-bde.exe -status <volume>
 ```

 > [!NOTE]
@ -325,11 +329,12 @@ Using the Get-BitLockerVolume cmdlet, each volume on the system displays its cur
 ```powershell
 Get-BitLockerVolume <volume> -Verbose | fl
 ```
+
 This command displays information about the encryption method, volume type, key protectors, etc.

 ### Provisioning BitLocker during operating system deployment

-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.

 ### Decrypting BitLocker volumes

@ -349,12 +354,13 @@ Once decryption is complete, the drive updates its status in the control panel a
 Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:

 ```powershell
-manage-bde -off C:
+manage-bde.exe -off C:
 ```
+
 This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:

 ```powershell
-manage-bde -status C:
+manage-bde.exe -status C:
 ```

 ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
@ -373,7 +379,7 @@ If a user didn't want to input each mount point individually, using the `-MountP
 Disable-BitLocker -MountPoint E:,F:,G:
 ```

-## See also
+## Related articles

 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@ -4,13 +4,13 @@ description: Windows uses technologies including TPM, Secure Boot, Trusted Boot,
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -18,19 +18,19 @@ ms.custom: bitlocker

 **Applies to**

-   Windows 10
-   Windows 11
-   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above

 Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. 
 BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. 
 Data on a lost or stolen computer is vulnerable. 
-For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. 
+For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer. 

 BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:

 - **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
+- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
 
 The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.

@ -49,7 +49,7 @@ For more info about TPM, see [Trusted Platform Module](/windows/device-security/

 ### UEFI and secure boot

-Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. 
+Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader. 

 The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). 
 Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. 
@ -74,7 +74,7 @@ Pre-boot authentication with BitLocker is a policy setting that requires the use
 The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. 

 BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. 
-If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
+If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.

 Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. 
 This helps mitigate DMA and memory remanence attacks.
@ -94,7 +94,7 @@ Pre-boot authentication with a PIN can mitigate an attack vector for devices tha
 Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. 

 On the other hand, Pre-boot authentication-prompts can be inconvenient to users. 
-In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. 
+In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. 
 Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. 

 To address these issues, you can deploy [BitLocker Network Unlock](./bitlocker-how-to-enable-network-unlock.md). 
@ -120,8 +120,8 @@ If kernel DMA protection is *not* enabled, follow these steps to protect Thunder
    - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy 
    - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)

-For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
-For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
+For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the "Thunderbolt Mitigation" section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
+For SBP-2 and 1394 (a.k.a. Firewire), refer to the "SBP-2 Mitigation" section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
 
 ## Attack countermeasures

--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
@ -20,7 +20,7 @@ metadata:
 title: BitLocker frequently asked questions (FAQ)
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  

 sections:
@ -55,17 +55,17 @@ sections:
          
      - question: What is Used Disk Space Only encryption?
        answer: |
-          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
+          BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
          
      - question: What system changes would cause the integrity check on my operating system drive to fail?
        answer: |
          The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
          
-          -   Moving the BitLocker-protected drive into a new computer.
-          -   Installing a new motherboard with a new TPM.
-          -   Turning off, disabling, or clearing the TPM.
-          -   Changing any boot configuration settings.
-          -   Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
+          - Moving the BitLocker-protected drive into a new computer.
+          - Installing a new motherboard with a new TPM.
+          - Turning off, disabling, or clearing the TPM.
+          - Changing any boot configuration settings.
+          - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
          
      - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
        answer: |
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@ -3,12 +3,12 @@ title: BitLocker deployment comparison (Windows 10)
 description: This article shows the BitLocker deployment comparison chart.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: lovina-saldanha
-ms.author: v-lsaldanha
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 05/20/2021
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -16,9 +16,9 @@ ms.custom: bitlocker

 **Applies to**

-   Windows 10
-   Windows 11
-   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above

 This article depicts the BitLocker deployment comparison chart.

--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@ -3,33 +3,33 @@ title: Overview of BitLocker Device Encryption in Windows
 description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 03/10/2022
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

 # Overview of BitLocker Device Encryption in Windows

 **Applies to**
-   Windows 10
-   Windows 11
-   Windows Server 2016 and later 
+- Windows 10
+- Windows 11
+- Windows Server 2016 and later 

 This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). 

-When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
+When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.

-Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
+Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.

-**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
+**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**

-| Windows 7 | Windows 11 and Windows 10 |
+| Windows 7 | Windows 11 and Windows 10 |
 |---|---|
 | When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
 | When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
@ -41,17 +41,17 @@ Table 2 lists specific data-protection concerns and how they're addressed in Win

 ## Prepare for drive and file encryption

-The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
-Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
+The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid.
+Whether you're planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.

 ### TPM pre-provisioning

-In Windows 7, preparing the TPM for use offered a couple of challenges:
+In Windows 7, preparing the TPM for use offered a couple of challenges:

 * You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows.
 * When you enable the TPM, it may require one or more restarts.

-Basically, it was a hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or leave BitLocker disabled.
+Basically, it was a hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users' hands, those users would have struggled with the technical challenges and would either call IT for support or leave BitLocker disabled.

 Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.

@ -63,7 +63,7 @@ With earlier versions of Windows, administrators had to enable BitLocker after W

 ## BitLocker device encryption 

-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
+Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.

 Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption.

@ -92,21 +92,21 @@ Exercise caution when encrypting only used space on an existing volume on which

 ## Encrypted hard drive support

-SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use,  whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
+SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use,  whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
 For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).

 ## Preboot information protection

 An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
 It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
-Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
+Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).

 ## Manage passwords and PINs

 When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files.

-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second "something you know"). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
 Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
 For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).

--- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
@ -22,19 +22,19 @@ metadata:
 title: BitLocker frequently asked questions (FAQ) resources
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  
  This topic links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on your computer to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they are decommissioned because it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
  
-  -   [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
-  -   [Upgrading](bitlocker-upgrading-faq.yml)
-  -   [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
-  -   [Key management](bitlocker-key-management-faq.yml)
-  -   [BitLocker To Go](bitlocker-to-go-faq.yml)
-  -   [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
-  -   [Security](bitlocker-security-faq.yml)
-  -   [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
-  -   [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
+  - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml)
+  - [Upgrading](bitlocker-upgrading-faq.yml)
+  - [Deployment and administration](bitlocker-deployment-and-administration-faq.yml)
+  - [Key management](bitlocker-key-management-faq.yml)
+  - [BitLocker To Go](bitlocker-to-go-faq.yml)
+  - [Active Directory Domain Services (AD DS)](bitlocker-and-adds-faq.yml)
+  - [Security](bitlocker-security-faq.yml)
+  - [BitLocker Network Unlock](bitlocker-network-unlock-faq.yml)
+  - [Using BitLocker with other programs and general questions](bitlocker-using-with-other-programs-faq.yml)
  
  

@ -44,11 +44,11 @@ sections:
      - question: |
          More information
        answer: |
-          -   [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-          -   [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-          -   [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
-          -   [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-          -   [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
-          -   [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
-          -   [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
-          -   [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
+          - [Prepare your organization for BitLocker: Planning and Policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
+          - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
+          - [BCD settings and BitLocker](bcd-settings-and-bitlocker.md)
+          - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
+          - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
+          - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
+          - [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md)
+          - [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps&preserve-view=true)
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@ -4,14 +4,14 @@ description: This article for IT professionals describes the function, location,
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 04/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -43,60 +43,60 @@ The following sections provide a comprehensive list of BitLocker group policy se

 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.

-   [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
-   [Allow network unlock at startup](#bkmk-netunlock)
-   [Require additional authentication at startup](#bkmk-unlockpol1)
-   [Allow enhanced PINs for startup](#bkmk-unlockpol2)
-   [Configure minimum PIN length for startup](#bkmk-unlockpol3)
-   [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
-   [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
-   [Configure use of passwords for operating system drives](#bkmk-ospw)
-   [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
-   [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5)
-   [Configure use of passwords on fixed data drives](#bkmk-unlockpol6)
-   [Configure use of smart cards on removable data drives](#bkmk-unlockpol7)
-   [Configure use of passwords on removable data drives](#bkmk-unlockpol8)
-   [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9)
-   [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates)
+- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
+- [Allow network unlock at startup](#bkmk-netunlock)
+- [Require additional authentication at startup](#bkmk-unlockpol1)
+- [Allow enhanced PINs for startup](#bkmk-unlockpol2)
+- [Configure minimum PIN length for startup](#bkmk-unlockpol3)
+- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
+- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
+- [Configure use of passwords for operating system drives](#bkmk-ospw)
+- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
+- [Configure use of smart cards on fixed data drives](#bkmk-unlockpol5)
+- [Configure use of passwords on fixed data drives](#bkmk-unlockpol6)
+- [Configure use of smart cards on removable data drives](#bkmk-unlockpol7)
+- [Configure use of passwords on removable data drives](#bkmk-unlockpol8)
+- [Validate smart card certificate usage rule compliance](#bkmk-unlockpol9)
+- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#bkmk-slates)

 The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.

-   [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1)
-   [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2)
-   [Control use of BitLocker on removable drives](#bkmk-driveaccess3)
+- [Deny write access to fixed drives not protected by BitLocker](#bkmk-driveaccess1)
+- [Deny write access to removable drives not protected by BitLocker](#bkmk-driveaccess2)
+- [Control use of BitLocker on removable drives](#bkmk-driveaccess3)

 The following policy settings determine the encryption methods and encryption types that are used with BitLocker.

-   [Choose drive encryption method and cipher strength](#bkmk-encryptmeth)
-   [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd)
-   [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd)
-   [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd)
-   [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd)
-   [Enforce drive encryption type on operating system drives](#bkmk-detypeosd)
-   [Enforce drive encryption type on removable data drives](#bkmk-detyperdd)
+- [Choose drive encryption method and cipher strength](#bkmk-encryptmeth)
+- [Configure use of hardware-based encryption for fixed data drives](#bkmk-hdefxd)
+- [Configure use of hardware-based encryption for operating system drives](#bkmk-hdeosd)
+- [Configure use of hardware-based encryption for removable data drives](#bkmk-hderdd)
+- [Enforce drive encryption type on fixed data drives](#bkmk-detypefdd)
+- [Enforce drive encryption type on operating system drives](#bkmk-detypeosd)
+- [Enforce drive encryption type on removable data drives](#bkmk-detyperdd)

 The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

-   [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1)
-   [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2)
-   [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3)
-   [Choose default folder for recovery password](#bkmk-rec4)
-   [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6)
-   [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7)
-   [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot)
+- [Choose how BitLocker-protected operating system drives can be recovered](#bkmk-rec1)
+- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#bkmk-rec2)
+- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#bkmk-rec3)
+- [Choose default folder for recovery password](#bkmk-rec4)
+- [Choose how BitLocker-protected fixed drives can be recovered](#bkmk-rec6)
+- [Choose how BitLocker-protected removable drives can be recovered](#bkmk-rec7)
+- [Configure the pre-boot recovery message and URL](#bkmk-configurepreboot)

 The following policies are used to support customized deployment scenarios in your organization.

-   [Allow Secure Boot for integrity validation](#bkmk-secboot)
-   [Provide the unique identifiers for your organization](#bkmk-depopt1)
-   [Prevent memory overwrite on restart](#bkmk-depopt2)
-   [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios)
-   [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3)
-   [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi)
-   [Reset platform validation data after BitLocker recovery](#bkmk-resetrec)
-   [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd)
-   [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
-   [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
+- [Allow Secure Boot for integrity validation](#bkmk-secboot)
+- [Provide the unique identifiers for your organization](#bkmk-depopt1)
+- [Prevent memory overwrite on restart](#bkmk-depopt2)
+- [Configure TPM platform validation profile for BIOS-based firmware configurations](#bkmk-tpmbios)
+- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#bkmk-depopt3)
+- [Configure TPM platform validation profile for native UEFI firmware configurations](#bkmk-tpmvaluefi)
+- [Reset platform validation data after BitLocker recovery](#bkmk-resetrec)
+- [Use enhanced Boot Configuration Data validation profile](#bkmk-enbcd)
+- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
+- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)

 ### <a href="" id="bkmk-hstioptout"></a>Allow devices with secure boot and protected DMA ports to opt out of preboot PIN

@ -160,33 +160,33 @@ If you want to use BitLocker on a computer without a TPM, select **Allow BitLock

 On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:

-   Only the TPM
-   Insertion of a USB flash drive containing the startup key
-   The entry of a 4-digit to 20-digit personal identification number (PIN)
-   A combination of the PIN and the USB flash drive
+- Only the TPM
+- Insertion of a USB flash drive containing the startup key
+- The entry of a 4-digit to 20-digit personal identification number (PIN)
+- A combination of the PIN and the USB flash drive

 There are four options for TPM-enabled computers or devices:

-   Configure TPM startup
+- Configure TPM startup

-    -   Allow TPM
-    -   Require TPM
-    -   Do not allow TPM
-   Configure TPM startup PIN
+    - Allow TPM
+    - Require TPM
+    - Do not allow TPM
+- Configure TPM startup PIN

-    -   Allow startup PIN with TPM
-    -   Require startup PIN with TPM
-    -   Do not allow startup PIN with TPM
-   Configure TPM startup key
+    - Allow startup PIN with TPM
+    - Require startup PIN with TPM
+    - Do not allow startup PIN with TPM
+- Configure TPM startup key

-    -   Allow startup key with TPM
-    -   Require startup key with TPM
-    -   Do not allow startup key with TPM
-   Configure TPM startup key and PIN
+    - Allow startup key with TPM
+    - Require startup key with TPM
+    - Do not allow startup key with TPM
+- Configure TPM startup key and PIN

-    -   Allow TPM startup key with PIN
-    -   Require startup key and PIN with TPM
-    -   Do not allow TPM startup key with PIN
+    - Allow TPM startup key with PIN
+    - Require startup key and PIN with TPM
+    - Do not allow TPM startup key with PIN

 ### <a href="" id="bkmk-unlockpol2"></a>Allow enhanced PINs for startup

@ -308,9 +308,9 @@ Passwords must be at least eight characters. To configure a greater minimum leng

 When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to:

-   Allow password complexity
-   Deny password complexity
-   Require password complexity
+- Allow password complexity
+- Deny password complexity
+- Require password complexity

 ### <a href="" id="bkmk-unlockpol4"></a>Require additional authentication at startup (Windows Server 2008 and Windows Vista)

@ -334,16 +334,16 @@ A USB drive that contains a startup key is needed on computers without a compati

 There are two options for TPM-enabled computers or devices:

-   Configure TPM startup PIN
+- Configure TPM startup PIN

-    -   Allow startup PIN with TPM
-    -   Require startup PIN with TPM
-    -   Do not allow startup PIN with TPM
-   Configure TPM startup key
+    - Allow startup PIN with TPM
+    - Require startup PIN with TPM
+    - Do not allow startup PIN with TPM
+- Configure TPM startup key

-    -   Allow startup key with TPM
-    -   Require startup key with TPM
-    -   Do not allow startup key with TPM
+    - Allow startup key with TPM
+    - Require startup key with TPM
+    - Do not allow startup key with TPM

 These options are mutually exclusive. If you require the startup key, you must not allow the startup PIN. If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error will occur.

@ -510,9 +510,9 @@ When the Windows Recovery Environment isn't enabled and this policy isn't enable

 If you don't enable this policy setting, the following options in the **Require additional authentication at startup** policy might not be available:

-   Configure TPM startup PIN: Required and Allowed
-   Configure TPM startup key and PIN: Required and Allowed
-   Configure use of passwords for operating system drives
+- Configure TPM startup PIN: Required and Allowed
+- Configure TPM startup key and PIN: Required and Allowed
+- Configure use of passwords for operating system drives

 ### <a href="" id="bkmk-driveaccess1"></a>Deny write access to fixed drives not protected by BitLocker

@ -537,9 +537,9 @@ Conflict considerations include:
 1.  When this policy setting is enabled, users receive "Access denied" error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts.
 2.  If BdeHdCfg.exe is run on a computer when this policy setting is enabled, you could encounter the following issues:

-    -   If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
-    -   If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
-    -   If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."
+    - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
+    - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker."
+    - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker."

 3.  If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers.

@ -593,8 +593,8 @@ For information about suspending BitLocker protection, see [BitLocker Basic Depl

 The options for choosing property settings that control how users can configure BitLocker are:

-   **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive.
-   **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
+- **Allow users to apply BitLocker protection on removable data drives**   Enables the user to run the BitLocker Setup Wizard on a removable data drive.
+- **Allow users to suspend and decrypt BitLocker on removable data drives**   Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.

 ### <a href="" id="bkmk-encryptmeth"></a>Choose drive encryption method and cipher strength

@ -632,7 +632,7 @@ This policy controls how BitLocker reacts to systems that are equipped with encr

 |    | &nbsp; |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
+|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Fixed data drives|
 |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives|
@ -648,8 +648,8 @@ This policy controls how BitLocker reacts to systems that are equipped with encr

 The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:

-   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

 ### <a href="" id="bkmk-hdeosd"></a>Configure use of hardware-based encryption for operating system drives

@ -657,7 +657,7 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper

 |    | &nbsp; |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Operating system drives|
 |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
@ -675,8 +675,8 @@ If hardware-based encryption isn't available, BitLocker software-based encryptio

 The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:

-   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

 ### <a href="" id="bkmk-hderdd"></a>Configure use of hardware-based encryption for removable data drives

@ -684,7 +684,7 @@ This policy controls how BitLocker reacts to encrypted drives when they're used

 |    | &nbsp; |
 |:---|:---|
-|**Policy description**|With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.|
+|**Policy description**|With this policy setting, you can manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.|
 |**Introduced**|Windows Server 2012 and Windows 8|
 |**Drive type**|Removable data drive|
 |**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives|
@ -702,8 +702,8 @@ If hardware-based encryption isn't available, BitLocker software-based encryptio

 The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:

-   Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-   AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
+- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
+- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

 ### <a href="" id="bkmk-detypefdd"></a>Enforce drive encryption type on fixed data drives

@ -724,7 +724,7 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio
 This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.

 > [!NOTE]
-> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.

 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).

@ -747,7 +747,7 @@ This policy controls whether operating system drives utilize Full encryption or
 This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.

 > [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.

 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).

@ -770,7 +770,7 @@ This policy controls whether fixed data drives utilize Full encryption or Used S
 This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.

 > [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.

 For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).

@ -861,7 +861,7 @@ BitLocker recovery information includes the recovery password and unique identif

 If you select **Require BitLocker backup to AD DS**, BitLocker can't be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.

-A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive’s BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.
+A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.

 If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup.
 TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services** to ensure that TPM information is also backed up.
@ -974,9 +974,9 @@ Enabling the **Configure the pre-boot recovery message and URL** policy setting

 Once you enable the setting, you have three options:

-   If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
-   If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
-   If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.
+- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
+- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
+- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.

 > [!IMPORTANT]
 > Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen.
@ -1077,32 +1077,32 @@ This policy setting doesn't apply if the computer doesn't have a compatible TPM

 A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:

-   Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-   Option ROM Code (PCR 2)
-   Master Boot Record (MBR) Code (PCR 4)
-   NTFS Boot Sector (PCR 8)
-   NTFS Boot Block (PCR 9)
-   Boot Manager (PCR 10)
-   BitLocker Access Control (PCR 11)
+- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
+- Option ROM Code (PCR 2)
+- Master Boot Record (MBR) Code (PCR 4)
+- NTFS Boot Sector (PCR 8)
+- NTFS Boot Block (PCR 9)
+- Boot Manager (PCR 10)
+- BitLocker Access Control (PCR 11)

 > [!NOTE]
-> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.

 The following list identifies all of the available PCRs:

-   PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
-   PCR 1: Platform and motherboard configuration and data.
-   PCR 2: Option ROM code
-   PCR 3: Option ROM data and configuration
-   PCR 4: Master Boot Record (MBR) code
-   PCR 5: Master Boot Record (MBR) partition table
-   PCR 6: State transition and wake events
-   PCR 7: Computer manufacturer-specific
-   PCR 8: NTFS boot sector
-   PCR 9: NTFS boot block
-   PCR 10: Boot manager
-   PCR 11: BitLocker access control
-   PCR 12-23: Reserved for future use
+- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
+- PCR 1: Platform and motherboard configuration and data.
+- PCR 2: Option ROM code
+- PCR 3: Option ROM data and configuration
+- PCR 4: Master Boot Record (MBR) code
+- PCR 5: Master Boot Record (MBR) partition table
+- PCR 6: State transition and wake events
+- PCR 7: Computer manufacturer-specific
+- PCR 8: NTFS boot sector
+- PCR 9: NTFS boot block
+- PCR 10: Boot manager
+- PCR 11: BitLocker access control
+- PCR 12-23: Reserved for future use

 ### <a href="" id="bkmk-depopt3"></a>Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)

@ -1124,32 +1124,32 @@ This policy setting doesn't apply if the computer doesn't have a compatible TPM

 A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following:

-   Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-   Option ROM Code (PCR 2)
-   Master Boot Record (MBR) Code (PCR 4)
-   NTFS Boot Sector (PCR 8)
-   NTFS Boot Block (PCR 9)
-   Boot Manager (PCR 10)
-   BitLocker Access Control (PCR 11)
+- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
+- Option ROM Code (PCR 2)
+- Master Boot Record (MBR) Code (PCR 4)
+- NTFS Boot Sector (PCR 8)
+- NTFS Boot Block (PCR 9)
+- Boot Manager (PCR 10)
+- BitLocker Access Control (PCR 11)

 > [!NOTE]
 > The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.

 The following list identifies all of the available PCRs:

-   PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
-   PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
-   PCR 2: Option ROM code
-   PCR 3: Option ROM data and configuration
-   PCR 4: Master Boot Record (MBR) code or code from other boot devices
-   PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
-   PCR 6: State transition and wake events
-   PCR 7: Computer manufacturer-specific
-   PCR 8: NTFS boot sector
-   PCR 9: NTFS boot block
-   PCR 10: Boot manager
-   PCR 11: BitLocker access control
-   PCR 12 - 23: Reserved for future use
+- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
+- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
+- PCR 2: Option ROM code
+- PCR 3: Option ROM data and configuration
+- PCR 4: Master Boot Record (MBR) code or code from other boot devices
+- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
+- PCR 6: State transition and wake events
+- PCR 7: Computer manufacturer-specific
+- PCR 8: NTFS boot sector
+- PCR 9: NTFS boot block
+- PCR 10: Boot manager
+- PCR 11: BitLocker access control
+- PCR 12 - 23: Reserved for future use

 > [!WARNING]
 > Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
@ -1179,25 +1179,25 @@ A platform validation profile consists of a set of PCR indices ranging from 0 to

 The following list identifies all of the available PCRs:

-   PCR 0: Core System Firmware executable code
-   PCR 1: Core System Firmware data
-   PCR 2: Extended or pluggable executable code
-   PCR 3: Extended or pluggable firmware data
-   PCR 4: Boot Manager
-   PCR 5: GPT/Partition Table
-   PCR 6: Resume from S4 and S5 Power State Events
-   PCR 7: Secure Boot State
+- PCR 0: Core System Firmware executable code
+- PCR 1: Core System Firmware data
+- PCR 2: Extended or pluggable executable code
+- PCR 3: Extended or pluggable firmware data
+- PCR 4: Boot Manager
+- PCR 5: GPT/Partition Table
+- PCR 6: Resume from S4 and S5 Power State Events
+- PCR 7: Secure Boot State

    For more information about this PCR, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this article.

-   PCR 8: Initialized to 0 with no Extends (reserved for future use)
-   PCR 9: Initialized to 0 with no Extends (reserved for future use)
-   PCR 10: Initialized to 0 with no Extends (reserved for future use)
-   PCR 11: BitLocker access control
-   PCR 12: Data events and highly volatile events
-   PCR 13: Boot Module Details
-   PCR 14: Boot Authorities
-   PCR 15 – 23: Reserved for future use
+- PCR 8: Initialized to 0 with no Extends (reserved for future use)
+- PCR 9: Initialized to 0 with no Extends (reserved for future use)
+- PCR 10: Initialized to 0 with no Extends (reserved for future use)
+- PCR 11: BitLocker access control
+- PCR 12: Data events and highly volatile events
+- PCR 13: Boot Module Details
+- PCR 14: Boot Authorities
+- PCR 15 - 23: Reserved for future use

 > [!WARNING]
 > Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
@ -1309,20 +1309,20 @@ For more information about setting this policy, see [System cryptography: Use FI

 ## Power management group policy settings: Sleep and Hibernate

-PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.
+PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised.

 However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.

 You can disable the following Group Policy settings, which are located in **Computer Configuration\\Administrative Templates\\System\\Power Management** to disable all available sleep states:

-   Allow Standby States (S1-S3) When Sleeping (Plugged In)
-   Allow Standby States (S1-S3) When Sleeping (Battery)
+- Allow Standby States (S1-S3) When Sleeping (Plugged In)
+- Allow Standby States (S1-S3) When Sleeping (Battery)

 ## <a href="" id="bkmk-pcr"></a>About the Platform Configuration Register (PCR)

 A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system.

-Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.

 **About PCR 7**

--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
@ -4,18 +4,18 @@ description: This article for the IT professional explains how to deploy BitLock
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

 # BitLocker: How to deploy on Windows Server 2012 and later

-> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
+> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019

 This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.

@ -33,8 +33,8 @@ This article explains how to deploy BitLocker on Windows Server 2012 and later v
 7.  Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools 
 ** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.

-    > **Note:**      The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-     
+    > **Note:**    The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
+     
 8.  Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
 9.  If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.

@ -42,8 +42,8 @@ This article explains how to deploy BitLocker on Windows Server 2012 and later v

 Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation.

->**Note:**  You must restart the server to complete the installation of BitLocker.
- 
+>**Note:**You must restart the server to complete the installation of BitLocker.
+ 
 ### Using the servermanager module to install BitLocker

 The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. 
@ -63,13 +63,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -

 The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

-   BitLocker Drive Encryption
-   BitLocker Drive Encryption Tools
-   BitLocker Drive Encryption Administration Utilities
-   BitLocker Recovery Password Viewer
-   AD DS Snap-Ins and Command-Line Tools
-   AD DS Tools
-   AD DS and AD LDS Tools
+- BitLocker Drive Encryption
+- BitLocker Drive Encryption Tools
+- BitLocker Drive Encryption Administration Utilities
+- BitLocker Recovery Password Viewer
+- AD DS Snap-Ins and Command-Line Tools
+- AD DS Tools
+- AD DS and AD LDS Tools

 The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is:

@ -77,8 +77,8 @@ The command to complete a full installation of the BitLocker feature with all av
 Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
 ```

->**Important:**  Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
- 
+>**Important:**Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
+ 
 ### Using the dism module to install BitLocker

 The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system.
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@ -4,13 +4,13 @@ description: This article for the IT professional describes how BitLocker Networ
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -33,14 +33,14 @@ Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that mee

 Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:

-   Windows 8 or Windows Server 2012 as the current operating system.
-   Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients.
-   Network Unlock clients with a TPM chip and at least one TPM protector.
-   A server running the Windows Deployment Services (WDS) role on any supported server operating system.
-   BitLocker Network Unlock optional feature installed on any supported server operating system.
-   A DHCP server, separate from the WDS server.
-   Properly configured public/private key pairing.
-   Network Unlock group policy settings configured.
+- Windows 8 or Windows Server 2012 as the current operating system.
+- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients.
+- Network Unlock clients with a TPM chip and at least one TPM protector.
+- A server running the Windows Deployment Services (WDS) role on any supported server operating system.
+- BitLocker Network Unlock optional feature installed on any supported server operating system.
+- A DHCP server, separate from the WDS server.
+- Properly configured public/private key pairing.
+- Network Unlock group policy settings configured.

 The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer.

@ -135,8 +135,8 @@ A properly configured Active Directory Services Certification Authority can use
 12. On the **Edit Application Policies Extension** dialog box, select **Add**.
 13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy:

-    -   **Name:** **BitLocker Network Unlock**
-    -   **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**
+    - **Name:** **BitLocker Network Unlock**
+    - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1**

 14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**.
 15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
@ -212,7 +212,7 @@ Here's a `certreq` example:
    ```
 4.  Verify that certificate was properly created by the previous command by confirming that the .cer file exists.
 5.  Launch Certificates - Local Machine by running **certlm.msc**.
-6.  Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file.
+6.  Create a .pfx file by opening the **Certificates - Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file.

 ### <a href="" id="bkmk-deploycert"></a>Deploy the private key and certificate to the WDS server

@ -259,7 +259,7 @@ By default, all clients with the correct network unlock certificate and valid Ne

 The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.

-The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names.
+The subnet policy configuration file must use a "\[SUBNETS\]" section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word "ENABLED" is disallowed for subnet names.

 ```ini
 [SUBNETS]
@ -293,7 +293,7 @@ To disallow the use of a certificate altogether, add a `DISABLED` line to its su
 To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.

 > [!NOTE]
-> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server.
+> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server.
 
 ## <a href="" id="bkmk-updatecerts"></a>Update Network Unlock certificates

@ -336,17 +336,17 @@ Gather the following files to troubleshoot BitLocker Network Unlock.
    1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
    1. In the right pane, select **Enable Log**.
 - The DHCP subnet configuration file (if one exists).
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
+- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
 - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.

 ## <a href="" id="bkmk-unsupportedsystems"></a>Configure Network Unlock Group Policy settings on earlier versions

-Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by  using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
+Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by  using operating systems that run Windows Server 2008 R2 and Windows Server 2008.

 Your system must meet these requirements:

-   The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
-   Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.
+- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
+- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.

 Follow these steps to configure Network Unlock on these older systems.

@ -375,6 +375,6 @@ Follow these steps to configure Network Unlock on these older systems.

 ## See also

-   [BitLocker overview](bitlocker-overview.md)
-   [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
-   [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
+- [BitLocker overview](bitlocker-overview.md)
+- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)
+- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
--- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml
@ -20,7 +20,7 @@ metadata:
 title: BitLocker Key Management FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  

 sections:
@ -42,28 +42,28 @@ sections:
          
          For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft Account, or printed. By default, you cannot store a recovery key for a removable drive on a removable drive.
          
-          A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
+          A domain administrator can additionally configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
          
      - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
        answer: |
          You can use the Manage-bde.exe command-line tool to replace your TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and you want to add PIN authentication, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the numeric PIN you want to use:
          
-          <code>manage-bde –protectors –delete %systemdrive% -type tpm</code>
+          <code>manage-bde -protectors -delete %systemdrive% -type tpm</code>
          
-          <code>manage-bde –protectors –add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
+          <code>manage-bde -protectors -add %systemdrive% -tpmandpin <i>4-20 digit numeric PIN</i></code>
          
          
      - question: When should an additional method of authentication be considered?
        answer: |
          New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book do not have external DMA ports to attack. 
-          For older hardware, where a PIN may be needed, it’s recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. 
+          For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#bkmk-unlockpol2) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on your risk tolerance and the hardware anti-hammering capabilities available to the TPMs in your computers. 
          
      - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
        answer: |
          BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
          
          > [!IMPORTANT]
-          > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
+          > Store the recovery information in AD DS, along with your Microsoft Account, or another safe location.
           
      - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
        answer: While this is technically possible, it is not a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains your startup key is lost or stolen, you also lose access to your recovery key. In addition, inserting this key would cause your computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
@ -109,9 +109,9 @@ sections:
        answer: |
          The following questions can assist you when asking a TPM manufacturer about the design of a dictionary attack mitigation mechanism:
          
-          -   How many failed authorization attempts can occur before lockout?
-          -   What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
-          -   What actions can cause the failure count and lockout duration to be decreased or reset?
+          - How many failed authorization attempts can occur before lockout?
+          - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
+          - What actions can cause the failure count and lockout duration to be decreased or reset?
          
      - question: Can PIN length and complexity be managed with Group Policy?
        answer: |
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@ -3,13 +3,13 @@ title: BitLocker Management Recommendations for Enterprises (Windows 10)
 description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

--- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml
@ -19,7 +19,7 @@ metadata:
 title: BitLocker Network Unlock FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10

 sections:
  - name: Ignored
--- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
@ -22,8 +22,8 @@ metadata:
 title: BitLocker Overview and Requirements FAQ
 summary: |
  **Applies to**
-  -   Windows 10
-  -   Windows 11
+  - Windows 10
+  - Windows 11
  

 sections:
@ -40,7 +40,7 @@ sections:
          You can use BitLocker to encrypt the entire contents of a data drive. You can use Group Policy to require that BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with a variety of unlock methods for data drives, and a data drive supports multiple unlock methods.
          
      - question: Does BitLocker support multifactor authentication?
-        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.
+        answer: Yes, BitLocker supports multifactor authentication for operating system drives. If you enable BitLocker on a computer that has a TPM version 1.2 or later, you can use additional forms of authentication with the TPM protection.

      - question: What are the BitLocker hardware and software requirements?
        answer: |
@ -73,11 +73,11 @@ sections:
        answer: |
          Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
          
-          -   It is compliant with the TCG standards for a client computer.
-          -   It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
+          - It is compliant with the TCG standards for a client computer.
+          - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
          
      - question: What credentials are required to use BitLocker?
        answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.

      - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
-        answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 
+        answer: You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked. 
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@ -1,16 +1,16 @@
 ---
 title: BitLocker
 description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
-ms.author: dansimp
+ms.author: frankroj
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
+author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 01/26/2018
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -40,21 +40,21 @@ Data on a lost or stolen computer is vulnerable to unauthorized access, either b

 There are two additional tools in the Remote Server Administration Tools which you can use to manage BitLocker.

-   **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
+- **BitLocker Recovery Password Viewer**. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
    By using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.

-   **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
+- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
 BitLocker control panel, and they are appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console.

 ## <a href="" id="bkmk-new"></a>New and changed functionality

 To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
- 
+ 
 ## System requirements

 BitLocker has the following hardware requirements:

-For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive.
+For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If your computer does not have a TPM, enabling BitLocker makes it mandatory for you to save a startup key on a removable device, such as a USB flash drive.

 A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.

@ -70,8 +70,8 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th

 The hard disk must be partitioned with at least two drives:

-   The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
-   The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
+- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
+- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.

 When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.

@ -95,7 +95,7 @@ When installing the BitLocker optional component on a server, you will also need
 | [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic describes the function, location, and effect of each group policy setting that is used to manage BitLocker. |
 | [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic describes the BCD settings that are used by BitLocker.|
 | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic describes how to recover BitLocker keys from AD DS. |
-| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
+| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide helps you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device's configuration. |
 | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic describes how to protect CSVs and SANs with BitLocker.|
 | [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic describes how to use BitLocker with Windows IoT Core |
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@ -1,6 +1,6 @@
 ---
 title: BitLocker recovery guide
-description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
+description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
 ms.prod: windows-client
 ms.technology: itpro-security
 ms.localizationpriority: medium
@ -12,7 +12,7 @@ ms.collection:
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -26,20 +26,20 @@ ms.custom: bitlocker

 This article describes how to recover BitLocker keys from AD DS.

-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.
+Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while you are planning your BitLocker deployment.

-This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
+This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.

-This article does not detail how to configure AD DS to store the BitLocker recovery information.
+This article does not detail how to configure AD DS to store the BitLocker recovery information.


 ## <a href="" id="bkmk-whatisrecovery"></a>What is BitLocker recovery?

 BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:

-   **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
-   **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
-   **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+- **The user can supply the recovery password.** If your organization allows users to print or store recovery passwords, the users can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft account online. (Saving a recovery password with your Microsoft account online is only allowed when BitLocker is used on a PC that is not a member of a domain).
+- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
+- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method makes it mandatory for you to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).

 ### What causes BitLocker recovery?

@ -106,15 +106,15 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
 1.  Select the **Start** button, type **cmd** in the **Start Search** box, and select and hold **cmd.exe**, and then select **Run as administrator**.
 2.  At the command prompt, type the following command and then press **ENTER**:

-    `manage-bde -forcerecovery <BitLockerVolume>`
+    `manage-bde.exe -forcerecovery <BitLockerVolume>`

 **To force recovery for a remote computer:**

-1.  On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
+1.  On the Start screen, type **cmd.exe**, and then select **Run as administrator**.

 2.  At the command prompt, type the following command and then press **ENTER**:

-    `manage-bde -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
+    `manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`

    > [!NOTE]
    > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
@ -124,7 +124,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t

 When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.

-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
+Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).

 After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.

@ -148,11 +148,11 @@ In some cases, users might have the recovery password in a printout or a USB fla

 If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default; you must have configured the appropriate group policy settings before BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

-   **Choose how BitLocker-protected operating system drives can be recovered**
-   **Choose how BitLocker-protected fixed drives can be recovered**
-   **Choose how BitLocker-protected removable drives can be recovered**
-In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
-DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
+- **Choose how BitLocker-protected operating system drives can be recovered**
+- **Choose how BitLocker-protected fixed drives can be recovered**
+- **Choose how BitLocker-protected removable drives can be recovered**
+In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
+DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.

 > [!NOTE]
 > If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event of a recovery being required.
@ -163,32 +163,32 @@ You can use the following list as a template for creating your own recovery proc

 - [Record the name of the user's computer](#bkmk-recordcomputername)
 - [Verify the user's identity](#bkmk-verifyidentity)
- [Locate the recovery password in AD DS](#bkmk-locatepassword)
+- [Locate the recovery password in AD DS](#bkmk-locatepassword)
 - [Gather information to determine why recovery occurred](#bkmk-gatherinfo)
 - [Give the user the recovery password](#bkmk-givepassword)


 ### <a href="" id="bkmk-recordcomputername"></a>Record the name of the user's computer

-You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.
+You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.


 ### <a href="" id="bkmk-verifyidentity"></a>Verify the user's identity

 You should verify whether the person who is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify whether the computer for which the user provided the name belongs to the user.

-### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS
+### <a href="" id="bkmk-locatepassword"></a>Locate the recovery password in AD DS

-Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.
+Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.


 ### Multiple recovery passwords

-If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
+If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.

 If at any time you are unsure about the password to be provided, or if you think you might be providing the incorrect password, ask the user to read the 8-character password ID that is displayed in the recovery console.

-Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
+Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.


 ### <a href="" id="bkmk-gatherinfo"></a>Gather information to determine why recovery occurred
@ -272,7 +272,7 @@ This error occurs if you updated the firmware. As a best practice, you should su

 ## Windows RE and BitLocker Device Encryption

-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs, provided that the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.

 Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.

@ -290,7 +290,7 @@ During BitLocker recovery, Windows displays a custom recovery message and a few

 ### Custom recovery message

-BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.

 This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.

@ -306,7 +306,7 @@ Example of customized recovery screen:

 ### BitLocker recovery key hints

-BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.

 ![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)

@ -320,9 +320,9 @@ There are rules governing which hint is shown during the recovery (in the order
 3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
 4. Prioritize keys with successful backup over keys that have never been backed up.
 5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**. 
-6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints.
+6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
 7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
-8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” is displayed. 
+8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed. 
 9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer. 


@ -460,22 +460,22 @@ You can reset the recovery password in two ways:
 1.  Remove the previous recovery password.

    ```powershell
-    Manage-bde –protectors –delete C: –type RecoveryPassword
+    Manage-bde -protectors -delete C: -type RecoveryPassword
    ```
 2.  Add the new recovery password.

    ```powershell
-    Manage-bde –protectors –add C: -RecoveryPassword
+    Manage-bde -protectors -add C: -RecoveryPassword
    ```
 3.  Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.

    ```powershell
-    Manage-bde –protectors –get C: -Type RecoveryPassword
+    Manage-bde -protectors -get C: -Type RecoveryPassword
    ```
 4.  Back up the new recovery password to AD DS.

    ```powershell
-    Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
+    Manage-bde -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
    ```

    > [!WARNING]
@ -572,10 +572,10 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re

 You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):

- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
+- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
 - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.

-The following sample script exports all previously saved key packages from AD DS.
+The following sample script exports all previously saved key packages from AD DS.

 **To run the sample key package retrieval script:**

@ -584,7 +584,7 @@ The following sample script exports all previously saved key packages from AD D

    **cscript GetBitLockerKeyPackageADDS.vbs -?**

-You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:
+You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:

 ```vb
 ' --------------------------------------------------------------------------------
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@ -3,14 +3,14 @@ title: Breaking out of a BitLocker recovery loop
 description: This article for IT professionals describes how to break out of a BitLocker recovery loop.
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: aczechowski
-ms.author: aaroncz
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 10/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

--- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml
@ -20,7 +20,7 @@ metadata:
 title: BitLocker Security FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  
  

@ -35,7 +35,7 @@ sections:
      - question: |
          What is the best practice for using BitLocker on an operating system drive?
        answer: |
-          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.
+          The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer cannot simply start the computer.

      - question: |
          What are the implications of using the sleep or hibernate power management options?
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml
@ -20,7 +20,7 @@ metadata:
 title: BitLocker To Go FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  

 sections:
--- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml
@ -19,14 +19,14 @@ metadata:
 title: BitLocker Upgrading FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  

 sections:
  - name: Ignored
    questions:
      - question: |
-          Can I upgrade to Windows 10 with BitLocker enabled?
+          Can I upgrade to Windows 10 with BitLocker enabled?
        answer: |
          Yes. 

@ -43,7 +43,7 @@ sections:
          No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). 
          Users need to suspend BitLocker for Non-Microsoft software updates, such as:   
          
-          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don’t have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don’t want to suspend BitLocker protection.
+          -	Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM and this happens if a known vulnerability has been discovered in the TPM firmware. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. We recommend users testing their TPM firmware updates if they don't want to suspend BitLocker protection.
          -	Non-Microsoft application updates that modify the UEFI\BIOS configuration.
          -	Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
          -	Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if you update and BitLocker does not use Secure Boot for integrity validation).
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@ -4,14 +4,14 @@ description: This article for the IT professional describes how to use tools to
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -39,11 +39,11 @@ Repair-bde is a special circumstance tool that is provided for disaster recovery

 Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.

-Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
+Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.

 ### Using manage-bde with operating system volumes

-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.

 A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:

@ -58,7 +58,7 @@ This command returns the volumes on the target, current encryption status, encry
 The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.

 ```powershell
-manage-bde –protectors -add C: -startupkey E:
+manage-bde -protectors -add C: -startupkey E:
 manage-bde -on C:
 ```

@ -86,7 +86,7 @@ This command encrypts the drive using the TPM as the default protector. If you a
 ```
 ### Using manage-bde with data volumes

-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde.exe -on <drive letter>` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.

 A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.

@ -99,10 +99,10 @@ manage-bde -on C:

 You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly.

-The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
+The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.

 > [!TIP]
-> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
+> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde.exe -KeyPackage` to generate a key package for a volume.
 
 The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:

@ -111,12 +111,12 @@ The Repair-bde command-line tool is intended for use when the operating system d
 - You do not have a copy of the data that is contained on the encrypted drive.

 > [!NOTE]
-> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
+> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
 
 The following limitations exist for Repair-bde:

-   The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
-   The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
+- The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
+- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.

 For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).

--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
@ -4,14 +4,14 @@ description: This topic for the IT professional describes how to use the BitLock
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
  - highpri
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -31,9 +31,9 @@ The BitLocker Recovery Password Viewer tool is an optional tool included with th

 To complete the procedures in this scenario:

-   You must have domain administrator credentials.
-   Your test computers must be joined to the domain.
-   On the domain-joined test computers, BitLocker must have been turned on.
+- You must have domain administrator credentials.
+- Your test computers must be joined to the domain.
+- On the domain-joined test computers, BitLocker must have been turned on.

 The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.

@ -62,5 +62,5 @@ By completing the procedures in this scenario, you have viewed and copied the re
 - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
 - [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
- 
- 
+ 
+ 
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
@ -20,7 +20,7 @@ metadata:
 title: Using BitLocker with other programs FAQ
 summary: |
  **Applies to**
-  -   Windows 10
+  - Windows 10
  

 sections:
@ -61,18 +61,18 @@ sections:
        answer: |
          The system check is designed to ensure your computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
          
-          -   The computer's BIOS or UEFI firmware cannot read USB flash drives.
-          -   The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
-          -   There are multiple USB flash drives inserted into the computer.
-          -   The PIN was not entered correctly.
-          -   The computer's BIOS or UEFI firmware only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
-          -   The startup key was removed before the computer finished rebooting.
-          -   The TPM has malfunctioned and fails to unseal the keys.
+          - The computer's BIOS or UEFI firmware cannot read USB flash drives.
+          - The computer's BIOS, uEFI firmware, or boot menu does not have reading USB flash drives enabled.
+          - There are multiple USB flash drives inserted into the computer.
+          - The PIN was not entered correctly.
+          - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
+          - The startup key was removed before the computer finished rebooting.
+          - The TPM has malfunctioned and fails to unseal the keys.
          
      - question: |
          What can I do if the recovery key on my USB flash drive cannot be read?
        answer: |
-          Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.
+          Some computers cannot read USB flash drives in the pre-boot environment. First, check your BIOS or UEFI firmware and boot settings to ensure that the use of USB drives is enabled. If it is not enabled, enable the use of USB drives in the BIOS or UEFI firmware and boot settings and then try to read the recovery key from the USB flash drive again. If it still cannot be read, you will have to mount the hard drive as a data drive on another computer so that there is an operating system to attempt to read the recovery key from the USB flash drive. If the USB flash drive has been corrupted or damaged, you may need to supply a recovery password or use the recovery information that was backed up to AD DS. Also, if you are using the recovery key in the pre-boot environment, ensure that the drive is formatted by using the NTFS, FAT16, or FAT32 file system.

      - question: |
          Why am I unable to save my recovery key to my USB flash drive?
@ -92,7 +92,7 @@ sections:
      - question: |
          How do I "lock" a data drive?
        answer: |
-          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the –lock command.
+          Both fixed and removable data drives can be locked by using the Manage-bde command-line tool and the -lock command.
          
          > [!NOTE]
          > Ensure all data is saved to the drive before locking it. Once locked, the drive will become inaccessible.
@ -115,7 +115,7 @@ sections:
          - With TPM: Yes, it is supported.
          - Without  TPM: Yes, it is supported (with password protector).
          
-          BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
+          BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
          
      - question: |
          Can I use BitLocker with virtual machines (VMs)?
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@ -4,13 +4,13 @@ description: This article for the IT professional explains how can you plan your
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: 
  - M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/24/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -49,7 +49,7 @@ The trusted platform module (TPM) is a hardware component installed in many newe

 Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.

-On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
+On computers that don't have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.

 ### BitLocker key protectors
 | Key protector | Description |
@ -79,7 +79,7 @@ Determine whether you will support computers that don't have a TPM 1.2 or higher

 The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.

-However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection.
+However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.

 **What areas of your organization need a more secure level of data protection?**

@ -101,7 +101,7 @@ For TPM 1.2, there are multiple possible states. Windows automatically initializ

 For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.

-An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken.
+An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken.

 For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (<https://go.microsoft.com/fwlink/p/?linkid=69584>).

--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@ -4,19 +4,19 @@ description: This article for IT pros describes how to protect CSVs and SANs wit
 ms.reviewer: 
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: dansimp
-ms.author: dansimp
+author: frankroj
+ms.author: frankroj
 manager: aaroncz
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

 # Protecting cluster shared volumes and storage area networks with BitLocker

 **Applies to**
-   Windows Server 2016
+- Windows Server 2016

 This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker.

@ -134,7 +134,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st
 2.  Ensure new storage is formatted as NTFS.
 3.  Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the**manage-bde** command line interface (see example):

-    -   `Manage-bde -on -used <drive letter> -RP -sid domain\CNO$ -sync`
+    - `manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync`

       1.  BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
       2.  Using the -sync parameter is optional. However, using -sync parameter has the following advantage:
@ -143,7 +143,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st
 4.  Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.


-    -   Once the disk is clustered, it's enabled for CSV.
+    - Once the disk is clustered, it's enabled for CSV.


 5.  During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
@ -152,7 +152,7 @@ You can also use **manage-bde** to enable BitLocker on clustered volumes. The st
    2.  If the volume is BitLocker enabled, the following check occurs:


-       -   If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
+       - If volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.

 6.  Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing "**Add to cluster shared volumes**".
 CSVs include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption: administrators must do the following task:
@ -177,15 +177,15 @@ The following table contains information about both physical disk resources (tha

 | Action | On owner node of failover volume | On Metadata Server (MDS) of CSV | On (Data Server) DS of CSV | Maintenance Mode |
 |--- |--- |--- |--- |--- |
-|**Manage-bde –on**|Blocked|Blocked|Blocked|Allowed|
-|**Manage-bde –off**|Blocked|Blocked|Blocked|Allowed|
+|**Manage-bde -on**|Blocked|Blocked|Blocked|Allowed|
+|**Manage-bde -off**|Blocked|Blocked|Blocked|Allowed|
 |**Manage-bde Pause/Resume**|Blocked|Blocked**|Blocked|Allowed|
-|**Manage-bde –lock**|Blocked|Blocked|Blocked|Allowed|
-|**manage-bde –wipe**|Blocked|Blocked|Blocked|Allowed|
+|**Manage-bde -lock**|Blocked|Blocked|Blocked|Allowed|
+|**manage-bde -wipe**|Blocked|Blocked|Blocked|Allowed|
 |**Unlock**|Automatic via cluster service|Automatic via cluster service|Automatic via cluster service|Allowed|
-|**manage-bde –protector –add**|Allowed|Allowed|Blocked|Allowed|
+|**manage-bde -protector -add**|Allowed|Allowed|Blocked|Allowed|
 |**manage-bde -protector -delete**|Allowed|Allowed|Blocked|Allowed|
-|**manage-bde –autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
+|**manage-bde -autounlock**|Allowed (not recommended)|Allowed (not recommended)|Blocked|Allowed (not recommended)|
 |**Manage-bde -upgrade**|Allowed|Allowed|Blocked|Allowed|
 |**Shrink**|Allowed|Allowed|Blocked|Allowed|
 |**Extend**|Allowed|Allowed|Blocked|Allowed|
@ -198,10 +198,10 @@ In the case where a physical disk resource experiences a failover event during c
 ### Other considerations when using BitLocker on CSV2.0

 Some other considerations to take into account for BitLocker on clustered storage include:
-   BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
-   If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
-   If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
-   If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
-   If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
-   If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
-   If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
+- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
+- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
+- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
+- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
+- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
+- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
+- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -44,7 +44,7 @@ wevtutil qe "Microsoft-Windows-BitLocker/BitLocker Operational" /f:text > BitLoc
 To use the **Get-WinEvent** cmdlet to export the same log to a comma-separated text file, open a Windows Powershell window and run the following command:

 ```ps
-Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
+Get-WinEvent -logname "Microsoft-Windows-BitLocker/BitLocker Operational"  | Export-Csv -Path Bitlocker-Operational.csv
 ```

 You can use Get-WinEvent in an elevated PowerShell window to display filtered information from the system or application log by using the following syntax:
@ -87,7 +87,7 @@ Open an elevated Windows PowerShell window, and run each of the following comman
 |Command |Notes |
 | --- | --- |
 |[**get-tpm \> C:\\TPM.txt**](/powershell/module/trustedplatformmodule/get-tpm?view=win10-ps&preserve-view=true) |Exports information about the local computer's Trusted Platform Module (TPM). This cmdlet shows different values depending on whether the TPM chip is version 1.2 or 2.0. This cmdlet is not supported in Windows 7. |
-|[**manage-bde –status \>&nbsp;C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
+|[**manage-bde -status \>&nbsp;C:\\BDEStatus.txt**](/windows-server/administration/windows-commands/manage-bde-status) |Exports information about the general encryption status of all drives on the computer. |
 |[**manage-bde c: <br />-protectors -get \>&nbsp;C:\\Protectors**](/windows-server/administration/windows-commands/manage-bde-protectors) |Exports information about the protection methods that are used for the BitLocker encryption key.  |
 |[**reagentc&nbsp;/info&nbsp;\>&nbsp;C:\\reagent.txt**](/windows-hardware/manufacture/desktop/reagentc-command-line-options) |Exports information about an online or offline image about the current status of the Windows Recovery Environment (WindowsRE) and any available recovery image. |
 |[**get-BitLockerVolume \| fl**](/powershell/module/bitlocker/get-bitlockervolume?view=win10-ps&preserve-view=true) |Gets information about volumes that BitLocker Drive Encryption can protect. |
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -23,7 +23,7 @@ This article describes common issues that prevent BitLocker from encrypting a dr

 ## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive

-When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:
+When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following:

 > **ERROR:** An error occurred (code 0x80310059):BitLocker Drive Encryption is already performing an operation on this drive. Please complete all operations before continuing.NOTE: If the -on switch has failed to add key protectors or start encryption,you may need to call manage-bde -off before attempting -on again.

@ -51,7 +51,7 @@ To resolve this issue, follow these steps:

 ## "Access is denied" message when you try to encrypt removable drives

-You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:
+You have a computer that is running Windows 10, version 1709 or version 1607, or Windows 11. You try to encrypt a USB drive by following these steps:

 1. In Windows Explorer, right-click the USB drive and select **Turn on BitLocker**.

@ -63,7 +63,7 @@ You have a computer that is running Windows 10, version 1709 or version 1607, or

 1. The **Starting encryption** page displays the message "Access is denied."

-You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.
+You receive this message on any computer that runs Windows 10 version 1709 or version 1607, or Windows 11, when you use any USB drive.

 ### Cause

--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/18/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

--- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -18,9 +18,9 @@ ms.custom: bitlocker

 This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues.

-## BitLocker encryption is slower in Windows 10 and Windows 11
+## BitLocker encryption is slower in Windows 10 and Windows 11

-In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.
+In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance.

 To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*.

@ -80,7 +80,7 @@ To resolve this issue, remove the third-party software.

 ## Production snapshots fail for virtualized domain controllers that use BitLocker-encrypted disks

-You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a “production snapshot” of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.
+You have a Windows Server 2019 or 2016 Hyper-V Server that is hosting VMs (guests) that are configured as Windows domain controllers. BitLocker has encrypted the disks that store the Active Directory database and log files. When you run a "production snapshot" of the domain controller guests, the Volume Snap-Shot (VSS) service does not correctly process the backup.

 This issue occurs regardless of any of the following variations in the environment:

--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/17/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -29,7 +29,7 @@ For more information about Measured Boot and PCRs, see the following articles:

 ## Use TBSLogGenerator to decode Measured Boot logs

-Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 11, Windows 10, and earlier versions. You can install this tool on the following systems:
+Use TBSLogGenerator to decode Measured Boot logs that you have collected from Windows 11, Windows 10, and earlier versions. You can install this tool on the following systems:

 - A computer that is running Windows Server 2016 and that has a TPM enabled
 - A Gen 2 virtual machine (running on Hyper-V) that is running Windows Server 2016 (you can use the virtual TPM)
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@ -5,13 +5,13 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: 
  - Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/18/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -97,7 +97,7 @@ You can resolve this issue by verifying the configuration of the disk partitions

 #### Step 1: Verify the configuration of the disk partitions

-The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
+The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.

 ![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)

@ -143,7 +143,7 @@ The output of this command resembles the following:

 :::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png":::

-In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
+In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.

 ## <a id="issue-4"></a>Event ID 851: Contact the manufacturer for BIOS upgrade instructions

@ -231,7 +231,7 @@ To verify the secure boot state, use the System Information application. To do t

 ## <a id="issue-7"></a>Event ID 846, 778, and 851: Error 0x80072f9a

-In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.
+In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option.

 The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder):

@ -260,7 +260,7 @@ These events refer to Error code 0x80072f9a.

 These events indicate that the signed-in user does not have permission to read the private key on the certificate that is generated as part of the provisioning and enrollment process. Therefore, the BitLocker MDM policy refresh fails.

-The issue affects Windows 11 and Windows 10 version 1809.
+The issue affects Windows 11 and Windows 10 version 1809.

 ### Resolution

@ -292,11 +292,11 @@ For information about the procedure to use policy together with BitLocker and In

 Intune offers the following enforcement types for BitLocker:

- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later, or Windows 11.)
- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later, or Windows 11.)
- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803, or Windows 11.)
+- **Automatic** (Enforced when the device joins Azure AD during the provisioning process. This option is available in Windows 10 version 1703 and later, or Windows 11.)
+- **Silent** (Endpoint protection policy. This option is available in Windows 10 version 1803 and later, or Windows 11.)
+- **Interactive** (Endpoint policy for Windows versions that are older than Windows 10 version 1803, or Windows 11.)

-If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.
+If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption.

 If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following:

@ -306,25 +306,25 @@ The OMA-URI references for these settings are as follows:

 - OMA-URI: **./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption**  
   Value Type: **Integer**  
-   Value: **1**  (1 = Require, 0 = Not Configured)
+   Value: **1**  (1 = Require, 0 = Not Configured)

 - OMA-URI: **./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption**  
   Value Type: **Integer**  
   Value: **0** (0 = Blocked, 1 = Allowed)  

 > [!NOTE]
-> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.
+> Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant.

 > [!NOTE]
 > If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard.  

-If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.  
+If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard.  

 The Intune 1901 release provides settings that you can use to configure automatic device encryption for Autopilot devices for standard users. Each device must meet the following requirements:

 - Be HSTI-compliant
 - Support Modern Standby
- Use Windows 10 version 1803 or later, or Windows 11
+- Use Windows 10 version 1803 or later, or Windows 11

 ![Intune policy setting.](./images/4509188-en-1.png)

--- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
@ -4,9 +4,9 @@ description: Describes several known issues that you may encounter while using n
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: v-tappelgate
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.reviewer: kaushika
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md
@ -5,14 +5,14 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: 
  - Windows Security Technologies\BitLocker
  - highpri
 ms.topic: troubleshooting
-ms.date: 10/18/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -37,7 +37,7 @@ The BitLocker and Active Directory Domain Services (AD DS) FAQ address situation

 ## The recovery password for a laptop was not backed up, and the laptop is locked

-You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.
+You have a Windows 11 or Windows 10 Home-based laptop, and you have to recover its hard disk. The disk was encrypted by using BitLocker Driver Encryption. However, the BitLocker recovery password was not backed up, and the usual user of the laptop is not available to provide the password.

 ### Resolution

@ -47,7 +47,7 @@ You can use either of the following methods to manually back up or synchronize a

 - In an elevated Command Prompt window, use the [manage-bde](/windows-server/administration/windows-commands/manage-bde) command to back up the information.

-   For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:
+   For example, to back up all of the recovery information for the C: drive to AD DS, open an elevated Command Prompt window and run the following command:

   ```console
   manage-bde -protectors -adbackup C:
@ -69,11 +69,11 @@ However, after you enter the recovery password, the device cannot start.
 ### Cause

 > [!IMPORTANT]
-> Tablet devices do not support the **manage-bde -forcerecovery** command.
+> Tablet devices do not support the **manage-bde -forcerecovery** command.

 This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input.

-If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.
+If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting.

 This behavior is by design for all versions of Windows.

@ -88,7 +88,7 @@ To resolve the restart loop, follow these steps:
 1. In the Command Prompt window, run the following commands:

   ```console
-   manage-bde –unlock C: -rp <48-digit BitLocker recovery password>
+   manage-bde -unlock C: -rp <48-digit BitLocker recovery password>
   manage-bde -protectors -disable C:

   ```
@ -105,8 +105,8 @@ You have a Surface device that has BitLocker drive encryption turned on. You upd

 You experience one or more of the following symptoms on the Surface device:

- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn’t start up.
- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
+- At startup, you are prompted for your BitLocker recovery password. You enter the correct recovery password, but Windows doesn't start up.
+- Startup progresses directly into the Surface Unified Extensible Firmware Interface (UEFI) settings.
 - The Surface device appears to be in an infinite restart loop.

 ### Cause
@ -185,13 +185,13 @@ To recover data from your Surface device if you cannot start Windows, follow ste
 1. After the drive is unlocked, use the **copy** or **xcopy** command to copy the user data to another drive.  

   > [!NOTE]
-   > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
+   > For more information about the these commands, see the [Windows commands](/windows-server/administration/windows-commands/windows-commands).
  
 1. To reset your device by using a Surface recovery image, follow the instructions in the "How to reset your Surface using your USB recovery drive" section in [Creating and using a USB recovery drive](https://support.microsoft.com/help/4023512).  

 #### Step 3: Restore the default PCR values

-To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.
+To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values.

 To enable secure boot on a Surface device, follow these steps:

@ -216,7 +216,7 @@ To enable secure boot on a Surface device, follow these steps:

 To reset the PCR settings on the TPM, follow these steps:

-1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.  
+1. Disable any Group Policy Objects that configure the PCR settings, or remove the device from any groups that enforce such policies.  

   For more information, see [BitLocker Group Policy settings](./bitlocker-group-policy-settings.md).

@ -265,7 +265,7 @@ To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLock

 ## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000

-You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.
+You have a device that runs Windows 11, Windows 10, version 1703, Windows 10, version 1607, or Windows Server 2016. Also, Hyper-V is enabled on the device. After you install an affected update and restart the device, the device enters BitLocker Recovery mode and you see error code 0xC0210000.

 ### Workaround

@ -282,7 +282,7 @@ If your device is already in this state, you can successfully start Windows afte
 1. In the Command Prompt window, run the following commands:

   ```console
-   Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
+   Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by "-" in 6 digit group>
   Manage-bde -protectors -disable c:
   exit
   ```
@ -290,7 +290,7 @@ If your device is already in this state, you can successfully start Windows afte
   These commands unlock the drive and then suspend BitLocker by disabling the TPM protectors on the drive. The final command closes the Command Prompt window.

   > [!NOTE]
-   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.
+   > These commands suspend BitLocker for one restart of the device. The **-rc 1** option works only inside the operating system and does not work in the recovery environment.

 1. Select **Continue**. Windows should start.

@ -313,12 +313,12 @@ Manage-bde -protectors -disable c: -rc 1

 To resolve this issue, install the appropriate update on the affected device:  

- For Windows 10, version 1703, or Windows 11: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
- For Windows 11, Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)
+- For Windows 10, version 1703, or Windows 11: [July 9, 2019—KB4507450 (OS Build 15063.1928)](https://support.microsoft.com/help/4507450/windows-10-update-kb4507450)
+- For Windows 11, Windows 10, version 1607 and Windows Server 2016: [July 9, 2019—KB4507460 (OS Build 14393.3085)](https://support.microsoft.com/help/4507460/windows-10-update-kb4507460)

 ## Credential Guard/Device Guard on TPM 1.2: At every restart, BitLocker prompts for the recovery password and returns error 0xC0210000

-You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Windows 11. Also, the device uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.
+You have a device that uses TPM 1.2 and runs Windows 10, version 1809, or Windows 11. Also, the device uses [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) features such as [Device Guard and Credential Guard](/windows-hardware/drivers/bringup/device-guard-and-credential-guard). Every time that you start the device, the device enters BitLocker Recovery mode and you see error code 0xc0210000, and a message that resembles the following.

 > Recovery
 > 
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md
@ -5,12 +5,12 @@ ms.reviewer: kaushika
 ms.technology: itpro-security
 ms.prod: windows-client
 ms.localizationpriority: medium
-author: Teresa-Motiv
-ms.author: v-tappelgate
-manager: kaushika
+author: frankroj
+ms.author: frankroj
+manager: aaroncz
 ms.collection: Windows Security Technologies\BitLocker
 ms.topic: troubleshooting
-ms.date: 10/18/2019
+ms.date: 11/08/2022
 ms.custom: bitlocker
 ---

@ -38,7 +38,7 @@ Additionally, the computer logs the following entry for Event ID 1026:
 > User: SYSTEM  
 > Computer: \<Computer name\>  
 > Description:  
-> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.  
+> The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start-\>tpm.msc) and use the action to make the TPM ready.  
 > Error: The TPM is defending against dictionary attacks and is in a time-out period.  
 > Additional Information: 0x840000  

@ -64,7 +64,7 @@ To resolve this issue, follow these steps to troubleshoot the TPM:

 ## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use

-You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message:
+You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message:

 > Loading the management console failed. The device that is required by the cryptographic provider is not ready for use.  
 > HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY  
@ -101,8 +101,8 @@ This issue may occur when the Windows operating system isn't the owner of the TP
 |Message |Reason | Resolution|
 | - | - | - |
 |NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. |
-|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
-|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
+|TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
+|TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. |
 |NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. |

 For more information about TPM issues, see the following articles: