diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption.md index 47e815ee11..a27714a6d9 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption.md 
@@ -42,24 +42,18 @@ Microsoft recommends automatically enabling BitLocker Device Encryption on any s - **Type**: `REG_DWORD` - **Value**: `PreventDeviceEncryption` equal to `1` (True) -Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. - > [!NOTE] > BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied. ## Used Disk Space Only encryption -BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused. - -To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent. 
+To reduce encryption time, BitLocker lets users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty aren't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent. Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk. ## Encrypted hard drive support -SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. - -Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements. +Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. 
This feature improves both drive and system performance by offloading cryptographic calculations from the device's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements. For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md). @@ -98,4 +92,4 @@ For more information about how to configure Network unlock feature, see [BitLock ## Microsoft BitLocker administration and monitoring -Enterprises can use Configuration Manager or the built-in features of Azure AD and Microsoft Intune for BitLocker administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor). +Enterprises can use Microsoft Entra ID, Microsoft Intune and Configuration Manager for BitLocker administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor). diff --git a/windows/security/operating-system-security/data-protection/bitlocker/manage.md b/windows/security/operating-system-security/data-protection/bitlocker/manage.md index 0f2d48b295..b0b5c97735 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/manage.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/manage.md 
@@ -498,7 +498,7 @@ manage-bde.exe -status C: #### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel) -BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process. +BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel applet, users can select the **Turn off BitLocker** option to begin the process.\ After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel. The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md similarity index 100% rename from windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md rename to windows/security/operating-system-security/data-protection/bitlocker/recovery-password-viewer.md
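Review bot: in the first hunk of bitlocker-device-encryption.md (the "Used Disk Space Only encryption" section), the added paragraph has a grammatical slip, "Areas of the disk that don't contain data and are empty aren't be encrypted."; drop "be" so it reads "aren't encrypted." The same hunk removes the only paragraph that names full disk encryption and explains why it is the safer choice for a drive that previously held confidential data; the surviving "Exercise caution when encrypting only used space..." sentence still describes the recovery risk but no longer tells the reader which option avoids it. Consider keeping one sentence such as "Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data" so the mitigation stays next to the warning.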
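Review bot: in the "Encrypted hard drive support" hunk, the retained sentence "If planning to use whole-drive encryption with Windows, Microsoft recommends researching..." has a dangling participle (it is Microsoft, not the reader, who ends up "planning"); "If you plan to use whole-drive encryption with Windows, research hard drive manufacturers and models..." reads cleanly. Removing the SED background paragraph also drops the only in-file statement that encrypted hard drives are self-encrypting drives with the key-management features BitLocker requires; that is acceptable only because the "For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md)" link remains, so please keep that link in place.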
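Review bot: in the last hunk of bitlocker-device-encryption.md, the heading "## Microsoft BitLocker administration and monitoring" still spells out the MBAM product name, while this same change deletes the MBAM paragraph earlier in the file and the replacement sentence lists only Microsoft Entra ID, Microsoft Intune and Configuration Manager; retitle the heading (for example "BitLocker administration and monitoring") so readers do not expect MBAM guidance under it. As a style point, the new list "Microsoft Entra ID, Microsoft Intune and Configuration Manager" would take a serial comma under the Microsoft style guide.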
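Review bot: in the manage.md hunk, the trailing backslash added after "...users can select the **Turn off BitLocker** option to begin the process.\" forces a Markdown hard line break, yet the text that follows ("After selecting the **Turn off BitLocker** option, the user chooses to continue...") starts a new step rather than continuing the same line of thought; a blank line starting a new paragraph is the usual convention here unless an intra-paragraph line break is deliberately intended. The wording changes ("will select" to "can select", "control panel" to "control panel applet") are fine.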
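Review bot: the rename of bitlocker-use-bitlocker-recovery-password-viewer.md to recovery-password-viewer.md is recorded at similarity index 100%, so the file content is unchanged, but any existing links to the old path (from other topics, the TOC, or external bookmarks) will now break; this diff contains no redirect entry and no updated cross-references for the old path. Add the redirect from the old file path to the new one and update in-repo links in the same change so the rename does not ship as a set of dead links.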