From 2b3d41e0c5945192efc7b208776f58307a6801d6 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Fri, 11 Sep 2020 19:10:56 +0530
Subject: [PATCH 01/19] Update prep-bl-policies-4457208

---
 ...ion-for-bitlocker-planning-and-policies.md | 76 ++++++++++---------
 1 file changed, 39 insertions(+), 37 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index baa25d7cf6..d42faca138 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -24,9 +24,9 @@ ms.custom: bitlocker
 
 - Windows 10
 
-This topic for the IT professional explains how can you plan your BitLocker deployment.
+This topic explains how to plan your BitLocker deployment.
 
-When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics will help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems.
+When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems.
 
 ## Audit your environment
 
@@ -36,7 +36,7 @@ Use the following questions to help you document your organization's current dis
 
 1. Are there policies to address which computers will use BitLocker and which computers will not use BitLocker?
 2. What policies exist to control recovery password and recovery key storage?
-3. What are the policies for validating the identity of users that need to perform BitLocker recovery?
+3. What are the policies for validating the identity of users who need to perform BitLocker recovery?
 4. What policies exist to control who in the organization has access to recovery data?
 5. What policies exist to control computer decommissioning or retirement?
 
@@ -51,17 +51,18 @@ The trusted platform module (TPM) is a hardware component installed in many newe
 
 In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
 
-On computers that do not have a TPM version 1.2 or higher, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
+On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
 ### BitLocker key protectors
 
 | Key protector | Description |
 | - | - |
-| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM version 1.2 or higher.|
+| TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
 | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
 | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
 | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
-| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard, if the numbers on the normal keyboard are not responding you can always use the function keys (F1-F10) to input the numbers.|
+**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type**
+| Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.|
 | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
 
 ### BitLocker authentication methods
@@ -69,24 +70,25 @@ On computers that do not have a TPM version 1.2 or higher, you can still use Bi
 | Authentication method | Requires user interaction | Description |
 | - | - | - |
 | TPM only| No| TPM validates early boot components.|
-| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM will enter lockout if the incorrect PIN is entered repeatedly to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
+| TPM + PIN | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
 | TPM + Network key | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
 | TPM + startup key| Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
 | Startup key only | Yes| The user is prompted to insert the USB flash drive that holds the recovery key and/or startup key and reboot the computer.|
 
-**Will you support computers without TPM version 1.2 or higher?**
+**Will you support computers without TPM 1.2 or higher versions?**
 
-Determine whether you will support computers that do not have a TPM version 1.2 or higher in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication.
+Determine whether you will support computers that do not have a TPM 1.2 or higher versions in your environment. If you choose to support BitLocker on this type of computer, a user must use a USB startup key to boot the system. This requires additional support processes similar to multifactor authentication.
 
 **What areas of your organization need a baseline level of data protection?**
 
-The TPM-only authentication method will provide the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
+The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
+**Question: Does reboot unattended imply reboot automatically?**
 
 However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection.
 
 **What areas of your organization need a more secure level of data protection?**
 
-If there are areas of your organization where data residing on user computers is considered highly-sensitive, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
+If there are areas of your organization in which user systems with highly sensitive data are found, consider the best practice of deploying BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. You can also use BitLocker Network Unlock feature to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
 
 **What multifactor authentication method does your organization prefer?**
 
@@ -94,23 +96,23 @@ The protection differences provided by multifactor authentication methods cannot
 
 ## TPM hardware configurations
 
-In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice, so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
+In your deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM of your choice so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
 
 ### TPM 1.2 states and initialization
 
-For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM.
+For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM that is then brought to an enabled, activated, and owned state. This is the state that BitLocker requires before it can use the TPM.
 
 ### Endorsement keys
 
-For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.
+For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker forces the TPM to generate one automatically as part of BitLocker setup.
 
-An endorsement key can be created at various points in the TPM’s lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken.
+An endorsement key can be created at various points in the TPM’s lifecycle, but it needs to be created only once for the lifetime of the TPM. If an endorsement key does not exist for the TPM, it must be created before TPM ownership can be taken.
 
 For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (<https://go.microsoft.com/fwlink/p/?linkid=69584>).
 
 ## Non-TPM hardware configurations
 
-Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key.
+Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker-protected using a startup password, and PCs without a TPM can use a startup key.
 
 Use the following questions to identify issues that might affect your deployment in a non-TPM configuration:
 
@@ -118,16 +120,16 @@ Use the following questions to identify issues that might affect your deployment
 - Do you have budget for USB flash drives for each of these computers?
 - Do your existing non-TPM devices support USB devices at boot time?
 
-Test your individual hardware platforms with the BitLocker system check option while you are enabling BitLocker. The system check will ensure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material.
+Test your individual hardware platforms with the **BitLocker system check** option while you are enabling BitLocker. The system check ensures that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives cannot act as a block storage device and cannot be used to store the BitLocker recovery material.
 
 ## Disk configuration considerations
 
 To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements:
 
-- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
-- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms the system partition must be formatted with the FAT 32 file system. On BIOS platforms the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size
+- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system.
+- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
 
-Windows setup will automatically configure the disk drives of your computer to support BitLocker encryption.
+Windows setup automatically configures the disk drives of your computer to support BitLocker encryption.
 
 Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE in conjunction with BitLocker, the Windows RE boot image must reside on a volume that is not protected by BitLocker.
 
@@ -135,29 +137,29 @@ Windows RE can also be used from boot media other than the local hard disk. If y
 
 ## BitLocker provisioning
 
-In Windows Vista and Windows 7, BitLocker was provisioned post installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires that the computer have a TPM.
+In Windows Vista and Windows 7, BitLocker was provisioned post-installation for system and data volumes through either the manage-bde command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be easily provisioned before the operating system is installed. Preprovisioning requires the computer to have a TPM.
 
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, manage-bde tool or WMI APIs to add an appropriate key protector and the volume status will be updated.
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet or Windows Explorer. A status of "Waiting For Activation" with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not protected and needs to have a secure key added to the it before the drive is considered fully protected. Administrators can use the Control Panel options, manage-bde tool or WMI APIs to add an appropriate key protector, and the volume status will be updated.
 
-When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented prior to changing the volume status.
+When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status.
 
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option this step takes only a few seconds and so incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes.
 
 ## Used Disk Space Only encryption
 
-The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption.
+The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption.
 
 Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, you are asked to choose the drive encryption type, either Used Disk Space Only or Full drive encryption.
 
-Used Disk Space Only means that only the portion of the drive that contains data will be encrypted, unused space will remain unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method as data is added to the drive the portion of the drive used will be encrypted, so there is never unencrypted data stored on the drive.
+Used Disk Space Only means that only the portion of the drive that contains data is encrypted, and that the unused space remains unencrypted. This causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method on data being added to the drive, the portion of the drive used is encrypted; thus, there is never unencrypted data stored on the drive.
 
-Full drive encryption means that the entire drive will be encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and may contain data remnants from their previous use.
+Full drive encryption means that the entire drive is encrypted, regardless of whether data is stored on it or not. This is useful for drives that have been repurposed and that may contain data remnants from their previous use.
 
 ## Active Directory Domain Services considerations
 
-BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting for each drive type to enable backup of BitLocker recovery information:
+BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information:
 
-Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker protected drives can be recovered.
+<b>Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\</b>Choose how BitLocker-protected drives can be recovered.
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
 
@@ -169,28 +171,28 @@ The following recovery data is saved for each computer object:
 
 - **Key package data**
 
-    With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
+    With this key package and the recovery password, you will be able to decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
 
 ## FIPS support for recovery password protector
 
-Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode.
+Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLocker to be fully functional in FIPS mode.
 
 > [!NOTE]
-> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. federal government. The FIPS 140 standard defines approved cryptographic algorithms. The FIPS 140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS 140 standard. An implementation of a cryptographic algorithm is considered FIPS 140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
+> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
 
 Prior to these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [kb947249](https://support.microsoft.com/kb/947249).
 
 But on computers running these supported systems with BitLocker enabled:
 
-- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS 140 NIST SP800-132 algorithm.
+- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm.
 - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
-- Recovery unlock using the FIPS-compliant algorithm based recovery password protector work in all cases that currently work for recovery passwords.
-- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
+- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**.
+- When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode.
 - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
 
-The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPs mode or not.
+The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not.
 
-However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; so recovery keys should be used instead.
+However, you cannot use recovery passwords generated on a system in FIPS mode for systems earlier than Windows Server 2012 R2 and Windows 8.1. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; therefore, recovery keys should be used, instead.
 
 ## More information
 

From 9f8bee674ba7a9785d7840b5f92aa9a1884b124b Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Fri, 11 Sep 2020 19:17:31 +0530
Subject: [PATCH 02/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index d42faca138..f523d4f8af 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -127,7 +127,7 @@ Test your individual hardware platforms with the **BitLocker system check** opti
 To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements:
 
 - The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system.
-- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
+- The system partition (or boot partition) contains the files that are needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker is not enabled on this partition. For BitLocker to work, the system partition must not be encrypted and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32 file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
 
 Windows setup automatically configures the disk drives of your computer to support BitLocker encryption.
 

From 00bb28ce0573afef9496ea6c6e7776ce4794de01 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Fri, 9 Oct 2020 18:04:42 +0530
Subject: [PATCH 03/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index f523d4f8af..180cf50eeb 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -54,7 +54,6 @@ In addition, BitLocker offers the option to lock the normal startup process unti
 On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
 ### BitLocker key protectors
-
 | Key protector | Description |
 | - | - |
 | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|

From ca6095f38e463d44bc5c07ecaf5e279ae4f32e94 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Fri, 9 Oct 2020 18:19:16 +0530
Subject: [PATCH 04/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...pare-your-organization-for-bitlocker-planning-and-policies.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 180cf50eeb..f523d4f8af 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -54,6 +54,7 @@ In addition, BitLocker offers the option to lock the normal startup process unti
 On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
 ### BitLocker key protectors
+
 | Key protector | Description |
 | - | - |
 | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|

From 74ad1a5f45a5990fc03a657f8686111ebc28ce76 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Mon, 12 Oct 2020 14:08:03 +0530
Subject: [PATCH 05/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index f523d4f8af..55ea45f733 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -55,7 +55,7 @@ On computers that do not have TPM 1.2 or higher versions, you can still use BitL
 
 ### BitLocker key protectors
 
-| Key protector | Description |
+|**Key protector** | **Description** |
 | - | - |
 | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
 | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|

From b517200777225f3183aea2fa84eaad31bfd957df Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Mon, 12 Oct 2020 14:22:16 +0530
Subject: [PATCH 06/19] Update prepare-your-organization

Corrected the suggestion for PR3770
---
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index f523d4f8af..fc7c0430c3 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -54,14 +54,12 @@ In addition, BitLocker offers the option to lock the normal startup process unti
 On computers that do not have TPM 1.2 or higher versions, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume it from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
 
 ### BitLocker key protectors
-
 | Key protector | Description |
 | - | - |
 | TPM | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
 | PIN | A user-entered numeric key protector that can only be used in addition to the TPM.|
 | Enhanced PIN | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
 | Startup key | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or in conjunction with a TPM for added security.|
-**Question:Is the conjunction with a TPM on TPM-enabled computers? The flow of the sentence requires the mention of the computer type**
 | Recovery password | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.|
 | Recovery key| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
 

From 0c00e7a77e799755f664d7ad3b440faede956526 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Thu, 22 Oct 2020 15:33:06 +0530
Subject: [PATCH 07/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...-your-organization-for-bitlocker-planning-and-policies.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index fc7c0430c3..02a573b441 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -80,7 +80,6 @@ Determine whether you will support computers that do not have a TPM 1.2 or highe
 **What areas of your organization need a baseline level of data protection?**
 
 The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
-**Question: Does reboot unattended imply reboot automatically?**
 
 However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components, but the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker’s multifactor authentication methods significantly increase the overall level of data protection.
 
@@ -141,7 +140,7 @@ To check the BitLocker status of a particular volume, administrators can look at
 
 When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then, the drive security window is presented prior to changing the volume status.
 
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process (**Question: Is the change made to this sentence complying the intended meaning?**. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment (WinPE). This is done with a randomly generated clear key protector being applied to the formatted volume and made to encrypt the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, this step takes only a few seconds, and therefore, incorporates well into regular deployment processes.
 
 ## Used Disk Space Only encryption
 
@@ -184,7 +183,7 @@ But on computers running these supported systems with BitLocker enabled:
 
 - FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm.
 - Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
-- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords (**Question: Is this edited sentence conveying the intended meaning?**.
+- Recovery unlock using the FIPS-compliant algorithm-based recovery password protector works in all cases that currently work for recovery passwords.
 - When FIPS-compliant recovery passwords unlock volumes, the volume is allowed read/write access even while in FIPS mode.
 - FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
 

From 7bced2ce10c3a170e5e17cdc29eec29491494ad1 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Thu, 4 Mar 2021 11:54:40 +0530
Subject: [PATCH 08/19] Update bitlocker-basic-deployment.md

---
 .../bitlocker/bitlocker-basic-deployment.md                    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 23047bf7f1..fcf11cf7d8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -110,9 +110,8 @@ The following table shows the compatibility matrix for systems that have been Bi
 
 Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
 
-|||||
-|--- |--- |--- |--- |
 |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7|
+|--- |--- |--- |--- |
 |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
 |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
 |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|

From d521d9e93347e998f52c548de9c527571ab58896 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Sun, 7 Mar 2021 14:53:10 +0530
Subject: [PATCH 09/19] Update bitlocker-basic-deployment.md

---
 .../bitlocker/bitlocker-basic-deployment.md                 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index fcf11cf7d8..c0a736e299 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -55,9 +55,11 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
 |--- |--- |
 |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
 |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
-|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
+|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as:
+- verification of the integrity of the system before it is booted
+- multifactor authentication.|
 |BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li>  <li> The firmware must be able to read from a USB flash drive during startup.</li>|
-|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
+|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
 |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
 
 Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.

From 9d80f4d9e23db9f1f12cff95a4890001a6141999 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Tue, 9 Mar 2021 11:29:12 +0530
Subject: [PATCH 10/19] Update bitlocker-basic-deployment.md

---
 .../bitlocker/bitlocker-basic-deployment.md                   | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 2146b82940..05e8f44ec6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -55,9 +55,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
 |--- |--- |
 |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
 |Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
-|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as:
-- verification of the integrity of the system before it is booted
-- multifactor authentication.|
+|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM is not required for BitLocker; however, only a computer with a TPM can provide security such as (a) verification of the integrity of the system prior to its booting, and (b) multifactor authentication.|
 |BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li>  <li> The firmware must be able to read from a USB flash drive during startup.</li>|
 |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
 |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|

From 6f2fa0d82e9fe78cc6540a00d50d3255e8a9948c Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Tue, 13 Sep 2022 15:31:12 +0530
Subject: [PATCH 11/19] fixed the warnings

---
 .../bitlocker/bitlocker-basic-deployment.md                    | 2 +-
 .../bitlocker-device-encryption-overview-windows-10.md         | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 05e8f44ec6..06f1349062 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -111,7 +111,7 @@ The following table shows the compatibility matrix for systems that have been Bi
 Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
 
 |Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7|
-|--- |--- |--- |--- |
+|---|---|---|---|
 |Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
 |Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
 |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index af220e5c22..03b03a3499 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -19,8 +19,7 @@ ms.custom: bitlocker
 
 # Overview of BitLocker Device Encryption in Windows 10
 
-**Applies to**
--   Windows 10
+**Applies to:** Windows 10
 
 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. 
 For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). 

From a1df887f6671944604df056b6dfebe5b43f1bc60 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Fri, 16 Sep 2022 12:58:01 +0530
Subject: [PATCH 12/19] resolved comments

---
 .../bitlocker-device-encryption-overview-windows-10.md          | 2 +-
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index e0d12cc32a..20fe2b176d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -19,7 +19,7 @@ ms.custom: bitlocker
 **Applies to**
 -   Windows 10
 -   Windows 11
--   Windows Server 2016 and above 
+-   Windows Server 2016 and later 
 
 This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). 
 
diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index ff944581f9..1b77d14e1c 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -155,7 +155,7 @@ With Full drive encryption, the entire drive is encrypted, whether data is store
 
 BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information:
 
-<b>Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\</b>Choose how BitLocker-protected drives can be recovered.
+Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\*drive type*\\Choose how BitLocker-protected drives can be recovered.
 
 By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
 

From e2e3e10af45e911f0ef1c473d3dbb1c4b3766625 Mon Sep 17 00:00:00 2001
From: Thorsten Sauter <Thorsten.Sauter@gmail.com>
Date: Sun, 25 Sep 2022 04:47:48 -0700
Subject: [PATCH 13/19] Fixed broken link in Hello Planning Guide

This fixes the broken link in the WHFB Planning Guide. The link text is the title of the page being linked to.
---
 .../hello-for-business/hello-planning-guide.md                | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 32137c8e75..e48d058b7b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md.
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md).
 
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
@@ -349,4 +349,4 @@ If boxes **2a** or **2b** read **modern management** and you want devices to aut
 
 ## Congratulations, You're Done
 
-Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.
\ No newline at end of file
+Your Windows Hello for Business planning worksheet should be complete.  This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used.  The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment.  With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment.

From 30c45fba094b1c47ad39c149aee8021237df2d53 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Mon, 3 Oct 2022 16:57:03 +0530
Subject: [PATCH 14/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 1b77d14e1c..8df6789baa 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -23,7 +23,7 @@ ms.custom: bitlocker
 - Windows 11
 - Windows Server 2016 and above
 
-This topic explains how to plan your BitLocker deployment.
+This topic for the IT professional explains how to plan BitLocker deployment.
 
 When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems.
 

From ed4741461d61a6285098c8393990edfb8b1847b2 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Mon, 3 Oct 2022 17:03:26 +0530
Subject: [PATCH 15/19] Update
 prepare-your-organization-for-bitlocker-planning-and-policies.md

---
 ...are-your-organization-for-bitlocker-planning-and-policies.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
index 8df6789baa..9c7eba189e 100644
--- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ b/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
@@ -25,7 +25,7 @@ ms.custom: bitlocker
 
 This topic for the IT professional explains how to plan BitLocker deployment.
 
-When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following topics help you collect information that you can use to frame your decision-making process about deploying and managing BitLocker systems.
+When you design your BitLocker deployment strategy, define the appropriate policies and configuration requirements based on the business requirements of your organization. The following sections will help you collect information. Use this information to help with your decision-making process about deploying and managing BitLocker systems.
 
 ## Audit your environment
 

From 271bfaac7de979ed56b3a95d91721a6fa38f564f Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Mon, 3 Oct 2022 17:16:10 +0530
Subject: [PATCH 16/19] Update
 bitlocker-device-encryption-overview-windows-10.md

---
 .../bitlocker-device-encryption-overview-windows-10.md          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index 20fe2b176d..79e687ca90 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -21,7 +21,7 @@ ms.custom: bitlocker
 -   Windows 11
 -   Windows Server 2016 and later 
 
-This topic explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). 
+This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). 
 
 When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
 

From 470dbff85cef133da0e34c715ffeda79435e2dd2 Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Wed, 19 Oct 2022 15:09:07 +0530
Subject: [PATCH 17/19] Update essential-services-and-connected-experiences.md

---
 windows/privacy/essential-services-and-connected-experiences.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index cac24b1acb..70a53c988b 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
 | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft. <br/><br/>To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).|
 | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats. <br/><br/>Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date. <br/><br/>To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
 | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps. <br/><br/>To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
-|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](../client-management/mdm-overview) |
+|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) |
 
 ## Windows connected experiences
 

From 1c6dfd795ac57334d9a9e3531c507b351a3f640f Mon Sep 17 00:00:00 2001
From: Siddarth Mandalika <v-smandalika@microsoft.com>
Date: Wed, 19 Oct 2022 15:15:51 +0530
Subject: [PATCH 18/19] Update essential-services-and-connected-experiences.md

---
 windows/privacy/essential-services-and-connected-experiences.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 70a53c988b..cac24b1acb 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -44,7 +44,7 @@ Although enterprise admins can turn off most essential services, we recommend, w
 | Diagnostic Data | Microsoft collects diagnostic data including error data about your devices with the help of the telemetry service. Diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows behaves in the real world, focus on user priorities, find and fix problems, and improve services. This data allows Microsoft to improve the Windows experience. Setting diagnostic data to off means important information to help fix issues and improve quality won't be available to Microsoft. <br/><br/>To turn it off, see [Telemetry Services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#1816-feedback--diagnostics).|
 | Update | Windows Update ensures devices are kept up to date and secure by downloading the latest updates and security patches for Windows. This service also enables users to download apps from the Microsoft Store and keep them up to date. Turning off Windows Update will potentially leave your Windows devices in a vulnerable state and more prone to security threats. <br/><br/>Other services like Device metadata retrieval and Font streaming also ensure that the content on your devices is kept up to date. <br/><br/>To turn off updates, see [Windows Update](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#29-windows-update), [Device Metadata Retrieval](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#4-device-metadata-retrieval), and [Font Streaming](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#6-font-streaming).|
 | Microsoft Store | Microsoft Store enables users to purchase and download apps, games, and digital content. The Store also enables the developers of these apps to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to store apps in a power-efficient and dependable way. The Store can also revoke malicious apps. <br/><br/>To turn it off, see [Microsoft Store](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services#26-microsoft-store).|
-|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](../client-management/mdm-overview.md#mobile-device-management-overview) |
+|Device Management |Device management includes Mobile Device Management (MDM), which helps IT pros manage company security policies and business applications. A built-in management component can communicate with the management server. If this is turned off, the device may no longer be compliant with company policy and the user might lose access to company resources.<br/><br/> [Learn more about Mobile Device Management](../client-management/mdm-overview) |
 
 ## Windows connected experiences
 

From 0d506dc8909fbf18f3e85471f0fa6d70f8b743ba Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 19 Oct 2022 09:26:54 -0400
Subject: [PATCH 19/19] removed #preview

---
 .../hello-for-business/hello-planning-guide.md                  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index e48d058b7b..a50d39c2dc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust.
 
 > [!NOTE]
-> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment (Preview)](./hello-hybrid-cloud-kerberos-trust.md).
+> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Hybrid Cloud Kerberos Trust Deployment](./hello-hybrid-cloud-kerberos-trust.md).
 
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.