diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 7fa03fcf50..7e8ef47de3 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -845,7 +845,14 @@ The following diagram shows the BitLocker configuration service provider in tree ``` >[!NOTE] ->When the warning prompt is disabled, the recovery key is backed up to your AAD account. When the warning prompt is allowed, the user can select where to back up the recovery key for an OS drive, but for a Fixed drive we choose where the recovery key will be backed up. The endpoint for a Fixed drive's backup is a user account chossen in the order of AD first, then AAD, and finally the User's personal One-Drive (One-Drive is only applicable to MDM/MAM). Encryption will wait until one of these three locations backs up successfully. +>When you disable the warning prompt, the recovery key will back up to your AAD account. When you allow the warning prompt, the user can select where to back up the recovery key for an OS drive, but for a fixed drive we choose the endpoint for the recovery key's backup. +> +>The endpoint for a Fixed drive's backup is a user account chosen in following order: + >1. AD + >2. AAD + >3. The user's personal OneDrive (MDM/MAM only). +> +>Encryption will wait until one of these three locations backs up successfully. **AllowStandardUserEncryption** Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
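Review bot: The three added list items appear as ` >1. AD`, ` >2. AAD` and ` >3. The user's personal OneDrive (MDM/MAM only).` with a space before the `>`, unlike the other `>` lines of the `[!NOTE]` block, so the list may render outside the note or as a separate quote. Start each item at column one (`>1. AD`) so the backup order stays inside the note. In the lead-in to the list, "chosen in following order:" is missing "the", and that sentence writes "Fixed drive's" while the sentence before it now writes "fixed drive"; use one casing throughout. "the recovery key will back up to your AAD account" makes the key the actor; the removed wording "is backed up to" read more clearly. The closing sentence says encryption waits until one of the three locations backs up successfully but does not say what happens, or what the user sees, when none of them does; a sentence covering that case would help admins who rely on this order for key escrow.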