diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 36c96ffa8d..fbc41ad17a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -266,7 +266,7 @@ ms.collection: highpri Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time. > [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -361,7 +361,7 @@ ADMX Info: Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -426,12 +426,12 @@ ADMX Info: The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. +- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. +- 5 - Turn off automatic updates. > [!IMPORTANT] @@ -536,8 +536,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. +- 0 - Not configured. +- 1 - Allowed. Accepts updates received through Microsoft Update. > [!NOTE] > Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:. @@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party The following list shows the supported values: -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. @@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. > [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. @@ -643,8 +643,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. +- 0 - Update service isn't allowed. +- 1 (default) - Update service is allowed. @@ -856,8 +856,8 @@ ADMX Info: The following list shows the supported values: -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. +- 1 (default) - Auto Dismissal. +- 2 - User Dismissal. @@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days. Supported values are 0-365 days. > [!IMPORTANT] -> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. @@ -1393,7 +1393,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify update delays for up to four weeks. @@ -1471,7 +1471,7 @@ ADMX Info: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. Allows IT Admins to specify other upgrade delays for up to eight months. @@ -1616,18 +1616,18 @@ The following list shows the supported values: -Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards. +Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards. Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience. The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update. -IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy. +IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy. > [!NOTE] > Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied. > -> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update. +> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. > > Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues. @@ -2069,8 +2069,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. +- 0 (default) - Allow Windows Update drivers. +- 1 - Exclude Windows Update drivers. @@ -2121,8 +2121,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Disabled. -- 1 – Enabled. +- 0 (default) - Disabled. +- 1 - Enabled. @@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. +- 0 (default) - Don't ignore MO download limit for apps and their updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates. @@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading) The following list shows the supported values: -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. +- 0 (default) - Don't ignore MO download limit for OS updates. +- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates. @@ -2312,7 +2312,7 @@ The following list shows the supported values: > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. @@ -2333,8 +2333,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. +- 0 (default) - Deferrals aren't paused. +- 1 - Deferrals are paused. @@ -2383,8 +2383,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. +- 0 (default) - Feature Updates aren't paused. +- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner. @@ -2476,8 +2476,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. +- 0 (default) - Quality Updates aren't paused. +- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. @@ -2580,7 +2580,7 @@ ADMX Info: -Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”. +Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10". @@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro > [!NOTE] -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to General Availability Channel train. @@ -2640,8 +2640,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – User gets upgrades from General Availability Channel (Targeted). -- 1 – User gets upgrades from General Availability Channel. +- 0 (default) - User gets upgrades from General Availability Channel (Targeted). +- 1 - User gets upgrades from General Availability Channel. @@ -2675,7 +2675,7 @@ The following list shows the supported values: > [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. @@ -2686,8 +2686,8 @@ Supported operations are Get and Replace. The following list shows the supported values: -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. +- 0 - Not configured. The device installs all applicable updates. +- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. @@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Allows the IT Admin to specify the period for autorestart warning reminder notifications. @@ -2839,14 +2839,14 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday +- 0 (default) - Every day +- 1 - Sunday +- 2 - Monday +- 3 - Tuesday +- 4 - Wednesday +- 5 - Thursday +- 6 - Friday +- 7 - Saturday @@ -3110,7 +3110,7 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education Enables the IT admin to schedule the time of the update installation. @@ -3178,8 +3178,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Enabled -- 1 – Disabled +- 0 (default) - Enabled +- 1 - Disabled @@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what Options: -- 0 (default) – Use the default Windows Update notifications -- 1 – Turn off all notifications, excluding restart warnings -- 2 – Turn off all notifications, including restart warnings +- 0 (default) - Use the default Windows Update notifications +- 1 - Turn off all notifications, excluding restart warnings +- 2 - Turn off all notifications, including restart warnings > [!IMPORTANT] > If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md index fa91e9823e..efba4330c5 100644 --- a/windows/client-management/mdm/update-ddf-file.md +++ b/windows/client-management/mdm/update-ddf-file.md @@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803. Roll back Latest Quality Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in a Paused State Condition 3: Device must have the Latest Quality Update installed on the device (Current State) If the conditions are not true, the device will not Roll Back the Latest Quality Update. @@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions: - Condition 1: Device must be WUfB Connected + Condition 1: Device must be Windows Update for Business connected Condition 2: Device must be in Paused State Condition 3: Device must have the Latest Feature Update Installed on the device (Current State) Condition 4: Machine should be within the uninstall period diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 5e5a751b1b..fc82f5a509 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -6809,7 +6809,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6823,7 +6823,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6864,7 +6864,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index bcfa0ba684..e660f2df49 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -8296,7 +8296,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8310,7 +8310,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8351,7 +8351,7 @@ The following fields are available: - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded @@ -9584,8 +9584,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 6d2cc70a0c..2dd8d27ae5 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -3627,7 +3627,7 @@ The following fields are available: - **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated. - **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications. - **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services). -- **IsDeviceWUFBManaged** If device is WUfB managed. +- **IsDeviceWUFBManaged** If device is Windows Update for Business managed. - **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft. - **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count. - **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device. @@ -6257,8 +6257,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -6374,7 +6374,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter counts the total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin @@ -8457,7 +8457,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -8472,7 +8472,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -8509,7 +8509,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index ee4c6b4726..084f8f8a9e 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -6328,7 +6328,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -6343,7 +6343,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -6380,7 +6380,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index 6a226268c2..b37678708d 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -5789,8 +5789,8 @@ The following fields are available: - **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU. - **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed. - **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed. -- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed. -- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed. +- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed. +- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed. - **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is. - **UnifiedInstallerPlatformType** The enum indicating the type of platform detected. - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. @@ -5917,7 +5917,7 @@ The following fields are available: - **CV** Correlation vector. - **GlobalEventCounter** The global event counter for counting total events for the provider. - **PackageVersion** The version for the current package. -- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership. +- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership. ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin @@ -7212,7 +7212,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** This is the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable @@ -7227,7 +7227,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Represents the device info. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted @@ -7270,7 +7270,7 @@ The following fields are available: - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. - **sacDevice** Device in the General Availability Channel. -- **wUfBConnected** Result of WUfB connection check. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index dfac592fab..1e29149153 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -1,5 +1,5 @@ --- -title: BitLocker basic deployment (Windows 10) +title: BitLocker basic deployment description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.reviewer: @@ -32,9 +32,9 @@ This article for the IT professional explains how BitLocker features can be used ## Using BitLocker to encrypt volumes -BitLocker provides full volume encryption (FVE) for operating system volumes, as well as fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. +BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems. -In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. +If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes. > [!NOTE] > For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference. @@ -43,43 +43,43 @@ BitLocker encryption can be done using the following methods: - BitLocker control panel - Windows Explorer -- manage-bde command-line interface +- `manage-bde` command-line interface - BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume -Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: +When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are: |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| -|Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|Hardware TPM|TPM version 1.2 or 2.0.

A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| -Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. -Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. +Upon passing the initial configuration, users are required to enter a password for the volume. If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. +Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer can't access the drive. -You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you are not encrypting. You cannot save the recovery key to the root directory of a non-removable drive and cannot be stored on the encrypted volume. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. +You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: - Encrypt used disk space only - Encrypts only disk space that contains data - Encrypt entire drive - Encrypts the entire volume including free space -It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. +It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option. > [!NOTE] -> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. +> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. +Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. @@ -88,10 +88,10 @@ Until encryption is completed, the only available options for managing BitLocker ### Data volume Encrypting data volumes using the BitLocker control panel interface works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the control panel to begin the BitLocker Drive Encryption wizard. -Unlike for operating system volumes, data volumes are not required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. +Unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the wizard to proceed. Upon launching the wizard, a choice of authentication methods to unlock the drive appears. The available options are **password** and **smart card** and **automatically unlock this drive on this computer**. Disabled by default, the latter option will unlock the data volume without user input when the operating system volume is unlocked. After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. -With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it is recommended that used space only encryption is selected. +With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption. @@ -99,7 +99,7 @@ Encryption status displays in the notification area or within the BitLocker cont ### OneDrive option -There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. +There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. @@ -152,7 +152,7 @@ manage-bde -on C: **Enabling BitLocker with a TPM only** -It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: +It's possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: `manage-bde -on C:` @@ -257,9 +257,9 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` -### Using a SID-based protector in Windows PowerShell +### Using an SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster. +The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. > [!WARNING] > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. @@ -280,7 +280,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > Use of this command requires the RSAT-AD-PowerShell feature. > [!TIP] -> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. +> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features. In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: @@ -302,11 +302,11 @@ Checking BitLocker status with the control panel is the most common method used | Status | Description | | - | - | | **On**|BitLocker is enabled for the volume | -| **Off**| BitLocker is not enabled for the volume | +| **Off**| BitLocker isn't enabled for the volume | | **Suspended** | BitLocker is suspended and not actively protecting the volume | | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| -If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume is not in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. +If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. @@ -350,7 +350,7 @@ Decrypting volumes removes BitLocker and any associated protectors from the volu BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process. Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel. -The control panel does not report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. +The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress. Once decryption is complete, the drive will update its status in the control panel and is available for encryption. @@ -370,9 +370,9 @@ manage-bde -status C: ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets -Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. +Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt. -Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: +Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is: ```powershell Disable-BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 83d1f263d5..c3f40de8e2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -18,11 +18,11 @@ ms.date: 02/28/2019 ms.custom: bitlocker --- -# BitLocker Management for Enterprises +# BitLocker management for enterprises -The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. +The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers. +Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. > [!IMPORTANT] @@ -44,27 +44,26 @@ For hardware that is compliant with Modern Standby and HSTI, when using either o This is applicable to Azure Hybrid AD as well. - ## Managing workplace-joined PCs and phones -For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. +For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. ## Managing servers -Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. +Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core. - Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). + Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).   ## PowerShell examples -For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory. +For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure AD. *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker* ```powershell diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index bb97981cfe..905d4ff2dd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ## Update -### Windows Update for Business (WUfB) +### Windows Update for Business -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). +Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). ### Windows Insider Program for Business diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 0afb63e954..f2f4dc5964 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. -### Windows Update for Business (WUfB) +### Windows Update for Business Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure). diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 41c5c84b1f..3b33b31e96 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903. -### Windows Update for Business (WUfB) +### Windows Update for Business -If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. +If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy. ## Security