Merge branch 'main' into release-mcc-ent

windows/deployment/TOC.yml

@@ -13,6 +13,8 @@
           href: update/release-cycle.md
         - name: Basics of Windows updates, channels, and tools
           href: update/get-started-updates-channels-tools.md
+        - name: Defining Windows update-managed devices
+          href: update/update-managed-unmanaged-devices.md
         - name: Prepare servicing strategy for Windows client updates
           href: update/waas-servicing-strategy-windows-10-updates.md
         - name: Deployment proof of concept
@@ -113,7 +115,7 @@
             - name: Deploy updates with Group Policy
               href: update/waas-wufb-group-policy.md
             - name: Deploy updates using CSPs and MDM
-              href: update/waas-wufb-csp-mdm.md              
+              href: update/waas-wufb-csp-mdm.md
             - name: Update Windows client media with Dynamic Update
               href: update/media-dynamic-update.md
             - name: Migrating and acquiring optional Windows content
@@ -377,7 +379,7 @@
         - name: Delivery Optimization reference
           href: do/waas-delivery-optimization-reference.md?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json
         - name: FoD and language packs for WSUS and Configuration Manager
-          href: update/fod-and-lang-packs.md         
+          href: update/fod-and-lang-packs.md
         - name: Windows client in S mode
           href: s-mode.md
         - name: Switch to Windows client Pro or Enterprise from S mode

windows/deployment/update/update-managed-unmanaged-devices.md

@@ -0,0 +1,71 @@
+---
+title: Defining Windows update-managed devices
+description: This article provides clarity on the terminology and practices involved in managing Windows updates for both managed and unmanaged devices.
+ms.service: windows-client
+ms.subservice: itpro-updates
+ms.topic: overview
+ms.date: 06/25/2024
+author: mikolding
+ms.author: v-mikolding
+ms.reviewer: mstewart,thtrombl,v-fvalentyna,arcarley
+manager: aaroncz
+ms.localizationpriority: medium
+appliesto:
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
+- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
+---
+
+# Defining Windows update-managed devices
+
+As an IT administrator, understanding the differences between managed and unmanaged devices is crucial for effective Windows update management. This article provides clarity on the terminology and practices involved in managing Windows updates for both types of devices.
+
+## What are update-managed Windows devices?
+
+Update-managed devices are those where an IT administrator or organization controls Windows updates through a management tool, such as Microsoft Intune, or by directly setting policies. You can directly set policies with group policy objects (GPO), configuration service provider (CSP) policies, or Microsoft Graph.
+
+> [!NOTE]
+> This definition is true even if you directly set registry keys. However, we don't recommended doing this action because registry keys can be easily overwritten.
+
+Managed devices can include desktops, laptops, tablets, servers, and manufacturing equipment. These devices are secured and configured according to your organization's standards and policies.
+
+### IT-managed: Windows update offering
+
+Devices are considered Windows update-managed if you manage the update offering in the following ways:
+
+- You configure policies to manage which updates are offered to the specific device.
+- You set when your organization should receive feature, quality, and driver updates, among others.
+- You use [group policy objects (GPO)](/windows/deployment/update/waas-wufb-group-policy), [configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update#update-allowupdateservice), or [Microsoft Graph](/windows/deployment/update/deployment-service-overview) to configure these offerings.
+
+### IT-managed: Windows update experience
+
+Devices are considered Windows update-managed if you use policies (GPO, CSP, or Microsoft Graph) to manage device behavior when taking Windows updates.
+
+Examples of controllable device behavior include active hours, update grace periods and deadlines, update notifications, update scheduling, and more. Consult the complete list at [Update Policy CSP](/windows/client-management/mdm/policy-csp-update).
+
+## Examples of update-managed Windows devices
+
+Here are a few examples of update-managed devices:
+
+- **Company-owned devices:** Devices provisioned by your IT department with corporate credentials, configurations, and policies.
+- **Employee-owned devices in BYOD programs:** Personally owned devices that are enrolled in the company's device management system to securely access corporate resources.
+- **Devices provisioned through Windows Autopilot:** Devices that are set up and preconfigured to be business-ready right out of the box.
+- **Mandated security settings:** Devices with health requirements such as device encryption, PIN or strong password, specific inactivity timeout periods, and up-to-date operating systems.
+- **Intune-enrolled devices:** Devices enrolled in Microsoft Intune for network access and enforced security policies.
+- **Third-party managed devices:** Devices enrolled in non-Microsoft management tools with configured Windows update policies via GPO, CSP, or registry key.
+
+## What are update-unmanaged Windows devices?
+
+Unlike update-managed devices, unmanaged devices aren't controlled through policies, management tools, or software. These devices aren't enrolled in tools like Microsoft Intune or Configuration Manager. If you only configure the Settings page to control overall device behavior when taking updates, it's considered an unmanaged device.
+
+> [!NOTE]
+> The term "Microsoft managed devices" used to refer to what we now call "update unmanaged Windows devices." Based on feedback, we have updated our terminology for clarity.
+
+## Examples of update-unmanaged Windows devices
+
+Examples of update-unmanaged devices include:
+
+- **Personal devices:** Devices owned by individuals at your organization that aren't enrolled in any corporate management system.
+- **BYOD devices not enrolled in management programs:** Devices used for work but not part of an organizational bring your own device (BYOD) program.
+- **Peripheral devices:** Devices like printers, IP phones, and uninterruptible power supplies (UPS) that can't accept centrally managed administrative credentials.
+
+For more information on managed and unmanaged devices, see [Secure managed and unmanaged devices](/microsoft-365/business-premium/m365bp-managed-unmanaged-devices).

windows/security/operating-system-security/data-protection/bitlocker/index.md

@@ -85,10 +85,11 @@ BitLocker has the following requirements:
 
 ## Device encryption
 
-*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
+*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access. Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
 
 > [!IMPORTANT]
-> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
+> Starting in Windows 11, version 24H2, the prerequisites of DMA and HSTI/Modern Standby are removed. As a result, more devices are eligible for automatic and manual device encryption.
+> For more information, see [BitLocker drive encryption in Windows 11 for OEMs](/windows-hardware/design/device-experiences/oem-bitlocker).
 
 Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
 

windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md

@@ -99,6 +99,14 @@ There are rules governing which hint is shown during the recovery (in the order
   :::image type="content" source="images/preboot-recovery-custom-url-single-backup.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL and the hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-custom-url-single-backup.png" border="false":::
   :::column-end:::
 :::row-end:::
+:::row:::
+  :::column span="2":::
+    Starting in Windows 11, version 24H2, the BitLocker preboot recovery screen includes the Microsoft account (MSA) hint, if the recovery password is saved to an MSA. This hint helps the user to understand which MSA account was used to store recovery key information.
+  :::column-end:::
+  :::column span="2":::
+  :::image type="content" source="images/bitlocker-recovery-screen-msa-backup-24h2.png" alt-text="Screenshot of the BitLocker recovery screen showing a Microsoft account hint where the BitLocker recovery key was saved." lightbox="images/bitlocker-recovery-screen-msa-backup-24h2.png" border="false":::
+  :::column-end:::
+:::row-end:::
 :::row:::
   :::column span="4":::
     #### Example: single recovery password in AD DS and single backup