Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20231106-freshness

This commit is contained in:
Paolo Matarazzo 2023-11-06 16:34:03 -05:00
commit e3604c377e
148 changed files with 6251 additions and 5126 deletions


@ -532,7 +532,7 @@
}, },
{ {
"source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md", "source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10", "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -587,7 +587,7 @@
}, },
{ {
"source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md", "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan", "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -617,7 +617,7 @@
}, },
{ {
"source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md", "source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer", "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/manage-recovery-passwords#bitlocker-recovery-password-viewer",
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
@ -7414,6 +7414,71 @@
"source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml", "source_path": "windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml",
"redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq", "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq",
"redirect_document_id": false "redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure#$bitlocker-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure#bitlocker-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/countermeasures",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/recovery-process#bitlocker-recovery-password-viewer",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/network-unlock",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/plan",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/operations-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/csv-san",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/install-server",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
"redirect_document_id": false
} }
] ]
} }
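Review bot: The redirect_url for bitlocker-group-policy-settings.md carries a stray `$` in its fragment (`configure#$bitlocker-policy-settings`), so the redirect lands on the configure page but never scrolls to the policy-settings anchor; it should read `"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/configure#bitlocker-policy-settings",` exactly as the following entry does. The two Recovery Password Viewer redirects now diverge: the information-protection source path goes to `manage-recovery-passwords#bitlocker-recovery-password-viewer` while the operating-system-security source path goes to `recovery-process#bitlocker-recovery-password-viewer`, and only one of those pages presumably exists under the new layout, so one of the two is likely a dead link and they should be aligned. bitlocker-deployment-comparison.md is also routed to the policy-settings anchor, which looks like the wrong section for a deployment-method comparison; worth confirming the intended target before this ships.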


@ -15,7 +15,7 @@ metadata:
author: paolomatarazzo author: paolomatarazzo
ms.author: paoloma ms.author: paoloma
manager: aaroncz manager: aaroncz
ms.date: 08/07/2023 ms.date: 10/30/2023
highlightedContent: highlightedContent:
items: items:


@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/23/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -18,8 +18,6 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- BitLocker-Editable-Begin --> <!-- BitLocker-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro. The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
@ -39,7 +37,6 @@ The following list shows the BitLocker configuration service provider nodes:
- ./Device/Vendor/MSFT/BitLocker - ./Device/Vendor/MSFT/BitLocker
- [AllowStandardUserEncryption](#allowstandarduserencryption) - [AllowStandardUserEncryption](#allowstandarduserencryption)
- [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
- [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
- [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation) - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
- [EncryptionMethodByDriveType](#encryptionmethodbydrivetype) - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@ -148,64 +145,6 @@ To disable this policy, use the following SyncML:
<!-- Device-AllowStandardUserEncryption-End --> <!-- Device-AllowStandardUserEncryption-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Begin -->
## AllowSuspensionOfBitLockerProtection
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-AllowSuspensionOfBitLockerProtection-Applicability-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
```
<!-- Device-AllowSuspensionOfBitLockerProtection-OmaUri-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-Begin -->
<!-- Description-Source-DDF -->
This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
> [!WARNING]
> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection.
<!-- Device-AllowSuspensionOfBitLockerProtection-Description-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Editable-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- Device-AllowSuspensionOfBitLockerProtection-DFProperties-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
| 1 (Default) | This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. |
<!-- Device-AllowSuspensionOfBitLockerProtection-AllowedValues-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-AllowSuspensionOfBitLockerProtection-Examples-End -->
<!-- Device-AllowSuspensionOfBitLockerProtection-End -->
<!-- Device-AllowWarningForOtherDiskEncryption-Begin --> <!-- Device-AllowWarningForOtherDiskEncryption-Begin -->
## AllowWarningForOtherDiskEncryption ## AllowWarningForOtherDiskEncryption


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 06/02/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -772,52 +772,6 @@ Supported Values: String form of request ID. Example format of request ID is GUI
</MSFT:Applicability> </MSFT:Applicability>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>AllowSuspensionOfBitLockerProtection</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
The format is integer.
The expected values for this policy are:
0 = Prevent BitLocker Drive Encryption protection from being suspended.
1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:CspVersion>9.9</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Prevent BitLocker Drive Encryption protection from being suspended.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>Status</NodeName> <NodeName>Status</NodeName>
<DFProperties> <DFProperties>


@ -4,7 +4,7 @@ description: Learn more about the DeclaredConfiguration CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 09/27/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -110,7 +110,7 @@ The Host internal node indicates that the target of the configuration request or
<!-- Device-Host-Complete-Description-Begin --> <!-- Device-Host-Complete-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is. This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.
<!-- Device-Host-Complete-Description-End --> <!-- Device-Host-Complete-Description-End -->
<!-- Device-Host-Complete-Editable-Begin --> <!-- Device-Host-Complete-Editable-Begin -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 09/27/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
<Delete /> <Delete />
<Get /> <Get />
</AccessType> </AccessType>
<Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.</Description> <Description>This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>


@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/29/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -71,10 +71,12 @@ The following list shows the Defender configuration service provider nodes:
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers) - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled) - [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates) - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
- [NetworkProtectionReputationMode](#configurationnetworkprotectionreputationmode)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate) - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation) - [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus) - [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel) - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
- [QuickScanIncludeExclusions](#configurationquickscanincludeexclusions)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes) - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled) - [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime) - [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
@ -348,7 +350,7 @@ Control whether network protection can improve performance by switching from rea
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 | Allow switching to asynchronous inspection. | | 1 | Allow switching to asynchronous inspection. |
| 0 (Default) | Dont allow asynchronous inspection. | | 0 (Default) | Don't allow asynchronous inspection. |
<!-- Device-Configuration-AllowSwitchToAsyncInspection-AllowedValues-End --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-AllowedValues-End -->
<!-- Device-Configuration-AllowSwitchToAsyncInspection-Examples-Begin --> <!-- Device-Configuration-AllowSwitchToAsyncInspection-Examples-Begin -->
@ -464,7 +466,7 @@ Define the retention period in days of how much time the evidence data will be k
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `int` |
| Access Type | Add, Delete, Get, Replace | | Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-120]` | | Allowed Values | Range: `[1-120]` |
| Default Value | 60 | | Default Value | 60 |
@ -953,8 +955,8 @@ Control Device Control feature.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 1 | . | | 1 | Device Control is enabled. |
| 0 (Default) | . | | 0 (Default) | Device Control is disabled. |
<!-- Device-Configuration-DeviceControlEnabled-AllowedValues-End --> <!-- Device-Configuration-DeviceControlEnabled-AllowedValues-End -->
<!-- Device-Configuration-DeviceControlEnabled-Examples-Begin --> <!-- Device-Configuration-DeviceControlEnabled-Examples-Begin -->
@ -2186,6 +2188,46 @@ Allow managed devices to update through metered connections. Default is 0 - not
<!-- Device-Configuration-MeteredConnectionUpdates-End --> <!-- Device-Configuration-MeteredConnectionUpdates-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Begin -->
### Configuration/NetworkProtectionReputationMode
<!-- Device-Configuration-NetworkProtectionReputationMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-NetworkProtectionReputationMode-Applicability-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/NetworkProtectionReputationMode
```
<!-- Device-Configuration-NetworkProtectionReputationMode-OmaUri-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-Begin -->
<!-- Description-Source-DDF -->
This sets the reputation mode for Network Protection.
<!-- Device-Configuration-NetworkProtectionReputationMode-Description-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Editable-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-NetworkProtectionReputationMode-DFProperties-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-NetworkProtectionReputationMode-Examples-End -->
<!-- Device-Configuration-NetworkProtectionReputationMode-End -->
<!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Begin --> <!-- Device-Configuration-OobeEnableRtpAndSigUpdate-Begin -->
### Configuration/OobeEnableRtpAndSigUpdate ### Configuration/OobeEnableRtpAndSigUpdate
@ -2325,8 +2367,8 @@ This setting allows IT admins to configure performance mode in either enabled or
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. | | 0 (Default) | Performance mode is enabled (default). |
| 1 | Performance mode is disabled. A service restart is required after changing this value. | | 1 | Performance mode is disabled. |
<!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End --> <!-- Device-Configuration-PerformanceModeStatus-AllowedValues-End -->
<!-- Device-Configuration-PerformanceModeStatus-Examples-Begin --> <!-- Device-Configuration-PerformanceModeStatus-Examples-Begin -->
@ -2388,6 +2430,55 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
<!-- Device-Configuration-PlatformUpdatesChannel-End --> <!-- Device-Configuration-PlatformUpdatesChannel-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Begin -->
### Configuration/QuickScanIncludeExclusions
<!-- Device-Configuration-QuickScanIncludeExclusions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
<!-- Device-Configuration-QuickScanIncludeExclusions-Applicability-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions
```
<!-- Device-Configuration-QuickScanIncludeExclusions-OmaUri-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Description-Begin -->
<!-- Description-Source-DDF -->
This setting allows you to scan excluded files and directories during quick scans.
<!-- Device-Configuration-QuickScanIncludeExclusions-Description-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Editable-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- Device-Configuration-QuickScanIncludeExclusions-DFProperties-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | If you set this setting to 0 or don't configure it, exclusions aren't scanned during quick scans. |
| 1 | If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards aren't supported and aren't scanned. |
<!-- Device-Configuration-QuickScanIncludeExclusions-AllowedValues-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Configuration-QuickScanIncludeExclusions-Examples-End -->
<!-- Device-Configuration-QuickScanIncludeExclusions-End -->
<!-- Device-Configuration-RandomizeScheduleTaskTimes-Begin --> <!-- Device-Configuration-RandomizeScheduleTaskTimes-Begin -->
### Configuration/RandomizeScheduleTaskTimes ### Configuration/RandomizeScheduleTaskTimes
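Review bot: NetworkProtectionReputationMode is published with `Format int` and `Default Value 0` but no Allowed values table and only the one-line description "This sets the reputation mode for Network Protection.", so an administrator cannot tell which integers the node accepts or what each mode changes, while the sibling QuickScanIncludeExclusions section shows the expected shape. The DDF node added in this commit carries no AllowedValues either, so the text has to come from the Defender team into the Editable section; until then a hedged note such as `> Supported values and their meaning are not yet documented; confirm with the Defender team before configuring this node.` is better than silence. The applicability row `Windows 10, version 1607 [10.0.14393] and later` on both new nodes looks like the DDF default rather than the Defender platform version that actually honors them; a setting silently ignored by older engines gives a false sense of coverage, so the minimum platform/engine version is worth stating. Dropping "A service restart is required after changing this value" from PerformanceModeStatus also removes the only cue about when the change takes effect; if it still applies, keep it in that node's Editable section.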


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/29/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2098,11 +2098,50 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Performance mode is enabled (default). A service restart is required after changing this value.</MSFT:ValueDescription> <MSFT:ValueDescription>Performance mode is enabled (default).</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Performance mode is disabled. A service restart is required after changing this value.</MSFT:ValueDescription> <MSFT:ValueDescription>Performance mode is disabled.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>QuickScanIncludeExclusions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This setting allows you to scan excluded files and directories during quick scans.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>If you set this setting to 0 or do not configure it, exclusions are not scanned during quick scans.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards are not supported and are not scanned.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2382,7 +2421,7 @@ The following XML file contains the device description framework (DDF) for the D
<DefaultValue>60</DefaultValue> <DefaultValue>60</DefaultValue>
<Description>Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.</Description> <Description>Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.</Description>
<DFFormat> <DFFormat>
<chr /> <int />
</DFFormat> </DFFormat>
<Occurrence> <Occurrence>
<One /> <One />
@ -2432,13 +2471,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>1</MSFT:Value> <MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription> <MSFT:ValueDescription>Device Control is enabled</MSFT:ValueDescription>
</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>0</MSFT:Value> <MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription> <MSFT:ValueDescription>Device Control is disabled</MSFT:ValueDescription>
</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2650,6 +2687,35 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>NetworkProtectionReputationMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>This sets the reputation mode for Network Protection.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>10.0.14393</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.3</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>AllowSwitchToAsyncInspection</NodeName> <NodeName>AllowSwitchToAsyncInspection</NodeName>
<DFProperties> <DFProperties>


@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -27,12 +27,11 @@ The following list shows the DevicePreparation configuration service provider no
- ./Device/Vendor/MSFT/DevicePreparation - ./Device/Vendor/MSFT/DevicePreparation
- [BootstrapperAgent](#bootstrapperagent) - [BootstrapperAgent](#bootstrapperagent)
- [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext) - [ExecutionContext](#bootstrapperagentexecutioncontext)
- [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- [MdmAgentInstalled](#mdmagentinstalled)
- [MDMProvider](#mdmprovider) - [MDMProvider](#mdmprovider)
- [MdmAgentInstalled](#mdmprovidermdmagentinstalled)
- [Progress](#mdmproviderprogress) - [Progress](#mdmproviderprogress)
- [RebootRequired](#mdmproviderrebootrequired)
- [PageEnabled](#pageenabled) - [PageEnabled](#pageenabled)
- [PageSettings](#pagesettings) - [PageSettings](#pagesettings)
- [PageStatus](#pagestatus) - [PageStatus](#pagestatus)
@ -55,7 +54,7 @@ The following list shows the DevicePreparation configuration service provider no
<!-- Device-BootstrapperAgent-Description-Begin --> <!-- Device-BootstrapperAgent-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The subnodes configure settings for the Bootstrapper Agent. Parent node for configuring agent that orchestrates provisioning and communicate status to Device Preparation page.
<!-- Device-BootstrapperAgent-Description-End --> <!-- Device-BootstrapperAgent-Description-End -->
<!-- Device-BootstrapperAgent-Editable-Begin --> <!-- Device-BootstrapperAgent-Editable-Begin -->
@ -77,45 +76,6 @@ The subnodes configure settings for the Bootstrapper Agent.
<!-- Device-BootstrapperAgent-End --> <!-- Device-BootstrapperAgent-End -->
<!-- Device-BootstrapperAgent-ClassID-Begin -->
### BootstrapperAgent/ClassID
<!-- Device-BootstrapperAgent-ClassID-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-BootstrapperAgent-ClassID-Applicability-End -->
<!-- Device-BootstrapperAgent-ClassID-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID
```
<!-- Device-BootstrapperAgent-ClassID-OmaUri-End -->
<!-- Device-BootstrapperAgent-ClassID-Description-Begin -->
<!-- Description-Source-DDF -->
This node stores the class ID for the Bootstrapper Agent WinRT object.
<!-- Device-BootstrapperAgent-ClassID-Description-End -->
<!-- Device-BootstrapperAgent-ClassID-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-ClassID-Editable-End -->
<!-- Device-BootstrapperAgent-ClassID-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-BootstrapperAgent-ClassID-DFProperties-End -->
<!-- Device-BootstrapperAgent-ClassID-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-ClassID-Examples-End -->
<!-- Device-BootstrapperAgent-ClassID-End -->
<!-- Device-BootstrapperAgent-ExecutionContext-Begin --> <!-- Device-BootstrapperAgent-ExecutionContext-Begin -->
### BootstrapperAgent/ExecutionContext ### BootstrapperAgent/ExecutionContext
@ -155,85 +115,6 @@ This node holds opaque data that will be passed to the Bootstrapper Agent as a p
<!-- Device-BootstrapperAgent-ExecutionContext-End --> <!-- Device-BootstrapperAgent-ExecutionContext-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Begin -->
### BootstrapperAgent/InstallationStatusUri
<!-- Device-BootstrapperAgent-InstallationStatusUri-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-BootstrapperAgent-InstallationStatusUri-Applicability-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri
```
<!-- Device-BootstrapperAgent-InstallationStatusUri-OmaUri-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Description-Begin -->
<!-- Description-Source-DDF -->
This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.
<!-- Device-BootstrapperAgent-InstallationStatusUri-Description-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Editable-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get, Replace |
<!-- Device-BootstrapperAgent-InstallationStatusUri-DFProperties-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-Examples-End -->
<!-- Device-BootstrapperAgent-InstallationStatusUri-End -->
<!-- Device-MdmAgentInstalled-Begin -->
## MdmAgentInstalled
<!-- Device-MdmAgentInstalled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MdmAgentInstalled-Applicability-End -->
<!-- Device-MdmAgentInstalled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
```
<!-- Device-MdmAgentInstalled-OmaUri-End -->
<!-- Device-MdmAgentInstalled-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
<!-- Device-MdmAgentInstalled-Description-End -->
<!-- Device-MdmAgentInstalled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Editable-End -->
<!-- Device-MdmAgentInstalled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get, Replace |
| Default Value | false |
<!-- Device-MdmAgentInstalled-DFProperties-End -->
<!-- Device-MdmAgentInstalled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MdmAgentInstalled-Examples-End -->
<!-- Device-MdmAgentInstalled-End -->
<!-- Device-MDMProvider-Begin --> <!-- Device-MDMProvider-Begin -->
## MDMProvider ## MDMProvider
@ -251,7 +132,7 @@ This node indicates whether the MDM agent was installed or not. When set to true
<!-- Device-MDMProvider-Description-Begin --> <!-- Device-MDMProvider-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
The subnode configures the settings for the MDMProvider. Parent node for configuring the MDM provider that interacts with the BootstrapperAgent.
<!-- Device-MDMProvider-Description-End --> <!-- Device-MDMProvider-Description-End -->
<!-- Device-MDMProvider-Editable-Begin --> <!-- Device-MDMProvider-Editable-Begin -->
@ -273,6 +154,46 @@ The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-End --> <!-- Device-MDMProvider-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Begin -->
### MDMProvider/MdmAgentInstalled
<!-- Device-MDMProvider-MdmAgentInstalled-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MDMProvider-MdmAgentInstalled-Applicability-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/MdmAgentInstalled
```
<!-- Device-MDMProvider-MdmAgentInstalled-OmaUri-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
<!-- Device-MDMProvider-MdmAgentInstalled-Description-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-MdmAgentInstalled-Editable-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get, Replace |
| Default Value | False |
<!-- Device-MDMProvider-MdmAgentInstalled-DFProperties-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-MdmAgentInstalled-Examples-End -->
<!-- Device-MDMProvider-MdmAgentInstalled-End -->
<!-- Device-MDMProvider-Progress-Begin --> <!-- Device-MDMProvider-Progress-Begin -->
### MDMProvider/Progress ### MDMProvider/Progress
@ -290,7 +211,7 @@ The subnode configures the settings for the MDMProvider.
<!-- Device-MDMProvider-Progress-Description-Begin --> <!-- Device-MDMProvider-Progress-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Node for reporting progress status as opaque data. Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data.
<!-- Device-MDMProvider-Progress-Description-End --> <!-- Device-MDMProvider-Progress-Description-End -->
<!-- Device-MDMProvider-Progress-Editable-Begin --> <!-- Device-MDMProvider-Progress-Editable-Begin -->
@ -303,7 +224,7 @@ Node for reporting progress status as opaque data.
| Property name | Property value | | Property name | Property value |
|:--|:--| |:--|:--|
| Format | `chr` (string) | | Format | `chr` (string) |
| Access Type | Get, Replace | | Access Type | Add, Delete, Get, Replace |
<!-- Device-MDMProvider-Progress-DFProperties-End --> <!-- Device-MDMProvider-Progress-DFProperties-End -->
<!-- Device-MDMProvider-Progress-Examples-Begin --> <!-- Device-MDMProvider-Progress-Examples-Begin -->
@ -312,6 +233,46 @@ Node for reporting progress status as opaque data.
<!-- Device-MDMProvider-Progress-End --> <!-- Device-MDMProvider-Progress-End -->
<!-- Device-MDMProvider-RebootRequired-Begin -->
### MDMProvider/RebootRequired
<!-- Device-MDMProvider-RebootRequired-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- Device-MDMProvider-RebootRequired-Applicability-End -->
<!-- Device-MDMProvider-RebootRequired-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/DevicePreparation/MDMProvider/RebootRequired
```
<!-- Device-MDMProvider-RebootRequired-OmaUri-End -->
<!-- Device-MDMProvider-RebootRequired-Description-Begin -->
<!-- Description-Source-DDF -->
This node indicates whether an MDM policy was provisioned that requires a reboot.
<!-- Device-MDMProvider-RebootRequired-Description-End -->
<!-- Device-MDMProvider-RebootRequired-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-MDMProvider-RebootRequired-Editable-End -->
<!-- Device-MDMProvider-RebootRequired-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get |
| Default Value | False |
<!-- Device-MDMProvider-RebootRequired-DFProperties-End -->
<!-- Device-MDMProvider-RebootRequired-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-MDMProvider-RebootRequired-Examples-End -->
<!-- Device-MDMProvider-RebootRequired-End -->
<!-- Device-PageEnabled-Begin --> <!-- Device-PageEnabled-Begin -->
## PageEnabled ## PageEnabled
@ -329,7 +290,7 @@ Node for reporting progress status as opaque data.
<!-- Device-PageEnabled-Description-Begin --> <!-- Device-PageEnabled-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node determines whether to enable or show the Device Preparation page. This node determines whether to show the Device Preparation page during OOBE.
<!-- Device-PageEnabled-Description-End --> <!-- Device-PageEnabled-Description-End -->
<!-- Device-PageEnabled-Editable-Begin --> <!-- Device-PageEnabled-Editable-Begin -->
@ -346,15 +307,6 @@ This node determines whether to enable or show the Device Preparation page.
| Default Value | false | | Default Value | false |
<!-- Device-PageEnabled-DFProperties-End --> <!-- Device-PageEnabled-DFProperties-End -->
<!-- Device-PageEnabled-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| false (Default) | The page isn't enabled. |
| true | The page is enabled. |
<!-- Device-PageEnabled-AllowedValues-End -->
<!-- Device-PageEnabled-Examples-Begin --> <!-- Device-PageEnabled-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. --> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-PageEnabled-Examples-End --> <!-- Device-PageEnabled-Examples-End -->
@ -378,7 +330,7 @@ This node determines whether to enable or show the Device Preparation page.
<!-- Device-PageSettings-Description-Begin --> <!-- Device-PageSettings-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node configures specific settings for the Device Preparation page. This node configures the Device Preparation page settings.
<!-- Device-PageSettings-Description-End --> <!-- Device-PageSettings-Description-End -->
<!-- Device-PageSettings-Editable-Begin --> <!-- Device-PageSettings-Editable-Begin -->
@ -417,7 +369,7 @@ This node configures specific settings for the Device Preparation page.
<!-- Device-PageStatus-Description-Begin --> <!-- Device-PageStatus-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure. This node provides status of the Device Preparation page.
<!-- Device-PageStatus-Description-End --> <!-- Device-PageStatus-Description-End -->
<!-- Device-PageStatus-Editable-Begin --> <!-- Device-PageStatus-Editable-Begin -->
@ -441,8 +393,8 @@ This node provides status of the Device Preparation page. Values are an enum: 0
| 0 | Disabled. | | 0 | Disabled. |
| 1 | Enabled. | | 1 | Enabled. |
| 2 | InProgress. | | 2 | InProgress. |
| 3 | Succeeded. | | 3 | ExitOnSuccess. |
| 4 | Failed. | | 4 | ExitOnFailure. |
<!-- Device-PageStatus-AllowedValues-End --> <!-- Device-PageStatus-AllowedValues-End -->
<!-- Device-PageStatus-Examples-Begin --> <!-- Device-PageStatus-Examples-Begin -->
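Review bot: The new PageSettings description (`This node configures the Device Preparation page settings.`) still gives no schema, even though the DDF updated in this same commit now shows the node takes a JSON object with `AgentDownloadTimeoutSeconds`, `PageTimeoutSeconds`, `ErrorMessage`, `AllowSkipOnFailure` and `AllowDiagnostics` keys. The PageSettings Editable section should list those keys with their types and units, and carry a caveat on `AllowSkipOnFailure`, which by its name appears to let the user continue past a failed bootstrapper-agent install (the page itself never says so, so this needs confirming); if confirmed, a note such as `> [!NOTE] AllowSkipOnFailure lets the user bypass the page when the bootstrapper agent fails to install; set it to false where the agent must be present before first sign-in.` would give practitioners the hardening hint they need. Separately, MDMProvider/MdmAgentInstalled is `Get, Replace` and its description says a `true` write sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event, but the page doesn't say which party (the installed agent or the MDM server) is expected to write it; stating that would make clear what a `true` value actually attests to.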


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -31,7 +31,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Parent node for the CSP.</Description> <Description>Parent node for configuring the Device Preparation page in OOBE settings and configuring </Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D
<Permanent /> <Permanent />
</Scope> </Scope>
<DFType> <DFType>
<DDFName /> <MIME />
</DFType> </DFType>
<MSFT:Applicability> <MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion> <MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
@ -58,7 +58,7 @@ The following XML file contains the device description framework (DDF) for the D
<Replace /> <Replace />
</AccessType> </AccessType>
<DefaultValue>false</DefaultValue> <DefaultValue>false</DefaultValue>
<Description>This node determines whether to enable or show the Device Preparation page.</Description> <Description>This node determines whether to show the Device Preparation page during OOBE.</Description>
<DFFormat> <DFFormat>
<bool /> <bool />
</DFFormat> </DFFormat>
@ -71,16 +71,6 @@ The following XML file contains the device description framework (DDF) for the D
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The page is not enabled</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The page is enabled</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
<Node> <Node>
@ -90,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.</Description> <Description>This node provides status of the Device Preparation page. </Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -118,11 +108,11 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>3</MSFT:Value> <MSFT:Value>3</MSFT:Value>
<MSFT:ValueDescription>Succeeded</MSFT:ValueDescription> <MSFT:ValueDescription>ExitOnSuccess</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>4</MSFT:Value> <MSFT:Value>4</MSFT:Value>
<MSFT:ValueDescription>Failed</MSFT:ValueDescription> <MSFT:ValueDescription>ExitOnFailure</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -134,7 +124,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>This node configures specific settings for the Device Preparation page.</Description> <Description>This node configures the Device Preparation page settings.</Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -147,7 +137,8 @@ The following XML file contains the device description framework (DDF) for the D
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None"> <MSFT:AllowedValues ValueType="JSON">
<MSFT:Value>{"AgentDownloadTimeoutSeconds": 900, "PageTimeoutSeconds": 3600, "ErrorMessage": "This is an error message.", "AllowSkipOnFailure": true, "AllowDiagnostics": true }</MSFT:Value>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
@ -157,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>The subnodes configure settings for the Bootstrapper Agent.</Description> <Description>Parent node for configuring agent that orchestrage provioning and communicate status to Device Preparation page.</Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
@ -171,30 +162,6 @@ The following XML file contains the device description framework (DDF) for the D
<DDFName /> <DDFName />
</DFType> </DFType>
</DFProperties> </DFProperties>
<Node>
<NodeName>ClassID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node stores the class ID for the Bootstrapper Agent WinRT object.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>ExecutionContext</NodeName> <NodeName>ExecutionContext</NodeName>
<DFProperties> <DFProperties>
@ -215,32 +182,6 @@ The following XML file contains the device description framework (DDF) for the D
<DFType> <DFType>
<MIME /> <MIME />
</DFType> </DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>InstallationStatusUri</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="None">
</MSFT:AllowedValues>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> </Node>
@ -250,7 +191,7 @@ The following XML file contains the device description framework (DDF) for the D
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>The subnode configures the settings for the MDMProvider.</Description> <Description>Parent node for configuring the MDM provider that interacts with the BootstrapperAgent. </Description>
<DFFormat> <DFFormat>
<node /> <node />
</DFFormat> </DFFormat>
@ -268,10 +209,12 @@ The following XML file contains the device description framework (DDF) for the D
<NodeName>Progress</NodeName> <NodeName>Progress</NodeName>
<DFProperties> <DFProperties>
<AccessType> <AccessType>
<Add />
<Delete />
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Noode for reporting progress status as opaque data.</Description> <Description>Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data. </Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>
@ -286,29 +229,51 @@ The following XML file contains the device description framework (DDF) for the D
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
</Node> <Node>
<Node> <NodeName>MdmAgentInstalled</NodeName>
<NodeName>MdmAgentInstalled</NodeName> <DFProperties>
<DFProperties> <AccessType>
<AccessType> <Get />
<Get /> <Replace />
<Replace /> </AccessType>
</AccessType> <DefaultValue>False</DefaultValue>
<DefaultValue>false</DefaultValue> <Description>This node indicates whether the mdm agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description>
<Description>This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.</Description> <DFFormat>
<DFFormat> <bool />
<bool /> </DFFormat>
</DFFormat> <Occurrence>
<Occurrence> <One />
<One /> </Occurrence>
</Occurrence> <Scope>
<Scope> <Permanent />
<Permanent /> </Scope>
</Scope> <DFType>
<DFType> <MIME />
<MIME /> </DFType>
</DFType> </DFProperties>
</DFProperties> </Node>
<Node>
<NodeName>RebootRequired</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>This node indicates whether an MDM policy was provisioned that requires a reboot.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</MgmtTree> </MgmtTree>
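Review bot: Two of the new Description strings are malformed: the root node's ends mid-sentence (`Parent node for configuring the Device Preparation page in OOBE settings and configuring `) and the BootstrapperAgent one reads `orchestrage provioning`; the markdown page is marked `Description-Source-DDF`, so the corrected wording it already shows (`orchestrates provisioning`) will presumably be overwritten on the next regeneration unless the DDF is fixed as well. Suggested: `<Description>Parent node for configuring the Device Preparation page in OOBE.</Description>` and `<Description>Parent node for configuring the agent that orchestrates provisioning and communicates status to the Device Preparation page.</Description>`. Separately, the PageSettings `MSFT:AllowedValues ValueType="JSON"` entry carries the placeholder `"ErrorMessage": "This is an error message."` and is the only place the JSON keys are defined; a ValueDescription naming each key's type and unit (seconds for the two timeouts, bool for `AllowSkipOnFailure` and `AllowDiagnostics`) would make the contract checkable rather than inferred from one example. The new `MdmAgentInstalled` and `RebootRequired` nodes use `<DefaultValue>False</DefaultValue>` while PageEnabled uses `false`; if the DDF tooling is case-sensitive for bool defaults this is worth normalizing to `false`.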


@ -4,7 +4,7 @@ description: Learn more about the DiagnosticLog CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -182,7 +182,7 @@ This node is to trigger snapping of the Device Management state data with "SNAP"
<!-- Device-DiagnosticArchive-Description-Begin --> <!-- Device-DiagnosticArchive-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Root note for archive definition and collection. Root node for archive definition and collection.
<!-- Device-DiagnosticArchive-Description-End --> <!-- Device-DiagnosticArchive-Description-End -->
<!-- Device-DiagnosticArchive-Editable-Begin --> <!-- Device-DiagnosticArchive-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DMAcc CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -751,7 +751,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
<!-- Device-{AccountUID}-AppID-Description-Begin --> <!-- Device-{AccountUID}-AppID-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies the application identifier for the OMA DM account.. The only supported value is w7. Specifies the application identifier for the OMA DM account. The only supported value is w7.
<!-- Device-{AccountUID}-AppID-Description-End --> <!-- Device-{AccountUID}-AppID-Description-End -->
<!-- Device-{AccountUID}-AppID-Editable-Begin --> <!-- Device-{AccountUID}-AppID-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/24/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -4576,7 +4576,7 @@ This node, when doing a get, tells the server if the "First Syncs" are done and
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false | The user isn't finished provisioning. | | false | The user hasn't finished provisioning. |
| true | The user has finished provisioning. | | true | The user has finished provisioning. |
<!-- User-Provider-{ProviderID}-FirstSyncStatus-IsSyncDone-AllowedValues-End --> <!-- User-Provider-{ProviderID}-FirstSyncStatus-IsSyncDone-AllowedValues-End -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 09/27/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -341,11 +341,11 @@ The following XML file contains the device description framework (DDF) for the D
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>false</MSFT:Value> <MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>The user is not finished provisioning</MSFT:ValueDescription> <MSFT:ValueDescription>The user has not finished provisioning</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The user has finished provisoining.</MSFT:ValueDescription> <MSFT:ValueDescription>The user has finished provisioning.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -381,7 +381,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Provisoining is in progress.</MSFT:ValueDescription> <MSFT:ValueDescription>Provisioning is in progress.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -1264,7 +1264,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn).</MSFT:ValueDescription> <MSFT:ValueDescription>Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer token).</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>4</MSFT:Value> <MSFT:Value>4</MSFT:Value>
@ -2020,7 +2020,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>The device has finished provisoining.</MSFT:ValueDescription> <MSFT:ValueDescription>The device has finished provisioning.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2056,7 +2056,7 @@ The following XML file contains the device description framework (DDF) for the D
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>2</MSFT:Value> <MSFT:Value>2</MSFT:Value>
<MSFT:ValueDescription>Provisoining is in progress.</MSFT:ValueDescription> <MSFT:ValueDescription>Provisioning is in progress.</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>
@ -2679,7 +2679,7 @@ The following XML file contains the device description framework (DDF) for the D
<Get /> <Get />
<Replace /> <Replace />
</AccessType> </AccessType>
<Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK. </Description> <Description>Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an empty string with S_OK. </Description>
<DFFormat> <DFFormat>
<chr /> <chr />
</DFFormat> </DFFormat>


@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2151,7 +2151,7 @@ When setting this field in a firewall rule, the protocol field must also be set,
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
Specifies the list of authorized local users for the app container. Specifies the list of authorized local users for the app container.
This is a string in Security Descriptor Definition Language (SDDL) format\. This is a string in Security Descriptor Definition Language (SDDL) format.
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Description-End --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Description-End -->
<!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Editable-Begin --> <!-- Device-MdmStore-FirewallRules-{FirewallRuleName}-LocalUserAuthorizedList-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -253,8 +253,8 @@ Don't start Windows Hello provisioning after sign-in.
| Value | Description | | Value | Description |
|:--|:--| |:--|:--|
| false (Default) | Disabled. | | false (Default) | Post Logon Provisioning Enabled. |
| true | Enabled. | | true | Post Logon Provisioning Disabled. |
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-End --> <!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-AllowedValues-End -->
<!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-Begin --> <!-- Device-{TenantId}-Policies-DisablePostLogonProvisioning-Examples-Begin -->


@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -883,11 +883,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<MSFT:AllowedValues ValueType="ENUM"> <MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>false</MSFT:Value> <MSFT:Value>false</MSFT:Value>
<MSFT:ValueDescription>Disabled</MSFT:ValueDescription> <MSFT:ValueDescription>Post Logon Provisioning Enabled</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
<MSFT:Enum> <MSFT:Enum>
<MSFT:Value>true</MSFT:Value> <MSFT:Value>true</MSFT:Value>
<MSFT:ValueDescription>Enabled</MSFT:ValueDescription> <MSFT:ValueDescription>Post Logon Provisioning Disabled</MSFT:ValueDescription>
</MSFT:Enum> </MSFT:Enum>
</MSFT:AllowedValues> </MSFT:AllowedValues>
</DFProperties> </DFProperties>


@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -2145,6 +2145,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableAllowedSources](policy-csp-desktopappinstaller.md) - [EnableAllowedSources](policy-csp-desktopappinstaller.md)
- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md) - [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md) - [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md)
## DeviceInstallation ## DeviceInstallation
@ -2475,11 +2476,12 @@ This article lists the ADMX-backed policies in Policy CSP.
## MSSecurityGuide ## MSSecurityGuide
- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md) - [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md) - [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md) - [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md)
- [WDigestAuthentication](policy-csp-mssecurityguide.md) - [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md)
- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md) - [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md)
- [WDigestAuthentication](policy-csp-mssecurityguide.md)
## MSSLegacy ## MSSLegacy
@ -2530,6 +2532,8 @@ This article lists the ADMX-backed policies in Policy CSP.
## RemoteDesktopServices ## RemoteDesktopServices
- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md)
- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md)
- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md) - [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md)
- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md) - [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md)
- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md) - [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md)
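Review bot: The two new RemoteDesktopServices entries, `LimitServerToClientClipboardRedirection` and `LimitClientToServerClipboardRedirection`, are inserted at the head of the list rather than in alphabetical position, whereas the MSSecurityGuide hunk above in this same file is re-sorted alphabetically (ConfigureSMBV1ClientDriver before ConfigureSMBV1Server, WDigestAuthentication moved last). If this list is generated, the generator's output order is presumably what is shown and the inconsistency is upstream; otherwise sorting the RemoteDesktopServices block the same way would keep the file's ordering convention uniform.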


@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -691,8 +691,24 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## SystemServices ## SystemServices
- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md) - [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md) - [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md)
- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md) - [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md)
@ -829,6 +845,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [LogOnAsService](policy-csp-userrights.md) - [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md) - [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyLogOnAsService](policy-csp-userrights.md) - [DenyLogOnAsService](policy-csp-userrights.md)
- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md)
- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md)
## VirtualizationBasedTechnology ## VirtualizationBasedTechnology
@ -895,6 +913,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowVideoInput](policy-csp-windowssandbox.md) - [AllowVideoInput](policy-csp-windowssandbox.md)
- [AllowPrinterRedirection](policy-csp-windowssandbox.md) - [AllowPrinterRedirection](policy-csp-windowssandbox.md)
- [AllowClipboardRedirection](policy-csp-windowssandbox.md) - [AllowClipboardRedirection](policy-csp-windowssandbox.md)
- [AllowMappedFolders](policy-csp-windowssandbox.md)
- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md)
## WirelessDisplay ## WirelessDisplay


@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -955,9 +955,9 @@ This policy setting controls Event Log behavior when the log file reaches its ma
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting turns on logging. This policy setting turns on logging.
If you enable or don't configure this policy setting, then events can be written to this log. - If you enable or don't configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. - If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
<!-- Channel_LogEnabled-Description-End --> <!-- Channel_LogEnabled-Description-End -->
<!-- Channel_LogEnabled-Editable-Begin --> <!-- Channel_LogEnabled-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/30/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -838,7 +838,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled: Enabled:
Specify additional allowed applications in the Options section.. Specify additional allowed applications in the Options section.
Disabled: Disabled:
@ -1283,12 +1283,12 @@ This policy, if defined, will prevent antimalware from using the configured prox
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order): This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified) 1. Proxy server (if specified)
2. Proxy .pac URL (if specified) 1. Proxy .pac URL (if specified)
3. None 1. None
4. Internet Explorer proxy settings. 1. Internet Explorer proxy settings.
5. Autodetect. 1. Autodetect.
- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above. - If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
@ -1349,12 +1349,12 @@ This policy setting defines the URL of a proxy .pac file that should be used whe
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order): This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified) 1. Proxy server (if specified)
2. Proxy .pac URL (if specified) 1. Proxy .pac URL (if specified)
3. None 1. None
4. Internet Explorer proxy settings. 1. Internet Explorer proxy settings.
5. Autodetect. 1. Autodetect.
- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://. - If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://.
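Review bot: The last line of the ProxyServer hunk, `The URL should be proceeded with either https:// or https://.`, survives the commit with two defects: "proceeded" should be "preceded", and the two alternatives are identical, so the sentence no longer tells the reader which URL schemes the named-proxy setting accepts (the first one was presumably `http://` before a blanket http-to-https substitution). Suggested wording: `The URL should be preceded with either http:// or https://.` If this description is generated from the ADMX source, the correction belongs in that source rather than in this file. The same "1." renumbering applied in the ProxyPacUrl hunk above is fine for Markdown rendering and needs no change.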


@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -668,11 +668,13 @@ Also, see the "Enable user to patch elevated products" policy setting.
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. - If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
<!-- DisableRollback_1-Description-End --> <!-- DisableRollback_1-Description-End -->
<!-- DisableRollback_1-Editable-Begin --> <!-- DisableRollback_1-Editable-Begin -->
@ -729,11 +731,13 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete. - If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder. This policy setting appears in the Computer Configuration and User Configuration folders.
- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
<!-- DisableRollback_2-Description-End --> <!-- DisableRollback_2-Description-End -->
<!-- DisableRollback_2-Editable-Begin --> <!-- DisableRollback_2-Editable-Begin -->
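Review bot: The sentence moved onto its own bullet in both DisableRollback hunks (DisableRollback_1 and DisableRollback_2) still reads `it's considered be enabled`, which is missing "to". Suggested line for both: `- If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder.` If the text is ADMX-sourced, the fix belongs in the source so the next regeneration does not reintroduce it.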


@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -53,9 +53,9 @@ Important.
At least one of the entries must be a PING: resource. At least one of the entries must be a PING: resource.
- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/. - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt. - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality. You must configure this setting to have complete NCA functionality.
<!-- CorporateResources-Description-End --> <!-- CorporateResources-Description-End -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/23/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1939,7 +1939,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP] > [!TIP]
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
<!-- Pol_ReminderFreq_1-Description-End --> <!-- Pol_ReminderFreq_1-Description-End -->
<!-- Pol_ReminderFreq_1-Editable-Begin --> <!-- Pol_ReminderFreq_1-Editable-Begin -->
@ -2002,7 +2002,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP] > [!TIP]
> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option. > To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
<!-- Pol_ReminderFreq_2-Description-End --> <!-- Pol_ReminderFreq_2-Description-End -->
<!-- Pol_ReminderFreq_2-Editable-Begin --> <!-- Pol_ReminderFreq_2-Editable-Begin -->
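Review bot: The change in both Pol_ReminderFreq hunks rewrites the quoted option name from `"Display reminder balloons every ... minutes"` to `"Display reminder balloons every .. minutes"`, and a two-dot sequence reads as a typo rather than as the placeholder in the UI string being quoted. If the intent is to avoid a literal three-dot run, the Unicode ellipsis `"Display reminder balloons every … minutes"` keeps the meaning; otherwise the original three dots should be restored in both places.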


@ -4,7 +4,7 @@ description: Learn more about the ADMX_Securitycenter Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -48,14 +48,6 @@ Note that Security Center can only be turned off for computers that are joined t
- If you enable this policy setting, Security Center is turned on for all users. - If you enable this policy setting, Security Center is turned on for all users.
- If you disable this policy setting, Security Center is turned off for domain members. - If you disable this policy setting, Security Center is turned off for domain members.
Windows XP SP2
----------------------
In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers.
Windows Vista
---------------------
In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers don't require a reboot for this policy setting to take effect.
<!-- SecurityCenter_SecurityCenterInDomain-Description-End --> <!-- SecurityCenter_SecurityCenterInDomain-Description-End -->
<!-- SecurityCenter_SecurityCenterInDomain-Editable-Begin --> <!-- SecurityCenter_SecurityCenterInDomain-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/24/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1362,13 +1362,13 @@ You can use this policy setting to set a limit on the color depth of any connect
Note: Note:
1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. 1. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.
3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: 1. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format:
a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client. a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client.
If the client doesn't support at least 16 bits, the connection is terminated. If the client doesn't support at least 16 bits, the connection is terminated.
<!-- TS_COLORDEPTH-Description-End --> <!-- TS_COLORDEPTH-Description-End -->
@ -2130,19 +2130,19 @@ To allow users to overwrite the "Set RD Gateway server address" policy setting a
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server. This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server.
If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting. - If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting.
- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. - If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed.
- If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level. If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level.
Note: Note:
1. 1. - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
<!-- TS_JOIN_SESSION_DIRECTORY-Description-End --> <!-- TS_JOIN_SESSION_DIRECTORY-Description-End -->
<!-- TS_JOIN_SESSION_DIRECTORY-Editable-Begin --> <!-- TS_JOIN_SESSION_DIRECTORY-Editable-Begin -->
@ -2330,7 +2330,7 @@ This policy setting allows you to specify the order in which an RD Session Host
1. Remote Desktop license servers that are published in Active Directory Domain Services. 1. Remote Desktop license servers that are published in Active Directory Domain Services.
2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. 1. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
- If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level. - If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level.
<!-- TS_LICENSE_SERVERS-Description-End --> <!-- TS_LICENSE_SERVERS-Description-End -->
@ -3074,13 +3074,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. 1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. 1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_1-Description-End --> <!-- TS_RemoteControl_1-Description-End -->
@ -3141,13 +3141,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent. 1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent. 1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. 1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. - If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_2-Description-End --> <!-- TS_RemoteControl_2-Description-End -->
@ -3275,7 +3275,7 @@ Note:
1. This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. 1. This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
<!-- TS_SD_ClustName-Description-End --> <!-- TS_SD_ClustName-Description-End -->
<!-- TS_SD_ClustName-Editable-Begin --> <!-- TS_SD_ClustName-Editable-Begin -->
@ -3404,9 +3404,9 @@ Note:
1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
2. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. 1. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled.
3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. 1. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers.
<!-- TS_SD_Loc-Description-End --> <!-- TS_SD_Loc-Description-End -->
<!-- TS_SD_Loc-Editable-Begin --> <!-- TS_SD_Loc-Editable-Begin -->
@ -4075,9 +4075,9 @@ This policy setting allows the administrator to configure the RemoteFX experienc
- If you enable this policy setting, the RemoteFX experience could be set to one of the following options: - If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
1. Let the system choose the experience for the network condition 1. Let the system choose the experience for the network condition
2. Optimize for server scalability. 1. Optimize for server scalability.
3. Optimize for minimum bandwidth usage. 1. Optimize for minimum bandwidth usage.
- If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition". - If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition".
<!-- TS_SERVER_PROFILE-Description-End --> <!-- TS_SERVER_PROFILE-Description-End -->
@ -5677,7 +5677,7 @@ Note:
1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session.
2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. 1. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile.
<!-- TS_USER_PROFILES-Description-End --> <!-- TS_USER_PROFILES-Description-End -->
<!-- TS_USER_PROFILES-Editable-Begin --> <!-- TS_USER_PROFILES-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -158,7 +158,7 @@ To create the SyncML, follow these steps:
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting determines whether Windows supports web-to-app linking with app URI handlers. This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI. Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI.
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app. Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.


@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1044,7 +1044,7 @@ To verify AllowPasswordManager is set to 0 (not allowed):
<!-- AllowPopups-Description-Begin --> <!-- AllowPopups-Description-Begin -->
<!-- Description-Source-ADMX --> <!-- Description-Source-ADMX -->
This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.. This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
- If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing. - If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
@ -3530,7 +3530,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E
|:--|:--| |:--|:--|
| Name | ConfiguredFavorites | | Name | ConfiguredFavorites |
| Friendly Name | Provision Favorites | | Friendly Name | Provision Favorites |
| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.<br> <br> URL can be specified as.<br> <br> 1. HTTP location: https://localhost:8080/URLs.html<br> 2. Local network: \\network\shares\URLs.html.<br> <br> 3. Local file: file:///c:\\Users\\`<user>`\\Documents\\URLs.html or C:\\Users\\`<user>`\\Documents\\URLs.html. | | Element Name | ConfiguredFavoritesPrompt |
| Location | Computer and User Configuration | | Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge | | Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites | | Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites |


@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/23/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1350,7 +1350,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled: Enabled:
Specify additional allowed applications in the Options section.. Specify additional allowed applications in the Options section.
Disabled: Disabled:


@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -1697,8 +1697,8 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-OmaUri-End --> <!-- DOVpnKeywords-OmaUri-End -->
<!-- DOVpnKeywords-Description-Begin --> <!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
<!-- DOVpnKeywords-Description-End --> <!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin --> <!-- DOVpnKeywords-Editable-Begin -->
@ -1721,8 +1721,12 @@ This policy allows you to set one or more keywords used to recognize VPN connect
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | VpnKeywords | | Name | VpnKeywords |
| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat | | Friendly Name | VPN Keywords |
| Element Name | VpnKeywords | | Element Name | VPN Keywords. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
| ADMX File Name | DeliveryOptimization.admx |
<!-- DOVpnKeywords-GpMapping-End --> <!-- DOVpnKeywords-GpMapping-End -->
<!-- DOVpnKeywords-Examples-Begin --> <!-- DOVpnKeywords-Examples-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -775,6 +775,56 @@ The settings are stored inside of a .json file on the users system. It may be
<!-- EnableWindowsPackageManagerCommandLineInterfaces-End --> <!-- EnableWindowsPackageManagerCommandLineInterfaces-End -->
<!-- EnableWindowsPackageManagerConfiguration-Begin -->
## EnableWindowsPackageManagerConfiguration
<!-- EnableWindowsPackageManagerConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- EnableWindowsPackageManagerConfiguration-Applicability-End -->
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerConfiguration
```
<!-- EnableWindowsPackageManagerConfiguration-OmaUri-End -->
<!-- EnableWindowsPackageManagerConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- EnableWindowsPackageManagerConfiguration-Description-End -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableWindowsPackageManagerConfiguration-Editable-End -->
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- EnableWindowsPackageManagerConfiguration-DFProperties-End -->
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
<!-- EnableWindowsPackageManagerConfiguration-AdmxBacked-End -->
<!-- EnableWindowsPackageManagerConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableWindowsPackageManagerConfiguration-Examples-End -->
<!-- EnableWindowsPackageManagerConfiguration-End -->
<!-- SourceAutoUpdateInterval-Begin --> <!-- SourceAutoUpdateInterval-Begin -->
## SourceAutoUpdateInterval ## SourceAutoUpdateInterval


@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -365,26 +365,26 @@ Device instance IDs > Device IDs > Device setup class > Removable devices.
Device instance IDs. Device instance IDs.
1. Prevent installation of devices using drivers that match these device instance IDs 1. Prevent installation of devices using drivers that match these device instance IDs
2. Allow installation of devices using drivers that match these device instance IDs. 1. Allow installation of devices using drivers that match these device instance IDs.
Device IDs. Device IDs.
3. Prevent installation of devices using drivers that match these device IDs 1. Prevent installation of devices using drivers that match these device IDs
4. Allow installation of devices using drivers that match these device IDs. 1. Allow installation of devices using drivers that match these device IDs.
Device setup class. Device setup class.
5. Prevent installation of devices using drivers that match these device setup classes 1. Prevent installation of devices using drivers that match these device setup classes
6. Allow installation of devices using drivers that match these device setup classes. 1. Allow installation of devices using drivers that match these device setup classes.
Removable devices. Removable devices.
7. Prevent installation of removable devices. 1. Prevent installation of removable devices.
> [!NOTE] > [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored. > This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..". policy settings have precedence over any other policy setting that allows Windows to install a device. If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation.". policy settings have precedence over any other policy setting that allows Windows to install a device.
<!-- EnableInstallationPolicyLayering-Description-End --> <!-- EnableInstallationPolicyLayering-Description-End -->
<!-- EnableInstallationPolicyLayering-Editable-Begin --> <!-- EnableInstallationPolicyLayering-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -4132,7 +4132,7 @@ User Account Control: Only elevate executable files that are signed and validate
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-Begin --> <!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-DDF -->
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-End --> <!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Description-End -->
<!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Editable-Begin --> <!-- UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the MSSecurityGuide Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -222,6 +222,56 @@ ms.topic: reference
<!-- EnableStructuredExceptionHandlingOverwriteProtection-End --> <!-- EnableStructuredExceptionHandlingOverwriteProtection-End -->
<!-- NetBTNodeTypeConfiguration-Begin -->
## NetBTNodeTypeConfiguration
<!-- NetBTNodeTypeConfiguration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- NetBTNodeTypeConfiguration-Applicability-End -->
<!-- NetBTNodeTypeConfiguration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/NetBTNodeTypeConfiguration
```
<!-- NetBTNodeTypeConfiguration-OmaUri-End -->
<!-- NetBTNodeTypeConfiguration-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- NetBTNodeTypeConfiguration-Description-End -->
<!-- NetBTNodeTypeConfiguration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- NetBTNodeTypeConfiguration-Editable-End -->
<!-- NetBTNodeTypeConfiguration-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- NetBTNodeTypeConfiguration-DFProperties-End -->
<!-- NetBTNodeTypeConfiguration-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Pol_SecGuide_0050_NetbtNodeTypeConfig |
| ADMX File Name | SecGuide.admx |
<!-- NetBTNodeTypeConfiguration-AdmxBacked-End -->
<!-- NetBTNodeTypeConfiguration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- NetBTNodeTypeConfiguration-Examples-End -->
<!-- NetBTNodeTypeConfiguration-End -->
<!-- TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications-Begin --> <!-- TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications-Begin -->
## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications ## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications


@ -4,7 +4,7 @@ description: Learn more about the RemoteDesktopServices Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)] [!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- RemoteDesktopServices-Editable-Begin --> <!-- RemoteDesktopServices-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- RemoteDesktopServices-Editable-End --> <!-- RemoteDesktopServices-Editable-End -->
@ -338,6 +340,114 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
<!-- DoNotAllowWebAuthnRedirection-End --> <!-- DoNotAllowWebAuthnRedirection-End -->
<!-- LimitClientToServerClipboardRedirection-Begin -->
## LimitClientToServerClipboardRedirection
<!-- LimitClientToServerClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- LimitClientToServerClipboardRedirection-Applicability-End -->
<!-- LimitClientToServerClipboardRedirection-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
```
```Device
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
```
<!-- LimitClientToServerClipboardRedirection-OmaUri-End -->
<!-- LimitClientToServerClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- LimitClientToServerClipboardRedirection-Description-End -->
<!-- LimitClientToServerClipboardRedirection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LimitClientToServerClipboardRedirection-Editable-End -->
<!-- LimitClientToServerClipboardRedirection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LimitClientToServerClipboardRedirection-DFProperties-End -->
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
| ADMX File Name | terminalserver.admx |
<!-- LimitClientToServerClipboardRedirection-AdmxBacked-End -->
<!-- LimitClientToServerClipboardRedirection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LimitClientToServerClipboardRedirection-Examples-End -->
<!-- LimitClientToServerClipboardRedirection-End -->
<!-- LimitServerToClientClipboardRedirection-Begin -->
## LimitServerToClientClipboardRedirection
<!-- LimitServerToClientClipboardRedirection-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- LimitServerToClientClipboardRedirection-Applicability-End -->
<!-- LimitServerToClientClipboardRedirection-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
```
```Device
./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
```
<!-- LimitServerToClientClipboardRedirection-OmaUri-End -->
<!-- LimitServerToClientClipboardRedirection-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- LimitServerToClientClipboardRedirection-Description-End -->
<!-- LimitServerToClientClipboardRedirection-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LimitServerToClientClipboardRedirection-Editable-End -->
<!-- LimitServerToClientClipboardRedirection-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LimitServerToClientClipboardRedirection-DFProperties-End -->
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
| ADMX File Name | terminalserver.admx |
<!-- LimitServerToClientClipboardRedirection-AdmxBacked-End -->
<!-- LimitServerToClientClipboardRedirection-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LimitServerToClientClipboardRedirection-Examples-End -->
<!-- LimitServerToClientClipboardRedirection-End -->
<!-- PromptForPasswordUponConnection-Begin --> <!-- PromptForPasswordUponConnection-Begin -->
## PromptForPasswordUponConnection ## PromptForPasswordUponConnection


@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/30/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -118,7 +118,7 @@ AllowCommercialDataPipeline configures a Microsoft Entra joined device so that M
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join a Microsoft Entra account to the device. 1. Join a Microsoft Entra account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device. Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
@ -198,10 +198,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join a Microsoft Entra account to the device. 1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher 1. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. 1. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -762,10 +762,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join a Microsoft Entra account to the device. 1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher 1. Set Allow Telemetry to value 1 - Required, or higher
4. Set the Configure the Commercial ID setting for your Update Compliance workspace. 1. Set the Configure the Commercial ID setting for your Update Compliance workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -889,9 +889,9 @@ This policy setting configures a Microsoft Entra joined device so that Microsoft
To enable this behavior: To enable this behavior:
1. Enable this policy setting 1. Enable this policy setting
2. Join a Microsoft Entra account to the device. 1. Join a Microsoft Entra account to the device.
3. Set Allow Telemetry to value 1 - Required, or higher. 1. Set Allow Telemetry to value 1 - Required, or higher.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@ -1999,10 +1999,10 @@ This policy setting, in combination with the "Allow Diagnostic Data" policy sett
To enable the behavior described above, complete the following steps: To enable the behavior described above, complete the following steps:
1. Enable this policy setting 1. Enable this policy setting
2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data". 1. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".
3. Enable the "Limit Dump Collection" policy 1. Enable the "Limit Dump Collection" policy
4. Enable the "Limit Diagnostic Log Collection" policy. 1. Enable the "Limit Diagnostic Log Collection" policy.
When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>. When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>.


@ -4,7 +4,7 @@ description: Learn more about the SystemServices Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -20,6 +20,56 @@ ms.topic: reference
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SystemServices-Editable-End --> <!-- SystemServices-Editable-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Begin -->
## ConfigureComputerBrowserServiceStartupMode
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureComputerBrowserServiceStartupMode-Applicability-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserServiceStartupMode
```
<!-- ConfigureComputerBrowserServiceStartupMode-OmaUri-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureComputerBrowserServiceStartupMode-Description-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureComputerBrowserServiceStartupMode-Editable-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureComputerBrowserServiceStartupMode-DFProperties-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Computer Browser |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureComputerBrowserServiceStartupMode-GpMapping-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureComputerBrowserServiceStartupMode-Examples-End -->
<!-- ConfigureComputerBrowserServiceStartupMode-End -->
<!-- ConfigureHomeGroupListenerServiceStartupMode-Begin --> <!-- ConfigureHomeGroupListenerServiceStartupMode-Begin -->
## ConfigureHomeGroupListenerServiceStartupMode ## ConfigureHomeGroupListenerServiceStartupMode
@ -120,6 +170,756 @@ This setting determines whether the service's start type is Automatic(2), Manual
<!-- ConfigureHomeGroupProviderServiceStartupMode-End --> <!-- ConfigureHomeGroupProviderServiceStartupMode-End -->
<!-- ConfigureIISAdminServiceStartupMode-Begin -->
## ConfigureIISAdminServiceStartupMode
<!-- ConfigureIISAdminServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureIISAdminServiceStartupMode-Applicability-End -->
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceStartupMode
```
<!-- ConfigureIISAdminServiceStartupMode-OmaUri-End -->
<!-- ConfigureIISAdminServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureIISAdminServiceStartupMode-Description-End -->
<!-- ConfigureIISAdminServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIISAdminServiceStartupMode-Editable-End -->
<!-- ConfigureIISAdminServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureIISAdminServiceStartupMode-DFProperties-End -->
<!-- ConfigureIISAdminServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | IIS Admin Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureIISAdminServiceStartupMode-GpMapping-End -->
<!-- ConfigureIISAdminServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIISAdminServiceStartupMode-Examples-End -->
<!-- ConfigureIISAdminServiceStartupMode-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Begin -->
## ConfigureInfraredMonitorServiceStartupMode
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureInfraredMonitorServiceStartupMode-Applicability-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorServiceStartupMode
```
<!-- ConfigureInfraredMonitorServiceStartupMode-OmaUri-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureInfraredMonitorServiceStartupMode-Description-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Editable-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureInfraredMonitorServiceStartupMode-DFProperties-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Infrared Monitor Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureInfraredMonitorServiceStartupMode-GpMapping-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureInfraredMonitorServiceStartupMode-Examples-End -->
<!-- ConfigureInfraredMonitorServiceStartupMode-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Begin -->
## ConfigureInternetConnectionSharingServiceStartupMode
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode
```
<!-- ConfigureInternetConnectionSharingServiceStartupMode-OmaUri-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Description-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Editable-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-DFProperties-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Internet Connection Sharing (ICS) |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureInternetConnectionSharingServiceStartupMode-GpMapping-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-Examples-End -->
<!-- ConfigureInternetConnectionSharingServiceStartupMode-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Begin -->
## ConfigureLxssManagerServiceStartupMode
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureLxssManagerServiceStartupMode-Applicability-End -->
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureLxssManagerServiceStartupMode
```
<!-- ConfigureLxssManagerServiceStartupMode-OmaUri-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureLxssManagerServiceStartupMode-Description-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureLxssManagerServiceStartupMode-Editable-End -->
<!-- ConfigureLxssManagerServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureLxssManagerServiceStartupMode-DFProperties-End -->
<!-- ConfigureLxssManagerServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | LxssManager |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureLxssManagerServiceStartupMode-GpMapping-End -->
<!-- ConfigureLxssManagerServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureLxssManagerServiceStartupMode-Examples-End -->
<!-- ConfigureLxssManagerServiceStartupMode-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Begin -->
## ConfigureMicrosoftFTPServiceStartupMode
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureMicrosoftFTPServiceStartupMode-Applicability-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode
```
<!-- ConfigureMicrosoftFTPServiceStartupMode-OmaUri-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureMicrosoftFTPServiceStartupMode-Description-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Editable-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureMicrosoftFTPServiceStartupMode-DFProperties-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Microsoft FTP Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureMicrosoftFTPServiceStartupMode-GpMapping-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-Examples-End -->
<!-- ConfigureMicrosoftFTPServiceStartupMode-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Begin -->
## ConfigureRemoteProcedureCallLocatorServiceStartupMode
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Applicability-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode
```
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-OmaUri-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Description-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Editable-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-DFProperties-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Remote Procedure Call (RPC) Locator |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-GpMapping-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-Examples-End -->
<!-- ConfigureRemoteProcedureCallLocatorServiceStartupMode-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Begin -->
## ConfigureRoutingAndRemoteAccessServiceStartupMode
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Applicability-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode
```
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-OmaUri-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Description-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Editable-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-DFProperties-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Routing and Remote Access |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-GpMapping-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-Examples-End -->
<!-- ConfigureRoutingAndRemoteAccessServiceStartupMode-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Begin -->
## ConfigureSimpleTCPIPServicesStartupMode
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSimpleTCPIPServicesStartupMode-Applicability-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode
```
<!-- ConfigureSimpleTCPIPServicesStartupMode-OmaUri-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSimpleTCPIPServicesStartupMode-Description-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Editable-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSimpleTCPIPServicesStartupMode-DFProperties-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Simple TCP/IP Services |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSimpleTCPIPServicesStartupMode-GpMapping-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-Examples-End -->
<!-- ConfigureSimpleTCPIPServicesStartupMode-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Begin -->
## ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Applicability-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
```
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-OmaUri-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Description-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Editable-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-DFProperties-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Special Administration Console Helper |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-GpMapping-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-Examples-End -->
<!-- ConfigureSpecialAdministrationConsoleHelperServiceStartupMode-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Begin -->
## ConfigureSSDPDiscoveryServiceStartupMode
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Applicability-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode
```
<!-- ConfigureSSDPDiscoveryServiceStartupMode-OmaUri-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Description-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Editable-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-DFProperties-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | SSDP Discovery |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureSSDPDiscoveryServiceStartupMode-GpMapping-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-Examples-End -->
<!-- ConfigureSSDPDiscoveryServiceStartupMode-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Begin -->
## ConfigureUPnPDeviceHostServiceStartupMode
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Applicability-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode
```
<!-- ConfigureUPnPDeviceHostServiceStartupMode-OmaUri-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Description-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Editable-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-DFProperties-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | UPnP Device Host |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureUPnPDeviceHostServiceStartupMode-GpMapping-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-Examples-End -->
<!-- ConfigureUPnPDeviceHostServiceStartupMode-End -->
<!-- ConfigureWebManagementServiceStartupMode-Begin -->
## ConfigureWebManagementServiceStartupMode
<!-- ConfigureWebManagementServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWebManagementServiceStartupMode-Applicability-End -->
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServiceStartupMode
```
<!-- ConfigureWebManagementServiceStartupMode-OmaUri-End -->
<!-- ConfigureWebManagementServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWebManagementServiceStartupMode-Description-End -->
<!-- ConfigureWebManagementServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWebManagementServiceStartupMode-Editable-End -->
<!-- ConfigureWebManagementServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWebManagementServiceStartupMode-DFProperties-End -->
<!-- ConfigureWebManagementServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Web Management Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWebManagementServiceStartupMode-GpMapping-End -->
<!-- ConfigureWebManagementServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWebManagementServiceStartupMode-Examples-End -->
<!-- ConfigureWebManagementServiceStartupMode-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Begin -->
## ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
```
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-OmaUri-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Description-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Editable-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-DFProperties-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Windows Media Player Network Sharing Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-GpMapping-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-Examples-End -->
<!-- ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Begin -->
## ConfigureWindowsMobileHotspotServiceStartupMode
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Applicability-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode
```
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-OmaUri-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Description-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Editable-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-DFProperties-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Windows Mobile Hotspot Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-GpMapping-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-Examples-End -->
<!-- ConfigureWindowsMobileHotspotServiceStartupMode-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Begin -->
## ConfigureWorldWideWebPublishingServiceStartupMode
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Applicability-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode
```
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-OmaUri-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Description-Begin -->
<!-- Description-Source-DDF -->
This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Description-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Editable-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[2-4]` |
| Default Value | 3 |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-DFProperties-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | World Wide Web Publishing Service |
| Path | Windows Settings > Security Settings > System Services |
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-GpMapping-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-Examples-End -->
<!-- ConfigureWorldWideWebPublishingServiceStartupMode-End -->
<!-- ConfigureXboxAccessoryManagementServiceStartupMode-Begin --> <!-- ConfigureXboxAccessoryManagementServiceStartupMode-Begin -->
## ConfigureXboxAccessoryManagementServiceStartupMode ## ConfigureXboxAccessoryManagementServiceStartupMode


@ -4,7 +4,7 @@ description: Learn more about the Troubleshooting Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -61,15 +61,15 @@ After setting this policy, you can use the following instructions to check devic
rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner". rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner".
2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 1. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). 1. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. 1. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1. 1. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
6. Configure the task to deploy to your domain. 1. Configure the task to deploy to your domain.
<!-- AllowRecommendations-Description-End --> <!-- AllowRecommendations-Description-End -->
<!-- AllowRecommendations-Editable-Begin --> <!-- AllowRecommendations-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 10/03/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -292,8 +292,16 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
<!-- AllowOptionalContent-OmaUri-End --> <!-- AllowOptionalContent-OmaUri-End -->
<!-- AllowOptionalContent-Description-Begin --> <!-- AllowOptionalContent-Description-Begin -->
<!-- Description-Source-DDF --> <!-- Description-Source-ADMX -->
This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent) This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
When the policy is configured.
- If "Automatically receive optional updates (including CFRs)" is selected, the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs).
- If "Automatically receive optional updates" is selected, the device will only get optional cumulative updates automatically, in line with the quality update deferrals.
- If "Users can select which optional updates to receive" is selected, users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle "Get the latest updates as soon as they're available" to automatically receive optional updates and gradual feature rollouts.
<!-- AllowOptionalContent-Description-End --> <!-- AllowOptionalContent-Description-End -->
<!-- AllowOptionalContent-Editable-Begin --> <!-- AllowOptionalContent-Editable-Begin -->
@ -327,7 +335,12 @@ This policy enables devices to get optional updates (including gradual feature r
| Name | Value | | Name | Value |
|:--|:--| |:--|:--|
| Name | AllowOptionalContent | | Name | AllowOptionalContent |
| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat | | Friendly Name | Enable optional updates |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| Registry Value Name | SetAllowOptionalContent |
| ADMX File Name | WindowsUpdate.admx |
<!-- AllowOptionalContent-GpMapping-End --> <!-- AllowOptionalContent-GpMapping-End -->
<!-- AllowOptionalContent-Examples-Begin --> <!-- AllowOptionalContent-Examples-Begin -->
@ -1958,7 +1971,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations. 1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
<!-- ActiveHoursEnd-Description-End --> <!-- ActiveHoursEnd-Description-End -->
@ -2085,7 +2098,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations. 1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy. Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
<!-- ActiveHoursStart-Description-End --> <!-- ActiveHoursStart-Description-End -->
@ -3599,7 +3612,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations. 1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
<!-- AutoRestartDeadlinePeriodInDays-Description-End --> <!-- AutoRestartDeadlinePeriodInDays-Description-End -->
<!-- AutoRestartDeadlinePeriodInDays-Editable-Begin --> <!-- AutoRestartDeadlinePeriodInDays-Editable-Begin -->
@ -3664,7 +3677,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations. 1. No auto-restart with logged-on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
<!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Description-End --> <!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Description-End -->
<!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Editable-Begin --> <!-- AutoRestartDeadlinePeriodInDaysForFeatureUpdates-Editable-Begin -->
@ -4083,9 +4096,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartDeadline-Description-End --> <!-- EngagedRestartDeadline-Description-End -->
<!-- EngagedRestartDeadline-Editable-Begin --> <!-- EngagedRestartDeadline-Editable-Begin -->
@ -4153,9 +4166,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartDeadlineForFeatureUpdates-Description-End --> <!-- EngagedRestartDeadlineForFeatureUpdates-Description-End -->
<!-- EngagedRestartDeadlineForFeatureUpdates-Editable-Begin --> <!-- EngagedRestartDeadlineForFeatureUpdates-Editable-Begin -->
@ -4223,9 +4236,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartSnoozeSchedule-Description-End --> <!-- EngagedRestartSnoozeSchedule-Description-End -->
<!-- EngagedRestartSnoozeSchedule-Editable-Begin --> <!-- EngagedRestartSnoozeSchedule-Editable-Begin -->
@ -4293,9 +4306,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Description-End --> <!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Description-End -->
<!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Editable-Begin --> <!-- EngagedRestartSnoozeScheduleForFeatureUpdates-Editable-Begin -->
@ -4363,9 +4376,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartTransitionSchedule-Description-End --> <!-- EngagedRestartTransitionSchedule-Description-End -->
<!-- EngagedRestartTransitionSchedule-Editable-Begin --> <!-- EngagedRestartTransitionSchedule-Editable-Begin -->
@ -4433,9 +4446,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy: Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations 1. No auto-restart with logged-on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time. 1. Always automatically restart at scheduled time.
3. Specify deadline before auto-restart for update installation. 1. Specify deadline before auto-restart for update installation.
<!-- EngagedRestartTransitionScheduleForFeatureUpdates-Description-End --> <!-- EngagedRestartTransitionScheduleForFeatureUpdates-Description-End -->
<!-- EngagedRestartTransitionScheduleForFeatureUpdates-Editable-Begin --> <!-- EngagedRestartTransitionScheduleForFeatureUpdates-Editable-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -259,6 +259,55 @@ This user right allows a process to impersonate any user without authentication.
<!-- ActAsPartOfTheOperatingSystem-End --> <!-- ActAsPartOfTheOperatingSystem-End -->
<!-- AdjustMemoryQuotasForProcess-Begin -->
## AdjustMemoryQuotasForProcess
<!-- AdjustMemoryQuotasForProcess-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AdjustMemoryQuotasForProcess-Applicability-End -->
<!-- AdjustMemoryQuotasForProcess-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/AdjustMemoryQuotasForProcess
```
<!-- AdjustMemoryQuotasForProcess-OmaUri-End -->
<!-- AdjustMemoryQuotasForProcess-Description-Begin -->
<!-- Description-Source-DDF -->
Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
<!-- AdjustMemoryQuotasForProcess-Description-End -->
<!-- AdjustMemoryQuotasForProcess-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AdjustMemoryQuotasForProcess-Editable-End -->
<!-- AdjustMemoryQuotasForProcess-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- AdjustMemoryQuotasForProcess-DFProperties-End -->
<!-- AdjustMemoryQuotasForProcess-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Adjust memory quotas for a process |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- AdjustMemoryQuotasForProcess-GpMapping-End -->
<!-- AdjustMemoryQuotasForProcess-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AdjustMemoryQuotasForProcess-Examples-End -->
<!-- AdjustMemoryQuotasForProcess-End -->
<!-- AllowLocalLogOn-Begin --> <!-- AllowLocalLogOn-Begin -->
## AllowLocalLogOn ## AllowLocalLogOn
@ -311,6 +360,55 @@ This user right determines which users can log on to the computer.
<!-- AllowLocalLogOn-End --> <!-- AllowLocalLogOn-End -->
<!-- AllowLogOnThroughRemoteDesktop-Begin -->
## AllowLogOnThroughRemoteDesktop
<!-- AllowLogOnThroughRemoteDesktop-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowLogOnThroughRemoteDesktop-Applicability-End -->
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLogOnThroughRemoteDesktop
```
<!-- AllowLogOnThroughRemoteDesktop-OmaUri-End -->
<!-- AllowLogOnThroughRemoteDesktop-Description-Begin -->
<!-- Description-Source-DDF -->
Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.
<!-- AllowLogOnThroughRemoteDesktop-Description-End -->
<!-- AllowLogOnThroughRemoteDesktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowLogOnThroughRemoteDesktop-Editable-End -->
<!-- AllowLogOnThroughRemoteDesktop-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: `0xF000`) |
<!-- AllowLogOnThroughRemoteDesktop-DFProperties-End -->
<!-- AllowLogOnThroughRemoteDesktop-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | Allow log on through Remote Desktop Services |
| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
<!-- AllowLogOnThroughRemoteDesktop-GpMapping-End -->
<!-- AllowLogOnThroughRemoteDesktop-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowLogOnThroughRemoteDesktop-Examples-End -->
<!-- AllowLogOnThroughRemoteDesktop-End -->
<!-- BackupFilesAndDirectories-Begin --> <!-- BackupFilesAndDirectories-Begin -->
## BackupFilesAndDirectories ## BackupFilesAndDirectories


@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/30/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,8 +16,6 @@ ms.topic: reference
<!-- WebThreatDefense-Begin --> <!-- WebThreatDefense-Begin -->
# Policy CSP - WebThreatDefense # Policy CSP - WebThreatDefense
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WebThreatDefense-Editable-Begin --> <!-- WebThreatDefense-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE] > [!NOTE]
@ -30,7 +28,7 @@ ms.topic: reference
<!-- AutomaticDataCollection-Applicability-Begin --> <!-- AutomaticDataCollection-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview | | ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- AutomaticDataCollection-Applicability-End --> <!-- AutomaticDataCollection-Applicability-End -->
<!-- AutomaticDataCollection-OmaUri-Begin --> <!-- AutomaticDataCollection-OmaUri-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the WindowsAI Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/30/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,8 +16,6 @@ ms.topic: reference
<!-- WindowsAI-Begin --> <!-- WindowsAI-Begin -->
# Policy CSP - WindowsAI # Policy CSP - WindowsAI
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsAI-Editable-Begin --> <!-- WindowsAI-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsAI-Editable-End --> <!-- WindowsAI-Editable-End -->
@ -28,7 +26,7 @@ ms.topic: reference
<!-- TurnOffWindowsCopilot-Applicability-Begin --> <!-- TurnOffWindowsCopilot-Applicability-Begin -->
| Scope | Editions | Applicable OS | | Scope | Editions | Applicable OS |
|:--|:--|:--| |:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] | | ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2360] and later <br> ✅ Windows 11, version 23H2 [10.0.22631] and later |
<!-- TurnOffWindowsCopilot-Applicability-End --> <!-- TurnOffWindowsCopilot-Applicability-End -->
<!-- TurnOffWindowsCopilot-OmaUri-Begin --> <!-- TurnOffWindowsCopilot-OmaUri-Begin -->


@ -4,7 +4,7 @@ description: Learn more about the WindowsSandbox Area in Policy CSP.
author: vinaypamnani-msft author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.date: 08/10/2023 ms.date: 11/06/2023
ms.localizationpriority: medium ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
@ -16,6 +16,8 @@ ms.topic: reference
<!-- WindowsSandbox-Begin --> <!-- WindowsSandbox-Begin -->
# Policy CSP - WindowsSandbox # Policy CSP - WindowsSandbox
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- WindowsSandbox-Editable-Begin --> <!-- WindowsSandbox-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-Editable-End --> <!-- WindowsSandbox-Editable-End -->
@ -148,6 +150,56 @@ This policy setting enables or disables clipboard sharing with the sandbox.
<!-- AllowClipboardRedirection-End --> <!-- AllowClipboardRedirection-End -->
<!-- AllowMappedFolders-Begin -->
## AllowMappedFolders
<!-- AllowMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowMappedFolders-Applicability-End -->
<!-- AllowMappedFolders-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders
```
<!-- AllowMappedFolders-OmaUri-End -->
<!-- AllowMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow mapping folders into Windows Sandbox.
<!-- AllowMappedFolders-Description-End -->
<!-- AllowMappedFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowMappedFolders-Editable-End -->
<!-- AllowMappedFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
<!-- AllowMappedFolders-DFProperties-End -->
<!-- AllowMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
<!-- AllowMappedFolders-GpMapping-End -->
<!-- AllowMappedFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowMappedFolders-Examples-End -->
<!-- AllowMappedFolders-End -->
<!-- AllowNetworking-Begin --> <!-- AllowNetworking-Begin -->
## AllowNetworking ## AllowNetworking
@ -406,6 +458,57 @@ Note that there may be security implications of exposing host video input to the
<!-- AllowVideoInput-End --> <!-- AllowVideoInput-End -->
<!-- AllowWriteToMappedFolders-Begin -->
## AllowWriteToMappedFolders
<!-- AllowWriteToMappedFolders-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AllowWriteToMappedFolders-Applicability-End -->
<!-- AllowWriteToMappedFolders-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowWriteToMappedFolders
```
<!-- AllowWriteToMappedFolders-OmaUri-End -->
<!-- AllowWriteToMappedFolders-Description-Begin -->
<!-- Description-Source-DDF -->
Allow Sandbox to write to mapped folders.
<!-- AllowWriteToMappedFolders-Description-End -->
<!-- AllowWriteToMappedFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowWriteToMappedFolders-Editable-End -->
<!-- AllowWriteToMappedFolders-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-1]` |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- AllowWriteToMappedFolders-DFProperties-End -->
<!-- AllowWriteToMappedFolders-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowWriteToMappedFolders |
| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
<!-- AllowWriteToMappedFolders-GpMapping-End -->
<!-- AllowWriteToMappedFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowWriteToMappedFolders-Examples-End -->
<!-- AllowWriteToMappedFolders-End -->
<!-- WindowsSandbox-CspMoreInfo-Begin --> <!-- WindowsSandbox-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. --> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- WindowsSandbox-CspMoreInfo-End --> <!-- WindowsSandbox-CspMoreInfo-End -->


@ -54,27 +54,27 @@ You can use the Windows Security settings to check if Kernel DMA Protection is e
1. Open **Windows Security**. 1. Open **Windows Security**.
1. Select **Device security > Core isolation details > Memory access protection** 1. Select **Device security > Core isolation details > Memory access protection**
:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true"::: :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**. Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true"::: :::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**: If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
- Reboot into UEFI settings - Reboot into UEFI settings
- Turn on Intel Virtualization Technology - Turn on Intel Virtualization Technology
- Turn on Intel Virtualization Technology for I/O (VT-d) - Turn on Intel Virtualization Technology for I/O (VT-d)
- Reboot system into Windows - Reboot system into Windows
> [!NOTE] > [!NOTE]
> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**. > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
> >
> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3]. > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection. If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection. For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions ## Frequently asked questions


@ -98,7 +98,7 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|- -|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated. Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.


@ -1,31 +1,27 @@
--- ---
title: BCD settings and BitLocker title: BCD settings and BitLocker
description: This article for IT professionals describes the BCD settings that are used by BitLocker. description: Learn how BCD settings are used by BitLocker.
ms.topic: reference ms.topic: reference
ms.date: 11/08/2022 ms.date: 10/30/2023
--- ---
# Boot Configuration Data settings and BitLocker # Boot Configuration Data settings and BitLocker
This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. This article describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered. During the boot process, BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, you can include that BCD setting in the BCD validation coverage to suit the preferences for validation.\
If the default BCD setting persistently triggers a recovery for benign changes, you can exclude that BCD setting from the validation coverage.
In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. > [!IMPORTANT]
> Devices with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **[Allow Secure Boot for integrity validation](configure.md?tabs=os#allow-secure-boot-for-integrity-validation)** policy setting, the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy is ignored.
In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
### When secure boot is enabled
Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system. One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
## Customizing BCD validation settings ## Customize BCD validation settings
To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting. To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting.
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog: For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
@ -34,15 +30,15 @@ For the purposes of BitLocker validation, BCD settings are associated with a spe
- memtest - memtest
- all of the above - all of the above
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name." All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a *friendly name*.
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event. The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`. You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`.
Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. Not all BCD settings have friendly names. For those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax: When specifying BCD values in the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting, use the following syntax:
- Prefix the setting with the boot application prefix - Prefix the setting with the boot application prefix
- Append a colon `:` - Append a colon `:`
@ -54,11 +50,11 @@ For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yi
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields. A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
> [!NOTE] > [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid. > Take care when configuring BCD entries in the policy setting. The Local Group Policy Editor doesn't validate the correctness of the BCD entry. BitLocker fails to be enabled if the policy setting specified is invalid.
### Default BCD validation profile ### Default BCD validation profile
The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions: The following table contains the default BCD validation profile used by BitLocker:
| Hex Value | Prefix | Friendly Name | | Hex Value | Prefix | Friendly Name |
| - | - | - | | - | - | - |


@ -1,455 +0,0 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker basic deployment
This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
## Using BitLocker to encrypt volumes
BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
> [!NOTE]
> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
BitLocker encryption can be enabled and managed using the following methods:
- BitLocker control panel
- Windows Explorer
- `manage-bde.exe` command-line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
#### Operating system volume
For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions:
1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. <br><br> A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|UEFI firmware/BIOS configuration|<ul><li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li> <li> The firmware must be able to read from a USB flash drive during startup.</li></ul>|
|File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if:
- The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
- BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
The recovery key can be stored using the following methods:
- **Save to your Microsoft Entra account** (if applicable)
- **Save to a USB flash drive**
- **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- **Print the recovery key**
The recovery key can't be stored at the following locations:
- The drive being encrypted
- The root directory of a non-removable/fixed drive
- An encrypted volume
> [!TIP]
> Ideally, a computer's recovery key should be stored separate from the computer itself.
> [!NOTE]
> After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
- **Encrypt used disk space only** - Encrypts only disk space that contains data.
- **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
Each of the methods is recommended in the following scenarios:
- **Encrypt used disk space only**:
- The drive has never had data
- Formatted or erased drives that in the past have never had confidential data that was never encrypted
- **Encrypt entire drive** (full disk encryption):
- Drives that currently have data
- Drives that currently have an operating system
- Formatted or erased drives that in the past had confidential data that was never encrypted
> [!IMPORTANT]
> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
- **New encryption mode**
- **Compatible mode**
Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
#### Data volume
Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
2. A choice of authentication methods to unlock the drive appears. The available options are:
- **Use a password to unlock the drive**
- **Use my smart card to unlock the drive**
- **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
- **Save to your Microsoft Entra account** (if applicable)
- **Save to a USB flash drive**
- **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- **Print the recovery key**
4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
- **Encrypt used disk space only** - Encrypts only disk space that contains data.
- **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
- **New encryption mode**
- **Compatible mode**
Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
### OneDrive option
There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## Down-level compatibility
The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
|Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7|
|---|---|---|---|
|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
## Encrypting volumes using the `manage-bde.exe` command-line interface
`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command.
Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume commands
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
#### Determining volume status
A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
`manage-bde.exe -status`
This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
#### Enabling BitLocker without a TPM
Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption:
```powershell
manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:
```
If prompted, reboot the computer to complete the encryption process.
#### Enabling BitLocker with a TPM only
It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command:
```cmd
manage-bde.exe -on C:
```
This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command:
```cmd
manage-bde.exe -protectors -get <volume>
```
#### Provisioning BitLocker with two protectors
Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:
```cmd
manage-bde.exe -protectors -add C: -pw -sid <user or group>
```
This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
### Data volume commands
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
```cmd
manage-bde.exe -on <drive letter>
```
Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume.
#### Enabling BitLocker with a password
A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker.
```powershell
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
|Name|Parameters|
|--- |--- |
|**Add-BitLockerKeyProtector**|<li>ADAccountOrGroup<li>ADAccountOrGroupProtector<li>Confirm<li>MountPoint<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>WhatIf|
|**Backup-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
|**Disable-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Disable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Enable-BitLocker**|<li>AdAccountOrGroup<li>AdAccountOrGroupProtector<li>Confirm<li>EncryptionMethod<li>HardwareEncryption<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>SkipHardwareTest<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>UsedSpaceOnly<li>WhatIf|
|**Enable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Get-BitLockerVolume**|<li>MountPoint|
|**Lock-BitLocker**|<li>Confirm<li>ForceDismount<li>MountPoint<li>WhatIf|
|**Remove-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
|**Resume-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors.
> [!NOTE]
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
```powershell
Get-BitLockerVolume C: | fl
```
If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed.
A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command:
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
### Operating system volume PowerShell cmdlets
Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
To enable BitLocker with just the TPM protector, use this command:
```powershell
Enable-BitLocker C:
```
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
### Data volume PowerShell cmdlets
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
```powershell
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using an SID-based protector in Windows PowerShell
The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
```powershell
Get-ADUser -filter {samaccountname -eq "administrator"}
```
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
> [!TIP]
> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
```
> [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
## Checking BitLocker status
To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include:
| Status | Description |
| - | - |
| **On**|BitLocker is enabled for the volume |
| **Off**| BitLocker isn't enabled for the volume |
| **Suspended** | BitLocker is suspended and not actively protecting the volume |
| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
Once BitLocker protector activation is completed, the completion notice is displayed.
### Checking BitLocker status with `manage-bde.exe`
Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using `manage-bde.exe`, use the following command:
```powershell
manage-bde.exe -status <volume>
```
> [!NOTE]
> If no volume letter is associated with the -status command, all volumes on the computer display their status.
### Checking BitLocker status with Windows PowerShell
Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
```powershell
Get-BitLockerVolume <volume> -Verbose | fl
```
This command displays information about the encryption method, volume type, key protectors, and more.
### Provisioning BitLocker during operating system deployment
Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below.
### Decrypting volumes using the BitLocker control panel applet
BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process.
After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
### Decrypting volumes using the `manage-bde.exe` command-line interface
Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
```powershell
manage-bde.exe -off C:
```
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
```powershell
manage-bde.exe -status C:
```
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
```powershell
Disable-BitLocker
```
If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
```powershell
Disable-BitLocker -MountPoint E:,F:,G:
```
## Related articles
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker overview](index.md)


@ -1,183 +0,0 @@
---
title: BitLocker Countermeasures
description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker Countermeasures
Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
- **Encrypting volumes on a computer.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
## Protection before startup
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
### Trusted Platform Module
A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
### UEFI and secure boot
Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
### BitLocker and reset attacks
To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
>[!NOTE]
>This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
## Security policies
The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker.
### Pre-boot authentication
Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks.
On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
In the following group policy example, TPM + PIN is required to unlock an operating system drive:
![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
### Protecting Thunderbolt and other DMA ports
There are a few different options to protect DMA ports, such as Thunderbolt&trade;3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt&trade; 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
![Kernel DMA protection.](images/kernel-dma-protection.png)
If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt&trade; 3 enabled ports:
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt&trade; 3 and Security on Microsoft Windows&reg; 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
- Group Policy: [Disable new DMA devices when this computer is locked](bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
## Attack countermeasures
This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
> [!NOTE]
> BitLocker protects against this attack by default.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
### Brute force attacks against a PIN
Require TPM + PIN for anti-hammering protection.
### DMA attacks
See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article.
### Paging file, crash dump, and Hyberfil.sys attacks
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
### Memory remanence
Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.
### Attacker without much skill or with limited physical access
Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Pre-boot authentication set to TPM only (the default)
### Attacker with skill and lengthy physical access
Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
Mitigation:
- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-And-
- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy:
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu**
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)**
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)**
> [!IMPORTANT]
> These settings are **not configured** by default.
For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](bitlocker-group-policy-settings.md) is:
- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
> [!IMPORTANT]
> This setting is **not configured** by default.
For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
## Related articles
- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)


@ -1,49 +0,0 @@
---
title: BitLocker deployment comparison
description: This article shows the BitLocker deployment comparison chart.
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker deployment comparison
This article depicts the BitLocker deployment comparison chart.
## BitLocker deployment comparison chart
| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) |
|--|--|--|--|
| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
| *Minimum Windows version* | 1909 | None | None |
| *Supported domain-joined status* | Microsoft Entra joined, Microsoft Entra hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined | Active Directory-joined |
| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
| *Cloud or on premises* | Cloud | On premises | On premises |
| Server components required? | | ✅ | ✅ |
| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
| *Administrative portal installation required* | | ✅ | ✅ |
| *Compliance reporting capabilities* | ✅ | ✅ | ✅ |
| *Force encryption* | ✅ | ✅ | ✅ |
| *Encryption for storage cards (mobile)* | ✅ | ✅ | |
| *Allow recovery password* | ✅ | ✅ | ✅ |
| *Manage startup authentication* | ✅ | ✅ | ✅ |
| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database | MBAM database |
| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Yes (Active Directory and Microsoft Entra ID) | Yes (Active Directory only) | Yes (Active Directory only) |
| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
| *Allow/deny key file creation* | ✅ | ✅ | ✅ |
| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
| *Can be administered outside company network* | ✅ | ✅ | |
| *Support for organization unique IDs* | | ✅ | ✅ |
| *Self-service recovery* | Yes (through Microsoft Entra ID or Company Portal app) | ✅ | ✅ |
| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | | |
| *Wait to complete encryption until recovery information is backed up to Active Directory* | | ✅ | ✅ |
| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
| *Unlock a volume using certificate with custom object identifier* | | ✅ | ✅ |
| *Prevent memory overwrite on restart* | | ✅ | ✅ |
| *Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | ✅ |
| *Manage auto-unlock functionality* | | ✅ | ✅ |


@ -1,163 +0,0 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
---
# Overview of BitLocker device encryption
This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
## Data Protection in Windows 11, Windows 10, and Windows 7
The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth.
### TPM pre-provisioning
In Windows 7, preparing the TPM offered a few challenges:
- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows.
- When the TPM is enabled, it may require one or more restarts.
This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
## Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:
*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
- Similar to signing in with a domain account, the clear key is removed when the user signs in to a Microsoft Entra account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Microsoft Entra ID. Then, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
- **Type**: `REG_DWORD`
- **Value**: `PreventDeviceEncryption` equal to `1` (True)
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
> [!NOTE]
> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied.
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused.
To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
## Encrypted hard drive support
SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
## Configure Network Unlock
Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
- A server with the DHCP server role installed
For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
## Microsoft BitLocker administration and monitoring
Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
- Provides centralized reporting and hardware management with Microsoft Configuration Manager.
- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
- Enables security officers to easily audit access to recovery key information.
- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
- Enforces the BitLocker encryption policy options that are set for the enterprise.
- Integrates with existing management tools, such as Microsoft Configuration Manager.
- Offers an IT-customizable recovery user experience.
- Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
Enterprises not using Configuration Manager can use the built-in features of Microsoft Entra ID and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).


@ -1,102 +0,0 @@
---
title: BitLocker How to deploy on Windows Server
description: This article for the IT professional explains how to deploy BitLocker and Windows Server
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker: How to deploy on Windows Server
This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
## Installing BitLocker
### To install BitLocker using server manager
1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
> [!NOTE]
> Server roles and features are installed by using the same wizard in Server Manager.
1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
> [!NOTE]
> The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
### To install BitLocker using Windows PowerShell
Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation.
> [!NOTE]
> The server must be restarted to complete the installation of BitLocker.
### Using the servermanager module to install BitLocker
The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
```powershell
Install-WindowsFeature BitLocker -WhatIf
```
The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
```
The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
- BitLocker Drive Encryption
- BitLocker Drive Encryption Tools
- BitLocker Drive Encryption Administration Utilities
- BitLocker Recovery Password Viewer
- AD DS Snap-Ins and Command-Line Tools
- AD DS Tools
- AD DS and AD LDS Tools
The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
```powershell
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
```
> [!IMPORTANT]
> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
### Using the dism module to install BitLocker
The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
```powershell
Get-WindowsOptionalFeature -Online | ft
```
From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
To install BitLocker using the `dism.exe` module, use the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
```
This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
```
## Related articles
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](faq.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)


@ -1,453 +0,0 @@
---
title: BitLocker - How to enable Network Unlock
description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker: How to enable Network Unlock
This article describes how BitLocker Network Unlock works and how to configure it.
Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
## Network Unlock core requirements
Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
- Currently supported Windows operating system
- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients
- Network Unlock clients with a TPM chip and at least one TPM protector
- A server running the Windows Deployment Services (WDS) role on any supported server operating system
- BitLocker Network Unlock optional feature installed on any supported server operating system
- A DHCP server, separate from the WDS server
- Properly configured public/private key pairing
- Network Unlock group policy settings configured
- Network stack enabled in the UEFI firmware of client devices
> [!NOTE]
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
## Network Unlock sequence
The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
![Diagram showing the BitLocker Network Unlock sequence.](images/bitlockernetworkunlocksequence.png)
The Network Unlock process follows these phases:
1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
3. The client computer broadcasts a vendor-specific DHCP request that contains:
1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
2. An AES-256 session key for the reply.
4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
8. This combined key is used to create an AES-256 key that unlocks the volume.
9. Windows continues the boot sequence.
## Configure Network Unlock
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
### Install the WDS server role
The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**.
To install the role by using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature WDS-Deployment
```
The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard.
### Confirm the WDS service is running
To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service.
To confirm that the service is running using Windows PowerShell, use the following command:
```powershell
Get-Service WDSServer
```
### Install the Network Unlock feature
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
To install the feature by using Windows PowerShell, use the following command:
```powershell
Install-WindowsFeature BitLocker-NetworkUnlock
```
### Create the certificate template for Network Unlock
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
1. Open the Certificates Template snap-in (`certtmpl.msc`).
2. Locate the User template, right-click the template name and select **Duplicate Template**.
3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**.
7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**.
8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
12. On the **Edit Application Policies Extension** dialog box, select **Add**.
13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy:
- *Name:* **BitLocker Network Unlock**
- *Object Identifier:* **1.3.6.1.4.1.311.67.1.1**
14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
17. Select **OK** to complete configuration of the template.
To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock.
### Create the Network Unlock certificate
Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
To enroll a certificate from an existing certificate authority:
1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
2. Under **Certificates - Current User**, right-click **Personal**.
3. Select **All Tasks** > **Request New Certificate**.
4. When the Certificate Enrollment wizard opens, select **Next**.
5. Select **Active Directory Enrollment Policy**.
6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**.
7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example:
*BitLocker Network Unlock Certificate for Contoso domain*
8. Create the certificate. Ensure the certificate appears in the **Personal** folder.
9. Export the public key certificate for Network Unlock:
1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
2. Select **No, do not export the private key**.
3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
4. Give the file a name such as BitLocker-NetworkUnlock.cer.
10. Export the public key with a private key for Network Unlock.
1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
2. Select **Yes, export the private key**.
3. Complete the steps to create the `.pfx` file.
To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example:
**Windows PowerShell:**
```powershell
New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
```
**certreq.exe:**
1. Create a text file with an `.inf` extension, for example:
```cmd
notepad.exe BitLocker-NetworkUnlock.inf
```
2. Add the following contents to the previously created file:
```ini
[NewRequest]
Subject="CN=BitLocker Network Unlock certificate"
ProviderType=0
MachineKeySet=True
Exportable=true
RequestType=Cert
KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
KeyLength=2048
SMIME=FALSE
HashAlgorithm=sha512
[Extensions]
1.3.6.1.4.1.311.21.10 = "{text}"
_continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
2.5.29.37 = "{text}"
_continue_ = "1.3.6.1.4.1.311.67.1.1"
```
3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
```cmd
certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
```
4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists.
5. Launch the **Certificates - Local Computer** console by running `certlm.msc`.
6. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console:
1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates**
2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export**
3. Follow through the wizard to create the `.pfx` file.
### Deploy the private key and certificate to the WDS server
After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`.
2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**.
3. In the **File to Import** dialog, choose the `.pfx` file created previously.
4. Enter the password used to create the `.pfx` and complete the wizard.
### Configure group policy settings for Network Unlock
With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock.
1. Open Group Policy Management Console (`gpmc.msc`).
2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
The following steps describe how to deploy the required group policy setting:
> [!NOTE]
> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
1. Copy the `.cer` file that was created for Network Unlock to the domain controller.
2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting.
4. Deploy the public certificate to clients:
1. Within group policy management console, navigate to the following location:
**Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**.
2. Right-click the folder and select **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the `.cer` file that was copied earlier.
> [!NOTE]
> Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer.
5. Reboot the clients after the Group Policy is deployed.
> [!NOTE]
> The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
### Subnet policy configuration files on the WDS server (optional)
By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names.
```ini
[SUBNETS]
SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
SUBNET2=10.185.252.200/28
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
```
Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
> [!NOTE]
> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
```ini
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
SUBNET1
;SUBNET2
SUBNET3
```
To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
## Turn off Network Unlock
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
> [!NOTE]
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
## Update Network Unlock certificates
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller.
> [!NOTE]
> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
## Troubleshoot Network Unlock
Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode.
- All required roles and services are installed and started.
- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer.
- Group policy for Network Unlock is enabled and linked to the appropriate domains.
- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities.
- Verify whether the clients were rebooted after applying the policy.
- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
```powershell
manage-bde.exe -protectors -get C:
```
> [!NOTE]
> Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
Gather the following files to troubleshoot BitLocker Network Unlock.
- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.
Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
- Start an elevated command prompt, and then run the following command:
```cmd
wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
```
- Open **Event Viewer** on the WDS server:
1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
2. In the right pane, select **Enable Log**.
- The DHCP subnet configuration file (if one exists).
- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
<!--
REMOVING SECTION DUE TO THE VERSIONS OF WINDOWS THAT THIS SECTION APPLIES TO ARE NO LONGER SUPPORTED.
## Configure Network Unlock Group Policy settings on earlier versions
Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. However Network Unlock and the accompanying Group Policy settings can be deployed using operating systems that run Windows Server 2008 R2 and Windows Server 2008.
The system must meet these requirements:
- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article.
- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article.
Follow these steps to configure Network Unlock on these older systems.
1. [Install the WDS Server role](#install-the-wds-server-role)
2. [Confirm the WDS Service is running](#confirm-the-wds-service-is-running)
3. [Install the Network Unlock feature](#install-the-network-unlock-feature)
4. [Create the Network Unlock certificate](#create-the-network-unlock-certificate)
5. [Deploy the private key and certificate to the WDS server](#deploy-the-private-key-and-certificate-to-the-wds-server)
6. Configure registry settings for Network Unlock:
Apply the registry settings by running the following `certutil.exe` script (assuming the Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the [Applies to](#bitlocker-how-to-enable-network-unlock) list at the beginning of this article.
```cmd
certutil.exe -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f
```
7. Set up a TPM protector on the clients.
8. Reboot the clients to add the Network (certificate based) protector.
-->
## Related articles
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](faq.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)


@ -1,115 +0,0 @@
---
title: BitLocker management
description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker management
The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Microsoft Entra ID.
> [!IMPORTANT]
> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
<a name='managing-devices-joined-to-azure-active-directory'></a>
## Managing devices joined to Microsoft Entra ID
Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Microsoft Entra ID. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Microsoft Entra ID. This process and feature is applicable to Azure Hybrid AD as well.
## Managing workplace-joined PCs and phones
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Microsoft Entra ID.
## Managing servers
Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features).
If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles).
## PowerShell examples
For Microsoft Entra joined computers, including virtual machines, the recovery password should be stored in Microsoft Entra ID.
**Example**: *Use PowerShell to add a recovery password and back it up to Microsoft Entra ID before enabling BitLocker*
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:"
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
$BLV = Get-BitLockerVolume -MountPoint "C:"
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
PowerShell can then be used to enable BitLocker:
**Example**: *Use PowerShell to enable BitLocker with a TPM protector*
```powershell
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
```powershell
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
## Related Articles
- [BitLocker: FAQs](faq.yml)
- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
- [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
*(Overview)*
- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
*(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*
- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
### Windows Server setup tools
- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
- [How to deploy BitLocker on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)
- [How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
### PowerShell
- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)


@ -1,979 +0,0 @@
---
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
---
# BitLocker recovery guide
This article describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
## What is BitLocker recovery?
BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
### What causes BitLocker recovery?
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software.
- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
> [!NOTE]
> Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
- Failing the TPM self-test.
- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
> [!NOTE]
> The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
> [!NOTE]
> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
> [!NOTE]
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.
Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
## Testing recovery
Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
**To force a recovery for the local computer:**
1. Select the **Start** button and type in **cmd**
2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
3. At the command prompt, enter the following command:
```cmd
manage-bde.exe -forcerecovery <BitLockerVolume>
```
**To force recovery for a remote computer:**
1. Select the **Start** button and type in **cmd**
2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
3. At the command prompt, enter the following command:
```cmd
manage-bde.exe -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>
```
> [!NOTE]
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
## Planning the recovery process
When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
When the recovery process is determined:
- Become familiar with how a recovery password can be retrieved. See:
- [Self-recovery](#self-recovery)
- [Recovery password retrieval](#recovery-password-retrieval)
- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
- [Post-recovery analysis](#post-recovery-analysis)
### Self-recovery
In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
### Recovery password retrieval
If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered**
- **Choose how BitLocker-protected removable drives can be recovered**
In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
> [!NOTE]
> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required.
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
- [Record the name of the user's computer](#record-the-name-of-the-users-computer)
- [Verify the user's identity](#verify-the-users-identity)
- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds)
- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred)
- [Give the user the recovery password](#give-the-user-the-recovery-password)
### Record the name of the user's computer
The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.
### Verify the user's identity
The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
### Locate the recovery password in AD DS
Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.
### Multiple recovery passwords
If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
### Gather information to determine why recovery occurred
Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).
### Give the user the recovery password
Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
### Post-recovery analysis
When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see:
- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery)
- [Resolve the root cause](#resolve-the-root-cause)
### Determine the root cause of the recovery
If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
Review and answer the following questions for the organization:
1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
```cmd
manage-bde.exe -status
```
Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
### Resolve the root cause
After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup.
The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
> [!NOTE]
> BitLocker validation profile reset can be performed by suspending and resuming BitLocker.
- [Unknown PIN](#unknown-pin)
- [Lost startup key](#lost-startup-key)
- [Changes to boot files](#changes-to-boot-files)
### Unknown PIN
If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
#### To prevent continued recovery due to an unknown PIN
1. Unlock the computer using the recovery password.
2. Reset the PIN:
1. Select and hold the drive and then select **Change PIN**
2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
3. The new PIN can be used the next time the drive needs to be unlocked.
### Lost startup key
If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created.
#### To prevent continued recovery due to a lost startup key
1. Sign in as an administrator to the computer that has its startup key lost.
2. Open Manage BitLocker.
3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**.
### Changes to boot files
This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
## Windows RE and BitLocker Device Encryption
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control.
:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
## BitLocker recovery screen
During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
### Custom recovery message
BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp):
**`<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>`**
![Custom URL.](images/bl-intune-custom-url.png)
Example of a customized recovery screen:
![Customized BitLocker Recovery Screen.](images/bl-password-hint1.png)
### BitLocker recovery key hints
BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
![Customized BitLocker recovery screen.](images/bl-password-hint2.png)
> [!IMPORTANT]
> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Microsoft Entra ID and Microsoft account.
There are rules governing which hint is shown during the recovery (in the order of processing):
1. Always display custom recovery message if it has been configured (using GPO or MDM).
2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.`
3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
4. Prioritize keys with successful backup over keys that have never been backed up.
5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Microsoft Entra ID > Active Directory**.
6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
#### Example 1 (single recovery key with single backup)
| Custom URL | Yes |
|----------------------|------------|
| Saved to Microsoft Account | Yes |
| Saved to Microsoft Entra ID | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
**Result:** The hints for the Microsoft account and custom URL are displayed.
![Example 1 of Customized BitLocker recovery screen.](images/rp-example1.png)
#### Example 2 (single recovery key with single backup)
| Custom URL | Yes |
|----------------------|------------|
| Saved to Microsoft Account | No |
| Saved to Microsoft Entra ID | No |
| Saved to Active Directory | Yes |
| Printed | No |
| Saved to file | No |
**Result:** Only the custom URL is displayed.
![Example 2 of customized BitLocker recovery screen.](images/rp-example2.png)
#### Example 3 (single recovery key with multiple backups)
| Custom URL | No |
|----------------------|------------|
| Saved to Microsoft Account | Yes |
| Saved to Microsoft Entra ID | Yes |
| Saved to Active Directory | No |
| Printed | Yes |
| Saved to file | Yes |
**Result:** Only the Microsoft Account hint is displayed.
![Example 3 of customized BitLocker recovery screen.](images/rp-example3.png)
#### Example 4 (multiple recovery passwords)
| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Microsoft Entra ID | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | Yes |
| Creation time | **1PM** |
| Key ID | A564F193 |
<br>
<br>
| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Microsoft Entra ID | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **3PM** |
| Key ID | T4521ER5 |
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
![Example 4 of customized BitLocker recovery screen.](images/rp-example4.png)
#### Example 5 (multiple recovery passwords)
| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | Yes |
| Saved to Microsoft Entra ID | Yes |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **1PM** |
| Key ID | 99631A34 |
| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Microsoft Entra ID | Yes |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **3PM** |
| Key ID | 9DF70931 |
**Result:** The hint for the most recent key is displayed.
![Example 5 of customized BitLocker recovery screen.](images/rp-example5.png)
## Using additional recovery information
Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
### BitLocker key package
If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.
> [!NOTE]
> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
## Resetting recovery passwords
It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
The recovery password and be invalidated and reset in two ways:
- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
### Resetting a recovery password using `manage-bde.exe`
1. Remove the previous recovery password.
```cmd
`manage-bde.exe` -protectors -delete C: -type RecoveryPassword
```
2. Add the new recovery password.
```cmd
`manage-bde.exe` -protectors -add C: -RecoveryPassword
```
3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
```cmd
`manage-bde.exe` -protectors -get C: -Type RecoveryPassword
```
4. Back up the new recovery password to AD DS.
```cmd
`manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
> [!WARNING]
> The braces `{}` must be included in the ID string.
### Running the sample recovery password script to reset the recovery passwords
1. Save the following sample script in a VBScript file. For example:
`ResetPassword.vbs`.
2. At the command prompt, enter the following command::
```cmd
cscript.exe ResetPassword.vbs
```
> [!IMPORTANT]
> This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested.
> [!NOTE]
> To manage a remote computer, specify the remote computer name rather than the local computer name.
The following sample VBScript can be used to reset the recovery passwords:
<br>
<details>
<summary>Expand to view sample recovery password VBscript to reset the recovery passwords</summary>
```vb
' Target drive letter
strDriveLetter = "c:"
' Target computer name
' Use "." to connect to the local computer
strComputerName = "."
' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------
strConnectionStr = "winmgmts:" _
& "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
& strComputerName _
& "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors
Set objWMIService = GetObject(strConnectionStr)
If Err.Number <> 0 Then
WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
Wscript.Echo "Ensure that you are running with administrative privileges."
WScript.Quit -1
End If
On Error GoTo 0
strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
If colTargetVolumes.Count = 0 Then
WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
WScript.Quit -1
End If
' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
set objVolume = objFoundVolume
Next
' objVolume is now our found BitLocker-capable disk volume
' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------
' Add a new recovery password, keeping the ID around so it doesn't get deleted later
' ----------------------------------------------------------------------------------
nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)
If nRC <> 0 Then
WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
' Removes the other, "stale", recovery passwords
' ----------------------------------------------------------------------------------
nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
' Delete those key protectors other than the one we just added.
For Each sKeyProtectorID In aKeyProtectorIDs
If sKeyProtectorID <> sNewKeyProtectorID Then
nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
If nRC <> 0 Then
WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
WScript.Quit -1
Else
' no output
'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
End If
End If
Next
WScript.Echo "A new recovery password has been added. Old passwords have been removed."
' - some advanced output (hidden)
'WScript.Echo ""
'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
```
</details>
## Retrieving the BitLocker key package
Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information):
- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume.
### Running the sample key package retrieval script that exports all previously saved key packages from AD DS
The following steps and sample script exports all previously saved key packages from AD DS.
1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`.
2. At the command prompt, enter a command similar to the following sample script:
```cmd
cscript.exe GetBitLockerKeyPackageADDS.vbs -?
```
The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS:
<br>
<details>
<summary>Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS</summary>
```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
Wscript.Echo "If no computer name is specified, the local computer is assumed."
Wscript.Echo
Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 1
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strFilePath = args(0)
' Get the name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputerName = objNetwork.ComputerName
End If
Case 2
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strFilePath = args(0)
strComputerName = args(1)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
' Uses the global catalog to find the computer in the forest
' Search also includes deleted computers in the tombstone
Set objRootLDAP = GetObject("LDAP://rootDSE")
namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
strBase = "<GC://" & namingContext & ">"
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOOBject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 100
objCommand.Properties("Cache Results") = False
' Enumerate all objects found.
Set objRecordSet = objCommand.Execute
If objRecordSet.EOF Then
WScript.echo "The computer name '" & strComputerName & "' cannot be found."
WScript.Quit 1
End If
' Found object matching name
Do Until objRecordSet.EOF
dnFound = objRecordSet.Fields("distinguishedName")
GetStrPathToComputer = "LDAP://" & dnFound
objRecordSet.MoveNext
Loop
' Clean up.
Set objConnection = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)
WScript.Echo "Accessing object: " + strPathToComputer
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------
' Get all the recovery information child objects of the computer object
Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
' Iterate through each recovery information object and saves any existing key packages
nCount = 1
strFilePathCurrent = strFilePath & nCount
For Each objFveInfo in objFveInfos
strName = objFveInfo.Get("name")
strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")
WScript.echo
WScript.echo "Recovery Object Name: " + strName
WScript.echo "Recovery Password: " + strRecoveryPassword
' Validate file path
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(strFilePathCurrent)) Then
WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path."
WScript.Quit -1
End If
' Save binary data to the file
SaveBinaryDataText strFilePathCurrent, strKeyPackage
WScript.echo "Related key package successfully saved to " + strFilePathCurrent
' Update next file path using base name
nCount = nCount + 1
strFilePathCurrent = strFilePath & nCount
Next
'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------
Function SaveBinaryDataText(FileName, ByteArray)
'Create FileSystemObject object
Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
'Create text stream object
Dim TextStream
Set TextStream = FS.CreateTextFile(FileName)
'Convert binary data To text And write them To the file
TextStream.Write BinaryToString(ByteArray)
End Function
Function BinaryToString(Binary)
Dim I, S
For I = 1 To LenB(Binary)
S = S & Chr(AscB(MidB(Binary, I, 1)))
Next
BinaryToString = S
End Function
WScript.Quit
```
</details>
### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume
The following steps and sample script exports a new key package from an unlocked, encrypted volume.
1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs`
2. Open an administrator command prompt, and then enter a command similar to the following sample script:
```cmd
cscript.exe GetBitLockerKeyPackage.vbs -?
```
<br>
<details>
<summary>Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume</summary>
```vb
' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
Wscript.Echo
Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
Case 2
If args(0) = "/?" Or args(0) = "-?" Then
ShowUsage
Else
strDriveLetter = args(0)
strFilePath = args(1)
End If
Case Else
ShowUsage
End Select
' --------------------------------------------------------------------------------
' Other Inputs
' --------------------------------------------------------------------------------
' Target computer name
' Use "." to connect to the local computer
strComputerName = "."
' Default key protector ID to use. Specify "" to let the script choose.
strDefaultKeyProtectorID = ""
' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample
' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------
strConnectionStr = "winmgmts:" _
& "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
& strComputerName _
& "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors
Set objWMIService = GetObject(strConnectionStr)
If Err.Number <> 0 Then
WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
Wscript.Echo "Ensure that you are running with administrative privileges."
WScript.Quit -1
End If
On Error GoTo 0
strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
If colTargetVolumes.Count = 0 Then
WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
WScript.Quit -1
End If
' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
set objVolume = objFoundVolume
Next
' objVolume is now our found BitLocker-capable disk volume
' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------
' Collect all possible valid key protector ID's that can be used to get the package
' ----------------------------------------------------------------------------------
nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
nExternalKeyProtectorType = 2 ' type associated with "External Key" protector
nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
' Get first key protector of the type "Numerical Password" or "External Key", if any
' ----------------------------------------------------------------------------------
if strDefaultKeyProtectorID = "" Then
' Save first numerical password, if exists
If UBound(aNumericalKeyProtectorIDs) <> -1 Then
strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
End If
' No numerical passwords exist, save the first external key
If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then
strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
End If
' Fail case: no recovery key protectors exist.
If strDefaultKeyProtectorID = "" Then
WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""."
WScript.Quit -1
End If
End If
' Get some information about the chosen key protector ID
' ----------------------------------------------------------------------------------
' is the type valid?
nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)
If Hex(nRC) = "80070057" Then
WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
WScript.Echo "This ID value may have been provided by the script writer."
ElseIf nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
' what's a string that can be used to describe it?
strDefaultKeyProtectorType = ""
Select Case nDefaultKeyProtectorType
Case nNumericalKeyProtectorType
strDefaultKeyProtectorType = "recovery password"
Case nExternalKeyProtectorType
strDefaultKeyProtectorType = "recovery key"
Case Else
WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
WScript.Echo "This ID value may have been provided by the script writer."
End Select
' Save the backup key package using the chosen key protector ID
' ----------------------------------------------------------------------------------
nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
' Validate file path
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(strFilePath)) Then
WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
WScript.Quit -1
End If
Dim oKeyPackageByte, bKeyPackage
For Each oKeyPackageByte in oKeyPackage
'WScript.echo "key package byte: " & oKeyPackageByte
bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
Next
' Save binary data to the file
SaveBinaryDataText strFilePath, bKeyPackage
' Display helpful information
' ----------------------------------------------------------------------------------
WScript.Echo "The backup key package has been saved to " & strFilePath & "."
WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."
' Display the recovery password or a note about saving the recovery key file
If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then
nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If
WScript.Echo "Save this recovery password: " & sNumericalPassword
ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?"""
End If
'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------
Function SaveBinaryDataText(FileName, ByteArray)
'Create FileSystemObject object
Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
'Create text stream object
Dim TextStream
Set TextStream = FS.CreateTextFile(FileName)
'Convert binary data To text And write them To the file
TextStream.Write BinaryToString(ByteArray)
End Function
Function BinaryToString(Binary)
Dim I, S
For I = 1 To LenB(Binary)
S = S & Chr(AscB(MidB(Binary, I, 1)))
Next
BinaryToString = S
End Function
```
</details>
## Related articles
- [BitLocker overview](index.md)


@ -1,228 +0,0 @@
---
title: How to use the BitLocker drive encryption tools to manage BitLocker
description: Learn how to use tools to manage BitLocker.
ms.collection:
- tier1
ms.topic: how-to
ms.date: 07/25/2023
---
# How to use the BitLocker drive encryption tools to manage BitLocker
BitLocker drive encryption tools include the command-line tools *manage-bde.exe*, *repair-bde.exe*, and the cmdlets for Windows PowerShell.
The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
## Manage-bde
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
### Using manage-bde with operating system volumes
Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on <drive letter>` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.
A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
```cmd
manage-bde.exe -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
![Using manage-bde to check encryption status.](images/manage-bde-status.png)
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
```cmd
manage-bde.exe -protectors -add C: -startupkey E:
manage-bde.exe -on C:
```
> [!NOTE]
> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
```cmd
manage-bde.exe -protectors -add C: -pw -sid <user or group>
```
The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.
On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
```cmd
manage-bde.exe -on C:
```
The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
```cmd
manage-bde.exe -protectors -get <volume>
```
### Using manage-bde with data volumes
Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
`manage-bde.exe -on <drive letter>`
or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
```cmd
manage-bde.exe -protectors -add -pw C:
manage-bde.exe -on C:
```
## BitLocker Repair Tool
Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
The BitLocker Repair Tool (*repair-bde.exe*) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. The key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
> [!TIP]
> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume:
>
> `manage-bde.exe -KeyPackage`
The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions:
- The drive is encrypted using BitLocker Drive Encryption
- Windows doesn't start, or the BitLocker recovery console can't start
- There isn't a backup copy of the data that is contained on the encrypted drive
> [!NOTE]
> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde:
- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.
- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
## BitLocker cmdlets for Windows PowerShell
Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
|Name|Parameters|
|--- |--- |
|**Add-BitLockerKeyProtector**|<li>ADAccountOrGroup<li>ADAccountOrGroupProtector<li>Confirm<li>MountPoint<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>WhatIf|
|**Backup-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
|**Disable-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Disable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Enable-BitLocker**|<li>AdAccountOrGroup<li>AdAccountOrGroupProtector<li>Confirm<li>EncryptionMethod<li>HardwareEncryption<li>Password<li>PasswordProtector<li>Pin<li>RecoveryKeyPath<li>RecoveryKeyProtector<li>RecoveryPassword<li>RecoveryPasswordProtector<li>Service<li>SkipHardwareTest<li>StartupKeyPath<li>StartupKeyProtector<li>TpmAndPinAndStartupKeyProtector<li>TpmAndPinProtector<li>TpmAndStartupKeyProtector<li>TpmProtector<li>UsedSpaceOnly<li>WhatIf|
|**Enable-BitLockerAutoUnlock**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Get-BitLockerVolume**|<li>MountPoint|
|**Lock-BitLocker**|<li>Confirm<li>ForceDismount<li>MountPoint<li>WhatIf|
|**Remove-BitLockerKeyProtector**|<li>Confirm<li>KeyProtectorId<li>MountPoint<li>WhatIf|
|**Resume-BitLocker**|<li>Confirm<li>MountPoint<li>WhatIf|
|**Suspend-BitLocker**|<li>Confirm<li>MountPoint<li>RebootCount<li>WhatIf|
|**Unlock-BitLocker**|<li>AdAccountOrGroup<li>Confirm<li>MountPoint<li>Password<li>RecoveryKeyPath<li>RecoveryPassword<li>RecoveryPassword<li>WhatIf|
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet.
The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details.
> [!TIP]
> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors:
>
> `Get-BitLockerVolume C: | fl`
To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector.
By using this information, the key protector for a specific volume can be removed using the command:
```powershell
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
```
> [!NOTE]
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.
The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
```powershell
Enable-BitLocker C:
```
In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
```powershell
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
```
### Using the BitLocker Windows PowerShell cmdlets with data volumes
Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
SecureString value to store the user-defined password.
```powershell
$pw = Read-Host -AsSecureString
<user inputs password>
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using an AD Account or Group protector in Windows PowerShell
The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster.
> [!WARNING]
> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
```
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
```powershell
get-aduser -filter {samaccountname -eq "administrator"}
```
> [!TIP]
> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.
The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
```
> [!NOTE]
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
## Related articles
- [BitLocker overview](index.md)
- [BitLocker frequently asked questions (FAQ)](faq.yml)
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)


@ -1,45 +0,0 @@
---
title: How to use BitLocker Recovery Password Viewer
description: Learn how to use the BitLocker Recovery Password Viewer tool.
ms.collection:
- tier1
ms.topic: how-to
ms.date: 07/25/2023
---
# How to use BitLocker Recovery Password Viewer
BitLocker Recovery Password Viewer is an optional tool included with the *Remote Server Administration Tools (RSAT)*. With Recovery Password Viewer you can view the BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). The tool is an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in.
With BitLocker Recovery Password Viewer you can:
- Check the Active Directory computer object's properties to find the associated BitLocker recovery passwords
- Search Active Directory for BitLocker recovery password across all the domains in the Active Directory forest. Passwords can also be searched by password identifier (ID)
## Requirements
To complete the procedures in this scenario, the following requirements must be met:
- Domain administrator credentials
- Devices must be joined to the domain
- On the domain-joined devices, BitLocker must be enabled
The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
## View the recovery passwords for a computer object
1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located
1. Right-click the computer object and select **Properties**
1. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer
## Copy the recovery passwords for a computer object
1. Follow the steps in the previous procedure to view the BitLocker recovery passwords
1. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**
1. Press <kbd>CTRL</kbd>+<kbd>V</kbd> to paste the copied text to a destination location, such as a text file or spreadsheet
## Locate a recovery password by using a password ID
1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password**
1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search**
1. Once the recovery password is located, you can use the previous procedure to copy it


@ -0,0 +1,182 @@
---
title: Configure BitLocker
description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
ms.topic: how-to
ms.date: 10/30/2023
---
# Configure BitLocker
To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance polices](/mem/intune/protect/compliance-policy-create-windows#encryption), combining them with [Conditional Access](/azure/active-directory/conditional-access/overview). Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- [Manage BitLocker policy for Windows devices with Intune](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor)
- [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management](/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent)
> [!NOTE]
> Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the section [BitLocker policy settings](#bitlocker-policy-settings).
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
## BitLocker policy settings
This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
> [!IMPORTANT]
> Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
### Policy settings list
The list of settings is sorted alphabetically and organized in four categories:
- **Common settings**: settings applicable to all BitLocker-protected drives
- **Operating system drive**: settings applicable to the drive where Windows is installed
- **Fixed data drives**: settings applicable to any local drives, except the operating system drive
- **Removable data drives**: settings applicable to any removable drives
Select one of the tabs to see the list of available settings:
#### [:::image type="icon" source="images/locked-drive.svg"::: **Common settings**](#tab/common)
The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
|Policy name| CSP | GPO |
|-|-|-|
|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
|[Require device encryption](#require-device-encryption)|✅|❌|
|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
|Policy name| CSP | GPO |
|-|-|-|
|[Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN](#allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-preboot-pin)|✅|✅|
|[Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)|✅|✅|
|[Allow network unlock at startup](#allow-network-unlock-at-startup)|❌|✅|
|[Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)|❌|✅|
|[Allow Warning For Other Disk Encryption](#allow-warning-for-other-disk-encryption)|✅|❌|
|[Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)|✅|✅|
|[Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)|✅|✅|
|[Configure pre-boot recovery message and URL](#configure-preboot-recovery-message-and-url)|✅|✅|
|[Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)|❌|✅|
|[Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)|❌|✅|
|[Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)|❌|✅|
|[Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)|❌|✅|
|[Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)|✅|✅|
|[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
|[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
|[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
|[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
|[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
[!INCLUDE [allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin](includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md)]
[!INCLUDE [allow-enhanced-pins-for-startup](includes/allow-enhanced-pins-for-startup.md)]
[!INCLUDE [allow-network-unlock-at-startup](includes/allow-network-unlock-at-startup.md)]
[!INCLUDE [allow-secure-boot-for-integrity-validation](includes/allow-secure-boot-for-integrity-validation.md)]
[!INCLUDE [allow-warning-for-other-disk-encryption](includes/allow-warning-for-other-disk-encryption.md)]
[!INCLUDE [choose-how-bitlocker-protected-operating-system-drives-can-be-recovered](includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md)]
[!INCLUDE [configure-minimum-pin-length-for-startup](includes/configure-minimum-pin-length-for-startup.md)]
[!INCLUDE [configure-pre-boot-recovery-message-and-url](includes/configure-pre-boot-recovery-message-and-url.md)]
[!INCLUDE [configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md)]
[!INCLUDE [configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md)]
[!INCLUDE [configure-use-of-hardware-based-encryption-for-operating-system-drives](includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md)]
[!INCLUDE [configure-use-of-passwords-for-operating-system-drives](includes/configure-use-of-passwords-for-operating-system-drives.md)]
[!INCLUDE [disallow-standard-users-from-changing-the-pin-or-password](includes/disallow-standard-users-from-changing-the-pin-or-password.md)]
[!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
[!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
[!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
[!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
[!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Fixed data drives**](#tab/fixed)
|Policy name| CSP | GPO |
|-|-|-|
|[Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)|✅|✅|
|[Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)|❌|✅|
|[Configure use of passwords for fixed data drives](#configure-use-of-passwords-for-fixed-data-drives)|❌|✅|
|[Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)|❌|✅|
|[Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)|✅|✅|
|[Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)|✅|✅|
[!INCLUDE [choose-how-bitlocker-protected-fixed-drives-can-be-recovered](includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md)]
[!INCLUDE [configure-use-of-hardware-based-encryption-for-fixed-data-drives](includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md)]
[!INCLUDE [configure-use-of-passwords-for-fixed-data-drives](includes/configure-use-of-passwords-for-fixed-data-drives.md)]
[!INCLUDE [configure-use-of-smart-cards-on-fixed-data-drives](includes/configure-use-of-smart-cards-on-fixed-data-drives.md)]
[!INCLUDE [deny-write-access-to-fixed-drives-not-protected-by-bitlocker](includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md)]
[!INCLUDE [enforce-drive-encryption-type-on-fixed-data-drives](includes/enforce-drive-encryption-type-on-fixed-data-drives.md)]
#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Removable data drives**](#tab/removable)
|Policy name| CSP | GPO |
|-|-|-|
|[Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)|❌|✅|
|[Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)|❌|✅|
|[Configure use of passwords for removable data drives](#configure-use-of-passwords-for-removable-data-drives)|❌|✅|
|[Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)|❌|✅|
|[Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)|✅|✅|
|[Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)|✅|✅|
|[Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)|✅|✅|
|[Removable Drives Excluded From Encryption](#removable-drives-excluded-from-encryption)|✅|❌|
[!INCLUDE [choose-how-bitlocker-protected-removable-drives-can-be-recovered](includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md)]
[!INCLUDE [configure-use-of-hardware-based-encryption-for-removable-data-drives](includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md)]
[!INCLUDE [configure-use-of-passwords-for-removable-data-drives](includes/configure-use-of-passwords-for-removable-data-drives.md)]
[!INCLUDE [configure-use-of-smart-cards-on-removable-data-drives](includes/configure-use-of-smart-cards-on-removable-data-drives.md)]
[!INCLUDE [control-use-of-bitlocker-on-removable-drives](includes/control-use-of-bitlocker-on-removable-drives.md)]
[!INCLUDE [deny-write-access-to-removable-drives-not-protected-by-bitlocker](includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md)]
[!INCLUDE [enforce-drive-encryption-type-on-removable-data-drives](includes/enforce-drive-encryption-type-on-removable-data-drives.md)]
[!INCLUDE [removable-drives-excluded-from-encryption](includes/removable-drives-excluded-from-encryption.md)]
---
## BitLocker and policy settings compliance
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.
To learn more how to manage BitLocker, review the [BitLocker operations guide](operations-guide.md).
## Configure and manage servers
Servers are often deployed, configured, and managed using PowerShell. The recommendation is to use group policy settings to configure BitLocker on servers, and to manage BitLocker using PowerShell.
BitLocker is an optional component in Windows Server. Follow the directions in [Install BitLocker on Windows Server](install-server.md) to add the BitLocker optional component.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If a server is installed manually, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [Network Unlock](network-unlock.md).
## Next steps
> [!div class="nextstepaction"]
> Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.
>
>
> [BitLocker operations guide >](operations-guide.md)


@ -0,0 +1,146 @@
---
title: BitLocker countermeasures
description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
ms.topic: concept-article
ms.date: 10/30/2023
---
# BitLocker countermeasures
Windows uses hardware solutions and security features that protect BitLocker encryption keys against attacks. These technologies include *Trusted Platform Module (TPM)*, *Secure Boot*, and *Measured Boot*.
## Protection before startup
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot:
- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- *Unified Extensible Firmware Interface (UEFI)* is a programmable boot environment that initializes devices and starts the operating system's bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md)
- *Secure Boot* blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key
### BitLocker and reset attacks
To defend against malicious reset attacks, BitLocker uses the *TCG Reset Attack Mitigation*, also known as *MOR bit* (Memory Overwrite Request), before extracting keys into memory.
## Security policies
Preboot authentication and DMA policies provide extra protection for BitLocker.
### Preboot authentication
Preboot authentication with BitLocker can require the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible.
BitLocker accesses and stores the encryption keys in memory only after preboot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing preboot authentication is entering the *recovery key*.
Preboot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor. This feature helps mitigate DMA and memory remanence attacks.
On devices with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
- **TPM-only**: this option doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. The user must then enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor
- **TPM with startup key**: in addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a *startup key*. Data on the encrypted volume can't be accessed without the startup key
- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN
- **TPM with startup key and PIN**: in addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the PIN is also required
Preboot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Preboot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
On the other hand, Preboot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Preboot authentication can also make it more difficult to update unattended or remotely administered devices because a PIN must be entered when a device reboots or resumes from hibernation.
To address these issues, [BitLocker Network Unlock](network-unlock.md) can be deployed. Network Unlock allows systems that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to a Windows Deployment Services (WDS) server.
To learn more, see the policy setting [Require additional authentication at startup](configure.md?tabs=os#require-additional-authentication-at-startup).
### Protect DMA ports
It's important to protect DMA ports, as external peripherals might gain unauthorized access to memory. Depending on the device capabilities, there are different options to protect DMA ports. To learn more, see the policy setting [Disable new DMA devices when this computer is locked](configure.md?tabs=common#disable-new-dma-devices-when-this-computer-is-locked).
## Attack countermeasures
This section covers countermeasures for specific types of attacks.
### Bootkits and rootkits
A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key isn't released.
> [!NOTE]
> BitLocker protects against this attack by default.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
### Brute force attacks against a PIN
Require TPM + PIN for anti-hammering protection.
### DMA attacks
See [Protect DMA ports](#protect-dma-ports) earlier in this article.
### Paging file, crash dump, and Hyberfil.sys attacks
These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
### Memory remanence
Enable secure boot and mandatorily use a password to change BIOS settings. For scenarios requiring protection against these advanced attacks, configure a `TPM+PIN` protector, disable *standby* power management, and shut down or hibernate the device before it leaves the control of an authorized user.
The Windows default power settings cause devices to enter *sleep mode* when idle. When a device transitions to sleep, running programs and documents are persisted in memory. When a device resumes from sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This scenario might lead to conditions where data security is compromised.
When a device *hibernates*, the drive is locked. When the device resumes from hibernation, the drive is unlocked, which means that users must provide a PIN or a startup key if using multifactor authentication with BitLocker.
Therefore, organizations that use BitLocker might want to use Hibernate instead of Sleep for improved security.
> [!NOTE]
> This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
### Tricking BitLocker to pass the key to a rogue operating system
An attacker might modify the boot manager configuration database (BCD), which is stored on a nonencrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code makes sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
## Attacker countermeasures
The following sections cover mitigations for different types of attackers.
### Attacker without much skill or with limited physical access
Physical access might be limited in a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
Mitigation:
- Preboot authentication set to TPM only (the default)
### Attacker with skill and lengthy physical access
Targeted attack with plenty of time; the attacker opens the case, solder, and uses sophisticated hardware or software.
Mitigation:
- Preboot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-And-
- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following policy settings:
- **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Show hibernate in the power options menu**
- **Computer Configuration** > **Policies** > **Administrative Templates** > **Power Management** > **Sleep Settings** >
- **Allow standby states (S1-S3) when sleeping (plugged in)**
- **Allow standby states (S1-S3) when sleeping (on battery)**
> [!IMPORTANT]
> These settings are **not configured** by default.
For some systems, bypassing TPM-only might require opening the case and require soldering, but can be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. To learn more about the policy setting, see [Allow enhanced PINs for startup](configure.md?tabs=os#allow-enhanced-pins-for-startup).
For secure administrative workstations, it's recommended to:
- use a TPM with PIN protector
- disable standby power management
- shut down or hibernate the device before it leaves the control of an authorized user
## Next steps
> [!div class="nextstepaction"]
> Learn how to plan for a BitLocker deployment in your organization:
>
> [BitLocker planning guide >](planning-guide.md)


@ -1,33 +1,31 @@
--- ---
title: Protecting cluster shared volumes and storage area networks with BitLocker title: Protect cluster shared volumes and storage area networks with BitLocker
description: This article for IT pros describes how to protect CSVs and SANs with BitLocker. description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
ms.topic: conceptual ms.topic: how-to
ms.date: 11/08/2022 ms.date: 10/30/2023
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016</a>
--- ---
# Protecting cluster shared volumes and storage area networks with BitLocker # Protect cluster shared volumes and storage area networks with BitLocker
**Applies to:** This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) with BitLocker.
- Windows Server 2016 and above BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker. ## Configure BitLocker on cluster shared volumes
BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume. Volumes within a cluster are managed with the help of BitLocker based on how the cluster service *sees* the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN, or network attached storage (NAS).
## Configuring BitLocker on Cluster Shared Volumes
### Using BitLocker with clustered volumes
Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS).
> [!IMPORTANT] > [!IMPORTANT]
> SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/). > SANs used with BitLocker must have obtained Windows Hardware Certification. For more information, check [Windows Hardware Lab Kit](/windows-hardware/drivers/).
Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks: The volumes that are designated for a cluster must do the following tasks:
- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool. - turn on BitLocker: only after this task is done, the volumes can be added to the storage pool
- It must put the resource into maintenance mode before BitLocker operations are completed. - must put the resource into maintenance mode before BitLocker operations are completed.
Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item. Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
@ -60,7 +58,7 @@ An Active Directory Domain Services (AD DS) protector can also be used for prote
BitLocker encryption is available for disks before these disks are added to a cluster storage pool. BitLocker encryption is available for disks before these disks are added to a cluster storage pool.
> [!NOTE] > [!NOTE]
> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool. > The advantage of The BitLocker encryption can even be made available for disks after they are added to a cluster storage pool.
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation.
To turn on BitLocker for a disk before adding it to a cluster: To turn on BitLocker for a disk before adding it to a cluster:
@ -92,27 +90,19 @@ To turn on BitLocker for a disk before adding it to a cluster:
When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps: When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps:
1. Install the BitLocker drive encryption feature if it isn't already installed. 1. Install the BitLocker drive encryption feature if it isn't already installed.
2. Check the status of the cluster disk using Windows PowerShell. 2. Check the status of the cluster disk using Windows PowerShell.
```powershell ```powershell
Get-ClusterResource "Cluster Disk 1" Get-ClusterResource "Cluster Disk 1"
``` ```
3. Put the physical disk resource into maintenance mode using Windows PowerShell. 3. Put the physical disk resource into maintenance mode using Windows PowerShell.
```powershell ```powershell
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
``` ```
4. Identify the name of the cluster with Windows PowerShell. 4. Identify the name of the cluster with Windows PowerShell.
```powershell ```powershell
Get-Cluster Get-Cluster
``` ```
5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: 5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
```powershell ```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
``` ```
@ -133,17 +123,14 @@ When the cluster service owns a disk resource already, the disk resource needs t
**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are: **`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
1. Verify that the BitLocker drive encryption feature is installed on the computer. 1. Verify that the BitLocker drive encryption feature is installed on the computer.
2. Ensure new storage is formatted as NTFS. 2. Ensure new storage is formatted as NTFS.
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a Command Prompt window. For example:
3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
```cmd ```cmd
manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync manage-bde.exe -on -used <drive letter> -RP -sid domain\CNO$ -sync
``` ```
1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues. 1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool. 2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered. 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.
@ -153,7 +140,6 @@ When the cluster service owns a disk resource already, the disk resource needs t
5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted. 5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
1. If the volume isn't BitLocker enabled, traditional cluster online operations occur. 1. If the volume isn't BitLocker enabled, traditional cluster online operations occur.
2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed. 2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**". 6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**".
@ -196,16 +182,10 @@ In the case where a physical disk resource experiences a failover event during c
Some other considerations to take into account for BitLocker on clustered storage include: Some other considerations to take into account for BitLocker on clustered storage include:
- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume. - BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode
- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster
- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode. - If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster
- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance
- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster. - If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode
- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.


@ -5,7 +5,7 @@ metadata:
ms.collection: ms.collection:
- tier1 - tier1
ms.topic: faq ms.topic: faq
ms.date: 07/25/2023 ms.date: 10/30/2023
title: BitLocker FAQ title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions. summary: Learn more about BitLocker by reviewing the frequently asked questions.
@ -14,55 +14,29 @@ sections:
### YamlMime:FAQ ### YamlMime:FAQ
- name: Overview and requirements - name: Overview and requirements
questions: questions:
- question: How does BitLocker work?
answer: |
**How BitLocker works with operating system drives**
BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
**How BitLocker works with fixed and removable data drives**
BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
- question: Does BitLocker support multifactor authentication? - question: Does BitLocker support multifactor authentication?
answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection. answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
- question: What are the BitLocker hardware and software requirements? - question: Why are two partitions required?
answer: |
For requirements, see [System requirements](index.md#system-requirements).
> [!NOTE]
> Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
- question: Why are two partitions required? Why does the system drive have to be so large?
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive. answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
- question: Which Trusted Platform Modules (TPMs) does BitLocker support?
answer: |
BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
> [!NOTE]
> TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
- question: How can I tell if a computer has a TPM? - question: How can I tell if a computer has a TPM?
answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer. answer: The TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
- question: Can I use BitLocker on an operating system drive without a TPM? - question: Can I use BitLocker on an operating system drive without a TPM?
answer: | answer: |
Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide. Yes, BitLocker can be enabled on an operating system drive without a TPM, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements. To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer? - question: How do I obtain BIOS support for the TPM on my computer?
answer: | answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements: Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- It's compliant with the TCG standards for a client computer. - It's compliant with the TCG standards for a client computer
- It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer. - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer
- question: What credentials are required to use BitLocker? - question: What user rights are required to use BitLocker?
answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership to the local *Administrators* group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected? - question: What is the recommended boot order for computers that are going to be BitLocker-protected?
answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked. answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
@ -70,16 +44,16 @@ sections:
- name: BitLocker and Windows upgrade - name: BitLocker and Windows upgrade
questions: questions:
- question: | - question: |
Can I upgrade to Windows 10 with BitLocker enabled? Can I upgrade Windows versions with BitLocker enabled?
answer: | answer: |
Yes. Yes.
- question: | - question: |
What is the difference between suspending and decrypting BitLocker? What is the difference between suspending and decrypting BitLocker?
answer: | answer: |
**Decrypt** completely removes BitLocker protection and fully decrypts the drive. *Decrypt* completely removes BitLocker protection and fully decrypts the drive.
**Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased. *Suspend* keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the *Suspend* option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- question: | - question: |
Do I have to suspend BitLocker protection to download and install system updates and upgrades? Do I have to suspend BitLocker protection to download and install system updates and upgrades?
@ -87,25 +61,22 @@ sections:
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start). No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as: Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection. - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection
- Non-Microsoft application updates that modify the UEFI\BIOS configuration. - Non-Microsoft application updates that modify the UEFI\BIOS configuration
- Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation). - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation)
- Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates). - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates)
- BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**. - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it reports **Uses Secure Boot for integrity validation**
> [!NOTE] > [!NOTE]
> If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer. > If BitLocker is suspended, you can resume BitLocker protection after the upgrade or update is installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
- name: Deployment and administration - name: Deployment and administration
questions: questions:
- question: Can BitLocker deployment be automated in an enterprise environment? - question: Can BitLocker deployment be automated in an enterprise environment?
answer: | answer: |
Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps). Yes, the deployment and configuration BitLocker can be automated using either Windows PowerShell or with the `manage-bde.exe` command. For more information about common BitLocker management commands, check the [BitLocker operations guide](operations-guide.md).
- question: Can BitLocker encrypt more than just the operating system drive?
answer: Yes.
- question: Is there a noticeable performance impact when BitLocker is enabled on a computer? - question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate. answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
@ -121,39 +92,41 @@ sections:
- question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data? - question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive. answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
- question: How can I prevent users on a network from storing data on an unencrypted drive? - question: How can I prevent users from storing data on an unencrypted drive?
answer: | answer: |
Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker policy settings](configure.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only. When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
- question: What is Used Disk Space Only encryption? - question: |
What is Used Disk Space Only encryption?
answer: | answer: |
BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption). BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](planning-guide.md#used-disk-space-only-encryption).
- question: What system changes would cause the integrity check on my operating system drive to fail? - question: |
What system changes would cause the integrity check on the OS drive to fail?
answer: | answer: |
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive: The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- Moving the BitLocker-protected drive into a new computer. - Moving the BitLocker-protected drive into a new computer
- Installing a new motherboard with a new TPM. - Installing a new motherboard with a new TPM
- Turning off, disabling, or clearing the TPM. - Turning off, disabling, or clearing the TPM
- Changing any boot configuration settings. - Changing any boot configuration settings
- Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data. - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data
- question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive? - question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
answer: | answer: |
Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode. Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example: For example:
- Changing the BIOS boot order to boot another drive in advance of the hard drive. - Changing the BIOS boot order to boot another drive in advance of the hard drive
- Adding or removing hardware, such as inserting a new card in the computer. - Adding or removing hardware, such as inserting a new card in the computer
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer. - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed. The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
- question: What can prevent BitLocker from binding to PCR 7? - question: What can prevent BitLocker from binding to PCR 7?
answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it. answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it's disabled or the hardware doesn't support it.
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? - question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
@ -161,57 +134,79 @@ sections:
- question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? - question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key. answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
- question: Why is **Turn BitLocker on** not available when I right-click a drive? - question: Why isn't the "Turn BitLocker on" option available when I right-click a drive?
answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted. answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
- question: What type of disk configurations are supported by BitLocker? - question: What type of disk configurations are supported by BitLocker?
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
- name: Key Management - name: Key Management
questions: questions:
- question: How can I authenticate or unlock my removable data drive? - question: How can I authenticate or unlock my removable data drive?
answer: | answer: |
Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`: Removable data drives can be unlocked using a password or a smart card. A SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
```cmd ```cmd
Manage-bde.exe -protectors -add e: -sid <i>domain\username</i></code> Manage-bde.exe -protectors -add e: -sid domain\username
``` ```
- question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key? - question: What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?
answer: | answer: |
For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods). There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
**TPM owner password**
Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.
**Recovery password and recovery key**
When you set up BitLocker, you must choose how access to BitLocker-protected drives can be recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot validate the boot components, the personal identification number (PIN) is forgotten, or the password is forgotten). In these situations, you must be able to supply either the recovery key or the recovery password to unlock the encrypted data on the drive. When you supply the recovery information, you can use either of the following formats:
- A recovery password consisting of 48 digits divided into eight groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard
- A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device
**PIN and enhanced PIN**
For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the *Configure minimum PIN length for startup* policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.\
For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the *Allow enhanced PINs for startup* policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.
**Startup key**
Configuring a startup key is another method to enable a higher level of security with the TPM. The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.
>[!IMPORTANT]
> You must have a startup key to use BitLocker on a non-TPM computer.
- question: How can the recovery password and recovery key be stored? - question: How can the recovery password and recovery key be stored?
answer: | answer: |
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed. The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive. For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive. A domain administrator can also configure policy settings to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) or Microsoft Entra ID for any BitLocker-protected drive.
- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled? - question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: | answer: |
The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN: The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated Command Prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
```cmd ```cmd
manage-bde.exe -protectors -delete %systemdrive% -type tpm manage-bde.exe -protectors -delete %systemdrive% -type tpm
manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN> manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
``` ```
- question: When should an additional method of authentication be considered? - question: When should an additional method of authentication be considered?
answer: | answer: |
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack. New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers. For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](configure.md) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable? - question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
answer: | answer: |
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT] > [!IMPORTANT]
> Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location. > Store the recovery information in Microsoft Entra ID, AD DS, Microsoft Account, or another safe location.
- question: Can the USB flash drive that is used as the startup key also be used to store the recovery key? - question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check. answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
@ -247,7 +242,7 @@ sections:
It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer. It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks. The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset. After the TPM's manufacturer is determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
- question: How can I determine the manufacturer of my TPM? - question: How can I determine the manufacturer of my TPM?
answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**. answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
@ -260,11 +255,15 @@ sections:
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters? - What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset? - What actions can cause the failure count and lockout duration to be decreased or reset?
- question: Can PIN length and complexity be managed with Group Policy? - question: Can PIN length and complexity be managed with policy settings?
answer: | answer: |
Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** policy setting. PIN complexity can't be required via policy settings.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more info, see [BitLocker policy settings](configure.md).
- question: How are the PIN and TPM used to derive the volume master key?
answer: |
BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, you are required to enter the PIN each time the computer restarts or resumes from hibernation.
- name: BitLocker To Go - name: BitLocker To Go
questions: questions:
@ -288,34 +287,23 @@ sections:
answer: | answer: |
Stored information | Description Stored information | Description
-------------------|------------ -------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
- question: | - question: |
What if BitLocker is enabled on a computer before the computer has joined the domain? What if BitLocker is enabled on a computer before the computer joins the domain?
answer: | answer: |
If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS. If BitLocker is enabled on a drive before policy settings are applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when the policy settings are subsequently applied. However, the policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more information how to back up the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md).
The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
```powershell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
```
> [!IMPORTANT] > [!IMPORTANT]
> Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled with policy settings).
- question: | - question: |
Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? Is there an event log entry recorded on the client computer to indicate the success or failure of the Microsoft Entra ID or Active Directory backup?
answer: | answer: |
Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed. Yes, an event log entry that indicates the success or failure of a backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool. Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
@ -329,28 +317,28 @@ sections:
answer: | answer: |
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS. If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. When an administrator selects the **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). For more info, see [BitLocker policy settings](configure.md).
When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored. When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer joins the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-joins-the-domain-) to capture the information after connectivity is restored.
- name: Security - name: Security
questions: questions:
- question: | - question: |
What form of encryption does BitLocker use? Is it configurable? What form of encryption does BitLocker use? Is it configurable?
answer: | answer: |
BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy. BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using policy settings.
- question: | - question: |
What is the best practice for using BitLocker on an operating system drive? What is the best practice for using BitLocker on an operating system drive?
answer: | answer: |
The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer. The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher.
- question: | - question: |
What are the implications of using the sleep or hibernate power management options? What are the implications of using the sleep or hibernate power management options?
answer: | answer: |
BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). BitLocker on operating system drives in its basic configuration provides extra security for the hibernate mode. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode. Startup authentication can be configured by using a [policy setting](configure.md).
- question: | - question: |
What are the advantages of a TPM? What are the advantages of a TPM?
@ -363,9 +351,9 @@ sections:
- name: Network Unlock - name: Network Unlock
questions: questions:
- question: | - question: |
BitLocker Network Unlock FAQ What is BitLocker Network Unlock?
answer: | answer: |
BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method. BitLocker Network Unlock enables easier management for BitLocker-enabled clients and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it. To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
@ -373,7 +361,7 @@ sections:
Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network. Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). For more info, see [BitLocker: How to enable Network Unlock](network-unlock.md).
- name: Use BitLocker with other programs - name: Use BitLocker with other programs
questions: questions:
@ -412,13 +400,13 @@ sections:
answer: | answer: |
The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons: The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- The computer's BIOS or UEFI firmware can't read USB flash drives. - The computer's BIOS or UEFI firmware can't read USB flash drives
- The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled. - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled
- There are multiple USB flash drives inserted into the computer. - There are multiple USB flash drives inserted into the computer
- The PIN wasn't entered correctly. - The PIN wasn't entered correctly
- The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment. - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment
- The startup key was removed before the computer finished rebooting. - The startup key was removed before the computer finished rebooting
- The TPM has malfunctioned and fails to unseal the keys. - The TPM has malfunctioned and fails to unseal the keys
- question: | - question: |
What can I do if the recovery key on my USB flash drive can't be read? What can I do if the recovery key on my USB flash drive can't be read?
@ -466,11 +454,11 @@ sections:
answer: | answer: |
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it's supported. - With TPM: Yes, it's supported.
- Without TPM: Yes, it's supported (with password protector). - Without TPM: Yes, it's supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. BitLocker is also supported on data volume VHDs, such as those used by clusters.
- question: | - question: |
Can I use BitLocker with virtual machines (VMs)? Can I use BitLocker with virtual machines (VMs)?
answer: | answer: |
Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Microsoft Entra joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators. Yes, BitLocker can be used with virtual machines (VMs) if the environment meets BitLocker's hardware and software requirements.

Binary file not shown.


Binary file not shown.



@ -0,0 +1,9 @@
<svg width="20" height="17" viewBox="0 0 20 17" fill="none" xmlns="http://www.w3.org/2000/svg">
<rect x="0.90909" y="1.88889" width="18.1818" height="14.1667" fill="black"/>
<path d="M4.45117 6.87549C4.30957 6.93245 4.17204 6.97477 4.03857 7.00244C3.90674 7.03011 3.76921 7.04395 3.62598 7.04395C3.39648 7.04395 3.19303 7.01058 3.01562 6.94385C2.83984 6.87549 2.69092 6.77458 2.56885 6.64111C2.4484 6.50765 2.35645 6.34245 2.29297 6.14551C2.23112 5.94694 2.2002 5.71663 2.2002 5.45459C2.2002 5.18604 2.23438 4.94759 2.30273 4.73926C2.37109 4.5293 2.46875 4.3527 2.5957 4.20947C2.72266 4.06462 2.87646 3.95475 3.05713 3.87988C3.23942 3.80339 3.44368 3.76514 3.66992 3.76514C3.74316 3.76514 3.81152 3.76676 3.875 3.77002C3.9401 3.77327 4.00358 3.77979 4.06543 3.78955C4.12728 3.79769 4.18994 3.80908 4.25342 3.82373C4.31689 3.83838 4.38281 3.8571 4.45117 3.87988V4.47559C4.31283 4.41048 4.18099 4.3641 4.05566 4.33643C3.93034 4.30876 3.81641 4.29492 3.71387 4.29492C3.5625 4.29492 3.43311 4.32259 3.32568 4.37793C3.21826 4.43164 3.12956 4.50814 3.05957 4.60742C2.99121 4.70508 2.94076 4.82227 2.9082 4.95898C2.87565 5.09408 2.85938 5.243 2.85938 5.40576C2.85938 5.57829 2.87565 5.73291 2.9082 5.86963C2.94238 6.00472 2.99447 6.11947 3.06445 6.21387C3.13444 6.30827 3.22396 6.3807 3.33301 6.43115C3.44206 6.47998 3.57145 6.50439 3.72119 6.50439C3.7749 6.50439 3.83268 6.49951 3.89453 6.48975C3.95801 6.47835 4.02148 6.46452 4.08496 6.44824C4.15007 6.43034 4.21354 6.40999 4.27539 6.38721C4.33887 6.36279 4.39746 6.33838 4.45117 6.31396V6.87549ZM6.12354 4.49512C6.18538 4.49512 6.24316 4.50651 6.29688 4.5293C6.35059 4.55208 6.39697 4.58382 6.43604 4.62451C6.4751 4.66357 6.50602 4.70996 6.52881 4.76367C6.5516 4.81738 6.56299 4.87435 6.56299 4.93457C6.56299 4.99642 6.5516 5.0542 6.52881 5.10791C6.50602 5.16162 6.4751 5.20801 6.43604 5.24707C6.39697 5.28613 6.35059 5.31706 6.29688 5.33984C6.24316 5.36263 6.18538 5.37402 6.12354 5.37402C6.06169 5.37402 6.00391 5.36263 5.9502 5.33984C5.89811 5.31706 5.85173 5.28613 5.81104 5.24707C5.77197 5.20801 5.74105 5.16162 5.71826 5.10791C5.69548 5.0542 5.68408 4.99642 5.68408 4.93457C5.68408 4.87435 5.69548 4.81738 5.71826 
4.76367C5.74105 4.70996 5.77197 4.66357 5.81104 4.62451C5.85173 4.58382 5.89811 4.55208 5.9502 4.5293C6.00391 4.50651 6.06169 4.49512 6.12354 4.49512ZM6.12354 6.17725C6.18538 6.17725 6.24316 6.18864 6.29688 6.21143C6.35059 6.23421 6.39697 6.26514 6.43604 6.3042C6.4751 6.34326 6.50602 6.38965 6.52881 6.44336C6.5516 6.49707 6.56299 6.55404 6.56299 6.61426C6.56299 6.67611 6.5516 6.73389 6.52881 6.7876C6.50602 6.84131 6.4751 6.88851 6.43604 6.9292C6.39697 6.96826 6.35059 6.99919 6.29688 7.02197C6.24316 7.04476 6.18538 7.05615 6.12354 7.05615C6.06169 7.05615 6.00391 7.04476 5.9502 7.02197C5.89811 6.99919 5.85173 6.96826 5.81104 6.9292C5.77197 6.88851 5.74105 6.84131 5.71826 6.7876C5.69548 6.73389 5.68408 6.67611 5.68408 6.61426C5.68408 6.55404 5.69548 6.49707 5.71826 6.44336C5.74105 6.38965 5.77197 6.34326 5.81104 6.3042C5.85173 6.26514 5.89811 6.23421 5.9502 6.21143C6.00391 6.18864 6.06169 6.17725 6.12354 6.17725ZM8.36719 3.55029L10.0737 7.5249H9.49268L7.78857 3.55029H8.36719ZM10.2471 8.00098V7.52979H12.9961V8.00098H10.2471ZM12.9961 8.00098V7.52979H15.7451V8.00098H12.9961Z" fill="white"/>
<rect x="0.90909" y="0.944443" width="18.1818" height="1.88889" fill="#D9D9D9"/>
<rect x="17.2727" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="15.4545" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="13.6364" y="0.944443" width="0.909091" height="0.944444" fill="#605E5C"/>
<rect x="0.5" y="0.5" width="19" height="16" stroke="#CDCDCD"/>
</svg>


File diff suppressed because one or more lines are too long



@ -0,0 +1,75 @@
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_49_3935)">
<g clip-path="url(#clip1_49_3935)">
<path d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="#E1E3E6"/>
<path opacity="0.5" d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="url(#paint0_linear_49_3935)"/>
<path opacity="0.5" d="M1.16016 9.1783L4.76679 5.19317C4.87925 5.07028 5.02383 5.00006 5.18448 5.00006H14.8156C14.9682 5.00006 15.1208 5.07028 15.2333 5.19317L18.8399 9.1783H1.16016Z" fill="url(#paint1_linear_49_3935)"/>
<path d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint2_linear_49_3935)"/>
<path opacity="0.6" d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint3_linear_49_3935)"/>
<path opacity="0.6" d="M1.56477 15H18.4352C18.7499 15 19 14.7309 19 14.3922V9.60785C19 9.26921 18.7499 9.00003 18.4352 9.00003H1.56477C1.25011 9.00003 1 9.26921 1 9.60785V14.3922C1 14.7222 1.25818 15 1.56477 15Z" fill="url(#paint4_linear_49_3935)"/>
<path d="M17.4667 14H2.53333C2.23619 14 2 13.752 2 13.44V9.00003H18V13.44C18 13.752 17.7638 14 17.4667 14Z" fill="url(#paint5_linear_49_3935)"/>
<path d="M18.4375 9.07717C18.7107 9.07717 18.9277 9.3086 18.9277 9.60003V14.4C18.9277 14.6915 18.7107 14.9229 18.4375 14.9229H1.5625C1.28929 14.9229 1.07232 14.6915 1.07232 14.4V9.60003C1.07232 9.3086 1.28929 9.07717 1.5625 9.07717H18.4375ZM18.4375 9.00003H1.5625C1.24911 9.00003 1 9.26574 1 9.60003V14.4C1 14.7343 1.24911 15 1.5625 15H18.4375C18.7509 15 19 14.7343 19 14.4V9.60003C19 9.26574 18.7509 9.00003 18.4375 9.00003Z" fill="url(#paint6_linear_49_3935)"/>
<path opacity="0.15" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.522914" stroke-miterlimit="10"/>
<path opacity="0.3" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.261461" stroke-miterlimit="10"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" fill="#00B300"/>
<path d="M4.3911 11.9616C4.77598 11.899 5.03555 11.5409 4.9729 11.1561C4.955 11.0755 4.92814 10.9949 4.89234 10.9233C4.74913 10.8249 4.57011 10.7801 4.38214 10.807C3.99726 10.8696 3.73769 11.2277 3.80034 11.6125C3.81824 11.6931 3.8451 11.7737 3.8809 11.8453C4.02411 11.9437 4.20313 11.9885 4.3911 11.9616Z" fill="url(#paint7_radial_49_3935)"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.0894687" stroke-miterlimit="10"/>
</g>
</g>
<defs>
<linearGradient id="paint0_linear_49_3935" x1="13.9892" y1="4.95508" x2="14.6969" y2="4.35094" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint1_linear_49_3935" x1="6.00862" y1="4.95507" x2="5.30105" y2="4.35125" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint2_linear_49_3935" x1="10.0039" y1="14.9968" x2="10.0039" y2="8.9946" gradientUnits="userSpaceOnUse">
<stop stop-color="#ABABAB"/>
<stop offset="0.1971" stop-color="#A7A7A7"/>
<stop offset="0.3984" stop-color="#9B9B9B"/>
<stop offset="0.6016" stop-color="#868686"/>
<stop offset="0.8047" stop-color="#6A6A6A"/>
<stop offset="1" stop-color="#474747"/>
</linearGradient>
<linearGradient id="paint3_linear_49_3935" x1="7.39469" y1="9.18753" x2="6.70448" y2="8.54622" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint4_linear_49_3935" x1="12.6133" y1="9.18753" x2="13.3035" y2="8.54621" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint5_linear_49_3935" x1="10" y1="14" x2="10" y2="8.99894" gradientUnits="userSpaceOnUse">
<stop stop-color="#666666"/>
<stop offset="0.109" stop-color="#5E5E5E"/>
<stop offset="0.6917" stop-color="#393939"/>
<stop offset="1" stop-color="#2B2B2B"/>
</linearGradient>
<linearGradient id="paint6_linear_49_3935" x1="10" y1="15" x2="10" y2="9.00003" gradientUnits="userSpaceOnUse">
<stop stop-color="#C9C9C9"/>
<stop offset="0.3698" stop-color="#CDCDCD"/>
<stop offset="0.7464" stop-color="#D9D9D9"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<radialGradient id="paint7_radial_49_3935" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(4.33069 11.589) rotate(-117.661) scale(0.94236 0.847944)">
<stop stop-color="#BDFFBD"/>
<stop offset="1" stop-color="#00FF00"/>
</radialGradient>
<clipPath id="clip0_49_3935">
<rect width="20" height="20" fill="white"/>
</clipPath>
<clipPath id="clip1_49_3935">
<rect width="20" height="20" fill="white"/>
</clipPath>
</defs>
</svg>



@ -0,0 +1,351 @@
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_49_4097)">
<g clip-path="url(#clip1_49_4097)">
<path d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="#E1E3E6"/>
<path opacity="0.5" d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="url(#paint0_linear_49_4097)"/>
<path opacity="0.5" d="M1.16016 9.1783L4.76679 5.19317C4.87925 5.07028 5.02383 5.00006 5.18448 5.00006H14.8156C14.9682 5.00006 15.1208 5.07028 15.2333 5.19317L18.8399 9.1783H1.16016Z" fill="url(#paint1_linear_49_4097)"/>
<path d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint2_linear_49_4097)"/>
<path opacity="0.6" d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint3_linear_49_4097)"/>
<path opacity="0.6" d="M1.56477 15H18.4352C18.7499 15 19 14.7309 19 14.3922V9.60785C19 9.26921 18.7499 9.00003 18.4352 9.00003H1.56477C1.25011 9.00003 1 9.26921 1 9.60785V14.3922C1 14.7222 1.25818 15 1.56477 15Z" fill="url(#paint4_linear_49_4097)"/>
<path d="M17.4667 14H2.53333C2.23619 14 2 13.752 2 13.44V9.00003H18V13.44C18 13.752 17.7638 14 17.4667 14Z" fill="url(#paint5_linear_49_4097)"/>
<path d="M18.4375 9.07717C18.7107 9.07717 18.9277 9.3086 18.9277 9.60003V14.4C18.9277 14.6915 18.7107 14.9229 18.4375 14.9229H1.5625C1.28929 14.9229 1.07232 14.6915 1.07232 14.4V9.60003C1.07232 9.3086 1.28929 9.07717 1.5625 9.07717H18.4375ZM18.4375 9.00003H1.5625C1.24911 9.00003 1 9.26574 1 9.60003V14.4C1 14.7343 1.24911 15 1.5625 15H18.4375C18.7509 15 19 14.7343 19 14.4V9.60003C19 9.26574 18.7509 9.00003 18.4375 9.00003Z" fill="url(#paint6_linear_49_4097)"/>
<path opacity="0.15" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.522914" stroke-miterlimit="10"/>
<path opacity="0.3" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.261461" stroke-miterlimit="10"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" fill="#00B300"/>
<path d="M4.3911 11.9616C4.77598 11.899 5.03555 11.5409 4.9729 11.1561C4.955 11.0755 4.92814 10.9949 4.89234 10.9233C4.74913 10.8249 4.57011 10.7801 4.38214 10.807C3.99726 10.8696 3.73769 11.2277 3.80034 11.6125C3.81824 11.6931 3.8451 11.7737 3.8809 11.8453C4.02411 11.9437 4.20313 11.9885 4.3911 11.9616Z" fill="url(#paint7_radial_49_4097)"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.0894687" stroke-miterlimit="10"/>
<path d="M8.00439 6C8.00439 5.44772 8.45211 5 9.00439 5H15.0044C15.5567 5 16.0044 5.44772 16.0044 6V11C16.0044 11.5523 15.5567 12 15.0044 12H9.00439C8.45211 12 8.00439 11.5523 8.00439 11V6Z" fill="#FFC225"/>
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M10.5098 5.01077H8.50546C8.22872 5.01077 8.00438 5.23511 8.00438 5.51185V11.5248C8.00438 11.8015 8.22872 12.0259 8.50546 12.0259H10.5098V5.01077Z" fill="url(#paint8_linear_49_4097)" fill-opacity="0.5"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M16.0215 5.51185C16.0215 5.23511 15.7971 5.01077 15.5204 5.01077H8.50532C8.22858 5.01077 8.00424 5.23511 8.00424 5.51185V11.5248C8.00424 11.8015 8.22858 12.0259 8.50532 12.0259H15.5204C15.7971 12.0259 16.0215 11.8015 16.0215 11.5248V5.51185Z" fill="url(#paint9_linear_49_4097)" fill-opacity="0.5"/>
</g>
<path d="M10.0085 5.01077L10.0085 3.00646C10.0085 1.89951 10.9059 1.00215 12.0129 1.00215V1.00215C13.1198 1.00215 14.0172 1.89951 14.0172 3.00646V5.01077" stroke="#FFD400" stroke-width="1.5"/>
<g style="mix-blend-mode:overlay" opacity="0.25">
<path d="M8 5.99997H16V11H8V5.99997Z" fill="white"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="8" y="11" width="8" height="1" fill="black"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="8" y="9.99997" width="8" height="1" fill="white"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="8" y="4.99997" width="8" height="1" fill="black"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="8" y="5.99997" width="8" height="1" fill="white"/>
</g>
</g>
<path d="M12.2264 7.5C11.7002 7.50298 11.1967 7.71448 10.8262 8.08812C10.4557 8.46177 10.2485 8.96707 10.25 9.49325C10.2552 9.9027 10.3822 10.3013 10.6148 10.6383C10.8475 10.9753 11.1753 11.2353 11.5563 11.3851L13.009 11.3345C13.4254 11.1485 13.766 10.8261 13.9745 10.4204C14.1829 10.0148 14.2468 9.55019 14.1556 9.10333C14.0644 8.65648 13.8235 8.25408 13.4728 7.96259C13.122 7.67109 12.6824 7.50791 12.2264 7.5V7.5ZM12.2264 9.0991C12.1324 9.10022 12.0401 9.07328 11.9615 9.02174C11.8829 8.9702 11.8214 8.8964 11.7849 8.80975C11.7484 8.72309 11.7385 8.62753 11.7566 8.53526C11.7747 8.44299 11.8198 8.3582 11.8863 8.29172C11.9528 8.22524 12.0376 8.18008 12.1299 8.16201C12.2221 8.14394 12.3177 8.15378 12.4044 8.19027C12.491 8.22676 12.5648 8.28826 12.6164 8.36689C12.6679 8.44553 12.6948 8.53774 12.6937 8.63176C12.6937 8.75571 12.6445 8.87458 12.5568 8.96222C12.4692 9.04987 12.3503 9.0991 12.2264 9.0991V9.0991Z" fill="url(#paint10_linear_49_4097)"/>
<path d="M12.2264 7.5C11.7002 7.50298 11.1967 7.71448 10.8262 8.08812C10.4557 8.46177 10.2485 8.96707 10.25 9.49325C10.2552 9.9027 10.3822 10.3013 10.6148 10.6383C10.8475 10.9753 11.1753 11.2353 11.5563 11.3851L13.009 11.3345C13.4254 11.1485 13.766 10.8261 13.9745 10.4204C14.1829 10.0148 14.2468 9.55019 14.1556 9.10333C14.0644 8.65648 13.8235 8.25408 13.4728 7.96259C13.122 7.67109 12.6824 7.50791 12.2264 7.5V7.5ZM12.2264 9.07658C11.9842 9.07658 11.4156 8.87388 11.4156 8.63176C11.4156 8.38964 11.9786 8.18694 12.2264 8.18694C12.3443 8.18694 12.4575 8.2338 12.5409 8.31722C12.6243 8.40064 12.6712 8.51379 12.6712 8.63176C12.6712 8.74973 12.6243 8.86288 12.5409 8.9463C12.4575 9.02972 12.3443 9.07658 12.2264 9.07658V9.07658Z" fill="url(#paint11_linear_49_4097)"/>
<path d="M12.2263 7.83691C11.8611 7.86375 11.5144 8.00856 11.2387 8.24951C10.9629 8.49046 10.7729 8.81451 10.6973 9.17284C10.6217 9.53116 10.6646 9.90435 10.8195 10.2362C10.9744 10.568 11.233 10.8405 11.5562 11.0126V11.5757C11.5562 11.5757 11.5562 14.9822 11.5562 15.6128C11.697 15.7536 12.1193 16.0802 12.2882 16.2547C12.3727 16.1928 12.3502 16.0689 12.4909 15.6128C12.4395 15.4531 12.4018 15.2892 12.3783 15.123C12.3783 15.0836 12.3051 14.802 12.3051 14.7851C12.3415 14.6871 12.3661 14.585 12.3783 14.4811C12.3783 14.3572 12.4515 14.2277 12.4515 14.0982C12.4515 14.0982 12.4065 13.8786 12.4121 13.873C12.4177 13.8673 12.3783 13.6534 12.3783 13.6477C12.3783 12.9214 12.3783 12.2063 12.3783 11.7953C12.5979 11.7953 13.0089 11.8516 13.0089 11.6095V10.9563C13.3124 10.7672 13.5481 10.4868 13.6821 10.1552C13.816 9.82371 13.8413 9.45823 13.7543 9.11141C13.6673 8.7646 13.4724 8.45434 13.1978 8.22531C12.9233 7.99628 12.5831 7.86029 12.2263 7.83691V7.83691ZM12.2263 9.09818C12.1323 9.09929 12.0401 9.07236 11.9614 9.02082C11.8828 8.96928 11.8213 8.89547 11.7848 8.80882C11.7483 8.72217 11.7385 8.62661 11.7565 8.53434C11.7746 8.44207 11.8198 8.35728 11.8862 8.29079C11.9527 8.22431 12.0375 8.17915 12.1298 8.16108C12.2221 8.14301 12.3176 8.15285 12.4043 8.18935C12.4909 8.22584 12.5647 8.28733 12.6163 8.36597C12.6678 8.44461 12.6947 8.53682 12.6936 8.63084C12.6936 8.75478 12.6444 8.87365 12.5567 8.9613C12.4691 9.04894 12.3502 9.09818 12.2263 9.09818Z" fill="url(#paint12_linear_49_4097)"/>
<path d="M12.2263 7.83691C11.8611 7.86375 11.5144 8.00856 11.2387 8.24951C10.9629 8.49046 10.7729 8.81451 10.6973 9.17284C10.6217 9.53116 10.6646 9.90435 10.8195 10.2362C10.9744 10.568 11.233 10.8405 11.5562 11.0126V11.5757C11.5562 11.5757 11.5562 14.909 11.5562 15.5171" stroke="url(#paint13_linear_49_4097)" stroke-width="0.0337839" stroke-miterlimit="10"/>
<path d="M12.3049 16.2497C12.3894 16.1878 12.4457 16.0133 12.7441 15.6078C12.7441 15.5234 12.7441 15.1968 12.7441 14.966C12.6772 14.8814 12.6151 14.793 12.5583 14.7013C12.6143 14.6249 12.6745 14.5516 12.7385 14.4817C12.7385 14.3578 12.7385 14.2283 12.7385 14.0988C12.7385 14.0988 12.547 13.8792 12.5583 13.8736C12.5696 13.868 12.7385 13.654 12.7385 13.6484C12.7385 12.922 12.7385 12.2069 12.7385 11.7959H12.3049V16.2497Z" fill="#EBB850"/>
<path d="M11.7812 15.7993V11.7959H12.0403V16.0245L11.7812 15.7993Z" fill="#EBB850"/>
<path d="M11.7812 15.7993V11.7959H11.8939H12.0403L11.8939 11.9479V15.895L11.7812 15.7993Z" fill="url(#paint14_linear_49_4097)"/>
<path d="M12.3049 16.2497V11.7959H12.4119H12.7103L12.4119 11.9479V16.0977L12.3049 16.2497Z" fill="url(#paint15_linear_49_4097)"/>
<g style="mix-blend-mode:multiply" opacity="0.2">
<g style="mix-blend-mode:multiply" opacity="0.2">
<path d="M12.2264 7.51689C12.678 7.52524 13.1134 7.68718 13.4607 7.97605C13.808 8.26492 14.0465 8.66347 14.137 9.10605C14.2275 9.54863 14.1645 10.0088 13.9584 10.4108C13.7524 10.8128 13.4155 11.1326 13.0034 11.3176V11.3176V11.6047C13.0034 11.7061 12.9246 11.7624 12.75 11.7737C12.75 12.2297 12.75 12.8998 12.75 13.6149C12.75 13.6149 12.6487 13.7444 12.6092 13.7951C12.6072 13.8081 12.6072 13.8214 12.6092 13.8345C12.6473 13.8928 12.6906 13.9475 12.7387 13.9978L12.7894 14.0597V14.2117C12.7894 14.2849 12.7894 14.3581 12.7894 14.4313C12.7272 14.4992 12.6689 14.5707 12.6149 14.6453V14.6453C12.6656 14.7426 12.728 14.8334 12.8007 14.9156C12.8007 15.2703 12.8007 15.4786 12.8007 15.5462C12.6917 15.6899 12.5921 15.8403 12.5023 15.9967C12.4701 16.0515 12.4344 16.1042 12.3953 16.1543V16.1543H12.3615C12.2874 16.0762 12.2084 16.0028 12.125 15.9347V15.9347L11.8153 15.7883L11.6858 15.687L11.5732 15.5912C11.5732 15.3435 11.5732 14.7016 11.5732 14.0259C11.5732 13.6487 11.5732 13.2602 11.5732 12.8998V11.3739C11.1939 11.2247 10.8673 10.9664 10.6348 10.6317C10.4023 10.2969 10.2743 9.90077 10.2669 9.49325C10.2654 8.97155 10.4708 8.47054 10.8381 8.10007C11.2054 7.72959 11.7047 7.51987 12.2264 7.51689V7.51689ZM12.2264 7.51689C11.7031 7.51985 11.2021 7.72902 10.8321 8.09902C10.4621 8.46902 10.253 8.97 10.25 9.49325C10.2551 9.9027 10.3822 10.3013 10.6148 10.6383C10.8475 10.9753 11.1752 11.2353 11.5563 11.3851V12.9167C11.5563 13.9415 11.5563 15.2421 11.5563 15.6081C11.6014 15.6532 11.6914 15.7207 11.7815 15.7996L12.0405 16.0248C12.1419 16.1093 12.2264 16.1937 12.2883 16.2557C12.3728 16.1937 12.4291 16.0192 12.7275 15.6138C12.7275 15.5293 12.7275 15.2027 12.7275 14.9719C12.6605 14.8873 12.5985 14.7989 12.5417 14.7072C12.5977 14.6308 12.6579 14.5575 12.7219 14.4876C12.7219 14.3638 12.7219 14.2343 12.7219 14.1048C12.7219 14.1048 12.536 13.8852 12.5417 13.8795L12.7219 13.6543C12.7219 12.9336 12.7219 12.2185 12.7219 11.8074C12.8739 11.8074 12.9921 11.7511 12.9921 11.616V11.3345C13.4074 11.1492 
13.7474 10.8282 13.9562 10.4242C14.165 10.0202 14.2302 9.55725 14.1412 9.1113C14.0521 8.66535 13.814 8.26294 13.4661 7.97013C13.1181 7.67733 12.681 7.51155 12.2264 7.5V7.51689Z" fill="black"/>
</g>
</g>
<path d="M13.0088 10.9678V11.3112C13.0881 11.2759 13.1636 11.2325 13.234 11.1817L13.0088 10.9678Z" fill="url(#paint16_linear_49_4097)"/>
<path d="M12.2263 8.01182C12.1034 8.00959 11.9825 8.044 11.8792 8.11069C11.7759 8.17737 11.6948 8.2733 11.6461 8.38626C11.5975 8.49922 11.5837 8.6241 11.6063 8.74497C11.6289 8.86585 11.687 8.97727 11.7731 9.06502C11.8593 9.15277 11.9696 9.21288 12.09 9.23771C12.2105 9.26254 12.3356 9.25095 12.4494 9.20442C12.5633 9.15789 12.6607 9.07852 12.7292 8.97644C12.7978 8.87435 12.8344 8.75417 12.8344 8.63119C12.8352 8.55059 12.82 8.47064 12.7899 8.39589C12.7597 8.32114 12.7151 8.25307 12.6587 8.19556C12.6022 8.13804 12.535 8.09221 12.4608 8.06069C12.3866 8.02916 12.3069 8.01256 12.2263 8.01182V8.01182ZM12.2263 9.07601C12.1368 9.07825 12.0486 9.05375 11.9731 9.00563C11.8975 8.95752 11.8381 8.88798 11.8022 8.80589C11.7664 8.7238 11.7559 8.6329 11.7719 8.54479C11.788 8.45668 11.83 8.37537 11.8926 8.31124C11.9551 8.24711 12.0353 8.20308 12.123 8.18477C12.2106 8.16645 12.3018 8.17469 12.3848 8.20843C12.4677 8.24217 12.5387 8.29987 12.5888 8.37417C12.6388 8.44847 12.6655 8.536 12.6655 8.62556C12.667 8.74258 12.6224 8.85549 12.5412 8.9398C12.4601 9.02412 12.349 9.07306 12.232 9.07601H12.2263Z" fill="url(#paint17_linear_49_4097)"/>
<g opacity="0.5">
<path opacity="0.5" d="M12.2264 8.10191C12.3313 8.1008 12.4342 8.13089 12.522 8.18836C12.6097 8.24584 12.6785 8.32811 12.7194 8.42472C12.7603 8.52133 12.7716 8.62792 12.7518 8.73096C12.732 8.834 12.6821 8.92883 12.6083 9.00342C12.5345 9.078 12.4402 9.12897 12.3374 9.14986C12.2346 9.17074 12.1278 9.16059 12.0308 9.1207C11.9338 9.08081 11.8508 9.01298 11.7924 8.92583C11.7339 8.83867 11.7028 8.73612 11.7027 8.6312C11.702 8.56196 11.715 8.49326 11.741 8.42907C11.767 8.36489 11.8054 8.3065 11.8541 8.25727C11.9028 8.20805 11.9608 8.16897 12.0247 8.14231C12.0886 8.11564 12.1572 8.10191 12.2264 8.10191V8.10191ZM12.2264 8.0625C12.115 8.0625 12.0062 8.09552 11.9136 8.15739C11.821 8.21926 11.7488 8.3072 11.7062 8.41009C11.6636 8.51298 11.6524 8.62619 11.6741 8.73541C11.6959 8.84464 11.7495 8.94497 11.8282 9.02371C11.907 9.10246 12.0073 9.15609 12.1165 9.17781C12.2258 9.19954 12.339 9.18839 12.4419 9.14577C12.5448 9.10315 12.6327 9.03098 12.6946 8.93839C12.7564 8.84579 12.7895 8.73693 12.7895 8.62557C12.7895 8.47623 12.7301 8.33301 12.6245 8.22742C12.5189 8.12182 12.3757 8.0625 12.2264 8.0625V8.0625Z" fill="url(#paint18_linear_49_4097)"/>
</g>
<path d="M11.6487 7.5C11.1226 7.50298 10.619 7.71448 10.2486 8.08812C9.87808 8.46177 9.67087 8.96707 9.67237 9.49325C9.67752 9.9027 9.80452 10.3013 10.0372 10.6383C10.2698 10.9753 10.5976 11.2353 10.9787 11.3851L12.4314 11.3345C12.8478 11.1485 13.1884 10.8261 13.3968 10.4204C13.6053 10.0148 13.6692 9.55019 13.578 9.10333C13.4868 8.65648 13.2459 8.25408 12.8951 7.96259C12.5444 7.67109 12.1047 7.50791 11.6487 7.5V7.5ZM11.6487 9.0991C11.5547 9.10022 11.4625 9.07328 11.3839 9.02174C11.3052 8.9702 11.2437 8.8964 11.2072 8.80975C11.1707 8.72309 11.1609 8.62753 11.179 8.53526C11.197 8.44299 11.2422 8.3582 11.3087 8.29172C11.3752 8.22524 11.46 8.18008 11.5522 8.16201C11.6445 8.14394 11.7401 8.15378 11.8267 8.19027C11.9134 8.22676 11.9872 8.28826 12.0387 8.36689C12.0903 8.44553 12.1172 8.53774 12.1161 8.63176C12.1161 8.75571 12.0668 8.87458 11.9792 8.96222C11.8915 9.04987 11.7727 9.0991 11.6487 9.0991V9.0991Z" fill="url(#paint19_linear_49_4097)"/>
<path d="M11.6487 7.5C11.1226 7.50298 10.619 7.71448 10.2486 8.08812C9.87808 8.46177 9.67087 8.96707 9.67237 9.49325C9.67752 9.9027 9.80452 10.3013 10.0372 10.6383C10.2698 10.9753 10.5976 11.2353 10.9787 11.3851L12.4314 11.3345C12.8478 11.1485 13.1884 10.8261 13.3968 10.4204C13.6053 10.0148 13.6692 9.55019 13.578 9.10333C13.4868 8.65648 13.2459 8.25408 12.8951 7.96259C12.5444 7.67109 12.1047 7.50791 11.6487 7.5V7.5ZM11.6487 9.07658C11.4066 9.07658 10.8379 8.87388 10.8379 8.63176C10.8379 8.38964 11.401 8.18694 11.6487 8.18694C11.7667 8.18694 11.8798 8.2338 11.9633 8.31722C12.0467 8.40064 12.0936 8.51379 12.0936 8.63176C12.0936 8.74973 12.0467 8.86288 11.9633 8.9463C11.8798 9.02972 11.7667 9.07658 11.6487 9.07658V9.07658Z" fill="url(#paint20_linear_49_4097)"/>
<path d="M11.6486 7.83691C11.2834 7.86375 10.9368 8.00856 10.661 8.24951C10.3853 8.49046 10.1952 8.81451 10.1196 9.17284C10.044 9.53116 10.0869 9.90435 10.2419 10.2362C10.3968 10.568 10.6553 10.8405 10.9786 11.0126V11.5757C10.9786 11.5757 10.9786 14.9822 10.9786 15.6128C11.1194 15.7536 11.5417 16.0802 11.7106 16.2547C11.795 16.1928 11.7725 16.0689 11.9133 15.6128C11.8619 15.4531 11.8242 15.2892 11.8007 15.123C11.8007 15.0836 11.7275 14.802 11.7275 14.7851C11.7639 14.6871 11.7885 14.585 11.8007 14.4811C11.8007 14.3572 11.8739 14.2277 11.8739 14.0982C11.8739 14.0982 11.8288 13.8786 11.8345 13.873C11.8401 13.8673 11.8007 13.6534 11.8007 13.6477C11.8007 12.9214 11.8007 12.2063 11.8007 11.7953C12.0203 11.7953 12.4313 11.8516 12.4313 11.6095V10.9563C12.7348 10.7672 12.9705 10.4868 13.1044 10.1552C13.2384 9.82371 13.2637 9.45823 13.1766 9.11141C13.0896 8.7646 12.8948 8.45434 12.6202 8.22531C12.3456 7.99628 12.0054 7.86029 11.6486 7.83691V7.83691ZM11.6486 9.09818C11.5546 9.09929 11.4624 9.07236 11.3838 9.02082C11.3051 8.96928 11.2437 8.89547 11.2072 8.80882C11.1707 8.72217 11.1608 8.62661 11.1789 8.53434C11.197 8.44207 11.2421 8.35728 11.3086 8.29079C11.3751 8.22431 11.4599 8.17915 11.5521 8.16108C11.6444 8.14301 11.74 8.15285 11.8266 8.18935C11.9133 8.22584 11.9871 8.28733 12.0386 8.36597C12.0902 8.44461 12.1171 8.53682 12.116 8.63084C12.116 8.75478 12.0668 8.87365 11.9791 8.9613C11.8915 9.04894 11.7726 9.09818 11.6486 9.09818Z" fill="url(#paint21_linear_49_4097)"/>
<path d="M11.6486 7.83691C11.2834 7.86375 10.9368 8.00856 10.661 8.24951C10.3853 8.49046 10.1952 8.81451 10.1196 9.17284C10.044 9.53116 10.0869 9.90435 10.2419 10.2362C10.3968 10.568 10.6553 10.8405 10.9786 11.0126V11.5757C10.9786 11.5757 10.9786 14.909 10.9786 15.5171" stroke="url(#paint22_linear_49_4097)" stroke-width="0.0337839" stroke-miterlimit="10"/>
<path d="M11.7273 16.2497C11.8118 16.1878 11.8681 16.0133 12.1665 15.6078C12.1665 15.5234 12.1665 15.1968 12.1665 14.966C12.0995 14.8814 12.0375 14.793 11.9807 14.7013C12.0367 14.6249 12.0969 14.5516 12.1609 14.4817C12.1609 14.3578 12.1609 14.2283 12.1609 14.0988C12.1609 14.0988 11.9694 13.8792 11.9807 13.8736C11.9919 13.868 12.1609 13.654 12.1609 13.6484C12.1609 12.922 12.1609 12.2069 12.1609 11.7959H11.7273V16.2497Z" fill="#EBB850"/>
<path d="M11.2036 15.7993V11.7959H11.4626V16.0245L11.2036 15.7993Z" fill="#EBB850"/>
<path d="M11.2036 15.7993V11.7959H11.3162H11.4626L11.3162 11.9479V15.895L11.2036 15.7993Z" fill="url(#paint23_linear_49_4097)"/>
<path d="M11.7273 16.2497V11.7959H11.8343H12.1327L11.8343 11.9479V16.0977L11.7273 16.2497Z" fill="url(#paint24_linear_49_4097)"/>
<g style="mix-blend-mode:multiply" opacity="0.2">
<g style="mix-blend-mode:multiply" opacity="0.2">
<path d="M11.6487 7.51689C12.1004 7.52524 12.5357 7.68718 12.883 7.97605C13.2303 8.26492 13.4689 8.66347 13.5593 9.10605C13.6498 9.54863 13.5869 10.0088 13.3808 10.4108C13.1747 10.8128 12.8379 11.1326 12.4258 11.3176V11.3176V11.6047C12.4258 11.7061 12.3469 11.7624 12.1724 11.7737C12.1724 12.2297 12.1724 12.8998 12.1724 13.6149C12.1724 13.6149 12.071 13.7444 12.0316 13.7951C12.0296 13.8081 12.0296 13.8214 12.0316 13.8345C12.0696 13.8928 12.113 13.9475 12.1611 13.9978L12.2118 14.0597V14.2117C12.2118 14.2849 12.2118 14.3581 12.2118 14.4313C12.1495 14.4992 12.0912 14.5707 12.0372 14.6453V14.6453C12.0879 14.7426 12.1503 14.8334 12.223 14.9156C12.223 15.2703 12.223 15.4786 12.223 15.5462C12.1141 15.6899 12.0144 15.8403 11.9246 15.9967C11.8925 16.0515 11.8567 16.1042 11.8176 16.1543V16.1543H11.7839C11.7098 16.0762 11.6308 16.0028 11.5474 15.9347V15.9347L11.2377 15.7883L11.1082 15.687L10.9956 15.5912C10.9956 15.3435 10.9956 14.7016 10.9956 14.0259C10.9956 13.6487 10.9956 13.2602 10.9956 12.8998V11.3739C10.6163 11.2247 10.2897 10.9664 10.0572 10.6317C9.82465 10.2969 9.69662 9.90077 9.68926 9.49325C9.68776 8.97155 9.89318 8.47054 10.2605 8.10007C10.6278 7.72959 11.127 7.51987 11.6487 7.51689V7.51689ZM11.6487 7.51689C11.1255 7.51985 10.6245 7.72902 10.2545 8.09902C9.88449 8.46902 9.67532 8.97 9.67236 9.49325C9.67751 9.9027 9.80451 10.3013 10.0372 10.6383C10.2698 10.9753 10.5976 11.2353 10.9787 11.3851V12.9167C10.9787 13.9415 10.9787 15.2421 10.9787 15.6081C11.0237 15.6532 11.1138 15.7207 11.2039 15.7996L11.4629 16.0248C11.5643 16.1093 11.6487 16.1937 11.7107 16.2557C11.7951 16.1937 11.8514 16.0192 12.1498 15.6138C12.1498 15.5293 12.1498 15.2027 12.1498 14.9719C12.0829 14.8873 12.0209 14.7989 11.964 14.7072C12.0201 14.6308 12.0802 14.5575 12.1442 14.4876C12.1442 14.3638 12.1442 14.2343 12.1442 14.1048C12.1442 14.1048 11.9584 13.8852 11.964 13.8795L12.1442 13.6543C12.1442 12.9336 12.1442 12.2185 12.1442 11.8074C12.2962 11.8074 12.4145 11.7511 12.4145 11.616V11.3345C12.8298 
11.1492 13.1698 10.8282 13.3786 10.4242C13.5874 10.0202 13.6526 9.55725 13.5635 9.1113C13.4745 8.66535 13.2364 8.26294 12.8885 7.97013C12.5405 7.67733 12.1033 7.51155 11.6487 7.5V7.51689Z" fill="black"/>
</g>
</g>
<path d="M12.4312 10.9678V11.3112C12.5104 11.2759 12.5859 11.2325 12.6564 11.1817L12.4312 10.9678Z" fill="url(#paint25_linear_49_4097)"/>
<path d="M11.6487 8.01182C11.5257 8.00959 11.4049 8.044 11.3016 8.11069C11.1983 8.17737 11.1171 8.2733 11.0685 8.38626C11.0199 8.49922 11.006 8.6241 11.0286 8.74497C11.0512 8.86585 11.1093 8.97727 11.1955 9.06502C11.2816 9.15277 11.392 9.21288 11.5124 9.23771C11.6328 9.26254 11.758 9.25095 11.8718 9.20442C11.9856 9.15789 12.083 9.07852 12.1516 8.97644C12.2202 8.87435 12.2568 8.75417 12.2568 8.63119C12.2576 8.55059 12.2424 8.47064 12.2123 8.39589C12.1821 8.32114 12.1375 8.25307 12.081 8.19556C12.0246 8.13804 11.9573 8.09221 11.8831 8.06069C11.809 8.02916 11.7293 8.01256 11.6487 8.01182V8.01182ZM11.6487 9.07601C11.5592 9.07825 11.471 9.05375 11.3954 9.00563C11.3199 8.95752 11.2604 8.88798 11.2246 8.80589C11.1888 8.7238 11.1782 8.6329 11.1943 8.54479C11.2104 8.45668 11.2524 8.37537 11.3149 8.31124C11.3774 8.24711 11.4577 8.20308 11.5453 8.18477C11.633 8.16645 11.7241 8.17469 11.8071 8.20843C11.8901 8.24217 11.9611 8.29987 12.0111 8.37417C12.0611 8.44847 12.0879 8.536 12.0879 8.62556C12.0894 8.74258 12.0448 8.85549 11.9636 8.9398C11.8824 9.02412 11.7713 9.07306 11.6543 9.07601H11.6487Z" fill="url(#paint26_linear_49_4097)"/>
<g opacity="0.5">
<path opacity="0.5" d="M11.6488 8.10191C11.7537 8.1008 11.8566 8.13089 11.9443 8.18836C12.0321 8.24584 12.1008 8.32811 12.1417 8.42472C12.1827 8.52133 12.194 8.62792 12.1742 8.73096C12.1544 8.834 12.1044 8.92883 12.0306 9.00342C11.9569 9.078 11.8626 9.12897 11.7597 9.14986C11.6569 9.17074 11.5502 9.16059 11.4532 9.1207C11.3561 9.08081 11.2731 9.01298 11.2147 8.92583C11.1563 8.83867 11.1251 8.73612 11.1251 8.6312C11.1244 8.56196 11.1374 8.49326 11.1633 8.42907C11.1893 8.36489 11.2278 8.3065 11.2765 8.25727C11.3252 8.20805 11.3832 8.16897 11.4471 8.14231C11.511 8.11564 11.5795 8.10191 11.6488 8.10191V8.10191ZM11.6488 8.0625C11.5374 8.0625 11.4285 8.09552 11.3359 8.15739C11.2433 8.21926 11.1712 8.3072 11.1286 8.41009C11.0859 8.51298 11.0748 8.62619 11.0965 8.73541C11.1182 8.84464 11.1719 8.94497 11.2506 9.02371C11.3294 9.10246 11.4297 9.15609 11.5389 9.17781C11.6481 9.19954 11.7613 9.18839 11.8642 9.14577C11.9671 9.10315 12.0551 9.03098 12.1169 8.93839C12.1788 8.84579 12.2118 8.73693 12.2118 8.62557C12.2118 8.47623 12.1525 8.33301 12.0469 8.22742C11.9413 8.12182 11.7981 8.0625 11.6488 8.0625V8.0625Z" fill="url(#paint27_linear_49_4097)"/>
</g>
<path d="M11.1613 8.58772C10.794 8.96422 10.5884 9.46938 10.5884 9.99538C10.5884 10.5214 10.794 11.0265 11.1613 11.403C11.452 11.69 11.823 11.8819 12.2252 11.9533C12.6274 12.0247 13.0419 11.9722 13.4136 11.8028L14.382 10.7611C14.5314 10.3972 14.571 9.99746 14.496 9.61126C14.421 9.22506 14.2345 8.86925 13.9597 8.58772C13.7773 8.40163 13.5596 8.25381 13.3193 8.15289C13.0791 8.05198 12.8211 8 12.5605 8C12.2999 8 12.042 8.05198 11.8017 8.15289C11.5614 8.25381 11.3437 8.40163 11.1613 8.58772V8.58772ZM12.248 9.71385C12.1652 9.76276 12.0683 9.78197 11.9731 9.76829C11.8779 9.75461 11.7903 9.70888 11.7246 9.63863C11.659 9.56839 11.6193 9.47785 11.6121 9.38198C11.6048 9.28611 11.6306 9.19064 11.6849 9.11137C11.7612 9.03971 11.8619 8.99981 11.9665 8.99981C12.0711 8.99981 12.1718 9.03971 12.248 9.11137C12.3261 9.1922 12.3698 9.30021 12.3698 9.41261C12.3698 9.525 12.3261 9.63301 12.248 9.71385V9.71385Z" fill="#C6C6C6"/>
<path d="M11.1613 8.58772C10.794 8.96422 10.5884 9.46938 10.5884 9.99538C10.5884 10.5214 10.794 11.0265 11.1613 11.403C11.452 11.69 11.823 11.8819 12.2252 11.9533C12.6274 12.0247 13.0419 11.9722 13.4136 11.8028L14.382 10.7611C14.5314 10.3972 14.571 9.99746 14.496 9.61126C14.421 9.22506 14.2345 8.86925 13.9597 8.58772C13.7773 8.40163 13.5596 8.25381 13.3193 8.15289C13.0791 8.05198 12.8211 8 12.5605 8C12.2999 8 12.042 8.05198 11.8017 8.15289C11.5614 8.25381 11.3437 8.40163 11.1613 8.58772V8.58772ZM12.2874 9.77015C12.246 9.81254 12.1965 9.84623 12.1419 9.86923C12.0872 9.89223 12.0286 9.90407 11.9693 9.90407C11.91 9.90407 11.8513 9.89223 11.7967 9.86923C11.7421 9.84623 11.6926 9.81254 11.6512 9.77015C11.6036 9.68361 11.5854 9.58396 11.5993 9.48619C11.6132 9.38841 11.6585 9.2978 11.7284 9.22797C11.7982 9.15814 11.8888 9.11286 11.9866 9.09894C12.0843 9.08502 12.184 9.10321 12.2705 9.15078C12.3525 9.23754 12.3982 9.35237 12.3982 9.47173C12.3982 9.59108 12.3525 9.70592 12.2705 9.79267L12.2874 9.77015Z" fill="url(#paint28_linear_49_4097)"/>
<path d="M11.398 8.85257C11.0935 9.16755 10.9233 9.58849 10.9233 10.0266C10.9233 10.4646 11.0935 10.8856 11.398 11.2006C11.6213 11.4255 11.905 11.5809 12.2148 11.6479C12.5246 11.7148 12.8472 11.6905 13.1435 11.5778L13.5376 11.972C13.5376 11.972 15.9081 14.3875 16.353 14.8154C16.55 14.8154 17.0681 14.7479 17.3045 14.7591C17.3045 14.6521 17.2201 14.5789 17.0005 14.1566C16.9442 14.0947 16.7415 14.0553 16.5782 13.892C16.5782 13.8639 16.3023 13.7175 16.2854 13.7062C16.2487 13.6107 16.1974 13.5214 16.1334 13.4416C16.0433 13.3571 16.0095 13.2107 15.9194 13.1206C15.8552 13.0788 15.7932 13.0336 15.7336 12.9855C15.6687 12.9447 15.6066 12.8995 15.5478 12.8503C15.041 12.3436 14.5399 11.8368 14.2584 11.544C14.416 11.3864 14.7426 11.1274 14.5737 10.981L14.4611 10.8402L14.1345 10.5136C14.2162 10.2272 14.2206 9.9242 14.1475 9.63545C14.0743 9.34671 13.9261 9.08244 13.7178 8.86946C13.5675 8.71446 13.3879 8.59091 13.1893 8.50603C12.9908 8.42114 12.7774 8.37662 12.5614 8.37504C12.3455 8.37347 12.1315 8.41488 11.9317 8.49687C11.732 8.57885 11.5505 8.69977 11.398 8.85257V8.85257ZM12.2876 9.74785C12.2445 9.79334 12.1925 9.82957 12.1349 9.85433C12.0773 9.87908 12.0153 9.89185 11.9526 9.89185C11.8899 9.89185 11.8279 9.87908 11.7703 9.85433C11.7127 9.82957 11.6607 9.79334 11.6176 9.74785C11.5282 9.65814 11.478 9.53665 11.478 9.41001C11.478 9.28336 11.5282 9.16188 11.6176 9.07217C11.6615 9.02807 11.7137 8.99309 11.7712 8.96922C11.8287 8.94534 11.8904 8.93306 11.9526 8.93306C12.0149 8.93306 12.0765 8.94534 12.134 8.96922C12.1915 8.99309 12.2437 9.02807 12.2876 9.07217C12.377 9.16188 12.4272 9.28336 12.4272 9.41001C12.4272 9.53665 12.377 9.65814 12.2876 9.74785V9.74785Z" fill="url(#paint29_linear_49_4097)"/>
<path d="M11.398 8.85254C11.0935 9.16752 10.9233 9.58846 10.9233 10.0265C10.9233 10.4646 11.0935 10.8855 11.398 11.2005C11.6213 11.4255 11.905 11.5809 12.2148 11.6478C12.5246 11.7148 12.8472 11.6905 13.1435 11.5778L13.5376 11.9719C13.5376 11.9719 15.8575 14.3312 16.3135 14.7872" stroke="url(#paint30_linear_49_4097)" stroke-width="0.0337839" stroke-miterlimit="10"/>
<path d="M17.3327 14.748C17.303 14.4884 17.2578 14.2308 17.1976 13.9766L16.7528 13.5205L16.4375 13.4642C16.4375 13.4642 16.4093 13.2052 16.4093 13.1771L16.139 12.9124C16.0434 12.9185 15.9475 12.9185 15.8519 12.9124C15.8519 12.9124 15.8519 12.6309 15.8181 12.6253L14.5287 11.2852L14.219 11.6005L17.3327 14.748Z" fill="#C2C5C7"/>
<path d="M16.6456 14.7985L13.8528 11.9719L14.0386 11.7861L16.9891 14.7704L16.6456 14.7985Z" fill="#C2C5C7"/>
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M16.6456 14.7985L13.8528 11.9719L13.9316 11.8931L14.0386 11.7861V12.0001L16.7976 14.7873L16.6456 14.7985Z" fill="black"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M17.3327 14.7479L14.219 11.6004L14.2978 11.516L14.5118 11.3076L14.4048 11.6229L17.3102 14.5565L17.3327 14.7479Z" fill="black"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.2">
<g style="mix-blend-mode:multiply" opacity="0.2">
<path d="M12.5577 8.02451C12.8144 8.02191 13.069 8.07034 13.3068 8.167C13.5446 8.26367 13.7608 8.40663 13.9428 8.58758C14.2213 8.86558 14.4115 9.21957 14.4896 9.6052C14.5677 9.99082 14.5303 10.3909 14.382 10.7554L14.4214 10.7948L14.5566 10.9299C14.6298 11.0031 14.6073 11.0988 14.4946 11.234C14.8156 11.5606 15.2886 12.0504 15.7841 12.5403C15.7841 12.5403 15.7841 12.7092 15.7841 12.7712C15.7841 12.8331 15.7841 12.8106 15.7841 12.8218C15.7841 12.8218 15.7841 12.8218 16.0037 12.8612H16.0769C16.1153 12.894 16.1511 12.9298 16.1838 12.9682L16.3415 13.1203C16.3365 13.2122 16.3365 13.3043 16.3415 13.3962V13.3962C16.4461 13.4276 16.5536 13.4483 16.6624 13.4581C16.9102 13.7058 17.051 13.8522 17.096 13.9029C17.1203 14.0829 17.1542 14.2614 17.1974 14.4378C17.2153 14.5005 17.2285 14.5645 17.2368 14.6293V14.6293V14.6687H17.203H16.9215H16.882L16.6343 14.7813H16.364C16.0937 14.5223 15.1872 13.6157 14.4721 12.895L13.5487 11.966L13.4136 11.8308C13.0405 11.9942 12.6267 12.0408 12.2267 11.9644C11.8267 11.888 11.4591 11.6923 11.1726 11.4029C10.8012 11.0285 10.5928 10.5226 10.5928 9.99524C10.5928 9.46792 10.8012 8.96196 11.1726 8.58758C11.355 8.40713 11.5713 8.2645 11.809 8.16787C12.0467 8.07125 12.3011 8.02253 12.5577 8.02451V8.02451ZM12.5577 8.02451C12.2994 8.02197 12.043 8.07039 11.8034 8.167C11.5638 8.26362 11.3456 8.40654 11.1613 8.58758C10.794 8.96408 10.5884 9.46924 10.5884 9.99524C10.5884 10.5212 10.794 11.0264 11.1613 11.4029C11.3478 11.5857 11.5688 11.7296 11.8114 11.8263C12.054 11.923 12.3135 11.9704 12.5746 11.966C12.8602 11.9654 13.1423 11.904 13.4023 11.7858L13.5374 11.966L14.4721 12.9232C15.1928 13.6495 16.105 14.5673 16.3696 14.8151L16.6343 14.7813H16.9778H17.2593H17.31C17.289 14.5108 17.2514 14.2419 17.1974 13.9761L16.7525 13.52L16.4372 13.4637C16.4372 13.4637 16.4091 13.2047 16.4091 13.1766L16.1388 12.9119C16.0432 12.9177 15.9473 12.9177 15.8516 12.9119C15.8456 12.8157 15.8343 12.7198 15.8178 12.6248L14.5341 11.2847C14.6298 11.172 14.6805 11.0538 14.5904 10.9581L14.4609 
10.8398L14.382 10.761C14.5314 10.397 14.571 9.99733 14.496 9.61112C14.421 9.22492 14.2345 8.86912 13.9597 8.58758C13.5851 8.22214 13.0811 8.01973 12.5577 8.02451V8.02451Z" fill="black"/>
</g>
</g>
<g style="mix-blend-mode:multiply" opacity="0.3">
<path d="M14.1401 10.502L14.3766 10.7441C14.4255 10.6722 14.4547 10.5887 14.4611 10.502H14.1401Z" fill="#808080"/>
</g>
<g opacity="0.5">
<path opacity="0.5" d="M11.9499 8.86875C12.091 8.87218 12.2256 8.92845 12.3271 9.02641C12.4237 9.13053 12.4774 9.26729 12.4774 9.4093C12.4774 9.5513 12.4237 9.68806 12.3271 9.79218C12.2782 9.84381 12.2193 9.88492 12.1539 9.91302C12.0886 9.94112 12.0182 9.95561 11.9471 9.95561C11.8759 9.95561 11.8056 9.94112 11.7402 9.91302C11.6749 9.88492 11.6159 9.84381 11.567 9.79218C11.4704 9.68806 11.4168 9.5513 11.4168 9.4093C11.4168 9.26729 11.4704 9.13053 11.567 9.02641C11.6652 8.92683 11.7988 8.87015 11.9386 8.86875H11.9499ZM11.9386 8.83497C11.8641 8.83528 11.7904 8.85037 11.7218 8.87937C11.6532 8.90836 11.591 8.95069 11.5389 9.00389C11.4861 9.05828 11.4449 9.12275 11.4177 9.19344C11.3905 9.26413 11.3778 9.33958 11.3805 9.41529C11.3831 9.49099 11.401 9.56538 11.433 9.63401C11.4651 9.70264 11.5106 9.7641 11.567 9.8147C11.6194 9.86833 11.6821 9.91095 11.7512 9.94004C11.8203 9.96913 11.8946 9.98412 11.9696 9.98412C12.0446 9.98412 12.1189 9.96913 12.188 9.94004C12.2571 9.91095 12.3197 9.86833 12.3722 9.8147C12.4267 9.76218 12.47 9.69921 12.4996 9.62955C12.5292 9.55989 12.5445 9.48498 12.5445 9.4093C12.5445 9.33361 12.5292 9.2587 12.4996 9.18904C12.47 9.11939 12.4267 9.05641 12.3722 9.00389C12.3194 8.95001 12.2563 8.90729 12.1866 8.87827C12.117 8.84926 12.0422 8.83453 11.9668 8.83497H11.9386Z" fill="url(#paint31_linear_49_4097)"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.3">
<path d="M8.84172 10.4687C8.88113 10.5982 9.90591 10.0746 10.0354 10.0352C10.0261 10.2235 10.0374 10.4123 10.0692 10.5982L10.362 10.4124L10.6717 10.3054V10.221L11.0039 10.0352L11.9048 9.71423L12.13 9.62414C12.023 9.65792 11.9273 9.66355 11.8879 9.53968L12.1751 9.37076C12.13 9.24125 12.13 9.15116 11.978 9.20184L8.99374 10.1647C8.93354 10.1852 8.88384 10.2286 8.8554 10.2855C8.82695 10.3424 8.82203 10.4082 8.84172 10.4687V10.4687Z" fill="black"/>
</g>
<path style="mix-blend-mode:multiply" d="M11.5218 8.98202C11.408 9.09875 11.3442 9.25535 11.3442 9.4184C11.3442 9.58145 11.408 9.73805 11.5218 9.85477C11.6366 9.96791 11.7913 10.0313 11.9525 10.0313C12.1137 10.0313 12.2685 9.96791 12.3833 9.85477C12.4971 9.73805 12.5608 9.58145 12.5608 9.4184C12.5608 9.25535 12.4971 9.09875 12.3833 8.98202C12.3272 8.92465 12.2602 8.87906 12.1862 8.84794C12.1122 8.81681 12.0328 8.80078 11.9525 8.80078C11.8723 8.80078 11.7929 8.81681 11.7189 8.84794C11.6449 8.87906 11.5779 8.92465 11.5218 8.98202V8.98202ZM12.265 9.71401C12.2242 9.75538 12.1755 9.78822 12.1219 9.81064C12.0682 9.83306 12.0107 9.8446 11.9525 9.8446C11.8944 9.8446 11.8368 9.83306 11.7832 9.81064C11.7296 9.78822 11.6809 9.75538 11.64 9.71401C11.5985 9.67267 11.5655 9.62354 11.543 9.56943C11.5206 9.51532 11.509 9.45729 11.509 9.39869C11.509 9.34009 11.5206 9.28207 11.543 9.22796C11.5655 9.17384 11.5985 9.12471 11.64 9.08338C11.6809 9.04201 11.7296 9.00916 11.7832 8.98674C11.8368 8.96432 11.8944 8.95278 11.9525 8.95278C12.0107 8.95278 12.0682 8.96432 12.1219 8.98674C12.1755 9.00916 12.2242 9.04201 12.265 9.08338C12.3066 9.12471 12.3395 9.17384 12.362 9.22796C12.3845 9.28207 12.3961 9.34009 12.3961 9.39869C12.3961 9.45729 12.3845 9.51532 12.362 9.56943C12.3395 9.62354 12.3066 9.67267 12.265 9.71401Z" fill="url(#paint32_linear_49_4097)"/>
<path d="M11.1613 7.93928C10.794 8.31578 10.5884 8.82094 10.5884 9.34694C10.5884 9.87294 10.794 10.3781 11.1613 10.7546C11.452 11.0416 11.823 11.2335 12.2252 11.3049C12.6274 11.3763 13.0419 11.3238 13.4136 11.1544L14.382 10.1127C14.5314 9.74875 14.571 9.34903 14.496 8.96282C14.421 8.57662 14.2345 8.22082 13.9597 7.93928C13.7773 7.7532 13.5596 7.60537 13.3193 7.50446C13.0791 7.40354 12.8211 7.35156 12.5605 7.35156C12.2999 7.35156 12.042 7.40354 11.8017 7.50446C11.5614 7.60537 11.3437 7.7532 11.1613 7.93928V7.93928ZM12.248 9.06541C12.1652 9.11432 12.0683 9.13353 11.9731 9.11985C11.8779 9.10618 11.7903 9.06044 11.7246 8.9902C11.659 8.91995 11.6193 8.82941 11.6121 8.73354C11.6048 8.63767 11.6306 8.5422 11.6849 8.46293C11.7612 8.39127 11.8619 8.35138 11.9665 8.35138C12.0711 8.35138 12.1718 8.39127 12.248 8.46293C12.3261 8.54376 12.3698 8.65177 12.3698 8.76417C12.3698 8.87657 12.3261 8.98457 12.248 9.06541V9.06541Z" fill="#C6C6C6"/>
<path d="M11.1613 7.93928C10.794 8.31578 10.5884 8.82094 10.5884 9.34694C10.5884 9.87294 10.794 10.3781 11.1613 10.7546C11.452 11.0416 11.823 11.2335 12.2252 11.3049C12.6274 11.3763 13.0419 11.3238 13.4136 11.1544L14.382 10.1127C14.5314 9.74875 14.571 9.34903 14.496 8.96282C14.421 8.57662 14.2345 8.22082 13.9597 7.93928C13.7773 7.7532 13.5596 7.60537 13.3193 7.50446C13.0791 7.40354 12.8211 7.35156 12.5605 7.35156C12.2999 7.35156 12.042 7.40354 11.8017 7.50446C11.5614 7.60537 11.3437 7.7532 11.1613 7.93928V7.93928ZM12.2874 9.12171C12.246 9.16411 12.1965 9.19779 12.1419 9.22079C12.0872 9.24379 12.0286 9.25564 11.9693 9.25564C11.91 9.25564 11.8513 9.24379 11.7967 9.22079C11.7421 9.19779 11.6926 9.16411 11.6512 9.12171C11.6036 9.03517 11.5854 8.93552 11.5993 8.83775C11.6132 8.73998 11.6585 8.64936 11.7284 8.57953C11.7982 8.5097 11.8888 8.46442 11.9866 8.4505C12.0843 8.43658 12.184 8.45477 12.2705 8.50234C12.3525 8.5891 12.3982 8.70393 12.3982 8.82329C12.3982 8.94265 12.3525 9.05748 12.2705 9.14424L12.2874 9.12171Z" fill="url(#paint33_linear_49_4097)"/>
<path d="M11.398 8.20414C11.0935 8.51911 10.9233 8.94005 10.9233 9.37813C10.9233 9.8162 11.0935 10.2371 11.398 10.5521C11.6213 10.7771 11.905 10.9325 12.2148 10.9994C12.5246 11.0664 12.8472 11.0421 13.1435 10.9294L13.5376 11.3235C13.5376 11.3235 15.9081 13.7391 16.353 14.167C16.55 14.167 17.0681 14.0994 17.3045 14.1107C17.3045 14.0037 17.2201 13.9305 17.0005 13.5082C16.9442 13.4463 16.7415 13.4069 16.5782 13.2436C16.5782 13.2154 16.3023 13.069 16.2854 13.0578C16.2487 12.9622 16.1974 12.8729 16.1334 12.7931C16.0433 12.7087 16.0095 12.5623 15.9194 12.4722C15.8552 12.4303 15.7932 12.3852 15.7336 12.337C15.6687 12.2963 15.6066 12.2511 15.5478 12.2019C15.041 11.6951 14.5399 11.1884 14.2584 10.8956C14.416 10.7379 14.7426 10.4789 14.5737 10.3325L14.4611 10.1918L14.1345 9.86518C14.2162 9.57872 14.2206 9.27576 14.1475 8.98701C14.0743 8.69827 13.9261 8.43401 13.7178 8.22103C13.5675 8.06602 13.3879 7.94247 13.1893 7.85759C12.9908 7.7727 12.7774 7.72818 12.5614 7.72661C12.3455 7.72503 12.1315 7.76645 11.9317 7.84843C11.732 7.93041 11.5505 8.05133 11.398 8.20414V8.20414ZM12.2876 9.09941C12.2445 9.1449 12.1925 9.18113 12.1349 9.20589C12.0773 9.23065 12.0153 9.24341 11.9526 9.24341C11.8899 9.24341 11.8279 9.23065 11.7703 9.20589C11.7127 9.18113 11.6607 9.1449 11.6176 9.09941C11.5282 9.0097 11.478 8.88822 11.478 8.76157C11.478 8.63492 11.5282 8.51344 11.6176 8.42373C11.6615 8.37964 11.7137 8.34465 11.7712 8.32078C11.8287 8.29691 11.8904 8.28462 11.9526 8.28462C12.0149 8.28462 12.0765 8.29691 12.134 8.32078C12.1915 8.34465 12.2437 8.37964 12.2876 8.42373C12.377 8.51344 12.4272 8.63492 12.4272 8.76157C12.4272 8.88822 12.377 9.0097 12.2876 9.09941V9.09941Z" fill="url(#paint34_linear_49_4097)"/>
<path d="M11.398 8.2041C11.0935 8.51908 10.9233 8.94002 10.9233 9.37809C10.9233 9.81616 11.0935 10.2371 11.398 10.5521C11.6213 10.7771 11.905 10.9324 12.2148 10.9994C12.5246 11.0664 12.8472 11.042 13.1435 10.9293L13.5376 11.3235C13.5376 11.3235 15.8575 13.6827 16.3135 14.1388" stroke="url(#paint35_linear_49_4097)" stroke-width="0.0337839" stroke-miterlimit="10"/>
<path d="M17.3327 14.0996C17.303 13.84 17.2578 13.5824 17.1976 13.3282L16.7528 12.8721L16.4375 12.8158C16.4375 12.8158 16.4093 12.5568 16.4093 12.5286L16.139 12.264C16.0434 12.2701 15.9475 12.2701 15.8519 12.264C15.8519 12.264 15.8519 11.9824 15.8181 11.9768L14.5287 10.6367L14.219 10.952L17.3327 14.0996Z" fill="#C2C5C7"/>
<path d="M16.6456 14.1501L13.8528 11.3235L14.0386 11.1377L16.9891 14.1219L16.6456 14.1501Z" fill="#C2C5C7"/>
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M16.6456 14.1501L13.8528 11.3235L13.9316 11.2447L14.0386 11.1377V11.3517L16.7976 14.1388L16.6456 14.1501Z" fill="black"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M17.3327 14.0995L14.219 10.952L14.2978 10.8675L14.5118 10.6592L14.4048 10.9745L17.3102 13.9081L17.3327 14.0995Z" fill="black"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.2">
<g style="mix-blend-mode:multiply" opacity="0.2">
<path d="M12.5577 7.37608C12.8144 7.37347 13.069 7.4219 13.3068 7.51857C13.5446 7.61523 13.7608 7.75819 13.9428 7.93914C14.2213 8.21714 14.4115 8.57113 14.4896 8.95676C14.5677 9.34238 14.5303 9.74249 14.382 10.1069L14.4214 10.1464L14.5566 10.2815C14.6298 10.3547 14.6073 10.4504 14.4946 10.5855C14.8156 10.9121 15.2886 11.402 15.7841 11.8919C15.7841 11.8919 15.7841 12.0608 15.7841 12.1227C15.7841 12.1847 15.7841 12.1621 15.7841 12.1734C15.7841 12.1734 15.7841 12.1734 16.0037 12.2128H16.0769C16.1153 12.2456 16.1511 12.2814 16.1838 12.3198L16.3415 12.4718C16.3365 12.5637 16.3365 12.6558 16.3415 12.7477V12.7477C16.4461 12.7792 16.5536 12.7999 16.6624 12.8097C16.9102 13.0574 17.051 13.2038 17.096 13.2545C17.1203 13.4344 17.1542 13.613 17.1974 13.7894C17.2153 13.8521 17.2285 13.9161 17.2368 13.9808V13.9808V14.0202H17.203H16.9215H16.882L16.6343 14.1329H16.364C16.0937 13.8738 15.1872 12.9673 14.4721 12.2466L13.5487 11.3175L13.4136 11.1824C13.0405 11.3458 12.6267 11.3924 12.2267 11.316C11.8267 11.2396 11.4591 11.0438 11.1726 10.7545C10.8012 10.3801 10.5928 9.87412 10.5928 9.3468C10.5928 8.81948 10.8012 8.31353 11.1726 7.93914C11.355 7.7587 11.5713 7.61606 11.809 7.51944C12.0467 7.42281 12.3011 7.37409 12.5577 7.37608V7.37608ZM12.5577 7.37608C12.2994 7.37353 12.043 7.42195 11.8034 7.51857C11.5638 7.61518 11.3456 7.7581 11.1613 7.93914C10.794 8.31564 10.5884 8.82081 10.5884 9.3468C10.5884 9.8728 10.794 10.378 11.1613 10.7545C11.3478 10.9373 11.5688 11.0812 11.8114 11.1779C12.054 11.2745 12.3135 11.322 12.5746 11.3175C12.8602 11.3169 13.1423 11.2555 13.4023 11.1374L13.5374 11.3175L14.4721 12.2747C15.1928 13.0011 16.105 13.9189 16.3696 14.1666L16.6343 14.1329H16.9778H17.2593H17.31C17.289 13.8624 17.2514 13.5935 17.1974 13.3277L16.7525 12.8716L16.4372 12.8153C16.4372 12.8153 16.4091 12.5563 16.4091 12.5281L16.1388 12.2635C16.0432 12.2693 15.9473 12.2693 15.8516 12.2635C15.8456 12.1672 15.8343 12.0714 15.8178 11.9763L14.5341 10.6362C14.6298 10.5236 14.6805 10.4054 14.5904 
10.3096L14.4609 10.1914L14.382 10.1126C14.5314 9.74861 14.571 9.34889 14.496 8.96269C14.421 8.57648 14.2345 8.22068 13.9597 7.93914C13.5851 7.5737 13.0811 7.37129 12.5577 7.37608V7.37608Z" fill="black"/>
</g>
</g>
<g style="mix-blend-mode:multiply" opacity="0.3">
<path d="M14.1401 9.85352L14.3766 10.0956C14.4255 10.0237 14.4547 9.94023 14.4611 9.85352H14.1401Z" fill="#808080"/>
</g>
<g opacity="0.5">
<path opacity="0.5" d="M11.9499 8.22032C12.091 8.22374 12.2256 8.28001 12.3271 8.37798C12.4237 8.48209 12.4774 8.61885 12.4774 8.76086C12.4774 8.90286 12.4237 9.03962 12.3271 9.14374C12.2782 9.19537 12.2193 9.23649 12.1539 9.26459C12.0886 9.29268 12.0182 9.30718 11.9471 9.30718C11.8759 9.30718 11.8056 9.29268 11.7402 9.26459C11.6749 9.23649 11.6159 9.19537 11.567 9.14374C11.4704 9.03962 11.4168 8.90286 11.4168 8.76086C11.4168 8.61885 11.4704 8.48209 11.567 8.37798C11.6652 8.27839 11.7988 8.22171 11.9386 8.22032H11.9499ZM11.9386 8.18653C11.8641 8.18684 11.7904 8.20193 11.7218 8.23093C11.6532 8.25992 11.591 8.30225 11.5389 8.35545C11.4861 8.40985 11.4449 8.47432 11.4177 8.54501C11.3905 8.61569 11.3778 8.69115 11.3805 8.76685C11.3831 8.84255 11.401 8.91694 11.433 8.98557C11.4651 9.0542 11.5106 9.11566 11.567 9.16627C11.6194 9.2199 11.6821 9.26251 11.7512 9.2916C11.8203 9.32069 11.8946 9.33568 11.9696 9.33568C12.0446 9.33568 12.1189 9.32069 12.188 9.2916C12.2571 9.26251 12.3197 9.2199 12.3722 9.16627C12.4267 9.11374 12.47 9.05077 12.4996 8.98111C12.5292 8.91146 12.5445 8.83655 12.5445 8.76086C12.5445 8.68517 12.5292 8.61026 12.4996 8.54061C12.47 8.47095 12.4267 8.40798 12.3722 8.35545C12.3194 8.30157 12.2563 8.25885 12.1866 8.22984C12.117 8.20082 12.0422 8.18609 11.9668 8.18653H11.9386Z" fill="url(#paint36_linear_49_4097)"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.3">
<path d="M8.84172 9.8203C8.88113 9.9498 9.90591 9.42615 10.0354 9.38674C10.0261 9.5751 10.0374 9.76391 10.0692 9.9498L10.362 9.76399L10.6717 9.65701V9.57255L11.0039 9.38674L11.9048 9.06579L12.13 8.9757C12.023 9.00948 11.9273 9.01512 11.8879 8.89124L12.1751 8.72232C12.13 8.59282 12.13 8.50273 11.978 8.5534L8.99374 9.51624C8.93354 9.53679 8.88384 9.58021 8.8554 9.6371C8.82695 9.694 8.82203 9.75981 8.84172 9.8203V9.8203Z" fill="black"/>
</g>
<path style="mix-blend-mode:multiply" d="M11.5218 8.33359C11.408 8.45032 11.3442 8.60691 11.3442 8.76996C11.3442 8.93301 11.408 9.08961 11.5218 9.20634C11.6366 9.31947 11.7913 9.38289 11.9525 9.38289C12.1137 9.38289 12.2685 9.31947 12.3833 9.20634C12.4971 9.08961 12.5608 8.93301 12.5608 8.76996C12.5608 8.60691 12.4971 8.45032 12.3833 8.33359C12.3272 8.27621 12.2602 8.23062 12.1862 8.1995C12.1122 8.16838 12.0328 8.15234 11.9525 8.15234C11.8723 8.15234 11.7929 8.16838 11.7189 8.1995C11.6449 8.23062 11.5779 8.27621 11.5218 8.33359V8.33359ZM12.265 9.06557C12.2242 9.10694 12.1755 9.13979 12.1219 9.1622C12.0682 9.18462 12.0107 9.19617 11.9525 9.19617C11.8944 9.19617 11.8368 9.18462 11.7832 9.1622C11.7296 9.13979 11.6809 9.10694 11.64 9.06557C11.5985 9.02424 11.5655 8.9751 11.543 8.92099C11.5206 8.86688 11.509 8.80886 11.509 8.75025C11.509 8.69165 11.5206 8.63363 11.543 8.57952C11.5655 8.52541 11.5985 8.47627 11.64 8.43494C11.6809 8.39357 11.7296 8.36072 11.7832 8.33831C11.8368 8.31589 11.8944 8.30434 11.9525 8.30434C12.0107 8.30434 12.0682 8.31589 12.1219 8.33831C12.1755 8.36072 12.2242 8.39357 12.265 8.43494C12.3066 8.47627 12.3395 8.52541 12.362 8.57952C12.3845 8.63363 12.3961 8.69165 12.3961 8.75025C12.3961 8.80886 12.3845 8.86688 12.362 8.92099C12.3395 8.9751 12.3066 9.02424 12.265 9.06557Z" fill="url(#paint37_linear_49_4097)"/>
<path d="M8.75152 9.78612C8.76105 9.81637 8.77656 9.84439 8.79714 9.86853C8.81773 9.89266 8.84295 9.9124 8.87132 9.92659C8.89969 9.94077 8.93062 9.9491 8.96227 9.95109C8.99393 9.95307 9.02566 9.94867 9.05557 9.93815L12.0398 8.98094C12.1004 8.9592 12.1502 8.91471 12.1786 8.8569C12.207 8.79909 12.2117 8.7325 12.1918 8.67125C12.1846 8.64158 12.1716 8.61365 12.1534 8.58906C12.1353 8.56448 12.1125 8.54373 12.0863 8.52802C12.0602 8.51231 12.0311 8.50195 12.0009 8.49754C11.9707 8.49313 11.9399 8.49476 11.9103 8.50233L8.92044 9.47643C8.88889 9.48548 8.85945 9.5007 8.83383 9.52122C8.80822 9.54174 8.78693 9.56714 8.77122 9.59595C8.7555 9.62476 8.74567 9.65641 8.74229 9.68906C8.7389 9.7217 8.74204 9.7547 8.75152 9.78612V9.78612Z" fill="url(#paint38_linear_49_4097)"/>
<g style="mix-blend-mode:multiply" opacity="0.85">
<g style="mix-blend-mode:multiply" opacity="0.85">
<path d="M8.75158 9.78604C8.7611 9.81629 8.77662 9.84432 8.7972 9.86845C8.81778 9.89258 8.84301 9.91232 8.87138 9.92651C8.89974 9.94069 8.93067 9.94902 8.96233 9.95101C8.99398 9.953 9.02571 9.94859 9.05563 9.93807L12.0286 8.98086C12.0589 8.97125 12.0871 8.95577 12.1114 8.93529C12.1357 8.9148 12.1558 8.88973 12.1704 8.86149C12.1851 8.83326 12.194 8.80241 12.1967 8.77072C12.1994 8.73903 12.1959 8.70712 12.1863 8.6768C12.1703 8.61498 12.1306 8.56196 12.0758 8.52927C12.021 8.49658 11.9554 8.48687 11.8935 8.50225L8.91486 9.48198C8.88404 9.491 8.85531 9.50606 8.83036 9.52629C8.80541 9.54652 8.78473 9.57151 8.76954 9.59981C8.75434 9.62811 8.74492 9.65915 8.74184 9.69112C8.73876 9.72309 8.74207 9.75536 8.75158 9.78604V9.78604Z" fill="white"/>
</g>
<g style="mix-blend-mode:multiply" opacity="0.85">
<g style="mix-blend-mode:multiply" opacity="0.4">
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M8.75158 9.78604C8.7611 9.81629 8.77662 9.84432 8.7972 9.86845C8.81778 9.89258 8.84301 9.91232 8.87138 9.92651C8.89974 9.94069 8.93067 9.94902 8.96233 9.95101C8.99398 9.953 9.02571 9.94859 9.05563 9.93807L12.0286 8.98086C12.0589 8.97125 12.0871 8.95577 12.1114 8.93529C12.1357 8.9148 12.1558 8.88973 12.1704 8.86149C12.1851 8.83326 12.194 8.80241 12.1967 8.77072C12.1994 8.73903 12.1959 8.70712 12.1863 8.6768C12.1703 8.61498 12.1306 8.56196 12.0758 8.52927C12.021 8.49658 11.9554 8.48687 11.8935 8.50225L8.91486 9.48198C8.88404 9.491 8.85531 9.50606 8.83036 9.52629C8.80541 9.54652 8.78473 9.57151 8.76954 9.59981C8.75434 9.62811 8.74492 9.65915 8.74184 9.69112C8.73876 9.72309 8.74207 9.75536 8.75158 9.78604V9.78604Z" fill="black"/>
</g>
</g>
</g>
</g>
<g style="mix-blend-mode:multiply" opacity="0.4">
<g style="mix-blend-mode:multiply" opacity="0.4">
<path d="M12.2087 8.70508C12.2284 8.76557 12.2235 8.83138 12.195 8.88827C12.1666 8.94517 12.1169 8.98859 12.0567 9.00913L9.07804 9.96634C9.04679 9.97968 9.01308 9.98628 8.97911 9.98573C8.94514 9.98518 8.91166 9.97748 8.88086 9.96314C8.85005 9.9488 8.82261 9.92814 8.80032 9.9025C8.77803 9.87686 8.76138 9.84681 8.75146 9.81432V9.81432C8.78755 9.84474 8.83112 9.86496 8.87765 9.87289C8.92418 9.88081 8.97199 9.87614 9.01611 9.85936C9.21881 9.80869 12.0623 8.89652 12.0623 8.89652C12.0623 8.89652 12.2143 8.82895 12.2087 8.70508Z" fill="black"/>
</g>
</g>
</g>
<defs>
<linearGradient id="paint0_linear_49_4097" x1="13.9892" y1="4.95508" x2="14.6969" y2="4.35094" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint1_linear_49_4097" x1="6.00862" y1="4.95507" x2="5.30105" y2="4.35125" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint2_linear_49_4097" x1="10.0039" y1="14.9968" x2="10.0039" y2="8.9946" gradientUnits="userSpaceOnUse">
<stop stop-color="#ABABAB"/>
<stop offset="0.1971" stop-color="#A7A7A7"/>
<stop offset="0.3984" stop-color="#9B9B9B"/>
<stop offset="0.6016" stop-color="#868686"/>
<stop offset="0.8047" stop-color="#6A6A6A"/>
<stop offset="1" stop-color="#474747"/>
</linearGradient>
<linearGradient id="paint3_linear_49_4097" x1="7.39469" y1="9.18753" x2="6.70448" y2="8.54622" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint4_linear_49_4097" x1="12.6133" y1="9.18753" x2="13.3035" y2="8.54621" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint5_linear_49_4097" x1="10" y1="14" x2="10" y2="8.99894" gradientUnits="userSpaceOnUse">
<stop stop-color="#666666"/>
<stop offset="0.109" stop-color="#5E5E5E"/>
<stop offset="0.6917" stop-color="#393939"/>
<stop offset="1" stop-color="#2B2B2B"/>
</linearGradient>
<linearGradient id="paint6_linear_49_4097" x1="10" y1="15" x2="10" y2="9.00003" gradientUnits="userSpaceOnUse">
<stop stop-color="#C9C9C9"/>
<stop offset="0.3698" stop-color="#CDCDCD"/>
<stop offset="0.7464" stop-color="#D9D9D9"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<radialGradient id="paint7_radial_49_4097" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(4.33069 11.589) rotate(-117.661) scale(0.94236 0.847944)">
<stop stop-color="#BDFFBD"/>
<stop offset="1" stop-color="#00FF00"/>
</radialGradient>
<linearGradient id="paint8_linear_49_4097" x1="10.5098" y1="8.51832" x2="8.00438" y2="8.51832" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1"/>
</linearGradient>
<linearGradient id="paint9_linear_49_4097" x1="16.0215" y1="8.51832" x2="8.00424" y2="8.51832" gradientUnits="userSpaceOnUse">
<stop/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint10_linear_49_4097" x1="13.634" y1="10.9009" x2="10.8243" y2="8.08559" gradientUnits="userSpaceOnUse">
<stop stop-color="#D68731"/>
<stop offset="1" stop-color="#FECA54"/>
</linearGradient>
<linearGradient id="paint11_linear_49_4097" x1="12.2264" y1="10.884" x2="12.2264" y2="6.88626" gradientUnits="userSpaceOnUse">
<stop stop-color="#E6B035"/>
<stop offset="1" stop-color="#F0DA86"/>
</linearGradient>
<linearGradient id="paint12_linear_49_4097" x1="13.6058" y1="13.1016" x2="9.03371" y2="8.52948" gradientUnits="userSpaceOnUse">
<stop offset="0.18" stop-color="#FFBC35"/>
<stop offset="1" stop-color="#F7F1AF"/>
</linearGradient>
<linearGradient id="paint13_linear_49_4097" x1="10.5652" y1="11.677" x2="12.2263" y2="11.677" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0.5"/>
<stop offset="0.78" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint14_linear_49_4097" x1="11.9108" y1="15.895" x2="11.9108" y2="11.7959" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint15_linear_49_4097" x1="-11.1357" y1="-38.7998" x2="-11.1357" y2="-74.0297" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint16_linear_49_4097" x1="86.575" y1="-179.494" x2="86.6658" y2="-179.403" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint17_linear_49_4097" x1="12.2263" y1="8.09628" x2="12.2263" y2="9.32939" gradientUnits="userSpaceOnUse">
<stop offset="0.21" stop-color="#D47C1D" stop-opacity="0.6"/>
<stop offset="0.32" stop-color="#D47C1D" stop-opacity="0.39"/>
<stop offset="0.44" stop-color="#D47C1D" stop-opacity="0.22"/>
<stop offset="0.54" stop-color="#D47C1D" stop-opacity="0.1"/>
<stop offset="0.64" stop-color="#D47C1D" stop-opacity="0.03"/>
<stop offset="0.71" stop-color="#D47C1D" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint18_linear_49_4097" x1="12.6262" y1="9.02534" x2="11.8322" y2="8.23142" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1" stop-color="white" stop-opacity="0.7"/>
</linearGradient>
<linearGradient id="paint19_linear_49_4097" x1="13.0564" y1="10.9009" x2="10.2467" y2="8.08559" gradientUnits="userSpaceOnUse">
<stop stop-color="#D68731"/>
<stop offset="1" stop-color="#FECA54"/>
</linearGradient>
<linearGradient id="paint20_linear_49_4097" x1="11.6487" y1="10.884" x2="11.6487" y2="6.88626" gradientUnits="userSpaceOnUse">
<stop stop-color="#E6B035"/>
<stop offset="1" stop-color="#F0DA86"/>
</linearGradient>
<linearGradient id="paint21_linear_49_4097" x1="13.0282" y1="13.1016" x2="8.45607" y2="8.52948" gradientUnits="userSpaceOnUse">
<stop offset="0.18" stop-color="#FFBC35"/>
<stop offset="1" stop-color="#F7F1AF"/>
</linearGradient>
<linearGradient id="paint22_linear_49_4097" x1="9.98761" y1="11.677" x2="11.6486" y2="11.677" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0.5"/>
<stop offset="0.78" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint23_linear_49_4097" x1="11.3331" y1="15.895" x2="11.3331" y2="11.7959" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint24_linear_49_4097" x1="-11.7133" y1="-38.7998" x2="-11.7133" y2="-74.0297" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint25_linear_49_4097" x1="85.9973" y1="-179.494" x2="86.0881" y2="-179.403" gradientUnits="userSpaceOnUse">
<stop stop-color="#CF8D3A"/>
<stop offset="0.46" stop-color="#C68234"/>
<stop offset="1" stop-color="#BF7B30"/>
</linearGradient>
<linearGradient id="paint26_linear_49_4097" x1="11.6487" y1="8.09628" x2="11.6487" y2="9.32939" gradientUnits="userSpaceOnUse">
<stop offset="0.21" stop-color="#D47C1D" stop-opacity="0.6"/>
<stop offset="0.32" stop-color="#D47C1D" stop-opacity="0.39"/>
<stop offset="0.44" stop-color="#D47C1D" stop-opacity="0.22"/>
<stop offset="0.54" stop-color="#D47C1D" stop-opacity="0.1"/>
<stop offset="0.64" stop-color="#D47C1D" stop-opacity="0.03"/>
<stop offset="0.71" stop-color="#D47C1D" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint27_linear_49_4097" x1="12.0485" y1="9.02534" x2="11.2546" y2="8.23142" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1" stop-color="white" stop-opacity="0.7"/>
</linearGradient>
<linearGradient id="paint28_linear_49_4097" x1="13.5572" y1="11.019" x2="10.7462" y2="8.20806" gradientUnits="userSpaceOnUse">
<stop offset="0.12" stop-color="#909899"/>
<stop offset="1" stop-color="#C1CACC"/>
</linearGradient>
<linearGradient id="paint29_linear_49_4097" x1="15.7352" y1="13.1971" x2="11.1804" y2="8.64226" gradientUnits="userSpaceOnUse">
<stop offset="0.16" stop-color="#B1B4B5"/>
<stop offset="1" stop-color="#D0D6D9"/>
</linearGradient>
<linearGradient id="paint30_linear_49_4097" x1="-1726.64" y1="-4955.06" x2="-1715.29" y2="-4966.42" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0.5"/>
<stop offset="0.78" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint31_linear_49_4097" x1="19.1814" y1="11.6619" x2="16.8178" y2="11.6619" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1" stop-color="white" stop-opacity="0.7"/>
</linearGradient>
<linearGradient id="paint32_linear_49_4097" x1="11.5771" y1="9.04428" x2="12.4411" y2="9.90826" gradientUnits="userSpaceOnUse">
<stop offset="0.22" stop-opacity="0.5"/>
<stop offset="0.71" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint33_linear_49_4097" x1="13.5572" y1="10.3705" x2="10.7462" y2="7.55963" gradientUnits="userSpaceOnUse">
<stop offset="0.12" stop-color="#909899"/>
<stop offset="1" stop-color="#C1CACC"/>
</linearGradient>
<linearGradient id="paint34_linear_49_4097" x1="15.7352" y1="12.5486" x2="11.1804" y2="7.99382" gradientUnits="userSpaceOnUse">
<stop offset="0.16" stop-color="#B1B4B5"/>
<stop offset="1" stop-color="#D0D6D9"/>
</linearGradient>
<linearGradient id="paint35_linear_49_4097" x1="-1726.64" y1="-4955.71" x2="-1715.29" y2="-4967.06" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0.5"/>
<stop offset="0.78" stop-color="white" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint36_linear_49_4097" x1="19.1814" y1="11.0134" x2="16.8178" y2="11.0134" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1" stop-color="white" stop-opacity="0.7"/>
</linearGradient>
<linearGradient id="paint37_linear_49_4097" x1="11.5771" y1="8.39585" x2="12.4411" y2="9.25983" gradientUnits="userSpaceOnUse">
<stop offset="0.22" stop-opacity="0.5"/>
<stop offset="0.71" stop-opacity="0"/>
</linearGradient>
<linearGradient id="paint38_linear_49_4097" x1="11.0103" y1="7.47412" x2="11.1593" y2="7.93076" gradientUnits="userSpaceOnUse">
<stop stop-color="#E1ECF0"/>
<stop offset="0.25" stop-color="#EEFAFF"/>
<stop offset="0.48" stop-color="#D8E3E8"/>
<stop offset="0.57" stop-color="#D4DFE4"/>
<stop offset="0.66" stop-color="#C9D3D7"/>
<stop offset="0.76" stop-color="#B5BEC2"/>
<stop offset="0.85" stop-color="#9AA2A4"/>
<stop offset="0.95" stop-color="#787D7F"/>
<stop offset="1" stop-color="#646869"/>
</linearGradient>
<clipPath id="clip0_49_4097">
<rect width="20" height="20" fill="white"/>
</clipPath>
<clipPath id="clip1_49_4097">
<rect width="20" height="20" fill="white"/>
</clipPath>
</defs>
</svg>


Binary file not shown.



@ -0,0 +1,129 @@
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_49_4341)">
<g clip-path="url(#clip1_49_4341)">
<path d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="#E1E3E6"/>
<path opacity="0.5" d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="url(#paint0_linear_49_4341)"/>
<path opacity="0.5" d="M1.16016 9.1783L4.76679 5.19317C4.87925 5.07028 5.02383 5.00006 5.18448 5.00006H14.8156C14.9682 5.00006 15.1208 5.07028 15.2333 5.19317L18.8399 9.1783H1.16016Z" fill="url(#paint1_linear_49_4341)"/>
<path d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint2_linear_49_4341)"/>
<path opacity="0.6" d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint3_linear_49_4341)"/>
<path opacity="0.6" d="M1.56477 15H18.4352C18.7499 15 19 14.7309 19 14.3922V9.60785C19 9.26921 18.7499 9.00003 18.4352 9.00003H1.56477C1.25011 9.00003 1 9.26921 1 9.60785V14.3922C1 14.7222 1.25818 15 1.56477 15Z" fill="url(#paint4_linear_49_4341)"/>
<path d="M17.4667 14H2.53333C2.23619 14 2 13.752 2 13.44V9.00003H18V13.44C18 13.752 17.7638 14 17.4667 14Z" fill="url(#paint5_linear_49_4341)"/>
<path d="M18.4375 9.07717C18.7107 9.07717 18.9277 9.3086 18.9277 9.60003V14.4C18.9277 14.6915 18.7107 14.9229 18.4375 14.9229H1.5625C1.28929 14.9229 1.07232 14.6915 1.07232 14.4V9.60003C1.07232 9.3086 1.28929 9.07717 1.5625 9.07717H18.4375ZM18.4375 9.00003H1.5625C1.24911 9.00003 1 9.26574 1 9.60003V14.4C1 14.7343 1.24911 15 1.5625 15H18.4375C18.7509 15 19 14.7343 19 14.4V9.60003C19 9.26574 18.7509 9.00003 18.4375 9.00003Z" fill="url(#paint6_linear_49_4341)"/>
<path opacity="0.15" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.522914" stroke-miterlimit="10"/>
<path opacity="0.3" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.261461" stroke-miterlimit="10"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" fill="#00B300"/>
<path d="M4.3911 11.9616C4.77598 11.899 5.03555 11.5409 4.9729 11.1561C4.955 11.0755 4.92814 10.9949 4.89234 10.9233C4.74913 10.8249 4.57011 10.7801 4.38214 10.807C3.99726 10.8696 3.73769 11.2277 3.80034 11.6125C3.81824 11.6931 3.8451 11.7737 3.8809 11.8453C4.02411 11.9437 4.20313 11.9885 4.3911 11.9616Z" fill="url(#paint7_radial_49_4341)"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.0894687" stroke-miterlimit="10"/>
</g>
<mask id="path-14-inside-1_49_4341" fill="white">
<path fill-rule="evenodd" clip-rule="evenodd" d="M16 16C17.3807 16 18.5 14.8807 18.5 13.5C18.5 12.1193 17.3807 11 16 11C14.6193 11 13.5 12.1193 13.5 13.5C13.5 14.8807 14.6193 16 16 16ZM16.0004 15.5C16.2075 15.5 16.3754 15.3321 16.3754 15.125C16.3754 14.9179 16.2075 14.75 16.0004 14.75C15.7933 14.75 15.6254 14.9179 15.6254 15.125C15.6254 15.3321 15.7933 15.5 16.0004 15.5Z"/>
</mask>
<path fill-rule="evenodd" clip-rule="evenodd" d="M16 16C17.3807 16 18.5 14.8807 18.5 13.5C18.5 12.1193 17.3807 11 16 11C14.6193 11 13.5 12.1193 13.5 13.5C13.5 14.8807 14.6193 16 16 16ZM16.0004 15.5C16.2075 15.5 16.3754 15.3321 16.3754 15.125C16.3754 14.9179 16.2075 14.75 16.0004 14.75C15.7933 14.75 15.6254 14.9179 15.6254 15.125C15.6254 15.3321 15.7933 15.5 16.0004 15.5Z" fill="url(#paint8_linear_49_4341)"/>
<path d="M18.3747 13.5C18.3747 14.8115 17.3115 15.8747 16 15.8747V16.1253C17.4499 16.1253 18.6253 14.9499 18.6253 13.5H18.3747ZM16 11.1253C17.3115 11.1253 18.3747 12.1885 18.3747 13.5H18.6253C18.6253 12.0501 17.4499 10.8747 16 10.8747V11.1253ZM13.6253 13.5C13.6253 12.1885 14.6885 11.1253 16 11.1253V10.8747C14.5501 10.8747 13.3747 12.0501 13.3747 13.5H13.6253ZM16 15.8747C14.6885 15.8747 13.6253 14.8115 13.6253 13.5H13.3747C13.3747 14.9499 14.5501 16.1253 16 16.1253V15.8747ZM16.25 15.125C16.25 15.2629 16.1382 15.3747 16.0004 15.3747V15.6254C16.2767 15.6254 16.5007 15.4014 16.5007 15.125H16.25ZM16.0004 14.8754C16.1382 14.8754 16.25 14.9871 16.25 15.125H16.5007C16.5007 14.8487 16.2767 14.6247 16.0004 14.6247V14.8754ZM15.7507 15.125C15.7507 14.9871 15.8625 14.8754 16.0004 14.8754V14.6247C15.724 14.6247 15.5 14.8487 15.5 15.125H15.7507ZM16.0004 15.3747C15.8625 15.3747 15.7507 15.2629 15.7507 15.125H15.5C15.5 15.4014 15.724 15.6254 16.0004 15.6254V15.3747Z" fill="#8A9299" mask="url(#path-14-inside-1_49_4341)"/>
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#A1AAB3"/>
<mask id="mask0_49_4341" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="12" y="5" width="9" height="7">
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#FFC225"/>
</mask>
<g mask="url(#mask0_49_4341)">
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M14.5098 5.01074H12.5011C12.2243 5.01074 12 5.23508 12 5.51182V11.5248C12 11.8015 12.2243 12.0258 12.5011 12.0258H14.5098V5.01074Z" fill="url(#paint9_linear_49_4341)" fill-opacity="0.5"/>
</g>
</g>
<mask id="mask1_49_4341" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="12" y="5" width="9" height="7">
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#FFC225"/>
</mask>
<g mask="url(#mask1_49_4341)">
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M20.0217 5.51182C20.0217 5.23508 19.7974 5.01074 19.5207 5.01074H12.5056C12.2288 5.01074 12.0045 5.23508 12.0045 5.51182V11.5248C12.0045 11.8015 12.2288 12.0258 12.5056 12.0258H19.5207C19.7974 12.0258 20.0217 11.8015 20.0217 11.5248V5.51182Z" fill="url(#paint10_linear_49_4341)" fill-opacity="0.5"/>
</g>
</g>
<path d="M14.0085 5.01077L14.0085 3.00646C14.0085 1.89951 14.9059 1.00215 16.0129 1.00215V1.00215C17.1198 1.00215 18.0172 1.89951 18.0172 3.00646V3.04842" stroke="#B8C2CC" stroke-width="1.5"/>
<g style="mix-blend-mode:overlay" opacity="0.25">
<path d="M12 5.99997H20V11H12V5.99997Z" fill="white"/>
</g>
<g style="mix-blend-mode:overlay">
<rect x="12" y="11" width="8" height="1" fill="#0078D4"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="12" y="9.99997" width="8" height="1" fill="white"/>
</g>
<g style="mix-blend-mode:overlay">
<path d="M12 4.99997H20V5.99997H12V4.99997Z" fill="#0078D4"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="12" y="5.99997" width="8" height="1" fill="white"/>
</g>
<rect width="3.34783" height="3.34783" transform="matrix(-1 0 0 1 7 0)" fill="#0883D9"/>
<rect width="3.34783" height="3.34783" transform="matrix(-1 0 0 1 7 3.65218)" fill="#0883D9"/>
<rect width="3.34783" height="3.34783" transform="matrix(-1 0 0 1 3.3479 0)" fill="#0883D9"/>
<rect width="3.34783" height="3.34783" transform="matrix(-1 0 0 1 3.3479 3.65218)" fill="#0883D9"/>
</g>
<defs>
<linearGradient id="paint0_linear_49_4341" x1="13.9892" y1="4.95508" x2="14.6969" y2="4.35094" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint1_linear_49_4341" x1="6.00862" y1="4.95507" x2="5.30105" y2="4.35125" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint2_linear_49_4341" x1="10.0039" y1="14.9968" x2="10.0039" y2="8.9946" gradientUnits="userSpaceOnUse">
<stop stop-color="#ABABAB"/>
<stop offset="0.1971" stop-color="#A7A7A7"/>
<stop offset="0.3984" stop-color="#9B9B9B"/>
<stop offset="0.6016" stop-color="#868686"/>
<stop offset="0.8047" stop-color="#6A6A6A"/>
<stop offset="1" stop-color="#474747"/>
</linearGradient>
<linearGradient id="paint3_linear_49_4341" x1="7.39469" y1="9.18753" x2="6.70448" y2="8.54622" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint4_linear_49_4341" x1="12.6133" y1="9.18753" x2="13.3035" y2="8.54621" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint5_linear_49_4341" x1="10" y1="14" x2="10" y2="8.99894" gradientUnits="userSpaceOnUse">
<stop stop-color="#666666"/>
<stop offset="0.109" stop-color="#5E5E5E"/>
<stop offset="0.6917" stop-color="#393939"/>
<stop offset="1" stop-color="#2B2B2B"/>
</linearGradient>
<linearGradient id="paint6_linear_49_4341" x1="10" y1="15" x2="10" y2="9.00003" gradientUnits="userSpaceOnUse">
<stop stop-color="#C9C9C9"/>
<stop offset="0.3698" stop-color="#CDCDCD"/>
<stop offset="0.7464" stop-color="#D9D9D9"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<radialGradient id="paint7_radial_49_4341" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(4.33069 11.589) rotate(-117.661) scale(0.94236 0.847944)">
<stop stop-color="#BDFFBD"/>
<stop offset="1" stop-color="#00FF00"/>
</radialGradient>
<linearGradient id="paint8_linear_49_4341" x1="15.4676" y1="11" x2="16.3629" y2="16.0117" gradientUnits="userSpaceOnUse">
<stop stop-color="#CAD2D9"/>
<stop offset="1" stop-color="#A1AAB3"/>
</linearGradient>
<linearGradient id="paint9_linear_49_4341" x1="14.5098" y1="8.51829" x2="12" y2="8.51829" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1"/>
</linearGradient>
<linearGradient id="paint10_linear_49_4341" x1="20.0217" y1="8.51829" x2="12.0045" y2="8.51829" gradientUnits="userSpaceOnUse">
<stop/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<clipPath id="clip0_49_4341">
<rect width="20" height="20" fill="white"/>
</clipPath>
<clipPath id="clip1_49_4341">
<rect width="20" height="20" fill="white"/>
</clipPath>
</defs>
</svg>


@ -0,0 +1,125 @@
<svg width="20" height="20" viewBox="0 0 20 20" fill="none" xmlns="http://www.w3.org/2000/svg">
<g clip-path="url(#clip0_49_4004)">
<g clip-path="url(#clip1_49_4004)">
<path d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="#E1E3E6"/>
<path opacity="0.5" d="M18.8399 9.1783L15.2316 5.19317C15.1191 5.07028 14.9745 5.00006 14.8137 5.00006H5.17828C5.02559 5.00006 4.8729 5.07028 4.76039 5.19317L1.16016 9.1783H18.8399Z" fill="url(#paint0_linear_49_4004)"/>
<path opacity="0.5" d="M1.16016 9.1783L4.76679 5.19317C4.87925 5.07028 5.02383 5.00006 5.18448 5.00006H14.8156C14.9682 5.00006 15.1208 5.07028 15.2333 5.19317L18.8399 9.1783H1.16016Z" fill="url(#paint1_linear_49_4004)"/>
<path d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint2_linear_49_4004)"/>
<path opacity="0.6" d="M18.4431 15H1.56476C1.25011 15 1 14.7309 1 14.3922V9.60785C1 9.26921 1.25011 9.00003 1.56476 9.00003H18.4351C18.7497 9.00003 18.9998 9.26921 18.9998 9.60785V14.3922C19.0079 14.7222 18.7497 15 18.4431 15Z" fill="url(#paint3_linear_49_4004)"/>
<path opacity="0.6" d="M1.56477 15H18.4352C18.7499 15 19 14.7309 19 14.3922V9.60785C19 9.26921 18.7499 9.00003 18.4352 9.00003H1.56477C1.25011 9.00003 1 9.26921 1 9.60785V14.3922C1 14.7222 1.25818 15 1.56477 15Z" fill="url(#paint4_linear_49_4004)"/>
<path d="M17.4667 14H2.53333C2.23619 14 2 13.752 2 13.44V9.00003H18V13.44C18 13.752 17.7638 14 17.4667 14Z" fill="url(#paint5_linear_49_4004)"/>
<path d="M18.4375 9.07717C18.7107 9.07717 18.9277 9.3086 18.9277 9.60003V14.4C18.9277 14.6915 18.7107 14.9229 18.4375 14.9229H1.5625C1.28929 14.9229 1.07232 14.6915 1.07232 14.4V9.60003C1.07232 9.3086 1.28929 9.07717 1.5625 9.07717H18.4375ZM18.4375 9.00003H1.5625C1.24911 9.00003 1 9.26574 1 9.60003V14.4C1 14.7343 1.24911 15 1.5625 15H18.4375C18.7509 15 19 14.7343 19 14.4V9.60003C19 9.26574 18.7509 9.00003 18.4375 9.00003Z" fill="url(#paint6_linear_49_4004)"/>
<path opacity="0.15" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.522914" stroke-miterlimit="10"/>
<path opacity="0.3" d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.261461" stroke-miterlimit="10"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" fill="#00B300"/>
<path d="M4.3911 11.9616C4.77598 11.899 5.03555 11.5409 4.9729 11.1561C4.955 11.0755 4.92814 10.9949 4.89234 10.9233C4.74913 10.8249 4.57011 10.7801 4.38214 10.807C3.99726 10.8696 3.73769 11.2277 3.80034 11.6125C3.81824 11.6931 3.8451 11.7737 3.8809 11.8453C4.02411 11.9437 4.20313 11.9885 4.3911 11.9616Z" fill="url(#paint7_radial_49_4004)"/>
<path d="M4.99972 12.0003C5.27602 11.7244 5.27627 11.2766 5.00028 11.0003C4.7243 10.724 4.27658 10.7238 4.00028 10.9998C3.72398 11.2758 3.72373 11.7235 3.99972 11.9998C4.2757 12.2761 4.72342 12.2763 4.99972 12.0003Z" stroke="#00FF00" stroke-width="0.0894687" stroke-miterlimit="10"/>
</g>
<mask id="path-14-inside-1_49_4004" fill="white">
<path fill-rule="evenodd" clip-rule="evenodd" d="M16 16C17.3807 16 18.5 14.8807 18.5 13.5C18.5 12.1193 17.3807 11 16 11C14.6193 11 13.5 12.1193 13.5 13.5C13.5 14.8807 14.6193 16 16 16ZM16.0004 15.5C16.2075 15.5 16.3754 15.3321 16.3754 15.125C16.3754 14.9179 16.2075 14.75 16.0004 14.75C15.7933 14.75 15.6254 14.9179 15.6254 15.125C15.6254 15.3321 15.7933 15.5 16.0004 15.5Z"/>
</mask>
<path fill-rule="evenodd" clip-rule="evenodd" d="M16 16C17.3807 16 18.5 14.8807 18.5 13.5C18.5 12.1193 17.3807 11 16 11C14.6193 11 13.5 12.1193 13.5 13.5C13.5 14.8807 14.6193 16 16 16ZM16.0004 15.5C16.2075 15.5 16.3754 15.3321 16.3754 15.125C16.3754 14.9179 16.2075 14.75 16.0004 14.75C15.7933 14.75 15.6254 14.9179 15.6254 15.125C15.6254 15.3321 15.7933 15.5 16.0004 15.5Z" fill="url(#paint8_linear_49_4004)"/>
<path d="M18.3747 13.5C18.3747 14.8115 17.3115 15.8747 16 15.8747V16.1253C17.4499 16.1253 18.6253 14.9499 18.6253 13.5H18.3747ZM16 11.1253C17.3115 11.1253 18.3747 12.1885 18.3747 13.5H18.6253C18.6253 12.0501 17.4499 10.8747 16 10.8747V11.1253ZM13.6253 13.5C13.6253 12.1885 14.6885 11.1253 16 11.1253V10.8747C14.5501 10.8747 13.3747 12.0501 13.3747 13.5H13.6253ZM16 15.8747C14.6885 15.8747 13.6253 14.8115 13.6253 13.5H13.3747C13.3747 14.9499 14.5501 16.1253 16 16.1253V15.8747ZM16.25 15.125C16.25 15.2629 16.1382 15.3747 16.0004 15.3747V15.6254C16.2767 15.6254 16.5007 15.4014 16.5007 15.125H16.25ZM16.0004 14.8754C16.1382 14.8754 16.25 14.9871 16.25 15.125H16.5007C16.5007 14.8487 16.2767 14.6247 16.0004 14.6247V14.8754ZM15.7507 15.125C15.7507 14.9871 15.8625 14.8754 16.0004 14.8754V14.6247C15.724 14.6247 15.5 14.8487 15.5 15.125H15.7507ZM16.0004 15.3747C15.8625 15.3747 15.7507 15.2629 15.7507 15.125H15.5C15.5 15.4014 15.724 15.6254 16.0004 15.6254V15.3747Z" fill="#8A9299" mask="url(#path-14-inside-1_49_4004)"/>
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#A1AAB3"/>
<mask id="mask0_49_4004" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="12" y="5" width="9" height="7">
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#FFC225"/>
</mask>
<g mask="url(#mask0_49_4004)">
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M14.5098 5.01074H12.5011C12.2243 5.01074 12 5.23508 12 5.51182V11.5248C12 11.8015 12.2243 12.0258 12.5011 12.0258H14.5098V5.01074Z" fill="url(#paint9_linear_49_4004)" fill-opacity="0.5"/>
</g>
</g>
<mask id="mask1_49_4004" style="mask-type:alpha" maskUnits="userSpaceOnUse" x="12" y="5" width="9" height="7">
<path d="M12.0044 6C12.0044 5.44772 12.4521 5 13.0044 5H19.0044C19.5567 5 20.0044 5.44772 20.0044 6V11C20.0044 11.5523 19.5567 12 19.0044 12H13.0044C12.4521 12 12.0044 11.5523 12.0044 11V6Z" fill="#FFC225"/>
</mask>
<g mask="url(#mask1_49_4004)">
<g style="mix-blend-mode:overlay" opacity="0.5">
<path d="M20.0217 5.51182C20.0217 5.23508 19.7974 5.01074 19.5207 5.01074H12.5056C12.2288 5.01074 12.0045 5.23508 12.0045 5.51182V11.5248C12.0045 11.8015 12.2288 12.0258 12.5056 12.0258H19.5207C19.7974 12.0258 20.0217 11.8015 20.0217 11.5248V5.51182Z" fill="url(#paint10_linear_49_4004)" fill-opacity="0.5"/>
</g>
</g>
<path d="M14.0085 5.01077L14.0085 3.00646C14.0085 1.89951 14.9059 1.00215 16.0129 1.00215V1.00215C17.1198 1.00215 18.0172 1.89951 18.0172 3.00646V3.04842" stroke="#B8C2CC" stroke-width="1.5"/>
<g style="mix-blend-mode:overlay" opacity="0.25">
<path d="M12 5.99997H20V11H12V5.99997Z" fill="white"/>
</g>
<g style="mix-blend-mode:overlay">
<rect x="12" y="11" width="8" height="1" fill="#0078D4"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="12" y="9.99997" width="8" height="1" fill="white"/>
</g>
<g style="mix-blend-mode:overlay">
<path d="M12 4.99997H20V5.99997H12V4.99997Z" fill="#0078D4"/>
</g>
<g style="mix-blend-mode:overlay" opacity="0.25">
<rect x="12" y="5.99997" width="8" height="1" fill="white"/>
</g>
</g>
<defs>
<linearGradient id="paint0_linear_49_4004" x1="13.9892" y1="4.95508" x2="14.6969" y2="4.35094" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint1_linear_49_4004" x1="6.00862" y1="4.95507" x2="5.30105" y2="4.35125" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.2836" stop-color="#DCDCDC" stop-opacity="0.1418"/>
<stop offset="0.9093" stop-color="#838383" stop-opacity="0.4546"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint2_linear_49_4004" x1="10.0039" y1="14.9968" x2="10.0039" y2="8.9946" gradientUnits="userSpaceOnUse">
<stop stop-color="#ABABAB"/>
<stop offset="0.1971" stop-color="#A7A7A7"/>
<stop offset="0.3984" stop-color="#9B9B9B"/>
<stop offset="0.6016" stop-color="#868686"/>
<stop offset="0.8047" stop-color="#6A6A6A"/>
<stop offset="1" stop-color="#474747"/>
</linearGradient>
<linearGradient id="paint3_linear_49_4004" x1="7.39469" y1="9.18753" x2="6.70448" y2="8.54622" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint4_linear_49_4004" x1="12.6133" y1="9.18753" x2="13.3035" y2="8.54621" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="0.4506" stop-color="#BBBBBB" stop-opacity="0.2253"/>
<stop offset="0.8188" stop-color="#898989" stop-opacity="0.4094"/>
<stop offset="1" stop-color="#767676" stop-opacity="0.5"/>
</linearGradient>
<linearGradient id="paint5_linear_49_4004" x1="10" y1="14" x2="10" y2="8.99894" gradientUnits="userSpaceOnUse">
<stop stop-color="#666666"/>
<stop offset="0.109" stop-color="#5E5E5E"/>
<stop offset="0.6917" stop-color="#393939"/>
<stop offset="1" stop-color="#2B2B2B"/>
</linearGradient>
<linearGradient id="paint6_linear_49_4004" x1="10" y1="15" x2="10" y2="9.00003" gradientUnits="userSpaceOnUse">
<stop stop-color="#C9C9C9"/>
<stop offset="0.3698" stop-color="#CDCDCD"/>
<stop offset="0.7464" stop-color="#D9D9D9"/>
<stop offset="1" stop-color="#E6E6E6"/>
</linearGradient>
<radialGradient id="paint7_radial_49_4004" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(4.33069 11.589) rotate(-117.661) scale(0.94236 0.847944)">
<stop stop-color="#BDFFBD"/>
<stop offset="1" stop-color="#00FF00"/>
</radialGradient>
<linearGradient id="paint8_linear_49_4004" x1="15.4676" y1="11" x2="16.3629" y2="16.0117" gradientUnits="userSpaceOnUse">
<stop stop-color="#CAD2D9"/>
<stop offset="1" stop-color="#A1AAB3"/>
</linearGradient>
<linearGradient id="paint9_linear_49_4004" x1="14.5098" y1="8.51829" x2="12" y2="8.51829" gradientUnits="userSpaceOnUse">
<stop stop-color="white" stop-opacity="0"/>
<stop offset="1"/>
</linearGradient>
<linearGradient id="paint10_linear_49_4004" x1="20.0217" y1="8.51829" x2="12.0045" y2="8.51829" gradientUnits="userSpaceOnUse">
<stop/>
<stop offset="1" stop-color="white" stop-opacity="0"/>
</linearGradient>
<clipPath id="clip0_49_4004">
<rect width="20" height="20" fill="white"/>
</clipPath>
<clipPath id="clip1_49_4004">
<rect width="20" height="20" fill="white"/>
</clipPath>
</defs>
</svg>


@ -0,0 +1,21 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow devices compliant with InstantGo or HSTI to opt out of preboot PIN
This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
The policy overrides the *Require startup PIN with TPM* and *Require startup key and PIN with TPM* options of the [*Require additional authentication at startup*](#require-additional-authentication-at-startup) policy on compliant hardware.
- If you enable this policy setting, users on InstantGo and HSTI compliant devices can turn on BitLocker without preboot authentication
- If the policy is disabled or not configured, the options of [*Require additional authentication at startup*](#require-additional-authentication-at-startup) policy apply
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEnablePreBootPinExceptionOnDECapableDevice](/windows/client-management/mdm/bitlocker-csp#systemdrivesenableprebootpinexceptionondecapabledevice) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |


@ -0,0 +1,20 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow enhanced PINs for startup
This setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces).
> [!IMPORTANT]
> Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEnhancedPIN](/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin) |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |


@ -0,0 +1,26 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow network unlock at startup
This policy setting controls whether a BitLocker-protected device that is connected to a trusted wired Local Area Network (LAN) can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
If you enable this policy, devices configured with a *BitLocker Network Unlock certificate* can create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer.
The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create Network Key Protectors to automatically unlock with Network Unlock.
If you disable or don't configure this policy setting, BitLocker clients won't be able to create and use Network Key Protectors.
> [!NOTE]
> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](../network-unlock.md)
| | Path |
|--|--|
| **CSP** | Not available |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |


@ -0,0 +1,28 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow Secure Boot for integrity validation
This policy setting allows you to configure whether Secure Boot is allowed as the platform integrity provider for BitLocker operating system drives.
Secure Boot ensures that the device's preboot environment only loads firmware that is digitally signed by authorized software publishers.
- If you enable or don't configure this policy setting, BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation
- If you disable this policy setting, BitLocker uses legacy platform integrity validation, even on systems capable of Secure Boot-based integrity validation
When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the *[Use enhanced Boot Configuration Data validation profile](../configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)* policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
> [!NOTE]
> If the policy setting *[Configure TPM platform validation profile for native UEFI firmware configurations](../configure.md?tabs=os#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)* is enabled and has PCR 7 omitted, BitLocker is prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
> [!WARNING]
> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates.
| | Path |
|--|--|
| **CSP** | Not available |
| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |


@ -0,0 +1,18 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow standard user encryption
With this policy you can enforce the [*Require device encryption*](../configure.md?tabs=os#require-device-encryption) policy for scenarios where the policy is applied while the current logged-on user doesn't have administrative rights.
> [!IMPORTANT]
> The [Allow warning for other disk encryption](../configure.md?tabs=os#allow-warning-for-other-disk-encryption) policy must be disabled to allow standard user encryption.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
| **GPO** | Not available |


@ -0,0 +1,39 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 10/30/2023
ms.topic: include
---
### Allow warning for other disk encryption
With this policy you can disable all notification for encryption, warning prompt for other disk encryption, and turn on encryption silently.
> [!IMPORTANT]
> This policy applies to Microsoft Entra joined devices only.
This policy takes effect only if [Require device encryption](../configure.md?tabs=os#require-device-encryption) policy is enabled.
> [!WARNING]
> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
The expected values for this policy are:
- Enabled (default): warning prompt and encryption notification is allowed
- Disabled: warning prompt and encryption notification are suppressed. Windows will attempt to silently enable BitLocker
> [!NOTE]
> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra ID account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
>
> The endpoint for a fixed data drive's backup is chosen in the following order:
>
> 1. The user's Windows Server Active Directory Domain Services account
> 2. The user's Microsoft Entra ID account
> 3. The user's personal OneDrive (MDM/MAM only)
>
> Encryption will wait until one of these three locations backs up successfully.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowWarningForOtherDiskEncryption](/windows/client-management/mdm/bitlocker-csp#allowwarningforotherdiskencryption) |
| **GPO** | Not available |
