Merged PR 15050: BitLocker hotfix for EHD

Justin Hall
2019-04-02 17:42:12 +00:00
2 changed files with 27 additions and 16 deletions


@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
ms.date: 04/02/2019
---
# BitLocker Group Policy settings
@ -1167,7 +1167,8 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
</tr>
<tr class="even">
<td align="left"><p><strong>When not configured</strong></p></td>
<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability.
</p></td>
</tr>
</tbody>
</table>
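Review bot: the replacement "When not configured" cell in this hunk splits its content across two lines, with `</p></td>` dropped onto its own line after "hardware-based encryption ability.", while the corresponding cells in the other two hardware-encryption tables of this same file keep the closing tags on one line. Keep it on one line, `<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability.</p></td>`, so the three rows stay textually identical and diff cleanly later. Since this row flips the documented default from hardware-based to software-based encryption, the introductory sentence of the policy table (or the PR description) should say why; as it stands the table row reads as a silent behaviour change.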
@ -1221,7 +1222,7 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
</tr>
<tr class="even">
<td align="left"><p><strong>When not configured</strong></p></td>
<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability. </p></td>
</tr>
</tbody>
</table>
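Review bot: the new cell text "hardware-based encryption ability. </p></td>" carries a trailing space before `</p>`; drop it so the sentence ends at the period, matching the removed cell's `instead.</p></td>`.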
@ -1277,7 +1278,7 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
</tr>
<tr class="even">
<td align="left"><p><strong>When not configured</strong></p></td>
<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability. </p></td>
</tr>
</tbody>
</table>
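Review bot: the replacement cell in the removable-data-drive table has the same stray space before `</p>` ("encryption ability. </p></td>"); trim it here as well so all three "When not configured" cells end identically.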


@ -7,28 +7,28 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.topic: article
ms.date: 04/02/2019
---
# Encrypted Hard Drive
**Applies to**
- Windows 10
- Windows Server 2019
- Windows Server 2016
Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification.
Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012.
Some of the benefits of Encrypted Hard Drives include:
Encrypted Hard Drives provide:
- **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
- **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
- **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
- **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
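Review bot: the rewritten "Ease of use" bullet still reads "erased using on-board encryption key"; insert the article ("using the on-board encryption key") while the line is being touched. Two other lines in this hunk deserve a pass in the same hotfix: the unchanged "Strong security based in hardware" bullet ends without a period after "independently of the operating system", and the rewritten sentence "Encrypted Hard Drives are a new class of hard drives" keeps calling a feature that the same sentence dates to Windows 8 and Windows Server 2012 a "new class", on a page now stamped 04/02/2019 and now listing Windows Server 2019; "Encrypted Hard Drives are a class of hard drives that are self-encrypting at a hardware level" reads better. Replacing "your Active Directory Domain Services infrastructure" with "your existing infrastructure" also makes the "Lower cost of ownership" bullet vaguer; if the intent is to cover more than AD DS, name what else qualifies.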
@ -38,20 +38,21 @@ Encrypted Hard Drives are supported natively in the operating system through the
- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
>**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
>[!WARNING]  
>Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
 
If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx).
## System Requirements
To use Encrypted Hard Drive, the following system requirements apply:
To use Encrypted Hard Drives, the following system requirements apply:
For Encrypted Hard Drives used as **data drives**:
For an Encrypted Hard Drive used as a **data drive**:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
For Encrypted Hard Drives used as **startup drives**:
For an Encrypted Hard Drive used as a **startup drive**:
- The drive must be in an uninitialized state.
- The drive must be in a security inactive state.
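Review bot: the new `>[!WARNING]  ` line ends with two trailing spaces (a Markdown hard line break) that the alert syntax does not need, since the following `>` line already continues the blockquote; the whitespace-only line before "If you are a storage device vendor" should likewise be empty rather than a single space. The singular sub-headings ("For an Encrypted Hard Drive used as a **data drive**") read well, but both lists now open with the same two bullets ("uninitialized state", "security inactive state"); consider saying that the startup-drive list adds to the data-drive requirements instead of repeating them.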
@ -59,7 +60,8 @@ For Encrypted Hard Drives used as **startup drives**:
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
- The computer must always boot natively from UEFI.
>**Warning:**  All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
>[!WARNING]  
>All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
 
## Technical overview
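Review bot: same trailing double space after `>[!WARNING]` and a whitespace-only line before "## Technical overview"; trim both. Because "All Encrypted Hard Drives must be attached to non-RAID controllers to function properly" is a hard requirement, it would sit more naturally as a bullet in the startup-drive list, next to the CSM-disabled and native-UEFI-boot bullets just above, than as a warning trailing the list.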
@ -74,7 +76,15 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
- **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](https://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
- **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work.
### Encrypted Hard Drive Architecture
## Configuring hardware-based encryption with Group Policy
There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption:
- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdefxdaconfigure-use-of-hardware-based-encryption-for-fixed-data-drives)
- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hderddaconfigure-use-of-hardware-based-encryption-for-removable-data-drives)
- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdeosdaconfigure-use-of-hardware-based-encryption-for-operating-system-drives)
## Encrypted Hard Drive Architecture
Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
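Review bot: typo in the new sentence "how BitLocker uses hardware-based envryption"; should be "encryption". The condition "If these settings are not configured or disabled" is ambiguous (it can be read as "not (configured or disabled)"); "If these settings are disabled or not configured" matches the wording the policy tables in the other file use. The three links rely on generated anchors of the form `#a-href-idbkmk-hdefxdaconfigure-use-of-hardware-based-encryption-for-fixed-data-drives`; confirm they resolve on the built page rather than assuming the anchor derived from the raw heading markup is stable. Finally, promoting "Encrypted Hard Drive Architecture" from `###` to `##` changes the outline: it was a subsection of "Technical overview", and the new "Configuring hardware-based encryption with Group Policy" `##` section is inserted between them, so check that any headings beneath the architecture heading are still one level below it.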