mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
updates
@ -7,7 +7,12 @@ ms.topic: include
### Allow enhanced PINs for startup
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup. If you disable or do not configure this policy setting, enhanced PINs will not be used.
This setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces).
> [!IMPORTANT]
> Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
| | Path |
|--|--|
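Review bot: the rewrite drops the enable/disable behaviour that the original paragraph stated, namely that enabling the setting makes all new BitLocker startup PINs enhanced PINs and that disabling or not configuring it means enhanced PINs are not used. The other includes touched in this commit keep an "If you enable" / "If you disable or do not configure" pair, so add the same two sentences here after "This setting permits the use of enhanced PINs when an unlock method that includes a PIN is used." Moving the system-check advice into an IMPORTANT callout is a good change; just make sure "preboot" matches the spelling used in the rest of the article.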
@ -5,13 +5,12 @@ ms.date: 09/24/2023
ms.topic: include
---
### Allow Standard User Encryption
### Allow standard user encryption
With this policy you can enforce the [*RequireDeviceEncryption*](../policy-settings.md?tabs=os#require-device-encryption) policy for scenarios where policy is applied while current logged-on user is non-admin/standard user.
With this policy you can enforce the [*Require device encryption*](../policy-settings.md?tabs=os#require-device-encryption) policy for scenarios where the policy is applied while the current logged-on user doesn't have administrative rights.
*AllowStandardUserEncryption* policy is tied to [Allow warning for other disk encryption](../policy-settings.md?tabs=os#allow-warning-for-other-disk-encryption) policy being disabled (value `0`).
If *AllowWarningForOtherDiskEncryption* isn't set, or is set to `1`, *RequireDeviceEncryption* policy doesn't try to encrypt drive(s) if a standard user is logged-on.
> [!IMPORTANT]
> The [Allow warning for other disk encryption](../policy-settings.md?tabs=os#allow-warning-for-other-disk-encryption) policy must be disabled to allow standard user encryption.
| | Path |
|--|--|
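Review bot: the hunk changes one link from the CSP name *RequireDeviceEncryption* to the display name *Require device encryption*, but the two sentences that follow still use *AllowStandardUserEncryption*, *AllowWarningForOtherDiskEncryption* and *RequireDeviceEncryption* in CSP form, so the include now mixes both conventions; use the display names in prose and leave the CSP names to the Path table. The dependency on *Allow warning for other disk encryption* being disabled is also stated three times (the "is tied to" sentence, the "isn't set, or is set to `1`" sentence and the IMPORTANT callout); one sentence plus the callout is enough. Minor: "drive(s)" reads better as "drives".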
@ -7,10 +7,13 @@ ms.topic: include
### Allow suspension of BitLocker protection
When enabled, this policy allows suspending BitLocker protection. When disabled, it prevents suspending BitLocker protection.
When enabled, this policy allows the suspension of BitLocker protection. When disabled, it prevents suspending BitLocker protection.
The default value is *enabled*.
> [!NOTE]
> This policy is applicable to Windows insider builds.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowSuspensionOfBitLockerProtection](/windows/client-management/mdm/bitlocker-csp#allowsuspensionofbitlockerprotection)|
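Review bot: after changing "allows suspending" to "allows the suspension of", the second clause still reads "prevents suspending BitLocker protection", so the sentence is no longer parallel; either keep the original wording or change the second half to "prevents the suspension of BitLocker protection". The NOTE "This policy is applicable to Windows insider builds" should name the Insider channel or the minimum build it applies to, because a reader cannot act on it as written.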
@ -7,7 +7,10 @@ ms.topic: include
### Configure minimum PIN length for startup
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
This policy configures a minimum length for a Trusted Platform Module (TPM) startup PIN. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
| | Path |
|--|--|
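Review bot: the lockout-period note is split out of the paragraph but left as plain "NOTE:" text, whereas the other includes in this commit use the `> [!NOTE]` callout; convert it for consistency. Separately, the paragraph reads as self-contradictory: it says the startup PIN "must have a minimum length of 4 digits" and then that, when the policy is not configured, users can set "any length between 6 and 20 digits". Spell out that 4 is the lowest minimum the policy can enforce while 6 is the default minimum when the policy is not configured, so the two numbers do not look like a typo.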
@ -7,7 +7,27 @@ ms.topic: include
### Configure use of passwords for operating system drives
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select "Require complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box. If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-compliance is enabled. 
The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
For the complexity requirement setting to be effective, the policy *Password must meet complexity requirements*, which is located at **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
> [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation.
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to:
- Allow password complexity
- Deny password complexity
- Require password complexity
> [!IMPORTANT]
> Passwords can't be used if FIPS-compliance is enabled.
>
> The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS-compliance is enabled.
| | Path |
|--|--|
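Review bot: the new paragraph carries over the original's typo "to validate the complexity the password" (missing "of"). The option names are also inconsistent within the hunk: the paragraph uses **Require complexity**, **Allow complexity** and **Do not allow complexity**, the summary sentence uses **Require password complexity**, and the bullet list uses "Allow password complexity", "Deny password complexity" and "Require password complexity"; pick the names exactly as they appear in the policy editor and use them in all three places. "must be also enabled" should read "must also be enabled".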
@ -7,7 +7,10 @@ ms.topic: include
### Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
This policy allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive, if they can provide the existing PIN first.
If you enable this policy, standard users can't change BitLocker PINs or passwords.
If you disable or do not configure this policy, standard users can change BitLocker PINs and passwords.
| | Path |
|--|--|
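Review bot: the rewritten first sentence says standard users may change "the PIN or password" but only requires that they "provide the existing PIN first"; since the policy covers both protectors, say "the existing PIN or password". The two enable/disable sentences are now on consecutive lines with no blank line between them, so Markdown renders them as a single paragraph; either keep them on one line or separate them with a blank line. Minor: the rewritten text elsewhere in this commit uses contractions ("doesn't", "can't"), so "do not configure" could become "don't configure" for consistency.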
@ -7,6 +7,21 @@ ms.topic: include
### Require device encryption
This policy setting determines whether BitLocker is required on a drive.\
If you disable the policy, BitLocker isn't turned off for the system drive, but it stops prompting the user to turn BitLocker on.
Encryptable fixed data volumes are treated similarly to OS volumes. However, fixed data volumes must meet other criteria to be considered encryptable:
- It must not be a dynamic volume
- It must not be a recovery partition
- It must not be a hidden volume
- It must not be a system partition
- It must not be backed by virtual storage
- It must not have a reference in the BCD store
> [!NOTE]
> Only full disk encryption is supported when using this policy for silent encryption. For non-silent encryption, encryption type will depend on the [*Enforce drive encryption type on operating system drives*](../policy-settings.md?tabs=fixed#enforce-drive-encryption-type-on-operating-system-drives) and [*Enforce drive encryption type on fixed data drives*](../policy-settings.md?tabs=fixed#enforce-drive-encryption-type-on-fixed-data-drives) policies configured on the device.
| | Path |
|--|--|
| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RequireDeviceEncryption](/windows/client-management/mdm/bitlocker-csp#requiredeviceencryption) |
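Review bot: the description states only what happens when the policy is disabled; add the enabled behaviour (BitLocker is required on the OS drive and on encryptable fixed data drives, and the user is prompted to turn it on unless encryption is silent, as the NOTE implies) so the enable/disable pair matches the other includes in this commit. The trailing backslash on "This policy setting determines whether BitLocker is required on a drive.\" is a hard line break; a blank line between the two sentences is the convention elsewhere in these includes. Also check the link for *Enforce drive encryption type on operating system drives*: it uses `?tabs=fixed` like the fixed-data-drives link beside it, while the other policy links in this commit use `?tabs=os` for OS-level settings, so it probably points at the wrong tab.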