Patti Short 2018-06-05 10:27:49 -07:00
commit ecfde30935
29 changed files with 88 additions and 83 deletions

View File

@ -10,7 +10,7 @@ author: trudyha
searchScope:
- Store
ms.author: trudyha
ms.date: 07/27/2017
ms.date: 06/05/2018
ms.technology: Windows
---
@ -20,6 +20,19 @@ ms.technology: Windows
- Windows 10
The **Minecraft: Education Edition** with Windows 10 device promotion ended January 31, 2018.
Qualifying customers that received one-year subscriptions for Minecraft: Education Edition as part of this program and wish to continue using the game in their schools can purchase new subscriptions in Microsoft Store for Education.
For more information on purchasing Minecraft: Education Edition, see [Add Minecraft to your Store for Education](https://docs.microsoft.com/education/windows/school-get-minecraft?toc=/microsoft-store/education/toc.json).
>[!Note]
>**Minecraft: Education Edition** with Windows 10 device promotion subscriptions are valid for 1 year from the time
of redemption. At the end of 1 year, the promotional subscriptions will expire and any people using these subscriptions will be reverted to a trial license of **Minecraft: Education Edition**.
To prevent being reverted to a trial license, admins or teachers need to purchase new **Minecraft: Education Edition** subscriptions from Store for Education, and assign licenses to users who used a promotional subscription.
<!---
For qualifying customers, receive a one-year, single-user subscription for Minecraft: Education Edition for each Windows 10 device you purchase for your K-12 school. Youll need your invoice or receipt, so be sure to keep track of that. For more information including terms of use, see [Minecraft: Education Edition promotion](https://info.microsoft.com/Minecraft-Education-Edition-Signup.html).
## Requirements
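Review bot: The retired promotion text is only hidden, not removed: the `<!---` opened before "For qualifying customers" is closed by the `-->` that the last hunk appends at the end of the file, so the Requirements section and everything after it stays in the source as dead content. Deleting it would be cleaner, since the history keeps the old wording, and it avoids republishing an expired offer if a later edit drops one of the two delimiters. In the added note, the second line ("of redemption. At the end of 1 year, ...") has no leading `>`; prefix it so the note does not depend on lazy continuation.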
@ -73,3 +86,4 @@ After that, well add the appropriate number of Minecraft: Education Edition l
Teachers or admins can distribute the licenses:
- [Learn how teachers can distribute **Minecraft: Education Edition**](teacher-get-minecraft.md#distribute-minecraft)
- [Learn how IT administrators can distribute **Minecraft: Education Edition**](school-get-minecraft.md#distribute-minecraft)
-->

View File

@ -10,13 +10,19 @@ ms.localizationpriority: high
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 05/31/2018
ms.date: 06/05/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## June 2018
New or changed topic | Description
--- | ---
[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Updated instructions for using Microsoft Intune to configure a kiosk.
## May 2018
New or changed topic | Description

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: edu, security
author: jdeckerms
ms.localizationpriority: high
ms.date: 04/30/2018
ms.date: 06/05/2018
ms.author: jdecker
ms.topic: article
---
@ -38,9 +38,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
<span id="intune"/>
## Configure a kiosk in Microsoft Intune
Watch how to use Intune to configure a multi-app kiosk.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false]
1. [Generate the Start layout for the kiosk device.](#startlayout)
2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
@ -49,14 +46,15 @@ Watch how to use Intune to configure a multi-app kiosk.
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Multi app kiosk**.
11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
8. Select **Kiosk (Preview)** for the profile type.
9. Select **Kiosk - 1 setting available**.
10. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
12. Enter a friendly name for the configuration.
13. Select an app type, either **Win32 App** for a classic desktop application or **UWP App** for a Universal Windows Platform app.
- For **Win32 App**, enter the fully qualified pathname of the executable, with respect to the device.
- For **UWP App**, enter the Application User Model ID for an installed app.
10. In **Kiosk Mode**, select **Multi app kiosk**.
13. Select an app type.
- For **Add Win32 app**, enter the **App Name** and **Identifier**.
- For **Add managed apps**, select an app that you manage through Intune.
- For **Add app by AUMID**, enter the Application User Model ID (AUMID) for an installed UWP app.
14. Select whether to enable the taskbar.
15. Browse to and select the Start layout XML file that you generated in step 1.
16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
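Review bot: After this change the source numbering runs 8, 9, 10, 12, 10, 13: "In **Kiosk Mode**, select **Multi app kiosk**" comes back as a second step 10 below "12. Enter a friendly name for the configuration", and there is no step 11. The renderer will renumber, but please confirm that Kiosk Mode really is chosen after **Add** and the configuration name, and renumber the source so later diffs stay readable. For **Add Win32 app**, the old text asked for the fully qualified pathname of the executable on the device; the new text only says **Identifier**, so state what value is expected there, since this list defines which apps the kiosk account may run.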

View File

@ -10,7 +10,7 @@ author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.localizationpriority: high
ms.date: 05/25/2018
ms.date: 06/05/2018
---
# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
@ -268,11 +268,11 @@ The following steps explain how to configure a kiosk in Microsoft Intune. For ot
5. Select **Create profile**.
6. Enter a friendly name for the profile.
7. Select **Windows 10 and later** for the platform.
8. Select **Device restrictions** for the profile type.
9. Select **Kiosk**.
10. In **Kiosk Mode**, select **Single app kiosk**.
1. Enter the user account (Azure AD or a local standard user account).
11. Enter the Application User Model ID for an installed app.
8. Select **Kiosk (Preview)** for the profile type.
9. Enter a friendly name for the kiosk configuration.
10. In **Kiosk Mode**, select **Single full-screen app kiosk**.
10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate.
1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account.
14. Select **OK**, and then select **Create**.
18. Assign the profile to a device group to configure the devices in that group as kiosks.
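Review bot: Two steps are numbered 10 and the account step is numbered 1 in the middle of the list, followed by 14 and 18; renumber the source sequentially. This procedure also goes from "Select **Kiosk (Preview)**" straight to the configuration name, while the multi-app procedure in the same commit has an intermediate "Select **Kiosk - 1 setting available**" step; make the two consistent if the portal flow is the same. In the account step, "**Local user account** can be ... an Azure Active Directory account" reads oddly against the option's name, so add a clause explaining that the field accepts both.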

View File

@ -1,9 +1,11 @@
---
title: Windows 10 accessibility information for IT Pros (Windows 10)
description:
description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
ms.prod: W10
ms.mktglfcycl: manage
ms.sitesec: library
ms.author: jaimeo
author: jaimeo
ms.localizationpriority: high
ms.date: 01/12/2018
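Review bot: `ms.prod: W10` in this block is upper case, while the other topics in this commit use `w10`; since the hunk already edits the metadata, normalise the value here.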

View File

@ -1,6 +1,7 @@
---
title: Introduction to the Windows Insider Program for Business
description: Introduction to the Windows Insider Program for Business and why IT Pros should join it
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -8,6 +8,8 @@ ms.sitesec: library
ms.date: 03/20/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.localizationpriority: high
---
# Get started with Device Health

View File

@ -9,6 +9,7 @@ ms.localizationpriority: medium
ms.date: 11/14/2017
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
---
# Monitor the health of devices with Device Health

View File

@ -3,10 +3,13 @@ title: Using Device Health
description: Explains how to begin usihg Device Health.
ms.prod: w10
ms.mktglfcycl: deploy
keywords: oms, operations management suite, wdav, health, log analytics
ms.sitesec: library
ms.date: 03/30/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.localizationpriority: medium
---
# Using Device Health
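Review bot: The description line in this block still reads "usihg"; correct it to "using" while the metadata is being edited. The added keywords include `wdav`, which looks carried over from the Update Compliance topics; drop it if Device Health does not cover Windows Defender Antivirus.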

View File

@ -1,30 +1,31 @@
---
title: Olympia Corp enrollment guidelines
description: Olympia Corp enrollment guidelines
ms.author: nibr
ms.author: jaimeo
ms.topic: article
ms.prod: w10
ms.technology: windows
author: jaimeo
ms.date: 03/02/2018
keywords: insider, trial, enterprise, lab, corporation, test
---
# Olympia Corp
## What is Windows Insider Lab for Enterprise and Olympia Corp?
Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release Enterprise Privacy and Security features. To get the complete experience of these Enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features.
As an Olympia user, you will have an opportunity to:
- Use various Enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
- Validate and test pre-release software in your environment.
- Provide feedback.
- Interact with engineering team members through a variety of communication channels.
>[!Note]
>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the Enterprise features at any time without notice.
>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice.
For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ).
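Review bot: The rewritten bullet lower-cases "enterprise" but leaves the product name as "windows Defender Application Guard"; change it to "Windows Defender Application Guard". In the rewritten intro paragraph, "Olympia Corp, a virtual corporation has been set up" needs a closing comma after "corporation", and "real world business" should be hyphenated ("real-world").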

View File

@ -8,6 +8,8 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/27/2018
keywords: oms, operations management suite, optimization, downloads, updates, log analytics
ms.localizationpriority: high
---
# Delivery Optimization in Update Compliance

View File

@ -9,6 +9,7 @@ ms.pagetype: deploy
author: Jaimeo
ms.author: jaimeo
ms.date: 03/15/2018
ms.localizationpriority: high
---
# Get started with Update Compliance

View File

@ -9,6 +9,7 @@ ms.pagetype: deploy
author: Jaimeo
ms.author: jaimeo
ms.date: 02/09/2018
ms.localizationpriority: high
---
# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance

View File

@ -1,6 +1,7 @@
---
title: Using Update Compliance (Windows 10)
description: Explains how to begin usihg Update Compliance.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
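Review bot: The description two lines above the added keywords still says "usihg Update Compliance", the same typo as in the Device Health topic; fix it in this pass.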
@ -8,6 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 10/13/2017
ms.localizationpriority: high
---
# Use Update Compliance

View File

@ -1,6 +1,7 @@
---
title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

View File

@ -1,6 +1,7 @@
---
title: Overview of Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -1,6 +1,7 @@
---
title: Quick guide to Windows as a service (Windows 10)
description: In Windows 10, Microsoft has streamlined servicing to make operating system updates simpler to test, manage, and deploy.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -1,6 +1,7 @@
---
title: Windows Insider Program for Business
description: Overview of the Windows Insider Program for Business
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

View File

@ -9,6 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 05/02/2018
ms.localizationpriority: high
---
# Frequently asked questions and troubleshooting Windows Analytics

View File

@ -9,6 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/08/2018
ms.localizationpriority: high
---
# Enrolling devices in Windows Analytics

View File

@ -8,6 +8,8 @@ ms.sitesec: library
ms.date: 03/09/2018
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.localizationpriority: high
---
# Windows Analytics overview

View File

@ -9,6 +9,7 @@ ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 04/05/2018
ms.localizationpriority: high
---
# Windows Analytics and privacy

View File

@ -1,12 +1,15 @@
---
title: Get started with Upgrade Readiness (Windows 10)
description: Explains how to get started with Upgrade Readiness.
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/20/2018
ms.localizationpriority: high
---
# Get started with Upgrade Readiness
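Review bot: The added keywords value ends with a trailing comma ("log analytics,"); remove it here and in the other Upgrade Readiness topics that receive the same line in this commit.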

View File

@ -1,9 +1,12 @@
---
title: Upgrade Readiness requirements (Windows 10)
description: Provides requirements for Upgrade Readiness.
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
ms.prod: w10
author: jaimeo
ms.author:
ms.date: 03/15/2018
ms.localizationpriority: high
---
# Upgrade Readiness requirements
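Review bot: `ms.author:` is added with no value. The sibling topics in this commit pair `author: jaimeo` with `ms.author: jaimeo`; set the alias here or leave the key out, since an empty value may not pass metadata validation. The keywords line also ends with a trailing comma.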

View File

@ -1,9 +1,12 @@
---
title: Upgrade Readiness - Resolve application and driver issues (Windows 10)
description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness.
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
ms.prod: w10
author: jaimeo
ms.author: jaimeo
ms.date: 08/31/2017
ms.localizationpriority: high
---
# Upgrade Readiness - Step 2: Resolve app and driver issues

View File

@ -1,8 +1,11 @@
---
title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
description: Describes how to use Upgrade Readiness to manage Windows upgrades.
keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics,
ms.localizationpriority: high
ms.prod: w10
author: jaimeo
ms.author: jaimeo
ms.date: 08/30/2017
---

View File

@ -46,7 +46,7 @@ sections:
items:
- href: \windows\privacy\gdpr-win10-whitepaper
- href: \windows\privacy\gdpr-it-guidance
html: <p>Learn about GDPR and how Microsoft helps you get started towards compliance</p>
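Review bot: The card's href moves from `gdpr-win10-whitepaper` to `gdpr-it-guidance`; confirm that the new topic is published with this change and that the old URL gets a redirect, otherwise the hub page links to a missing topic.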
@ -54,7 +54,7 @@ sections:
src: https://docs.microsoft.com/media/common/i_advanced.svg
title: Begin your GDPR journey
title: Start with GDPR basics
- href: \windows\privacy\configure-windows-diagnostic-data-in-your-organization

View File

@ -218,7 +218,7 @@ Windows PowerShell
``` syntax
New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow Group “Telnet Management”
```
If the group is not specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You cannot specify the group using `Set-NetFirewallRule` since the command allows querying by rule group.
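Review bot: The corrected line now has `-Direction Outbound`, but the rule named "Block Outbound Telnet" still carries `-Action Allow`, so as written it permits the traffic its name says it blocks; change it to `-Action Block`. In both example lines `Group` also appears without a leading hyphen, so the command would not parse as intended; write `-Group "Telnet Management"`.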

View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 06/04/2018
---
# Prepare your organization for BitLocker: Planning and policies
@ -157,18 +157,13 @@ Full drive encryption means that the entire drive will be encrypted, regardless
## <a href="" id="bkmk-addscons"></a>Active Directory Domain Services considerations
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure Group Policy settings to enable backup of BitLocker or TPM recovery information. Before configuring these settings verify that access permissions have been granted to perform the backup.
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following Group Policy setting to enable backup of BitLocker recovery information:
By default, domain administrators are the only users that will have access to BitLocker recovery information. When you plan your support process, define what parts of your organization need access to BitLocker recovery information. Use this information to define how the appropriate rights will be delegated in your AD DS environment.
Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Turn on BitLocker backup to Active Directory Domain Services
It is a best practice to require backup of recovery information for both the TPM and BitLocker to AD DS. You can implement this practice by configuring the Group Policy settings below for your BitLocker-protected computers.
By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](https://blogs.technet.microsoft.com/craigf/2011/01/26/delegating-access-in-ad-to-bitlocker-recovery-information/).
| BitLocker Group Policy setting | Configuration |
| - | - |
| BitLocker Drive Encryption: Turn on BitLocker backup to Active Directory Domain Services| Require BitLocker backup to AD DS (Passwords and key packages)|
| Trusted Platform Module Services: Turn on TPM backup to Active Directory Domain Services | Require TPM backup to AD DS|
 
The following recovery data will be saved for each computer object:
The following recovery data is saved for each computer object:
- **Recovery password**
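Review bot: The delegation guidance is reduced to a link to a 2011 TechNet blog post, and the planning advice ("define what parts of your organization need access to BitLocker recovery information") is dropped. Recovery passwords unlock the volume, so keep one in-page sentence telling admins to decide who needs read access and to delegate only that, with the link as further reading. The removed table said to require backup of "Passwords and key packages"; the new text names the setting but not the value to choose, while the list below still describes key packages. The policy path line is also left with doubled backslashes and no formatting; render it in bold or as code.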
@ -178,51 +173,6 @@ The following recovery data will be saved for each computer object:
With this key package and the recovery password, you will be able decrypt portions of a BitLocker-protected volume if the disk is severely damaged. Each key package will only work with the volume it was created on, which can be identified by the corresponding volume ID.
- **TPM owner authorization password hash**
When ownership of the TPM is taken a hash of the ownership password can be taken and stored in AD DS. This information can then be used to reset ownership of the TPM.
Starting in Windows 8, a change to how the TPM owner authorization value is stored in AD DS was implemented in the AD DS schema. The TPM owner authorization value is now stored in a separate object which is linked to the Computer object. This value was stored as a property in the Computer object itself for the default Windows Server 2008 R2 and later schemas.
To take advantage of this integration, you must upgrade your domain controllers to Windows Server 2012 or extend the Active Directory schema and configure BitLocker-specific Group Policy objects.
>**Note:**  The account that you use to update the Active Directory schema must be a member of the Schema Admins group.
 
Windows Server 2012 domain controllers have the default schema to backup TPM owner authorization information in the separate object. If you are not upgrading your domain controller to Windows Server 2012 you need to extend the schema to support this change.
**To support Windows 8 and later computers that are managed by a Windows Server 2003 or Windows 2008 domain controller**
There are two schema extensions that you can copy down and add to your AD DS schema:
- **TpmSchemaExtension.ldf**
This schema extension brings parity with the Windows Server 2012 schema. With this change, the TPM owner authorization information is stored in a separate TPM object linked to the corresponding computer object. Only the Computer object that has created the TPM object can update it. This means that any subsequent updates to the TPM objects will not succeed in dual boot scenarios or scenarios where the computer is reimaged resulting in a new AD computer object being created. To support such scenarios, an update to the schema was created.
- **TpmSchemaExtensionACLChanges.ldf**
This schema update modifies the ACLs on the TPM object to be less restrictive so that any subsequent operating system which takes ownership of the computer object can update the owner authorization value in AD DS. However, this is less secure as any computer in the domain can now update the OwnerAuth of the TPM object (although it cannot read the OwnerAuth) and DOS attacks can be made from within the enterprise. The recommended mitigation in such a scenario is to do regular backup of TPM objects and enable auditing to track changes for these objects.
To download the schema extensions, see [AD DS schema extensions to support TPM backup](https://technet.microsoft.com/library/jj635854.aspx).
If you have a Windows Server 2012 domain controller in your environment, the schema extensions are already in place and do not need to be updated.
>**Caution:**  To configure Group Policy objects to backup TPM and BitLocker information in AD DS at least one of the domain controllers in your forest must be running at least Windows Server 2008 R2.
If Active Directory backup of the TPM owner authorization value is enabled in an environment without the required schema extensions, the TPM provisioning will fail and the TPM will remain in a Not Ready state for computers running Windows 8 and later.
 
**Setting the correct permissions in AD DS**
To initialize the TPM successfully so that you can turn on BitLocker requires that the correct permissions for the SELF account in be set in AD DS for the **ms-TPMOwnerInformation** attribute. The following steps detail setting these permissions as required by BitLocker:
1. Open **Active Directory Users and Computers**.
2. Select the organizational unit (OU) which contains the computer accounts that will have BitLocker turned on.
3. Right-click the OU and click **Delegate Control** to open the **Delegation of Control** wizard.
4. Click **Next** to go to the **Users or Groups** page and then click **Add**.
5. In the **Select Users, Computers, or Groups** dialog box, type **SELF** as the object name and then click **OK** Once the object has been validated you will be returned to the **Users or Groups** wizard page and the SELF account will be listed. Click **Next**.
6. On the **Tasks to Delegate** page, choose **Create a custom task to delegate** and then click **Next**.
7. On the **Active Directory Object Type** page, choose **Only the following objects in the folder** and then check **Computer Objects** and then click **Next**.
8. On the **Permissions** page, for **Show these permissions**, check **General**, **Property-specific**, and **Creation/deletion of specific child objects**. Scroll down the **Permissions** list and check both **Write msTPM-OwnerInformation** and **Write msTPM-TpmInformationForComputer** then click **Next**.
9. Click **Finish** to apply the permissions settings.
## <a href="" id="bkmk-fipssupport"></a>FIPS support for recovery password protector
Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode.
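Review bot: Nothing left on the page tells a reader why the TPM owner authorization backup guidance is gone or which Windows versions it still applies to. The removed text covered Windows 8 and later clients and warned that `TpmSchemaExtensionACLChanges.ldf` lets any computer in the domain update OwnerAuth, with regular backups and auditing as the mitigation; admins who already applied that extension lose the warning. Add a one-line note stating from which release TPM backup to AD DS no longer applies, or link to an archived copy of the removed section.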