Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into pm-20231106-freshness

Paolo Matarazzo
2023-11-07 08:00:41 -05:00
8 changed files with 145 additions and 77 deletions

View File

@ -13,66 +13,70 @@ ms.localizationpriority: medium
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
ms.date: 11/07/2023
---
# What is Windows Update for Business?
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
- Pro, including Pro for Workstations
- Education
- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.
Windows Update for Business enables IT administrators to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions, such as Microsoft Intune, to configure the Windows Update for Business settings that control how and when devices are updated.
Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
Windows Update for Business enables commercial customers to manage which Windows Updates are received along with the experience a device has when it receives them.
You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
You can control Windows Update for Business policies by using either MDM tools or Group Policy management, such as local group policy or the Group Policy Management Console (GPMC), and various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud Policy).
### Manage deployment of Windows Updates
### Manage deployment of Windows Updates
By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
By using Windows Update for Business, you can:
- Control the types of Windows Updates are offered to devices in your organization
- Control when updates are applied to the devices
- Deploy updates to devices in your organization in waves
### Manage which updates are offered
Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
### Manage which updates are offered
Windows Update for Business enables an IT administrator to receive and manage various types of Windows Updates.
## Types of updates managed by Windows Update for Business
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Feature updates:** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
- **Quality updates:** Quality updates are traditional operating system updates. Typically quality updates are released on the second Tuesday of each month, though they can be released at any time. These include security, critical, and driver updates.
- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
## Offering
You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
You can control when updates are applied. For example, you can defer when an update is installed on a device or by pausing updates for a certain period.
### Manage when updates are offered
You can defer or pause the installation of updates for a set period of time.
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
- Windows Insider Canary
- Windows Insider Dev
- Windows Insider Beta
- Windows Insider Preview
- General Availability Channel
- Windows Insider Canary channel
- Windows Insider Dev channel
- Windows Insider Beta channel
- Windows Insider Release Preview channel
#### Defer an update
A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
An administrator can defer the installation of both feature and quality updates from deploying to devices within a range of time based on when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
|Category |Maximum deferral period |
|---------|---------|
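Review bot: the new bullet `- Control the types of Windows Updates are offered to devices in your organization` under "By using Windows Update for Business, you can:" is missing a relative pronoun; it should read `Control the types of Windows Updates that are offered to devices in your organization`. Two other things in this hunk: the rewritten sentence under "## Offering" mixes constructions (`you can defer when an update is installed on a device or by pausing updates`), so drop "by" and make it `or pause updates for a certain period`; and the new branch readiness list removes "General Availability Channel" while the lead sentence still says there are options "for both prerelease and released updates", so either keep the GA channel in the list or adjust that sentence. The lead-in "provides management policies for several types of updates to Windows 10 devices" also still says Windows 10 only, although the appliesto block at the top of the file lists Windows 11.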
@ -85,13 +89,12 @@ A Windows Update for Business administrator can defer the installation of both f
#### Pause an update
If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
Built-in benefits:
When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device and a check to prevent repeated rollbacks.
### Recommendations
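Review bot: `prevent against a poor update experience` in the rewritten "Built-in benefits" sentence is still an odd pairing; use `protect against a poor update experience` (or simply `prevent a poor update experience`). The bare line `Built-in benefits:` also reads like a heading without being one; consider `#### Built-in benefits` to match the `####` level used for "Pause an update" above it.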
@ -104,28 +107,38 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
Windows Update for Business provides controls to help meet your organization's security standards and provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
2. Use the default notifications.
3. Set update deadlines.
1. Use the default notifications.
1. Set update deadlines.
##### Setting deadlines
##### Setting deadlines
A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
A compliance deadline policy enables you to set separate deadlines and grace periods for feature and quality updates.
This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
#### Update Baseline
> [!NOTE]
> The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
>[!NOTE]
>The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether youre using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
## Other Windows Update for Business services
The following services are part of the Windows Update for Business product family:
- [Windows Update for Business reports](wufb-reports-overview.md) is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the Azure portal. Windows Update for Business reports helps you:
- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
- Report on devices with update compliance issues
- Analyze and display your data in multiple ways
- The [Windows Update for Business deployment service](deployment-service-overview.md) is a cloud service designed to work with your existing Windows Update for Business policies and Windows Update for Business reports. The deployment service provides additional control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices.
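Review bot: subject-verb agreement in `Features like the smart busy check (which ensure updates don't happen when a user is signed in)`; the parenthetical refers to the check, so it should be `which ensures`. Moving the Update Baseline note above the paragraph and fixing `youre` to `you're` is good; while there, `which updates are offered to your devices when` is hard to parse, so either drop the trailing `when` or rephrase as `which updates are offered to your devices, and when`.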

View File

@ -95,7 +95,7 @@ For the deployment rings that have passed quality updates deferral date, the OOB
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Scheduletab.
> [!NOTE]
> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
> Announcements and OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
### Pause and resume a release
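Review bot: `Release Scheduletab` in the numbered step just above the note is missing a space and the bold formatting used for **Release Announcements** on the same line; it should read `**Release Schedule** tab`. The `abd` to `and` fix in the note itself is correct.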

View File

@ -9,14 +9,14 @@ ms.date: 10/30/2023
To configure BitLocker, you can use one of the following options:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance polices](/mem/intune/protect/compliance-policy-create-windows#encryption), combining them with [Conditional Access](/azure/active-directory/conditional-access/overview). Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance policies][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
- [Manage BitLocker policy for Windows devices with Intune](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor)
- [Use compliance policies to set rules for devices you manage with Intune](/mem/intune/protect/device-compliance-get-started)
- [Manage BitLocker policy for Windows devices with Intune][INT-2]
- [Monitor device encryption with Intune][INT-3]
- [Use compliance policies to set rules for devices you manage with Intune][INT-4]
- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management](/mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent)
- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1]
> [!NOTE]
> Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
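Review bot: the `Manage BitLocker policy for Windows devices with Intune` link points at the `#rotate-bitlocker-recovery-keys` anchor of `/mem/intune/protect/encrypt-devices` (kept as `[INT-2]`), which lands the reader on the key-rotation section rather than the policy overview the link text promises; drop the fragment unless the rotation section is the intended target. The typo fix `compliance polices` to `compliance policies` is correct, and the move from inline links to `[INT-n]`/`[WIN-n]` references is consistent with the definitions added at the end of the file.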
@ -155,11 +155,11 @@ The following table lists the BitLocker policies applicable to all drive types,
## BitLocker and policy settings compliance
If a device isn't compliant with the configured policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
If a device isn't compliant with the configured policy settings, BitLocker might not be turned on, or BitLocker configuration might be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
If multiple changes are necessary to bring the drive into compliance, BitLocker protection might need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker may need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.
In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker might need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.
To learn more how to manage BitLocker, review the [BitLocker operations guide](operations-guide.md).
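Review bot: the `may` to `might` changes are consistent, but `In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method.` is left non-parallel; suggest `BitLocker protection needs to be suspended, the password unlock method deleted, and the smart card method added.` Also `Such scenario could occur` and `Such situation could occur` need an article (`Such a scenario`, `Such a situation`), and `To learn more how to manage BitLocker` should be `To learn more about how to manage BitLocker`.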
@ -169,7 +169,7 @@ Servers are often deployed, configured, and managed using PowerShell. The recomm
BitLocker is an optional component in Windows Server. Follow the directions in [Install BitLocker on Windows Server](install-server.md) to add the BitLocker optional component.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features). If a server is installed manually, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core][WIN-2] installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images][ARC-1] and [How to update local source media to add roles and features][ARC-2]. If a server is installed manually, then choosing [Server with Desktop Experience][WIN-3] is the easiest path because it avoids performing the steps to add a GUI to Server Core.
Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [Network Unlock](network-unlock.md).
@ -180,3 +180,17 @@ The Minimal Server Interface is a prerequisite for some of the BitLocker adminis
>
>
> [BitLocker operations guide >](operations-guide.md)
<!--links-->
[ARC-1]: /archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images
[ARC-2]: /archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features
[ENTRA-1]: /entra/identity/conditional-access/overview
[INT-1]: /mem/intune/protect/compliance-policy-create-windows#encryption
[INT-2]: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys
[INT-3]: /mem/intune/protect/encryption-monitor
[INT-4]: /mem/intune/protect/device-compliance-get-started
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent
[WIN-1]: /windows/client-management/mdm/bitlocker-csp
[WIN-2]: /windows-server/get-started/getting-started-with-server-core/
[WIN-3]: /windows-server/get-started/getting-started-with-server-with-desktop-experience/

View File

@ -13,7 +13,7 @@ Windows uses hardware solutions and security features that protect BitLocker enc
Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot:
- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module][WIN-1]
- *Unified Extensible Firmware Interface (UEFI)* is a programmable boot environment that initializes devices and starts the operating system's bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md)
- *Secure Boot* blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key
@ -37,7 +37,7 @@ On devices with a compatible TPM, operating system drives that are BitLocker-pro
- **TPM-only**: this option doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. The user must then enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor
- **TPM with startup key**: in addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a *startup key*. Data on the encrypted volume can't be accessed without the startup key
- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN
- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection][WIN-2] that is designed to prevent brute force attacks that attempt to determine the PIN
- **TPM with startup key and PIN**: in addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the PIN is also required
Preboot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Preboot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
@ -63,7 +63,7 @@ A physically present attacker might attempt to install a bootkit or rootkit-like
> [!NOTE]
> BitLocker protects against this attack by default.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device][WIN-3].
### Brute force attacks against a PIN
@ -144,3 +144,9 @@ For secure administrative workstations, it's recommended to:
> Learn how to plan for a BitLocker deployment in your organization:
>
> [BitLocker planning guide >](planning-guide.md)
<!--links-->
[WIN-1]: /windows/device-security/tpm/trusted-platform-module-overview
[WIN-2]: /windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering
[WIN-3]: /windows-hardware/design/device-experiences/oem-highly-secure

View File

@ -63,7 +63,7 @@ BitLocker has the following requirements:
> [!NOTE]
> TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the *secure boot* feature.
>
> Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
> Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`][WIN-1] before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
- The hard disk must be partitioned with at least two drives:
- The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
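Review bot: The `mbr2gpt.exe` sentence is being edited for the link but keeps the grammar problem of the original: "Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI" has no article and a doubled subject. Suggest: "An operating system installed in Legacy BIOS mode stops booting when the firmware is switched to UEFI. Run [`mbr2gpt.exe`][WIN-1] before changing the BIOS mode; it converts the disk and prepares the OS to boot under UEFI." The relabeling to WIN-1 itself is fine.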
@ -76,7 +76,7 @@ BitLocker has the following requirements:
> [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
>
> If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. `BdeHdCfg.exe` can create the volume. For more information about using the tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
> If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. `BdeHdCfg.exe` can create the volume. For more information about using the tool, see [Bdehdcfg][WIN-2] in the Command-Line Reference.
> [!NOTE]
> When installing the BitLocker optional component on a server, the *Enhanced Storage* feature must be installed. The feature is used to support hardware encrypted drives.
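Review bot: The tool is spelled `BdeHdCfg.exe` in the sentence but `Bdehdcfg` in the link text on the same line; use one casing (the linked command page uses the lower-case form). The relabeling to WIN-2 is fine.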
@ -88,7 +88,7 @@ BitLocker has the following requirements:
## Device encryption
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby](/windows-hardware/design/device-experiences/modern-standby) or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
> [!IMPORTANT]
> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
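Review bot: "Device encryption can't have externally accessible ports that allow DMA access" attaches the DMA requirement to the feature instead of the hardware; it should read "The device can't have externally accessible ports that allow DMA access", or fold it into the requirement list: "...meet either [Modern Standby][WIN-3] or HSTI requirements, and must not have externally accessible DMA-capable ports". Worth fixing in this hunk since the line is already being touched for the link change.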
@ -133,7 +133,7 @@ It's recommended to keep device encryption on for any systems that support it. H
|-|-|-|-|
| `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`| `PreventDeviceEncryption`|REG_DWORD|0x1|
For more information about device encryption, see [BitLocker device encryption hardware requirements](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption).
For more information about device encryption, see [BitLocker device encryption hardware requirements][WIN-4].
## Next steps
@ -142,3 +142,10 @@ For more information about device encryption, see [BitLocker device encryption h
>
>
> [BitLocker countermeasures >](countermeasures.md)
<!--links-->
[WIN-1]: /windows/deployment/mbr-to-gpt
[WIN-2]: /windows-server/administration/windows-commands/bdehdcfg
[WIN-3]: /windows-hardware/design/device-experiences/modern-standby
[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
@ -22,13 +22,13 @@ This article describes the BitLocker management tools and how to use them, provi
## BitLocker PowerShell module
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article](/powershell/module/bitlocker).
The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article][PS-1].
## BitLocker drive encryption tools
The BitLocker drive encryption tools include the two command-line tools:
- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the `manage-bde.exe` options, see the [Manage-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11))
- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the `manage-bde.exe` options, see the [Manage-bde reference][PREV-1]
- *Repair Tool* (`repair-bde.exe`) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console
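Review bot: PREV-1 sends readers to the archived Windows Server 2012 R2 command reference for `manage-bde.exe`, while the requirements file in this same commit links `BdeHdCfg.exe` to the current `/windows-server/administration/windows-commands/bdehdcfg` page; `manage-bde` has a page at the same location (`/windows-server/administration/windows-commands/manage-bde`), so use it for consistency and to avoid an archive redirect. Minor: "cmdlets included in module" on the PowerShell line needs "the module".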
## BitLocker Control Panel applet
@ -611,3 +611,8 @@ BitLocker decryption using the Control Panel is done using a wizard. After openi
Once decryption is complete, the drive updates its status in the Control Panel and becomes available for encryption.
---
<!--links-->
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)
[PS-1]: /powershell/module/bitlocker
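Review bot: This file ends with a `---` rule before `<!--links-->`, unlike the other files in this commit, which introduce the link block with the comment alone; drop the rule so the convention is uniform across the BitLocker articles.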
@ -11,7 +11,7 @@ A BitLocker deployment strategy includes defining the appropriate policies and c
## Audit the environment
To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software and the organization's security policies. If the organization isn't using disk encryption software, then these policies may not exist. If disk encryption software is in use, then the policies may need to change to use certain BitLocker features.
To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software and the organization's security policies. If the organization isn't using disk encryption software, then these policies might not exist. If disk encryption software is in use, then the policies might need to change to use certain BitLocker features.
To help document the organization's current disk encryption security policies, answer the following questions:
@ -28,7 +28,7 @@ To help document the organization's current disk encryption security policies, a
A trusted platform module (TPM) is a hardware component installed in many Windows devices by the manufacturers. It works with BitLocker to help protect user data and to make sure a device hasn't been tampered with while the system was offline.
BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN), or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN), or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer doesn't start or resume from hibernation until the correct PIN or startup key is presented.
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
@ -36,7 +36,7 @@ An effective implementation of information protection, like most security contro
It's crucial that organizations protect information on their devices regardless of the state of the device or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker countermeasures](countermeasures.md).
The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer more security when it comes to key protection. For more information, see [BitLocker countermeasures](countermeasures.md).
### BitLocker key protectors
@ -47,9 +47,9 @@ To protect the BitLocker encryption key, BitLocker can use different types of *p
| **Auto-unlock** | Used to automatically unlock volumes that don't host an operating system. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. |
| **Password** and **Password for OS drive**| To unlock a drive, the user must supply a password. When used for OS drives, the user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic, therefore it doesn't protect against brute force attacks. |
| **Startup key** | An encryption key that can be stored on removable media, with a file name format of `<protector_id>.bek`. The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device. |
| **Smart card certificate** | Used to unlock volumes that do not host an operating system. To unlock a drive, the user must use a smart card. |
| **Smart card certificate** | Used to unlock volumes that don't host an operating system. To unlock a drive, the user must use a smart card. |
| **TPM** | A hardware device used to help establish a secure root-of-trust, validating early boot components. The TPM protector can only be used with the OS drive. |
| **TPM + PIN** | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable. |
| **TPM + PIN** | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that trigger a lockout is variable. |
| **TPM + Startup key** | The TPM successfully validates early boot components. The user must insert a USB drive containing the startup key before the OS can boot. |
| **TPM + Startup key + PIN** | The TPM successfully validates early boot components. The user must enter the correct PIN and insert a USB drive containing the startup key before the OS can boot. |
| **Recovery password** | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. |
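Review bot: The TPM + PIN row is being edited but keeps "in addition to the TPM.The TPM" with no space after the period; fix it while here. In the same table, the Startup key row's "The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device" needs "and then reboots the device" (or "must then restart the device") to agree with its subject.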
@ -60,7 +60,7 @@ To protect the BitLocker encryption key, BitLocker can use different types of *p
#### Support for devices without TPM
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support devices without TPM, a user must use a USB startup key or a password to boot the system. The startup key requires extra support processes similar to multifactor authentication.
Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If you decide to support devices without TPM, a user must use a USB startup key or a password to boot the system. The startup key requires extra support processes similar to multifactor authentication.
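Review bot: "will be supported" survives on the edited line even though the rest of this commit removes future tense (for example "are supported" in the TPM hardware configurations paragraph below); suggest "Determine whether computers without a TPM 1.2 or later are supported in the environment." "a TPM 1.2 or higher versions" is also ungrammatical; "TPM 1.2 or later" reads better.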
#### What areas of the organization need a baseline level of data protection?
@ -91,7 +91,7 @@ For more information about how startup security works and the countermeasures th
## TPM hardware configurations
In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
In the deployment plan, identify what TPM-based hardware platforms are supported. Document the hardware models from an OEM(s) used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
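Review bot: "the hardware models from an OEM(s) used by the organization" is awkward on the edited line; suggest "the hardware models from the OEMs the organization uses". The tense change to "are supported" is consistent with the rest of the commit.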
### TPM 1.2 states and initialization
@ -99,15 +99,15 @@ For TPM 1.2, there are multiple possible states. Windows automatically initializ
### Endorsement keys
For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.
For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker forces the TPM to generate one automatically as part of BitLocker setup.
An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before you can take TPM ownership.
For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications (<https://go.microsoft.com/fwlink/p/?linkid=69584>).
For more information about the TPM and the TCG, see the Trusted Computing Group: [Trusted Platform Module (TPM) Specifications][FWD-1].
## Non-TPM hardware configurations
Devices without a TPM can still be protected by drive encryption using a startup key.
Devices without a TPM can still be protected with drive encryption using a startup key.
Use the following questions to identify issues that might affect the deployment in a non-TPM configuration:
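Review bot: The endorsement key paragraph states without qualification that the EK "is an RSA key pair"; the section immediately above is scoped to TPM 1.2, so either scope this sentence the same way or drop the key-type detail rather than asserting it for every TPM. Separately, FWD-1 is an fwlink redirect, so the diff alone does not show where it lands; confirm it still resolves to the TCG TPM specifications page before merging.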
@ -133,7 +133,7 @@ Windows RE can also be used from boot media other than the local hard disk. If W
Administrators can enable BitLocker before to operating system deployment from the *Windows Pre-installation Environment* (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, then this step takes only a few seconds, and can be incorporated into existing deployment processes. Preprovisioning requires a TPM.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker Control Panel applet or Windows Explorer. The **Waiting For Activation** status means that the drive was preprovisioned for BitLocker, and there's only a clear protector used to encrypt the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the Control Panel options, PowerShell cmdlets, the `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. The volume status then will be updated.
To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker Control Panel applet or Windows Explorer. The **Waiting For Activation** status means that the drive was preprovisioned for BitLocker, and there's only a clear protector used to encrypt the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the Control Panel options, PowerShell cmdlets, the `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. The volume status then is updated.
When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
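Review bot: "Administrators can enable BitLocker before to operating system deployment" (the unchanged context line) has a stray "to"; since the paragraph below is being edited, fix it to "before operating system deployment". On the edited line, "The volume status then is updated" is stilted; "The volume status is then updated" reads better.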
@ -143,12 +143,12 @@ The BitLocker Setup wizard provides administrators the ability to choose the *Us
Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select **Used Disk Space Only** or **Full** drive encryption.
With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new devices and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
With Used Disk Space Only, just the portion of the drive that contains data are encrypted. Unused space remains unencrypted. This behavior causes the encryption process to be faster, especially for new devices and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use.
With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and might contain data remnants from their previous use.
> [!CAUTION]
> Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
> Exercise caution when encrypting only used space on an existing volume on which confidential data might have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
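Review bot: The edit introduces a subject/verb agreement error: "just the portion of the drive that contains data are encrypted" should be "is encrypted". The same paragraph's closing claim "there's never unencrypted data stored on the drive" is contradicted by the [!CAUTION] block two paragraphs down, which explains that pre-existing plaintext sectors on a reused volume remain recoverable until overwritten; qualify it as "on a newly provisioned drive, there's never unencrypted data stored on the drive" so the two passages agree. The caution also keeps "will be encrypted", a future tense the rest of the commit is removing.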
## Encrypted hard drive support
@ -177,7 +177,7 @@ Devices configured to operate in FIPS mode can create FIPS-compliant recovery pa
## Network Unlock
Some organizations have location-specific data security requirements, especially in environments with high-value data. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those devices shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the device is connected to the corporate network is necessary.
Some organizations have location-specific data security requirements, especially in environments with high-value data. The network environment might provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those devices shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing might help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the device is connected to the corporate network is necessary.
*Network Unlock* enables BitLocker-protected devices to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the device isn't connected to the corporate network, a user must enter a PIN to unlock the drive (if PIN-based unlock is enabled). Network Unlock requires the following infrastructure:
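Review bot: "Therefore, policy states that those devices shouldn't leave the building" has no premise to follow from; the preceding sentences describe the environment, not a decision. Suggest "Such organizations might adopt a policy that those devices shouldn't leave the building or be disconnected from the corporate network." Physical locks and geofencing are also labeled "reactive controls" while being presented as enforcement of that policy; "physical" or "supporting" controls is the accurate term, which keeps "proactive" for Network Unlock as the paragraph intends.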
@ -193,7 +193,7 @@ Organizations should carefully plan a BitLocker recovery strategy as part of the
## Monitor BitLocker
Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor) and [View BitLocker reports in Configuration Manager](/mem/configmgr/protect/deploy-use/bitlocker/view-reports).
Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune][INT-1] and [View BitLocker reports in Configuration Manager][MCM-1].
## Next steps
@ -208,3 +208,9 @@ Organizations can use Microsoft Intune or Configuration Manager to monitor devic
>
>
> [Configure BitLocker >](configure.md)
<!--links-->
[FWD-1]: https://go.microsoft.com/fwlink/p/?linkid=69584
[INT-1]: /mem/intune/protect/encryption-monitor
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/view-reports
@ -16,7 +16,7 @@ This article outlines the process of obtaining BitLocker recovery information fo
## Self-recovery
The BitLocker recovery password and recovery key for an operating system drive or a fixed data drive can be saved to one or more USB devices, printed, saved to Microsoft Entra ID or AD DS. It's highly recommended for organizations to implement BitLocker self-recovery policies.
The BitLocker recovery password and recovery key for an operating system drive or a fixed data drive can be saved to one or more USB devices, printed, saved to Microsoft Entra ID or AD DS.
> [!TIP]
> Saving BitLocker recovery keys to Microsoft Entra ID or AD DS is a recommended approach. That way, a BitLocker administrator or helpdesk can assist users in attaining their keys.
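Review bot: The rewritten sentence drops the recommendation to implement self-recovery policies but leaves the list without a conjunction: "saved to one or more USB devices, printed, saved to Microsoft Entra ID or AD DS" should read "..., printed, or saved to Microsoft Entra ID or AD DS". In the tip, "assist users in attaining their keys" should be "obtaining" (or "retrieving") their keys.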
@ -33,6 +33,9 @@ A recovery key can't be stored in any of the following locations:
If BitLocker recovery keys are stored in Microsoft Entra ID, users can access them using the following URL: https://myaccount.microsoft.com. From the **Devices** tab, users can select a Windows device that they own, and select the option **View BitLocker Keys**.
> [!NOTE]
> By default, users can retrieve their BitLocker reecovery keys from Microsoft Entra ID. This behavior can be modified with the option **Restrict users from recovering the BitLocker key(s) for their owned devices**. For more information, see [Restrict member users' default permissions][ENTRA-1].
### Self-recovery with USB flash drive
If users saved the recovery password on a USB drive, they can plug the drive into a locked device and follow the instructions. If the key was saved as a text file on the flash drive, users must use a different device to read the text file.
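Review bot: The new [!NOTE] introduces a typo: "reecovery" should be "recovery". The note itself is a useful least-privilege pointer; consider also stating what the restriction does not change, namely that it only affects self-service retrieval by device owners and leaves the administrator role access described in the helpdesk section below untouched.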
@ -62,12 +65,11 @@ The following list can be used as a template for creating a recovery process for
### Helpdesk recovery in Microsoft Entra ID
Users with the *Global Administrator* or *Helpdesk Administrator* Microsoft Entra ID role can access BitLocker recovery passwords for all devices in the tenant. The [Helpdesk Administrator](/entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator) role can also be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units.
For more information how to retrieve BitLocker recovery passwords using from Microsoft Entra admin center, see [View or copy BitLocker keys](/entra/identity/devices/manage-device-identities#view-or-copy-bitlocker-keys).
The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1].
Another option to access BitLocker recovery passwords is to query the Microsoft Graph. The option is useful for integrated or scripted solutions.\
In the following example, a PowerShell function uses the `Get-MgInformationProtectionBitlockerRecoveryKey` cmdlet to retrieve recovery passwords from Microsoft Entra ID:
In the following example, we use Microsoft Graph PowerShell cmdlet [`Get-MgInformationProtectionBitlockerRecoveryKey`][PS-1] to build a PowerShell function that retrieves recovery passwords from Microsoft Entra ID:
``` PowerShell
function Get-EntraBitLockerKeys{
@ -111,11 +113,11 @@ Device name: DESKTOP-53O32QI
```
> [!NOTE]
> For devices that are managed by Microsoft Intune, BitLocker recovery passwords can be retrieved from the device properties in the Microsoft Intune admin center. For more information, see [View details for recovery keys](/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys).
> For devices that are managed by Microsoft Intune, BitLocker recovery passwords can be retrieved from the device properties in the Microsoft Intune admin center. For more information, see [View details for recovery keys][INT-1].
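Review bot: The rewritten role paragraph in this section invites over-privileging by listing the built-in *Cloud Device Administrator* and *Helpdesk Administrator* roles first and the custom role carrying only `microsoft.directory/bitlockerKeys/key/read` as an afterthought; lead with the custom role scoped to an administrative unit as the least-privilege default, and present the built-in roles as the broader option. Two small things on the same lines: the label `[ENTRA]` breaks the `ENTRA-n` numbering used everywhere else in this file, and "we use Microsoft Graph PowerShell cmdlet" needs "the" before "Microsoft Graph".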
### Helpdesk recovery in Active Directory Domain Services
To export a recovery password from AD DS, you must have *read access* to objects stored in AD DS. By default, only *Domain Administrators* have access to BitLocker recovery information, but [access can be delegated](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information) to specific security principals.
To export a recovery password from AD DS, you must have *read access* to objects stored in AD DS. By default, only *Domain Administrators* have access to BitLocker recovery information, but [access can be delegated][ARC-1] to specific security principals.
To facilitate the retrieval of BitLocker recovery passwords from AD DS, you can use the *BitLocker Recovery Password Viewer* tool. The tool is included with the *Remote Server Administration Tools (RSAT)*, and it's an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in.
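Review bot: "Domain Administrators" on the edited line versus "Domain Admins" in the key-package note at the end of this file: use the group's actual name, Domain Admins, in both places. ARC-1 points to an archived blog post (`/archive/blogs/craigf/...`) for the delegation procedure; it works as a reference, but it is the only archived-blog link in this file, so flag it for replacement when a supported article exists.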
@ -256,8 +258,8 @@ Another option is to initiate the rotation of recovery passwords for individual
To learn more how to rotate BitLocker recovery passwords using Microsoft Intune or Microsoft Configuration Manager, see:
- [Microsoft Intune documentation](/mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys)
- [Microsoft Configuration Manager documentation](/mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys)
- [Microsoft Intune documentation][INT-1]
- [Microsoft Configuration Manager documentation][MCM-1]
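Review bot: The Intune rotation bullet now links to the wrong section. The old line pointed at `#rotate-bitlocker-recovery-keys`, but `INT-1` is defined at the end of this file as `/mem/intune/protect/encrypt-devices#view-details-for-recovery-keys`, so readers following "Microsoft Intune documentation" under key rotation land on the view-details section instead. Add a separate label (for example `INT-2: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys`) and use it here. MCM-1 keeps the `#rotate-keys` anchor and is fine.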
## BitLocker Repair tool
@ -279,7 +281,22 @@ The following limitations exist for Repair-bde:
- it can't repair a drive that failed *during* the encryption or decryption process
- it assumes that if the drive has any encryption, then the drive is fully encrypted
For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
For a complete list of the `repair-bde.exe` options, see the [Repair-bde reference][PREV-1].
> [!NOTE]
> To export a key package from AD DS, you must have *read* access to the BitLocker recovery passwords and key packages that are stored in AD DS. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
> To export a key package from AD DS, you must have *read* access to the BitLocker recovery passwords and key packages that are stored in AD DS. By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others][ARC-1].
<!--links-->
[ARC-1]: /archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information
[ENTRA-1]: /entra/fundamentals/users-default-permissions#restrict-member-users-default-permissions
[ENTRA-2]: /entra/identity/role-based-access-control/permissions-reference#cloud-device-administrator
[ENTRA-3]: /entra/identity/role-based-access-control/permissions-reference#helpdesk-administrator
[ENTRA-4]: /entra/identity/devices/manage-device-identities#view-or-copy-bitlocker-keys
[ENTRA-5]: /entra/identity/role-based-access-control/custom-create
[ENTRA]: https://entra.microsoft.com
[GRAPH-1]: /graph/api/bitlockerrecoverykey-get
[INT-1]: /mem/intune/protect/encrypt-devices#view-details-for-recovery-keys
[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/recovery-service#rotate-keys
[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)
[PS-1]: /powershell/module/microsoft.graph.identity.signins/get-mginformationprotectionbitlockerrecoverykey
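Review bot: PREV-1 again resolves to the archived Server 2012 R2 command reference (`ff829851`) for `repair-bde.exe`; the current page lives under `/windows-server/administration/windows-commands/repair-bde`, the same location this commit already uses for `bdehdcfg`. In the link block, `[ENTRA]` is defined after `[ENTRA-5]` and breaks the otherwise alphabetical, numbered labels; rename it (for example `ENTRA-6`) and sort it with the others. The key-package note's "Domain Admins" is the correct group name; the earlier AD DS paragraph in this file uses "Domain Administrators" and should match.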