Merge pull request #8286 from MicrosoftDocs/main
Publish 05/15/2023 3:30 PM PDT
Angela Fleischmann committed May 15, 2023
2 parents 8613b7c + f62d2aa commit f430684
Showing 10 changed files with 38 additions and 20 deletions.
3 changes: 2 additions & 1 deletion includes/licensing/_edition-requirements.md
Expand Up @@ -13,7 +13,8 @@ ms.topic: include
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|
|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|
|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|
|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**|Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|
|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|
3 changes: 2 additions & 1 deletion includes/licensing/_licensing-requirements.md
Expand Up @@ -13,7 +13,8 @@ ms.topic: include
|**[Assigned Access (kiosk mode)](/windows/configuration/kiosk-methods)**|Yes|Yes|Yes|Yes|Yes|
|**[Attack surface reduction (ASR)](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**|Yes|Yes|Yes|Yes|Yes|
|**[Azure AD join, Active Directory domain join, and Hybrid Azure AD join with single sign-on (SSO)](/azure/active-directory/devices/concept-azure-ad-join)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker enablement](/windows/security/information-protection/bitlocker/bitlocker-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[BitLocker management](/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises)**||Yes|Yes|Yes|Yes|
|**Bluetooth pairing and connection protection**|Yes|Yes|Yes|Yes|Yes|
|**[Common Criteria certifications](/windows/security/threat-protection/windows-platform-common-criteria)**|Yes|Yes|Yes|Yes|Yes|
|**[Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders)**|Yes|Yes|Yes|Yes|Yes|
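Review bot: The `BitLocker management` row leaves its first licence cell empty (`||Yes|Yes|Yes|Yes|`), while every other row in this hunk fills all five cells and the new `includes/licensing/bitlocker-management.md` in this same commit states `No` for Windows Pro/Pro Education/SE. An empty cell can be read as missing data rather than as "not entitled". Unless blank cells are this table's established convention, write `No` explicitly so the summary table and the include agree.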
Expand Up @@ -7,13 +7,13 @@ ms.topic: include

## Windows edition and licensing requirements

The following table lists the Windows editions that support BitLocker:
The following table lists the Windows editions that support BitLocker enablement:

|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|

BitLocker license entitlements are granted by the following licenses:
BitLocker enablement license entitlements are granted by the following licenses:

|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
22 changes: 22 additions & 0 deletions includes/licensing/bitlocker-management.md
@@ -0,0 +1,22 @@
---
author: paolomatarazzo
ms.author: paoloma
ms.date: 05/04/2023
ms.topic: include
---

## Windows edition and licensing requirements

The following table lists the Windows editions that support BitLocker management:

|Windows Pro|Windows Enterprise|Windows Pro Education/SE|Windows Education|
|:---:|:---:|:---:|:---:|
|Yes|Yes|Yes|Yes|

BitLocker management license entitlements are granted by the following licenses:

|Windows Pro/Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
|No|Yes|Yes|Yes|Yes|

For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
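Review bot: The two tables in this new include give opposite answers for Windows Pro (`Yes` in the edition table, `No` in the entitlement table), and no sentence says which operations count as "BitLocker management" or why an edition can support it while its licence does not grant it. Add one sentence after the second table that defines the scope of the entitlement, so an administrator can tell what a Pro-licensed device can and cannot do.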
2 changes: 1 addition & 1 deletion windows/deployment/do/delivery-optimization-workflow.md
Expand Up @@ -39,4 +39,4 @@ This workflow allows Delivery Optimization to securely and efficiently deliver r
| cp\*.prod.do.dsp.mp.microsoft.com <br> | 443 | Content Policy | Provides content specific policies and as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentId**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **countryCode**: The country the client is connected from <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID <br> **CacheHost**: Cache host ID |
| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupID and external IP. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **partitionID**: Client partitioning hint <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **eID**: Client grouping ID |
| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox) <br> **ContentID**: The content identifier <br> **doClientVersion**: The version of the DoSvc client <br> **altCatalogID**: If ContentID isn't available, use the download URL instead <br> **PeerID**: Identity of the device running DO client <br> **ReportedIp**: The internal / private IP Address <br> **IsBackground**: Is the download interactive or background <br> **Uploaded**: Total bytes uploaded to peers <br> **Downloaded**: Total bytes downloaded from peers <br> **DownloadedCdn**: Total bytes downloaded from CDN <br> **Left**: Bytes left to download <br> **Peers Wanted**: Total number of peers wanted <br> **Group ID**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies) <br> **Scope**: The Download mode <br> **UploadedBPS**: The upload speed in bytes per second <br> **DownloadBPS**: The download speed in Bytes per second <br> **eID**: Client grouping ID |
| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |
| dl.delivery.mp.microsoft.com <br> emdl.ws.microsoft.com <br> download.windowsupdate.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |
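Review bot: The updated port 80 row lists `dl.delivery.mp.microsoft.com` without a wildcard, while the Delivery Optimization metadata list in `waas-delivery-optimization-faq.yml` in this same commit uses `http://*.dl.delivery.mp.microsoft.com`. These hostnames get copied into firewall and proxy allowlists, so the two pages should name the same pattern. Align them, or state which form is authoritative.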
1 change: 1 addition & 0 deletions windows/deployment/do/waas-delivery-optimization-faq.yml
Expand Up @@ -81,6 +81,7 @@ sections:
Delivery Optimization metadata:
- `http://emdl.ws.microsoft.com`
- `http://download.windowsupdate.com`
- `http://*.dl.delivery.mp.microsoft.com`
Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads
@@ -1,6 +1,6 @@
---
title: BitLocker Management Recommendations for Enterprises (Windows 10)
description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
title: BitLocker management
description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
ms.prod: windows-client
ms.localizationpriority: medium
author: frankroj
Expand All @@ -12,12 +12,14 @@ ms.custom: bitlocker
ms.technology: itpro-security
---

# BitLocker management for enterprises
# BitLocker management

The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.

Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.

[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)]

## Managing domain-joined computers and moving to cloud

Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](./bitlocker-group-policy-settings.md).
Expand All @@ -35,11 +37,6 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge

For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.

> [!NOTE]
> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users:
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
## Managing workplace-joined PCs and phones

For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
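Review bot: Deleting the `[!NOTE]` block removes two facts that the replacement include (`includes/licensing/bitlocker-management.md`) does not state: that the licence requirement applies to managing BitLocker via CSP "except to enable and disable it", and that the qualifying licences are included in Microsoft 365 F3, E3, E5, A3 and A5. The include only shows `No` for Windows Pro/Pro Education/SE. Keep the scope and the Microsoft 365 mapping, either in this article or in the include.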
Expand Up @@ -48,11 +48,7 @@ There are two additional tools in the Remote Server Administration Tools that ca
- **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the
BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console.

## New and changed functionality

To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see [What's new in Windows 10, versions 1507 and 1511 for IT Pros: BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker).

[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker.md)]
[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)]

## System requirements
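Review bot: The include path changes from `includes/licensing/bitlocker.md` to `includes/licensing/bitlocker-enablement.md`, and this is the only reference to the old path updated in the visible changes. If `bitlocker.md` was renamed, confirm that no other article still includes it, since a dangling `[!INCLUDE]` would drop the licensing section from that page. The deleted "New and changed functionality" section also carried the pointer to XTS-AES support; consider keeping that link elsewhere in the article.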

Expand Up @@ -35,7 +35,7 @@ items:
href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md
- name: Deploy BitLocker on Windows Server 2012 and later
href: ../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
- name: BitLocker management for enterprises
- name: BitLocker management
href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md
- name: Enable Network Unlock with BitLocker
href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
2 changes: 1 addition & 1 deletion windows/whats-new/windows-licensing.md
Expand Up @@ -199,7 +199,7 @@ To learn more about Windows 11 Enterprise E3 and E5 licensing, download the [Win
[MEM-3]: /mem/intune/protect/windows-update-compatibility-reports
[UP-1]: /universal-print/
[WIN-1]: /windows/security/identity-protection/credential-guard/credential-guard
[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-overview
[WIN-2]: /windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises
[WIN-3]: /windows/security/information-protection/personal-data-encryption/overview-pde
[WIN-4]: /windows/client-management/mdm/policy-csp-experience
[WIN-5]: /windows/deployment/windows-10-subscription-activation
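Review bot: `[WIN-2]` now resolves to `bitlocker-management-for-enterprises` instead of `bitlocker-overview`, but the table row that uses this reference is outside the hunk. Check that its link text reads "BitLocker management" rather than "BitLocker", so the licensing overview matches the enablement/management split made in `_licensing-requirements.md`.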
