@@ -186,9 +186,8 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your
186186
187187## BitLocker
188188
189- For more information, [ BitLocker Group Policy settings] ( /windows/security/information-protection/bitlocker/bitlocker-group-policy-settings ) in the Windows documentation.
190-
191- ::: zone pivot="atp-march-2020,atp-april-2020"
189+ ::: zone pivot="atp-march-2020,atp-april-2020"
190+ <!-- GOOD -->
192191
193192- ** Require storage cards to be encrypted (mobile only)**
194193 Baseline default: * Yes*
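Review bot: The `<!-- GOOD -->` comment added at new line 190, directly under the `::: zone pivot="atp-march-2020,atp-april-2020"` line, reads like a working marker and should be removed before merge. The hunk also deletes the "For more information, [BitLocker Group Policy settings]" link with no replacement. If that pointer is still wanted, restore it above the zone, worded as "For more information, see ...".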
@@ -197,8 +196,44 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
197196 > [ !NOTE]
198197 > Support for [ Windows 10 Mobile] ( https://support.microsoft.com/help/4485197/windows-10-mobile-end-of-support-faq ) and [ Windows Phone 8.1] ( https://support.microsoft.com/help/4036480/windows-phone-8-1-end-of-support-faq ) ended in August of 2020.
199198
200- ::: zone-end
201- ::: zone pivot="atp-sept-2020,atp-december-2020"
199+ - ** Enable full disk encryption for OS and fixed data drives**
200+ Baseline default: * Yes*
201+ [ Learn more] ( /windows/client-management/mdm/bitlocker-csp#requiredeviceencryption )
202+
203+ - ** BitLocker system drive policy**
204+ Baseline default: * Configure*
205+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067025 )
206+
207+ - ** Configure encryption method for Operating System drives**
208+ Baseline default: * Not configured*
209+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
210+
211+ - ** BitLocker fixed drive policy**
212+ Baseline default: * Configure*
213+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067018 )
214+
215+ - ** Block write access to fixed data-drives not protected by BitLocker**
216+ Baseline default: * Yes*
217+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872534 )
218+ This setting is available when * BitLocker fixed drive policy* is set to * Configure* .
219+
220+ - ** Configure encryption method for fixed data-drives**
221+ Baseline default: * AES 128bit XTS*
222+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
223+
224+ - ** BitLocker removable drive policy**
225+ Baseline default: * Configure*
226+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067140 )
227+
228+ - ** Configure encryption method for removable data-drives**
229+ Baseline default: * AES 128bit CBC*
230+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
231+
232+ - ** Block write access to removable data-drives not protected by BitLocker**
233+ Baseline default: * Not configured*
234+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872540 )
235+
236+ ::: zone pivot="atp-sept-2020
202237
203238- ** Standby states when sleeping while on battery**
204239 Baseline default: * Disabled*
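Review bot: The zone line added at new line 236, `::: zone pivot="atp-sept-2020`, is missing its closing quote. The `::: zone-end` removed at old line 200 also leaves the March/April zone with no close in the visible lines before this new zone opens. Terminate the pivot string and put a `::: zone-end` back ahead of line 236 so the September entries are not nested inside the March/April zone.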
@@ -208,18 +243,13 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
208243 Baseline default: * Disabled*
209244 [ Learn more] ( /windows/client-management/mdm/policy-csp-power#power-standbytimeoutpluggedin )
210245
211- ::: zone-end
212- ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"
213-
214246- ** Enable full disk encryption for OS and fixed data drives**
215247 Baseline default: * Yes*
216248 [ Learn more] ( /windows/client-management/mdm/bitlocker-csp#requiredeviceencryption )
217249
218250- ** BitLocker system drive policy**
219251 Baseline default: * Configure*
220252 [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067025 )
221- ::: zone-end
222- ::: zone pivot="atp-sept-2020,atp-december-2020"
223253
224254 - ** Startup authentication required**
225255 Baseline default: * Yes*
@@ -236,13 +266,76 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
236266 - ** Disable BitLocker on devices where TPM is incompatible**
237267 Baseline default: * Yes*
238268 [ Learn more] ( /windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication )
269+
270+
271+ - ** Configure encryption method for Operating System drives**
272+ Baseline default: * Not configured*
273+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
274+
275+ - ** BitLocker fixed drive policy**
276+ Baseline default: * Configure*
277+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067018 )
278+
279+ - ** Block write access to fixed data-drives not protected by BitLocker**
280+ Baseline default: * Yes*
281+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872534 )
282+ This setting is available when * BitLocker fixed drive policy* is set to * Configure* .
283+
284+ - ** Configure encryption method for fixed data-drives**
285+ Baseline default: * AES 128bit XTS*
286+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
287+
288+ - ** BitLocker removable drive policy**
289+ Baseline default: * Configure*
290+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067140 )
291+
292+ - ** Configure encryption method for removable data-drives**
293+ Baseline default: * AES 128bit CBC*
294+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
295+
296+ - ** Block write access to removable data-drives not protected by BitLocker**
297+ Baseline default: * Not configured*
298+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872540 )
299+
239300::: zone-end
240- ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020"
301+ ::: zone pivot="atp-december-2020"
302+
303+ - ** BitLocker system drive policy**
304+ Baseline default: * Configure*
305+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067025 )
306+
307+ - ** Startup authentication required**
308+ Baseline default: * Yes*
309+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872527 )
310+
311+ - ** Compatible TPM startup PIN**
312+ Baseline default: * Allowed*
313+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872527 )
314+
315+ - ** Compatible TPM startup key**
316+ Baseline default: * Required*
317+ [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872527 )
318+
319+ - ** Disable BitLocker on devices where TPM is incompatible**
320+ Baseline default: * Yes*
321+ [ Learn more] ( /windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication )
241322
242323 - ** Configure encryption method for Operating System drives**
243324 Baseline default: * Not configured*
244325 [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=872526 )
245326
327+ - ** Standby states when sleeping while on battery**
328+ Baseline default: * Disabled*
329+ [ Learn more] ( /windows/client-management/mdm/policy-csp-power#power-standbytimeoutonbattery )
330+
331+ - ** Standby states when sleeping while plugged in**
332+ Baseline default: * Disabled*
333+ [ Learn more] ( /windows/client-management/mdm/policy-csp-power#power-standbytimeoutpluggedin )
334+
335+ - ** Enable full disk encryption for OS and fixed data drives**
336+ Baseline default: * Yes*
337+ [ Learn more] ( /windows/client-management/mdm/bitlocker-csp#requiredeviceencryption )
338+
246339- ** BitLocker fixed drive policy**
247340 Baseline default: * Configure*
248341 [ Learn more] ( https://go.microsoft.com/fwlink/?linkid=2067018 )
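Review bot: The December zone opened at new line 301 repeats the September zone's settings in a different order. Here the two "Standby states" entries and "Enable full disk encryption for OS and fixed data drives" come after "Configure encryption method for Operating System drives", while the September zone lists them first. Since each pivot now carries a full copy of the list, keep the order identical across zones so the copies can be compared line for line and a changed default is not missed in one of them. Also drop one of the two blank lines added at 269-270.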
@@ -585,7 +678,7 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
585678
586679- ** Defender potentially unwanted app action**
587680 Baseline default: * Block*
588- [ Learn more] ( https://docs.microsoft.com /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection)
681+ [ Learn more] ( /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection )
589682
590683- ** Turn on cloud-delivered protection**
591684 Baseline default: * Yes*
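Review bot: The relative link added at new line 681 still carries the `?WT.mc_id=Portal-Microsoft_Intune_Workflows` query, while the other relative "Learn more" links in this file (for example `/windows/client-management/mdm/policy-csp-power#power-standbytimeoutpluggedin`) have none. Consider dropping the query here and in the same "Defender potentially unwanted app action" line in the later hunks, leaving `/windows/client-management/mdm/policy-csp-defender#defender-puaprotection`.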
@@ -624,7 +717,7 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
624717
625718- ** Defender potentially unwanted app action**
626719 Baseline default: * Block*
627- [ Learn more] ( https://docs.microsoft.com /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection)
720+ [ Learn more] ( /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection )
628721
629722- ** Turn on cloud-delivered protection**
630723 Baseline default: * Yes*
@@ -734,7 +827,7 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
734827
735828- ** Defender potentially unwanted app action**
736829 Baseline default: * Block*
737- [ Learn more] ( https://docs.microsoft.com /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection)
830+ [ Learn more] ( / /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection)
738831
739832- ** Turn on cloud-delivered protection**
740833 Baseline default: * Yes*
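Review bot: The link added at new line 830 has an extra leading slash, `/ /windows/client-management/...`, where the same change in the other hunks of this commit reads `/windows/client-management/...`. If the file contains `//windows/...`, that is a protocol-relative URL whose host is `windows`, so the link will not reach the policy-csp-defender page. Remove the extra slash, and add the space before the closing `)` to match the other three edits.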
@@ -884,7 +977,7 @@ For more information, [BitLocker Group Policy settings](/windows/security/inform
884977
885978- ** Defender potentially unwanted app action**
886979 Baseline default: * Block*
887- [ Learn more] ( https://docs.microsoft.com /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection)
980+ [ Learn more] ( /windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-Microsoft_Intune_Workflows#defender-puaprotection )
888981
889982- ** Turn on cloud-delivered protection**
890983 Baseline default: * Yes*