Commit 6c6dbb5

Update device-management-azure-portal.md
1 parent a913ac9 commit 6c6dbb5

1 file changed

+6
-22
lines changed

articles/active-directory/devices/device-management-azure-portal.md

Lines changed: 6 additions & 22 deletions
@@ -107,25 +107,6 @@ To view or copy BitLocker keys, you need to be the owner of the device or have o
107107
- Security Administrator
108108
- Security Reader
109109

110-
## Block users from viewing their BitLocker keys (preview)
111-
In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.
112-
113-
To disable/enable self-service BitLocker recovery:
114-
115-
```PowerShell
116-
Connect-MgGraph -Scopes Policy.ReadWrite.Authorization
117-
$authPolicyUri = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"
118-
$body = @{
119-
defaultUserRolePermissions = @{
120-
allowedToReadBitlockerKeysForOwnedDevice = $false #Set this to $true to allow BitLocker self-service recovery
121-
}
122-
}| ConvertTo-Json
123-
Invoke-MgGraphRequest -Uri $authPolicyUri -Method PATCH -Body $body
124-
# Show current policy setting
125-
$authPolicy = Invoke-MgGraphRequest -Uri $authPolicyUri
126-
$authPolicy.defaultUserRolePermissions
127-
```
128-
129110
## View and filter your devices (preview)
130111

131112
In this preview, you have the ability to infinitely scroll, reorder columns, and select all devices. You can filter the device list by these device attributes:
@@ -170,15 +151,13 @@ You must be assigned one of the following roles to view or manage device setting
170151
- Global Reader
171152
- Directory Reader
172153

173-
![Screenshot that shows device settings related to Azure AD.](./media/device-management-azure-portal/device-settings-azure-portal.png)
154+
![Screenshot that shows device settings related to Azure AD.](./media/device-management-azure-portal/deviceSettings.jpg)
174155

175156
- **Users may join devices to Azure AD**: This setting enables you to select the users who can register their devices as Azure AD joined devices. The default is **All**.
176157

177158
> [!NOTE]
178159
> The **Users may join devices to Azure AD** setting is applicable only to Azure AD join on Windows 10 or newer. This setting doesn't apply to hybrid Azure AD joined devices, [Azure AD joined VMs in Azure](./howto-vm-sign-in-azure-ad-windows.md#enable-azure-ad-login-for-a-windows-vm-in-azure), or Azure AD joined devices that use [Windows Autopilot self-deployment mode](/mem/autopilot/self-deploying) because these methods work in a userless context.
179160
180-
- **Additional local administrators on Azure AD joined devices**: This setting allows you to select the users who are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Global Administrators in Azure AD and device owners are granted local administrator rights by default.
181-
This option is a premium edition capability available through products like Azure AD Premium and Enterprise Mobility + Security.
182161
- **Users may register their devices with Azure AD**: You need to configure this setting to allow users to register Windows 10 or newer personal, iOS, Android, and macOS devices with Azure AD. If you select **None**, devices aren't allowed to register with Azure AD. Enrollment with Microsoft Intune or mobile device management for Microsoft 365 requires registration. If you've configured either of these services, **ALL** is selected, and **NONE** is unavailable.
183162
- **Require Multi-Factor Authentication to register or join devices with Azure AD**:
184163
- We recommend organizations use the [Register or join devices user](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions) action in Conditional Access to enforce multifactor authentication. You must configure this toggle to **No** if you use a Conditional Access policy to require multifactor authentication.
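Review bot: The replacement screenshot path `./media/device-management-azure-portal/deviceSettings.jpg` uses camelCase while the path it replaces (`device-settings-azure-portal.png`) and the other media references in this file are kebab-case; rename it to match. Also confirm the new image is committed, since the file tree shows only this markdown file changed, so the reference will be broken until the image exists. Removing the "Additional local administrators on Azure AD joined devices" bullet here is fine as a move, since it is re-added under the **Maximum number of devices** note in the next hunk.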
@@ -192,6 +171,11 @@ This option is a premium edition capability available through products like Azur
192171
> [!NOTE]
193172
> The **Maximum number of devices** setting applies to devices that are either Azure AD joined or Azure AD registered. This setting doesn't apply to hybrid Azure AD joined devices.
194173
174+
- **Additional local administrators on Azure AD joined devices**: This setting allows you to select the users who are granted local administrator rights on a device. These users are added to the Device Administrators role in Azure AD. Global Administrators in Azure AD and device owners are granted local administrator rights by default.
175+
This option is a premium edition capability available through products like Azure AD Premium and Enterprise Mobility + Security.
176+
177+
- **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices (preview)**: In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.
178+
195179
- **Enterprise State Roaming**: For information about this setting, see [the overview article](enterprise-state-roaming-overview.md).
196180

197181
## Audit logs
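Review bot: The new **Restrict non-admin users from recovering the BitLocker key(s) for their owned devices (preview)** bullet does not state the toggle's default value or who keeps access, unlike the neighbouring bullets (for example "The default is **All**"); add the default, and say that users holding a role with BitLocker read permission (Security Administrator and Security Reader, listed earlier in this file) are unaffected so readers can tell what actually changes when it is enabled. Separately, lines 176 and 177 add two consecutive blank lines between the "premium edition" sentence and the new bullet; one blank line matches the rest of the list.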
