diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index ef43f3c484..b8ffe15b74 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -136,45 +136,45 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
- Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
- Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
- - %windir%\\system32\\certutil.exe
- - %windir%\\system32\\dxdiag.exe
- - %windir%\\system32\\gpresult.exe
- - %windir%\\system32\\msinfo32.exe
- - %windir%\\system32\\netsh.exe
- - %windir%\\system32\\nltest.exe
- - %windir%\\system32\\ping.exe
- - %windir%\\system32\\powercfg.exe
- - %windir%\\system32\\w32tm.exe
- - %windir%\\system32\\wpr.exe
- - %windir%\\system32\\dsregcmd.exe
- - %windir%\\system32\\dispdiag.exe
- - %windir%\\system32\\ipconfig.exe
- - %windir%\\system32\\logman.exe
- - %windir%\\system32\\tracelog.exe
- - %programfiles%\\windows defender\\mpcmdrun.exe
- - %windir%\\system32\\MdmDiagnosticsTool.exe
- - %windir%\\system32\\pnputil.exe
+ - %windir%\\system32\\certutil.exe
+ - %windir%\\system32\\dxdiag.exe
+ - %windir%\\system32\\gpresult.exe
+ - %windir%\\system32\\msinfo32.exe
+ - %windir%\\system32\\netsh.exe
+ - %windir%\\system32\\nltest.exe
+ - %windir%\\system32\\ping.exe
+ - %windir%\\system32\\powercfg.exe
+ - %windir%\\system32\\w32tm.exe
+ - %windir%\\system32\\wpr.exe
+ - %windir%\\system32\\dsregcmd.exe
+ - %windir%\\system32\\dispdiag.exe
+ - %windir%\\system32\\ipconfig.exe
+ - %windir%\\system32\\logman.exe
+ - %windir%\\system32\\tracelog.exe
+ - %programfiles%\\windows defender\\mpcmdrun.exe
+ - %windir%\\system32\\MdmDiagnosticsTool.exe
+ - %windir%\\system32\\pnputil.exe
- **FoldersFiles**
- Captures log files from a given path (without recursion).
- Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
- Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
- - %PROGRAMFILES%
- - %PROGRAMDATA%
- - %PUBLIC%
- - %WINDIR%
- - %TEMP%
- - %TMP%
+ - %PROGRAMFILES%
+ - %PROGRAMDATA%
+ - %PUBLIC%
+ - %WINDIR%
+ - %TEMP%
+ - %TMP%
- Additionally, only files with the following extensions are captured:
- - .log
- - .txt
- - .dmp
- - .cab
- - .zip
- - .xml
- - .html
- - .evtx
- - .etl
+ - .log
+ - .txt
+ - .dmp
+ - .cab
+ - .zip
+ - .xml
+ - .html
+ - .evtx
+ - .etl
**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index ba163c16c9..02c175e81b 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -50,7 +50,7 @@ On **DC01**:
2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
- New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
+ New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD@contoso.com -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
```
3. Next, run the Set-OuPermissions script to apply permissions to the **MDT\_JD** service account, enabling it to manage computer accounts in the Contoso / Computers OU. Run the following commands from an elevated Windows PowerShell prompt:
@@ -369,9 +369,9 @@ On **MDT01**:
2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
- - Name: Set DriverGroup001
- - Task Sequence Variable: DriverGroup001
- - Value: Windows 10 x64\\%Make%\\%Model%
+ 1. Name: Set DriverGroup001
+ 2. Task Sequence Variable: DriverGroup001
+ 3. Value: Windows 10 x64\\%Manufacturer%\\%Model%
2. Configure the **Inject Drivers** action with the following settings:
- Choose a selection profile: Nothing
@@ -842,4 +842,4 @@ The partitions when deploying an UEFI-based machine.
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
+[Configure MDT settings](configure-mdt-settings.md)
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 475d3b84c6..72bcfc72c9 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -36,7 +36,7 @@ The features described below are no longer being actively developed, and might b
| Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 |
| My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 |
| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 |
-| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information about implementing a remote indirect display driver, ISVs can reach out to [rdsdev@microsoft.com](mailto:rdsdev@microsoft.com). | 1903 |
+| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 |
| Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 |
| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 |
| Windows To Go | Windows To Go is no longer being developed.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
@@ -70,4 +70,4 @@ The features described below are no longer being actively developed, and might b
|TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 |
|TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 |
|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 |
-|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
\ No newline at end of file
+|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.|
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 148b234b8b..434a191b14 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -9,12 +9,12 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
-author: linque1
-ms.author: robsize
-manager: robsize
+author: tomlayson
+ms.author: tomlayson
+manager: riche
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/1/2020
+ms.date: 5/21/2021
---
# Manage connections from Windows 10 operating system components to Microsoft services
@@ -592,6 +592,48 @@ Alternatively, you can configure the following Registry keys as described:
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](/microsoft-edge/deploy/available-policies).
+### 13.2 Microsoft Edge Enterprise
+
+For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).
+
+> [!Important]
+> - The following settings are applicable to Microsoft Edge version 77 or later.
+> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
+> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
+> - Devices must be domain joined for some of the policies to take effect.
+
+| Policy | Group Policy Path | Registry Path |
+|----------------------------------|--------------------|---------------------------------------------|
+| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** |
+| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** |
+| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** |
+| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** |
+| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** |
+| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** |
+| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** |
+| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** |
+| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** |
+| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
+| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** |
+| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs |
+| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** |
+| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** |
+| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** |
+| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
+| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** |
+|||
+
### 14. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index 6424a91e8b..bab9c21e3e 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -94,6 +94,9 @@ To find the PCR information, go to the end of the file.
## Use PCPTool to decode Measured Boot logs
+> [!NOTE]
+> PCPTool is a Visual Studio solution, but you need to build the executable before you can start using this tool.
+
PCPTool is part of the [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487). The tool decodes a Measured Boot log file and converts it into an XML file.
To download and install PCPTool, go to the Toolkit page, select **Download**, and follow the instructions.
@@ -111,4 +114,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
-
\ No newline at end of file
+