Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into HApubpreview3

2025-05-13 05:47:23 +00:00 · 2017-07-25 15:30:56 -07:00 · 2017-07-25 15:30:56 -07:00 · 54b378e505
commit 54b378e505
parent c858933cbe 8b75c93926
10 changed files with 259 additions and 50 deletions
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@ -12,6 +12,8 @@ ms.date: 06/19/2017
 # DeviceStatus CSP
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@ -113,32 +115,32 @@ Boolean value that indicates compliance with the enterprise encryption policy. T
 Supported operation is Get.
 <a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**  
-Added in , version 1607. Node for the TPM query.
+Added in Windows, version 1607. Node for the TPM query.
 Supported operation is Get.
 <a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**  
-Added in , version 1607. String that specifies the specification version.
+Added in Windows, version 1607. String that specifies the specification version.
 Supported operation is Get.
 <a href="" id="devicestatus-os"></a>**DeviceStatus/OS**  
-Added in , version 1607. Node for the OS query.
+Added in Windows, version 1607. Node for the OS query.
 Supported operation is Get.
 <a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**  
-Added in , version 1607. String that specifies the OS edition.
+Added in Windows, version 1607. String that specifies the OS edition.
 Supported operation is Get.
 <a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**  
-Added in , version 1607. Node for the antivirus query.
+Added in Windows, version 1607. Node for the antivirus query.
 Supported operation is Get.
 <a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**  
-Added in , version 1607. Integer that specifies the status of the antivirus signature.
+Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
 Valid values:
@ -149,7 +151,7 @@ Valid values:
 Supported operation is Get.
 <a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**  
-Added in , version 1607. Integer that specifies the status of the antivirus.
+Added in Windows, version 1607. Integer that specifies the status of the antivirus.
 Valid values:
@ -162,27 +164,27 @@ Valid values:
 Supported operation is Get.
 <a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**  
-Added in , version 1607. Node for the antispyware query.
+Added in Windows, version 1607. Node for the antispyware query.
 Supported operation is Get.
 <a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**  
-Added in , version 1607. Integer that specifies the status of the antispyware signature.
+Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
 Supported operation is Get.
 <a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**  
-Added in , version 1607. Integer that specifies the status of the antispyware.
+Added in Windows, version 1607. Integer that specifies the status of the antispyware.
 Supported operation is Get.
 <a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**  
-Added in , version 1607. Node for the firewall query.
+Added in Windows, version 1607. Node for the firewall query.
 Supported operation is Get.
 <a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**  
-Added in , version 1607. Integer that specifies the status of the firewall.
+Added in Windows, version 1607. Integer that specifies the status of the firewall.
 Valid values:
@ -195,43 +197,84 @@ Valid values:
 Supported operation is Get.
 <a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**  
-Added in , version 1607. Node for the UAC query.
+Added in Windows, version 1607. Node for the UAC query.
 Supported operation is Get.
 <a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**  
-Added in , version 1607. Integer that specifies the status of the UAC.
+Added in Windows, version 1607. Integer that specifies the status of the UAC.
 Supported operation is Get.
 <a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**  
-Added in , version 1607. Node for the battery query.
+Added in Windows, version 1607. Node for the battery query.
 Supported operation is Get.
 <a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**  
-Added in , version 1607. Integer that specifies the status of the battery
+Added in Windows, version 1607. Integer that specifies the status of the battery
 Supported operation is Get.
 <a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**  
-Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
+Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
 The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
 Supported operation is Get.
 <a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**  
-Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
+Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx).
 The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
 Supported operation is Get.
- 
+<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**  
-
+Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any).
 Supported operation is Get.
 <a href="" id="devicestatus-deviceguard"></a>**DeviceStatus/DeviceGuard**  
 Added in Windows, version 1709. Node for Device Guard query.
 Supported operation is Get.
 <a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**  
 Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
 -	0x0: System meets hardware configuration requirements
 -	0x1: SecureBoot required 
 -	0x2: DMA Protection required
 -	0x4: HyperV not supported for Guest VM
 -	0x8: HyperV feature is not available
 Supported operation is Get.
 <a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**  
 Added in Windows, version 1709. Virtualization-based security status.  Value is one of the following:
 -	0 - Running
 -	1 - Reboot required 
 -	2 - 64 bit architecture required 
 -	3 - not licensed 
 -	4 - not configured 
 -	5 - System doesn't meet hardware requirements 
 -	42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
 Supported operation is Get.
 <a href="" id="devicestatus-deviceguard-lsacfgcredguardstatus"></a>**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**  
 Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
 -	0 - Running
 -	1 - Reboot required
 -	2 - Not licensed for Credential Guard
 -	3 - Not configured
 -	4 - VBS not running 
 Supported operation is Get.
--- a/windows/client-management/mdm/devicestatus-ddf.md
+++ b/windows/client-management/mdm/devicestatus-ddf.md
@ -7,11 +7,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 07/24/2017
 ---
 # DeviceStatus DDF
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -20,7 +22,7 @@ You can download the DDF files from the links below:
 - [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
 - [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1709.
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
@ -46,7 +48,7 @@ The XML below is the current version for this CSP.
            <Permanent />
          </Scope>
          <DFType>
-              <MIME>com.microsoft/1.2/MDM/DeviceStatus</MIME>
+            <MIME>com.microsoft/1.4/MDM/DeviceStatus</MIME>
          </DFType>
        </DFProperties>
        <Node>
@ -761,16 +763,108 @@ The XML below is the current version for this CSP.
            </DFProperties>
          </Node>
        </Node>
        <Node>
          <NodeName>DomainName</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <Description>Returns the fully qualified domain name of the device(if any).</Description>
            <DFFormat>
              <chr />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFTitle>DomainName</DFTitle>
            <DFType>
              <MIME>text/plain</MIME>
            </DFType>
          </DFProperties>
        </Node>
        <Node>
          <NodeName>DeviceGuard</NodeName>
          <DFProperties>
            <AccessType>
              <Get />
            </AccessType>
            <DFFormat>
              <node />
            </DFFormat>
            <Occurrence>
              <One />
            </Occurrence>
            <Scope>
              <Permanent />
            </Scope>
            <DFType>
              <DDFName></DDFName>
            </DFType>
          </DFProperties>
          <Node>
            <NodeName>VirtualizationBasedSecurityHwReq</NodeName>
            <DFProperties>
              <AccessType>
                <Get />
              </AccessType>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <One />
              </Occurrence>
              <Scope>
                <Permanent />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>VirtualizationBasedSecurityStatus</NodeName>
            <DFProperties>
              <AccessType>
                <Get />
              </AccessType>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <One />
              </Occurrence>
              <Scope>
                <Permanent />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
            </DFProperties>
          </Node>
          <Node>
            <NodeName>LsaCfgCredGuardStatus</NodeName>
            <DFProperties>
              <AccessType>
                <Get />
              </AccessType>
              <DFFormat>
                <int />
              </DFFormat>
              <Occurrence>
                <One />
              </Occurrence>
              <Scope>
                <Permanent />
              </Scope>
              <DFType>
                <MIME>text/plain</MIME>
              </DFType>
            </DFProperties>
          </Node>
        </Node>
      </Node>
 </MgmtTree>
 ```
--- a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
+++ b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -949,6 +949,15 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <td style="vertical-align:top"><p>Added DeviceTunnel profile in Windows 10, version 1709.</p>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
 <td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
 <ul>
 <li>DeviceStatus/DomainName</li>
 <li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq</li>
 <li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus</li>
 <li>DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus</li>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p> 
 <ul>
@ -1305,6 +1314,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>WindowsDefenderSecurityCenter/Phone</li>
 <li>WindowsDefenderSecurityCenter/URL</li>
 </ul>
 <p>Experience/AllowFindMyDevice - updated the description to include active digitizers.</p>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)</td>
@ -1321,6 +1331,15 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.</li>
 </ul>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[DeviceStatus CSP](devicestatus-csp.md)</td>
 <td style="vertical-align:top"><p>Added the following settings in Windows 10, version 1709:</p>
 <ul>
 <li>DeviceStatus/DomainName</li>
 <li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq</li>
 <li>DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus</li>
 <li>DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus</li>
 </td></tr>
 </tbody>
 </table>
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -77,7 +77,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
 <a href="" id="policy-configoperations-admxinstall"></a>**Policy/ConfigOperations/ADMXInstall**  
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md).
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
 > [!NOTE]
 > The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx).
@ -87,12 +87,12 @@ The following diagram shows the Policy configuration service provider in tree fo
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
 <a href="" id="policy-configoperations-admxinstall-appname"></a>**Policy/ConfigOperations/ADMXInstall/****_AppName_**  
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file. 
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. 
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
 <a href="" id="policy-configoperations-admxinstall-appname-policy"></a>**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy**  
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
@ -102,7 +102,7 @@ The following diagram shows the Policy configuration service provider in tree fo
 <p style="margin-left: 20px">Supported operations are Add and Get. Does not support Delete.
 <a href="" id="policy-configoperations-admxinstall-appname-preference"></a>**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference**  
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
 <p style="margin-left: 20px">Supported operations are Add, Get, and Delete.
@ -914,6 +914,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-experience.md#experience-allowdevicediscovery" id="experience-allowdevicediscovery">Experience/AllowDeviceDiscovery</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-allowfindmydevice" id="experience-allowfindmydevice">Experience/AllowFindMyDevice</a>
  </dd>
  <dd>
    <a href="./policy-csp-experience.md#experience-allowmanualmdmunenrollment" id="experience-allowmanualmdmunenrollment">Experience/AllowManualMDMUnenrollment</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@ -46,7 +46,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens.  This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is a string.
@ -81,7 +81,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is a string.
@ -116,7 +116,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is a string. 
@ -151,7 +151,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is a string.
@ -186,7 +186,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is an integer. 
@ -221,7 +221,7 @@ ms.date: 07/14/2017
 <!--EndSKU-->
 <!--StartDescription-->
-<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication.
+<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.
 <p style="margin-left: 20px">The datatype is a string.
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@ -144,6 +144,46 @@ ms.date: 07/14/2017
 <p style="margin-left: 20px">Most restricted value is 0.
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
 <a href="" id="experience-allowfindmydevice"></a>**Experience/AllowFindMyDevice**  
 <!--StartSKU-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 </tr>
 </table>
 <!--EndSKU-->
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy turns on Find My Device.
 <p style="margin-left: 20px">When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer.
 <p style="margin-left: 20px">When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. In Windows 10, version 1709 the user will not be able to view the location of the last use of their active digitizer on their device.
 <p style="margin-left: 20px">The following list shows the supported values:
 -   0 – Not allowed.
 -   1 (default) – Allowed.
 <!--EndDescription-->
 <!--EndPolicy-->
 <!--StartPolicy-->
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@ -18,7 +18,8 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md)
 | New or changed topic | Description |
 | --- | --- |
 | [Add image for secondary tiles](start-secondary-tiles.md) | Added XML example for Edge secondary tiles and **ImportEdgeAssets** |
-|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech.
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added explanation for tile behavior when the app is not installed |
 |[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. |
 ## June 2017
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@ -40,7 +40,9 @@ You can deploy the resulting .xml file to devices using one of the following met
 -   [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-## <a href="" id="bkmkcustomizestartscreen"></a>Customize the Start screen on your test computer
+
 <span id="bkmkcustomizestartscreen" />
 ## Customize the Start screen on your test computer
 To prepare a Start layout for export, you simply customize the Start layout on a test computer.
@ -70,6 +72,11 @@ To prepare a Start layout for export, you simply customize the Start layout on a
    -   **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group.
 >[!IMPORTANT]
 >In Windows 10, version 1703, if the Start layout includes tiles for apps that are not installed on the device that the layout is later applied to, the tiles for those apps will be blank. The blank tiles will persist until the next time the user signs in, at which time the blank tiles are removed. Some system events may cause the blank tiles to be removed before the next sign-in.
 >
 >In earlier versions of Windows 10, no tile would be pinned.
 <span id="bmk-exportstartscreenlayout" />
 ## Export the Start layout
--- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
+++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
@ -33,7 +33,7 @@ Members of the security community<sup>\*</sup> continuously collaborate with Mic
 Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard:
 - bash.exe
- bginfo.exe 
+- bginfo.exe<sup>[1]</sup> 
 - cdb.exe
 - csi.exe
 - dnx.exe
@ -42,14 +42,16 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 - kd.exe
 - ntkd.exe
 - lxssmanager.dll
- msbuild.exe<sup>[1]</sup>
+- msbuild.exe<sup>[2]</sup>
 - mshta.exe
 - ntsd.exe
 - rcsi.exe
 - system.management.automation.dll
 - windbg.exe
-<sup>[1]</sup>If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+<sup>[1]</sup>A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
 <sup>[2]</sup>If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
 <sup>*</sup>Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: