Merge branch 'master' of https://github.com/microsoftdocs/windows-itpro-docs

windows/security/identity-protection/access-control/security-identifiers.md

@@ -215,7 +215,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
 | S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.<br/>Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| 
 | S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.<br/>Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| 
 | S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| 
-| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| 
+| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| 
 | S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| 
 | S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
 | S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| 

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -191,7 +191,7 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
 This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
 
 >[!WARNING]
->[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.]
+>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
  
 ### Rule: Block untrusted and unsigned processes that run from USB