diff --git a/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png new file mode 100644 index 0000000000..3c945c3b8d Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-action-block-file.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png new file mode 100644 index 0000000000..23dcbb397e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-block-file-confirm.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png index cb58fad705..1f09d12343 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine-file.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png new file mode 100644 index 0000000000..e1d37a4f65 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-stop-quarantine.png differ diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 7f69b9369f..58a8656589 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -33,7 +33,7 @@ You can also submit files for deep analysis to run the file in a secure cloud sa ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. -The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. +The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. @@ -43,19 +43,19 @@ The action takes effect on machines with the latest Windows 10, version 1703 whe - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline - **Search box** - select File from the drop–down menu and enter the file name -2. Open the **Actions menu** and select **Stop & Quarantine File**. +2. Open the **Actions menu** and select **Stop and Quarantine File**. ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) -3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference. +3. Type a comment and select **Yes, stop and quarantine** to take action on the file. + ![Image of stop and quarantine file](images/atp-stop-quarantine.png) The Action center shows the submission information: ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - - **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
- - **Success** - Shows the number of machines where the file has been stopped and quarantined.
- - **Failed** - Shows the number of machines where the action failed and details about the failure.
+ - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of machines where the file has been stopped and quarantined. + - **Failed** - Shows the number of machines where the action failed and details about the failure. + - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -104,14 +104,16 @@ This feature is designed to prevent suspected malware (or potentially malicious ![Image of preferences setup](images/atp-preferences-setup.png) -3. Type a comment (optional) and select **Yes** to take action on the file. -The Action center shows the submission information: - ![Image of block file](images/atp-blockfile.png) +3. Type a comment and select **Yes, block file** to take action on the file. + + + The Action center shows the submission information: + ![Image of block file](images/atp-blockfile.png) - **Submission time** - Shows when the action was submitted.
- - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
- - **Status** - Indicates whether the file was added to or removed from the blacklist. + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates whether the file was added to or removed from the blacklist. When the file is blocked, there will be a new event in the machine timeline.
@@ -130,9 +132,9 @@ For prevalent files in the organization, a warning is shown before an action is ### Remove file from blocked list 1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box: - - **Alerts** - Click the file links from the Description or Details in the Alert timeline
- - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
- - **Search box** - Select File from the drop–down menu and enter the file name + - **Alerts** - Click the file links from the Description or Details in the Alert timeline
+ - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
+ - **Search box** - Select File from the drop–down menu and enter the file name 2. Open the **Actions** menu and select **Remove file from blocked list**.
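Review bot: In the hunk at `@@ -33,7 +33,7 @@`, the rewritten sentence keeps the wording "deleting persistency such as registry keys"; since the line is being touched anyway for the "Stop & Quarantine File" to "Stop and Quarantine File" rename, change it to "deleting persistence mechanisms such as registry keys", and check that the action name is updated consistently wherever else the page refers to it (the unchanged heading and image alt text still say "stop and quarantine").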
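Review bot: In the hunk at `@@ -43,19 +43,19 @@`, the new step 3 drops both "(optional)" and "The comment will be saved in the Action center for reference.", and the reordered Action center list also removes the **Submitting user** bullet, which was the only place telling the reader that the comment can be viewed through the information icon. Either restore a sentence saying where the comment ends up, or state in the PR that the comment is now required and that the Action center no longer shows the submitting user; also double-check the indentation of the new `+ ![Image of stop and quarantine file](images/atp-stop-quarantine.png)` line matches the existing image line above it so it renders inside the numbered step.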
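Review bot: In the hunk at `@@ -104,14 +104,16 @@`, the two new binary images `atp-action-block-file.png` and `atp-block-file-confirm.png` added at the top of the patch are not referenced anywhere in the changed Markdown; step 3 still points only at `images/atp-blockfile.png`. Either add the image references the new files were meant for or drop the unused binaries. The two added empty `+` lines after "Type a comment and select **Yes, block file**" also leave a double blank line inside the list item; one is enough to keep "The Action center shows the submission information:" attached to step 3.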
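Review bot: In the hunk at `@@ -130,9 +132,9 @@` the changes are indentation only, but all three list items still read "drop–down" with an en dash (the same character appears in the step 1 **Search box** line of the `@@ -43,19` hunk); while these lines are being rewritten, replace it with a plain hyphen ("drop-down") so the text matches the rest of the page and is searchable.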