From 4172c1f5d6b0ae822486c230b648ea4fd36ceb49 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 14:51:40 -0800 Subject: [PATCH 01/32] Create best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md new file mode 100644 index 0000000000..e0b732c7ad --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -0,0 +1,32 @@ +--- +title: Best practices with attack surface reduction rules +description: Prevent issues from arising with your attack surface reduction rules by following these best practices +keywords: Microsoft Defender ATP, attack surface reduction, best practices +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: jcedola +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- asr +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +--- + +# Best practices with attack surface reduction rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +*ASR guidance for deploying rules (links to Antonio’s blog, recommendations for deploying rules to small set of devices first, code signing, link to ASR Power BI template, and link to M365 security center reports)* + 
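Review bot: the body of the new page ends in an italic planning note (*ASR guidance for deploying rules (links to Antonio's blog, recommendations for deploying rules to small set of devices first, ...)*) that reads as an author to-do, not reader-facing content, and the file closes with a whitespace-only line. Either keep this commit off the publish branch until the sections exist, or replace the italic line with the headings it sketches (phased deployment, code signing, Power BI template, security center reports) so the outline is visible without the private note.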
From 3525787146823116248e423e6fd9ba753f6ad8f1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 14:53:34 -0800 Subject: [PATCH 02/32] Update TOC.md --- windows/security/threat-protection/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 79487e7cc2..862dcdb459 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -82,6 +82,7 @@ #### [Attack surface reduction controls]() ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) +##### [Best practices with attack surface reduction rules](microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) ##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) From e90667baf92ce836c62737bae1f493757e4df046 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:00:23 -0800 Subject: [PATCH 03/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index e0b732c7ad..cc67b6f89e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -1,5 +1,5 @@ --- -title: Best practices with attack surface reduction rules +title: Tips and best practices for attack surface reduction rules description: Prevent issues from arising with your attack surface reduction rules by following these best practices keywords: Microsoft Defender ATP, attack surface reduction, best practices search.product: eADQiWindows 10XVcnh @@ -19,14 +19,33 @@ ms.collection: - m365initiative-defender-endpoint --- -# Best practices with attack surface reduction rules +# Tips and best practices for attack surface reduction rules [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -*ASR guidance for deploying rules (links to Antonio’s blog, recommendations for deploying rules to small set of devices first, code signing, link to ASR Power BI template, and link to M365 security center reports)* + + +Whether you're about to enable or have already deployed attack surface reduction rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. + +## Use a phased approach + +Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. This approach enables you to see how attack surface reduction rules work in your environment and gives you flexibility in applying exclusions. You can do this with dynamic membership rules. + + + +## Use code signing for applications + +## Get the Power BI report template + + +https://github.com/microsoft/MDATP-PowerBI-Templates + +## Avoid policy conflicts + +## See the demystifying blogs From 9337b5f030d22f55a15554d42a658d2e890cfe65 Mon Sep 17 00:00:00 2001 
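Review bot: three of the headings added in the second hunk (## Use code signing for applications, ## Avoid policy conflicts, ## See the demystifying blogs) have no body, and ## Get the Power BI report template contains only a bare URL (https://github.com/microsoft/MDATP-PowerBI-Templates). Empty H2 sections publish as dead anchors; add at least a one-sentence description under each and link the template as text, for example [MDATP Power BI templates](https://github.com/microsoft/MDATP-PowerBI-Templates). The phased-approach paragraph also says "You can do this with dynamic membership rules" without saying where such rules are configured; a link to the dynamic device group documentation would make that step actionable.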
From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:14:27 -0800 Subject: [PATCH 04/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index cc67b6f89e..79644b2380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -40,12 +40,15 @@ Before you roll out attack surface reduction rules in your organization, select ## Use code signing for applications +As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. + ## Get the Power BI report template - -https://github.com/microsoft/MDATP-PowerBI-Templates + ## Avoid policy conflicts + + ## See the demystifying blogs From bf788b9b594dc9cf544f85ecd184fbdab696e2a9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 16:39:52 -0800 Subject: [PATCH 05/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 79644b2380..de07f909f2 100644 
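Review bot: this hunk removes the only content under ## Get the Power BI report template (the -https://github.com/microsoft/MDATP-PowerBI-Templates line) and leaves the heading empty, so the template reference is lost rather than improved; restore it as a text link. The new code-signing paragraph asserts that signing "helps avoid false positives with attack surface reduction rules" but does not say which rules take signing into account or what an unsigned internal tool would trigger; point to the rule reference page or name the rules affected so readers can verify the claim rather than take it as a blanket statement.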
--- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -52,3 +52,10 @@ As a best practice, use code signing for all the applications and scripts that y ## See the demystifying blogs + +|Blog |Description | +|---------|---------| +|[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | +|[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | +|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | | +|Row4 | | From a3a05f747e7eddaac23fde5a5c91141bffc75827 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:03:48 -0800 Subject: [PATCH 06/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index de07f909f2..7f28d0e038 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
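Review bot: the table added in this hunk ships with placeholder content: the Part 3 row has an empty Description cell and the last row is literally |Row4 | |. Fill in the Part 3 description and delete the Row4 line (or replace it with the next post in the series if there is one) before merge; a rendered table with a "Row4" entry is an obvious leftover from the table snippet.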
+++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -52,10 +52,12 @@ As a best practice, use code signing for all the applications and scripts that y ## See the demystifying blogs +The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). |Blog |Description | |---------|---------| |[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | |[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | -|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | | -|Row4 | | +|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | Learn how to view reports and information about attack surface reduction rules and their status, and how to troubleshoot issues with rule impact and operations. 
| +|[Demystifying attack surface reduction rules - Part 4: Migrating](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-4/ba-p/1384425) | If you're currently using a non-Microsoft host intrusion prevention system (HIPS) and are evaluating or migrating to attack surface reduction capabilities in Microsoft Defender for Endpoint, see this blog. You'll see how custom rules you were using with your HIPS solution can map to attack surface reduction rules in Microsoft Defender for Endpoint. | + From dc962d76e76215e9ada5ee762adb98e44d446061 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:13:05 -0800 Subject: [PATCH 07/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 7f28d0e038..487e9cd874 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -42,6 +42,10 @@ Before you roll out attack surface reduction rules in your organization, select As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. +## View reports in the Microsoft 365 security center + +In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. + ## Get the Power BI report template From f7ebe8a8e67172c8aab6e29c8128f9827c37a4be Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:30:59 -0800 Subject: [PATCH 08/32] Update best-practices-attack-surface-reduction-rules.md --- ...best-practices-attack-surface-reduction-rules.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 487e9cd874..caf7149e05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -44,7 +44,7 @@ As a best practice, use code signing for all the applications and scripts that y ## View reports in the Microsoft 365 security center -In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. +In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) ## Get the Power BI report template 
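Review bot: the edited sentence appends "(MORE TO COME!)" to the reader-facing navigation path **Reports** > **Devices** > **Attack surface reduction**. A placeholder like this should not land on the publish branch; track the remaining work in the PR description or a source comment and keep the published line as it was.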
@@ -52,6 +52,17 @@ In the Microsoft 365 security center ([https://security.microsoft.com](https://s ## Avoid policy conflicts +If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). + +Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: +- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: + - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). + - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. + - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. +- Settings that do not have conflicts are added to a superset of policy for the device. +- When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. +- Only the configurations for conflicting settings are held back. + ## See the demystifying blogs From 0d4c2d4fe938e21f6e1baead860009915e010d70 Mon Sep 17 00:00:00 2001 
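Review bot: the last bullet of the merge-behavior list ("Only the configurations for conflicting settings are held back.") restates the bullet just above it ("the conflicting settings are not added to the combined policy, while settings that don't conflict are added"); drop one of them. The opening paragraph says the MDM setting "will take precedence" when MDM and Group Policy conflict, but the list that follows covers only the three Intune profile paths, so say explicitly that MDM-over-Group-Policy precedence and merging across Intune profiles are two separate mechanisms and that Group Policy settings are not merged into the superset. The third profile path also names "Microsoft Defender ATP Baseline" while the rest of the page uses Microsoft Defender for Endpoint; check that the baseline name matches what the Endpoint security node shows today.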
From: Denise Vangel-MSFT Date: Tue, 29 Dec 2020 17:36:15 -0800 Subject: [PATCH 09/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index caf7149e05..96874697de 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -55,12 +55,16 @@ In the Microsoft 365 security center ([https://security.microsoft.com](https://s If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows: + - Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. + - Settings that do not have conflicts are added to a superset of policy for the device. + - When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. + - Only the configurations for conflicting settings are held back. From b384eba9eb2b195a196a6cb8a9422e6fbc7a70e6 Mon Sep 17 00:00:00 2001 
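Review bot: this hunk only inserts blank lines between the top-level bullets of the merge-behavior list. In Markdown that turns a tight list into a loose one (each item rendered as its own paragraph) and, with the nested sub-bullets under the first item, risks the renderer splitting it into separate lists. If the goal is readability in the source, the blank lines can be dropped; if wider spacing in the output is intended, confirm in the docs preview that it still renders as a single list.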
From: Siddarth Mandalika Date: Thu, 31 Dec 2020 19:16:42 +0530 Subject: [PATCH 10/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 48 +++++++++++++++++-- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 96874697de..80da8794b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -42,21 +42,61 @@ Before you roll out attack surface reduction rules in your organization, select As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. -## View reports in the Microsoft 365 security center +## View reports from various sources in Microsoft + +### From the Microsoft 365 security center** In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) +To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. + +### By Microsoft Defender ATP advanced hunting** + +Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. + +The **advanced hunting** tool enables the users to audit the **Of-the-last-30-days** data collected from various devices by Microsoft Defender ATP Endpoint Detection and Response (EDR). It facilitates proactive logging of any suspicious indicators and entities in the events that you explore. This tool provides flexibility in accessing data (without any restriction in category of data to be accessed). This flexibility enables the user to detect known threats and spot new threats. + +The reports for the ASR rules' events are generated by querying the **DeviceEvents** table. 
+ +**Template of DeviceEvents table** + +DeviceEvents +| where Timestamp > ago (30d) +| where ActionType startswith "Asr" +| summarize EventCount=count () by ActionType + +### By Microsoft Defender ATP machine timeline + +Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. + +Reports relating to ASR rule events can be generated for the preceding-6-months period on a specific endpoint or device. + +**Summarized procedure to generate report** + +1. Log in to **Microsoft Defender Security Center** and navigate to the **Machines** tab. +2. Choose a machine for which you want to view the reports of its ASR rule-related events. +3. Click **Timeline** and choose the time range for which the report is to display data. + + ## Get the Power BI report template ## Avoid policy conflicts -If a conflicting policy is applied via Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM will take precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). +If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). -Attack surface reduction rules for MEM managed devices now support new behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. 
Attack surface reduction rule merge behavior is as follows: +Attack surface reduction (ASR) rules for MEM-managed devices now support a new behavior for merger of settings from different policies, to create a superset of policies for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. ASR rule merge behavior is as follows: -- Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to: +Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger of the settings of policies. This behavior is described below: + +- If two or more policies have multiple settings configured in each of them, the settings without a conflict are merged into the superset of the policies they are mapped to. +- If two or more policies encounter a conflict over a single setting from the various settings they are configured with, only that single setting with a conflict is held back from being merged into the superset of the policies. +- The bundle of settings as a whole are not held back from being merged into the superset because of the single conflict-affected setting. +- The policy as a whole is not flagged as **being in conflict** because of one of its settings being conflict affected. + + +- ASR rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. 
- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. From ed4b33cf41a447b10d6cd0136f31f6826aec43b8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 31 Dec 2020 19:33:23 +0530 Subject: [PATCH 11/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 80da8794b6..0a09d31840 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -44,13 +44,13 @@ As a best practice, use code signing for all the applications and scripts that y ## View reports from various sources in Microsoft -### From the Microsoft 365 security center** +### From the Microsoft 365 security center In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. -### By Microsoft Defender ATP advanced hunting** +### By Microsoft Defender ATP advanced hunting Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. 
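Review bot: the sample query under **Template of DeviceEvents table** is plain text, not a fenced code block, so the three lines that start with "|" ("| where Timestamp > ago (30d)", "| where ActionType startswith "Asr"", "| summarize EventCount=count () by ActionType") will be mangled by the Markdown renderer; wrap the query in a ```kusto fence, and use the conventional `ago(30d)` and `count()` spelling without the space before the parentheses. The two new subheadings carry a stray trailing "**" ("### From the Microsoft 365 security center**", "### By Microsoft Defender ATP advanced hunting**"); the following commit fixes that, so squash it into this one. In ## Avoid policy conflicts the hunk keeps the existing paragraph on merging ("now support a new behavior for merger of settings from different policies...") and adds a second one describing the same behavior ("support a new behavior in terms of merger of the settings of policies") with its own four-bullet list, so the section now explains the superset rule twice; keep one explanation and one list. Finally, advanced hunting is described as a tool that "generates reports" and "facilitates proactive logging", but what the template actually returns is a result set of ActionType counts; describe it as a query whose output you review, which also matches the Summarized procedure for the machine timeline below.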
@@ -65,6 +65,13 @@ DeviceEvents | where ActionType startswith "Asr" | summarize EventCount=count () by ActionType +**Procedure** + +1. Navigate to **Advanced hunting** module in the **Microsoft Defender Security Center** portal. +2. Click **Query**. +3. Click **+ New** to create a new query. +4. Click **Run query**. The report based on the query parameters (specified in the **Template of DeviceEvents table** section) is generated. + ### By Microsoft Defender ATP machine timeline Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. From 4b6d132328c9cf139c94f23508f34b880e329f34 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 4 Jan 2021 18:37:55 +0530 Subject: [PATCH 12/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 34 ++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 0a09d31840..19653b1a5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
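Review bot: the four-step **Procedure** added here never tells the reader to enter the query: step 3 creates a new query and step 4 runs it, with nothing in between about pasting the DeviceEvents template from the section above into the editor. Add that step, and say the result is a table of event counts per ActionType (what the summarize line produces) rather than a "report based on the query parameters".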
@@ -30,13 +30,40 @@ ms.collection: -Whether you're about to enable or have already deployed attack surface reduction rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. +The instructions to deploy attack surface reduction (ASR) rules in the most optimal way are available in [Demystifying attack surface reduction rules - Part 2](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565). +It is highly recommended to test the ASR rules on a sample-like smaller set of devices. For information on the reasons for this recommendation and on how to deploy the ASR rules on a smaller set of devices, see **Use a phased approach** section, below, in this article. + + > [!NOTE] +> Whether you're about to enable or have already deployed ASR rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. + +**Results of applying ASR rules** + +- The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. + + + +- Once applying ASR rules to devices leads to querying for reports, there are a few sources from which reports can be queried. One of such sources is the [Microsoft 365 security center](https://security.microsoft.com) + + +- ## Use a phased approach -Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. This approach enables you to see how attack surface reduction rules work in your environment and gives you flexibility in applying exclusions. You can do this with dynamic membership rules. 
+Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. - +The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: + +- **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. +- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of **applicable-not applicable** devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. + +> [!IMPORTANT] +> You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. + +**How to configure dynamic membership rules** + + ## Use code signing for applications @@ -115,7 +142,6 @@ Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-manage - Only the configurations for conflicting settings are held back. - ## See the demystifying blogs The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). From dc6a1422ef530c0659824db0176aeafda206d904 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 17:29:55 +0530 Subject: [PATCH 13/32] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 1 + 1 file changed, 1 insertion(+) 
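Review bot: the **Results of applying ASR rules** block added in the first hunk ends with an empty bullet ("- " with nothing after it), and the new **How to configure dynamic membership rules** pseudo-heading has no body; both will publish as visible gaps. The same hunk also deletes "You can do this with dynamic membership rules." from the phased-approach paragraph, so the only remaining mention of dynamic groups is the IMPORTANT callout, which still gives no configuration steps or link. Use ### headings rather than bold lines for these subsections so they appear in the page TOC, align the first line of the NOTE alert (it is indented by one space, "+ > [!NOTE]", while the next line starts at "> "), and reword "Better prospects for display of ASR rules impact" and "combinations of **applicable-not applicable** devices", which are hard to parse; the underlying point, that a small pilot set makes per-device impact visible and lets you decide exclusions before broad rollout, can be said directly.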
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index d01c44566e..c8e81166ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -65,6 +65,7 @@ Windows system folders are protected by default, along with several other folder - `c:\Users\\Pictures` - `c:\Users\Public\Pictures` - `c:\Users\Public\Videos` +- `c:\Users\\Videos` - `c:\Users\\Music` - `c:\Users\Public\Music` - `c:\Users\\Favorites` From d8afba6ecda828c656854bf29d1f5a1e6baf91fc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 19:14:10 +0530 Subject: [PATCH 14/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 19653b1a5a..0a7fe26efc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
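Review bot: The new `c:\Users\\Videos` entry in the hunk at @@ -65,6 +65,7 @@ is inserted after `c:\Users\Public\Videos`, breaking the per-user-then-Public ordering the neighbouring pairs follow (`c:\Users\\Pictures` before `c:\Users\Public\Pictures`, `c:\Users\\Music` before `c:\Users\Public\Music`); move it one line up so the Videos pair reads the same way as the others.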
@@ -48,7 +48,28 @@ It is highly recommended to test the ASR rules on a sample-like smaller set of d -- + +**Applicable to rules' states** + +This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. + +Prior to describing the best pratices for the ASR rules' states, it is important to know the states which an ASR rule can be set to: + +- **Not configured**: This is the state in which the ASR rule has been disabled. The code for this state is 0. +- **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. +- **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. + +**Recommendation** + +The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: + +1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. +2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see + + + + + ## Use a phased approach Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. From 0234660baf0f9855f3eacd73ee2d02232433747e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 5 Jan 2021 19:52:34 +0530 Subject: [PATCH 15/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
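Review bot: Item 2 under `**Recommendation**` in the hunk at @@ -48,7 +48,28 @@ ends mid-sentence ('For information on ASR rule exclusion see') with no link; add the target article or drop the clause. In the state list, `YThe code for this state is 1.` has a stray `Y`, `best pratices` is misspelled, and the **Audit** entry omits its numeric code while the other two states give theirs; 'evaluated about its impactive behavior toward the organization' would read better as 'evaluated for its impact on the organization or environment'. The new bold labels (`**Applicable to rules' states**`, `**Recommendation**`) should be `##`/`###` headings like the rest of the file.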
diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 0a7fe26efc..ea1d8dbfb2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -154,7 +154,7 @@ Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-manage - ASR rules from the following profiles are evaluated for each device the rules apply to: - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Attack Surface Reduction Rules. + - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - Settings that do not have conflicts are added to a superset of policy for the device. From 4e744a03176f3b387f71d98005fe7bd3d25f7319 Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 12:48:00 +0530 Subject: [PATCH 16/32] Update symantec-to-microsoft-defender-atp-setup.md --- .../symantec-to-microsoft-defender-atp-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 72385ecf92..d251f87b7a 100644 
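Review bot: The rewritten baseline path in the hunk at @@ -154,7 +154,7 @@ drops the trailing period that the two sibling bullets keep ('... > Attack surface reduction rules.'); end it with a period too, or remove the periods from all three bullets so the list is consistent.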
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -117,7 +117,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From 8910a420b285c848ad75714291673b1f4493b864 Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 12:58:17 +0530 Subject: [PATCH 17/32] Update mcafee-to-microsoft-defender-setup.md --- .../mcafee-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 432aed7160..8b4ea42244 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -142,7 +142,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
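Review bot: The Command Prompt row left unchanged in the hunk at @@ -117,7 +117,7 @@ still tells the reader to 'confirm that Microsoft Defender Antivirus is running in passive mode' from `sc query windefend`, but that command only reports the service state (for example RUNNING), not the mode; either say what to look for in that output or point the row at the PowerShell check. Replacing `AntivirusEnabled: True` with `AMRunningMode: Passive Mode` / `AMRunningMode: SxS Passive Mode` is the right fix, since the old check did not distinguish passive from active mode.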

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From abc9f48f50788ec2ffa57a803e9f745ba3ceb7fe Mon Sep 17 00:00:00 2001 From: Benny Shilpa Date: Fri, 8 Jan 2021 13:02:40 +0530 Subject: [PATCH 18/32] Update switch-to-microsoft-defender-setup.md --- .../switch-to-microsoft-defender-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index c1ad46027c..cce6dd54eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -138,7 +138,7 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
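Review bot: The table edited in the hunk at @@ -142,7 +142,7 @@ is the same text as the Symantec and generic switch setup pages, and all three copies are being patched line by line in separate commits; consider moving the shared 'confirm passive mode' table into an include file so the copies cannot drift again. Also add the missing space before the closing `|` in `Passive Mode**.|`, which the Command Prompt row in the same table has (`passive mode. |`).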

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. From 1cce4fea20d4e5be3b494a006c8887283e6f226a Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Tue, 2 Feb 2021 15:56:18 -0800 Subject: [PATCH 19/32] WDAC Intune OMA URI document 350K limit - Document that files deployed through custom oma-uri must be less than 350K bytes in size - Change warnings into 'removing policies' sections - Remove line indicating support for Server 2016 --- ...plication-control-policies-using-intune.md | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 8eb3de7a42..1f84641636 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
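Review bot: The new PowerShell row in the hunk at @@ -138,7 +138,7 @@ ends with `SxS Passive Mode**. |`, while the identical row just committed to the Symantec and McAfee pages ends with `SxS Passive Mode**.|`; trivial, but since the three tables are meant to be word-for-word identical, match the spacing so a later diff across the three files is clean.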
@@ -23,11 +23,8 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 -You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC). Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. - -In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. Custom OMA-URI can also be used on pre-1903 systems to deploy custom policies via the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). +You can use Microsoft Endpoint Manager (MEM) Intune to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which allows you to configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or to also allow reputable apps as defined by the Intelligent Security Graph (ISG). Using the built-in policies can be a helpful starting point, but many customers may find the available circle-of-trust options to be too limited. In order to deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. ## Using Intune's Built-In Policies 
@@ -50,9 +47,15 @@ Setting "Trust apps with good reputation" to enabled is equivalent to adding [Op ## Using a Custom OMA-URI Profile +> [!NOTE] +> Policies deployed through Intune Custom OMA-URI are subject to a 350,000 byte limit. Customers whose devices are running 1903+ builds of Windows are encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which are more streamlined and less than 350K bytes in size. + ### For 1903+ systems -The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are: +Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp), which has support for multiple policies and rebootless policies. + +#### Deploying policies +The steps to use Intune's Custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. 
@@ -65,11 +68,13 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [Applicat ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) -> [!NOTE] -> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. +#### Removing policies + +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, first replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot. ### For pre-1903 systems +#### Deploying policies The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. 
@@ -79,9 +84,11 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **Data type**: Base64 - **Certificate file**: upload your binary format policy file - -> [!NOTE] -> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. - + > [!NOTE] > Deploying policies via the AppLocker CSP will force a reboot during OOBE. + +#### Removing policies + +Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy. + From 1be537b367ca4c82a3954837ea5863b2f1340388 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 12:22:42 -0800 Subject: [PATCH 20/32] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 6bc883ca30..0835bbe05e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
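Review bot: The rewritten intro in the hunk at @@ -23,11 +23,8 @@ drops the sentence saying which CSP Custom OMA-URI uses (ApplicationControl CSP on 1903+, AppLocker CSP before), so the reader no longer learns why the article splits into 1903+ and pre-1903 sections until reaching them; keep a one-line pointer such as 'The CSP used depends on the Windows version; see the sections below.' Removing `- Windows Server 2016` from **Applies to** matches the commit message but is a support-statement change rather than an editorial one, so call it out in the PR description.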
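Review bot: The new note in the hunk at @@ -50,9 +47,15 @@ says 1903+ customers should use multiple policies 'which are more streamlined and less than 350K bytes in size', which reads as if multiple policies are automatically under the limit; the point is that splitting one large policy into several lets each stay under the 350,000-byte limit, so say that. Also put a blank line between `#### Deploying policies` and 'The steps to use ...' for consistency with the other headings in the file.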
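Review bot: 'fully deactive the policy' in the paragraph moved under `#### Removing policies` in the hunk at @@ -65,11 +68,13 @@ should be 'fully deactivate the policy'; since the line is being rewritten anyway, fix the typo here. The same hunk places `#### Deploying policies` directly above the pre-1903 steps paragraph with no blank line between them, unlike the other headings in the file.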
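Review bot: 'either deploy an audit-mode policy and/or use a script' under the new `#### Removing policies` in the hunk at @@ -79,9 +84,11 @@ mixes 'either' with 'and/or'; write 'deploy an audit-mode policy, use a script to delete the existing policy, or both'. The context line `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)` carries a stray closing parenthesis that a reader may paste into Intune; worth fixing while this section is open. The hunk also leaves two trailing blank `+` lines at end of file.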
@@ -135,7 +135,7 @@ You can review the Windows event log to view events generated by attack surface You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | From 2cf9637f14c669ff72412518643b5cceb5edbcb1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 12:24:44 -0800 Subject: [PATCH 21/32] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7ded77ec21..8602493f71 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -99,13 +99,9 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - 3. On the left panel, under **Actions**, select **Import custom view...**. - 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. The following table shows events related to controlled folder access: From 7bf688acee9507e9c1222636ed3094c17f7119ea Mon Sep 17 00:00:00 2001 
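Review bot: The context line above the table in the hunk at @@ -135,7 +135,7 @@ says the events are 'all of which are related to controlled folder access', but the file is attack-surface-reduction.md and the rows (5007, 1121, 1122; rule fires in Block or Audit mode) describe attack surface reduction rule events; fix that sentence while touching this table, since the alignment change (`|:---|:---|`) is the only edit here.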
From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:04:04 -0800 Subject: [PATCH 22/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index ea1d8dbfb2..94438fbcf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
@@ -27,17 +27,17 @@ ms.collection: - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - +Attack surface reduction rules help reduce vulnerabilities by targeting certain software behaviors. These behaviors include: -The instructions to deploy attack surface reduction (ASR) rules in the most optimal way are available in [Demystifying attack surface reduction rules - Part 2](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565). +- Launching executable files and scripts that attempt to download or run files; +- Running obfuscated or otherwise suspicious scripts; and +- Performing behaviors that apps don't usually initiate during normal day-to-day work. -It is highly recommended to test the ASR rules on a sample-like smaller set of devices. For information on the reasons for this recommendation and on how to deploy the ASR rules on a smaller set of devices, see **Use a phased approach** section, below, in this article. +This article includes tips, best practices, and important considerations regarding attack surface reduction rules. - > [!NOTE] -> Whether you're about to enable or have already deployed ASR rules for your organization, see the information in this article. By using the tips and best practices in this article, you can employ attack surface reduction rules successfully and avoid potential issues. -**Results of applying ASR rules** + +## Results of applying ASR rules - The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. @@ -49,7 +49,7 @@ It is highly recommended to test the ASR rules on a sample-like smaller set of d -**Applicable to rules' states** +## Applicable to rule states This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. 
@@ -59,7 +59,7 @@ Prior to describing the best pratices for the ASR rules' states, it is important - **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. - **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. -**Recommendation** +## Recommendation The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: @@ -77,7 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of **applicable-not applicable** devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. +- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] > You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. From 94c9bd9c9b3b8221838388477ef1555b9ac5e6cc Mon Sep 17 00:00:00 2001 
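Review bot: The three bullets added in the hunk at @@ -27,17 +27,17 @@ end in semicolons with '; and' on the second, a legal-list style that the other bullet lists in this file do not use; end each with a period or drop the punctuation. If the Demystifying Part 2 link is removed from the intro here, make sure the 'See the demystifying blogs' table still carries it, otherwise the article loses its deployment guidance pointer.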
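Review bot: `## Recommendation` in the hunk at @@ -59,7 +59,7 @@ promotes what is really a subsection of the rule-states discussion to the same level as `## Use a phased approach`, and its title does not say what it recommends; make it `### Start rules in audit mode` (or similar) under the rule-states heading. The adjacent context lines still carry `YThe code for this state is 1.` and `best pratices`, which this commit could fix at the same time.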
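Review bot: 'The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability' in the hunk at @@ -77,7 +77,7 @@ is still ungrammatical after the bold is removed; rewrite as 'you can decide which devices the rules apply to and which are excluded, based on the test results'.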
From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:40:53 -0800 Subject: [PATCH 23/32] Update best-practices-attack-surface-reduction-rules.md --- ...ractices-attack-surface-reduction-rules.md | 32 +++++++------------ 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index 94438fbcf3..b4bf06284a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -76,7 +76,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: -- **Better prospects for display of ASR rules impact** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. +- **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. - **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] 
@@ -139,29 +139,19 @@ Reports relating to ASR rule events can be generated for the preceding-6-months ## Avoid policy conflicts -If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. See [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). +If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. For more information, see [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). -Attack surface reduction (ASR) rules for MEM-managed devices now support a new behavior for merger of settings from different policies, to create a superset of policies for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. ASR rule merge behavior is as follows: +You can now create a superset of policies for attack surface reduction rules that apply to [MEM-managed devices](/mem/intune/enrollment/device-management-capabilities). When you do this, only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. 
Attack surface reduction rule merge behavior works like this: -Attack surface reduction (ASR) rules for MEM (Microsoft Endpoint Manager)-managed devices support a new behavior in terms of merger of the settings of policies. This behavior is described below: - -- If two or more policies have multiple settings configured in each of them, the settings without a conflict are merged into the superset of the policies they are mapped to. -- If two or more policies encounter a conflict over a single setting from the various settings they are configured with, only that single setting with a conflict is held back from being merged into the superset of the policies. -- The bundle of settings as a whole are not held back from being merged into the superset because of the single conflict-affected setting. -- The policy as a whole is not flagged as **being in conflict** because of one of its settings being conflict affected. - - -- ASR rules from the following profiles are evaluated for each device the rules apply to: - - Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > [Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction). - - Endpoint security > Attack surface reduction policy > Attack surface reduction rules. - - Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - -- Settings that do not have conflicts are added to a superset of policy for the device. - -- When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device. - -- Only the configurations for conflicting settings are held back. 
+| Situation | What happens | +|:---|:---| +| Two or more policies have multiple settings configured | The settings that do not conflict are merged into the superset of the policies they are mapped to. | +| Two or more policies have a conflict with a single setting | Only the single setting with a conflict is held back from being merged into the superset of the policies.

The bundle of settings as a whole is not held back from being merged into the superset because of a single conflict-affected setting.

The policy as a whole is not flagged as **being in conflict**. | +The policy superset can include settings from the following profiles: +- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction. +- Endpoint security > Attack surface reduction policy > Attack surface reduction rules. +- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules ## See the demystifying blogs From 89d32f80d3b5400d5a8147d441422d198b58c7f1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:41:22 -0800 Subject: [PATCH 24/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index b4bf06284a..fa2799337d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
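Review bot: The rewritten first bullet in the hunk at @@ -76,7 +76,7 @@ changes only the bold label and keeps 'When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent'; since the line is being replaced anyway, fix it now, for example 'With fewer devices, the impact is easier to see, because a rule can affect individual devices to very different degrees.'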
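Review bot: The new profile list in the hunk at @@ -139,29 +139,19 @@ drops the link the old bullet had on Attack Surface Reduction (`https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction`); keep it, since that is where the reader goes to find the setting. 'The policy superset can include settings from the following profiles:' is followed directly by the list with no blank line, and the new `[MEM-managed devices](/mem/intune/enrollment/device-management-capabilities)` link uses a root-relative path while every other link in the file is an absolute docs.microsoft.com URL; pick one convention. The second table row packs three sentences into one cell; make sure they are separated with `<br>` rather than line breaks, or the table will not render.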
@@ -77,7 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining ASR rule exclusion** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. +- **Ease in determining exclusions for attack surface reduction rules** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. > [!IMPORTANT] > You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. From 368ea48c52303fe0de9e20010fb96fc97dfbc009 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:50:55 -0800 Subject: [PATCH 25/32] Update best-practices-attack-surface-reduction-rules.md --- .../best-practices-attack-surface-reduction-rules.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md index fa2799337d..a4d1e2ca6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md @@ -61,7 +61,7 @@ Prior to describing the best pratices for the ASR rules' states, it is important ## Recommendation -The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best pratice are: +The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best practice are: 1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. 2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see 
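Review bot: The typo fix ("best pratice" to "best practice") is incomplete for this section: the hunk's own context line still reads "Prior to describing the best pratices for the ASR rules' states". Fix both occurrences in the same commit. Item 2 in the same hunk also ends mid-sentence ("For information on ASR rule exclusion see") with no link target; either add the link or remove the dangling clause. "The reasons for this recommendation are:" would read better than "The reasons for recommendation of this best practice are:".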
@@ -77,14 +77,7 @@ Before you roll out attack surface reduction rules in your organization, select The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining exclusions for attack surface reduction rules** - Testing ASR rules on a smaller device set gives you scope to implement flexibility in exclusions. The flexibility refers to the devising combinations of applicable/not applicable devices for ASR rules applicability. These combinations vary depending on the results of the ASR rules testing on the smaller device set. - -> [!IMPORTANT] -> You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules. - -**How to configure dynamic membership rules** - - +- **Ease in determining exclusions for attack surface reduction rules** - Testing attack surface reduction rules on a smaller set of devices gives you flexibility in identifying and defining exclusions. You can determine whether any devices are not applicable for attack surface reduction rules. ## Use code signing for applications From 4924722b91522b38ecd02482824b7d2734ec7fed Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:53:12 -0800 Subject: [PATCH 26/32] ASR content updates --- windows/security/threat-protection/TOC.md | 1 - ...ractices-attack-surface-reduction-rules.md | 159 ------------------ 2 files changed, 160 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md 
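Review bot: Removing the empty "How to configure dynamic membership rules" heading is right, but the IMPORTANT callout next to it ("You can implement the process of applying ASR rules to a smaller device set by utilizing dynamic membership rules") is the only concrete guidance on how to scope the pilot group, and this hunk drops it without a replacement. Suggest keeping that guidance as a sentence in the phased-approach section, with a link to the relevant dynamic group documentation, rather than deleting it. The rewritten bullet's closing sentence, "You can determine whether any devices are not applicable for attack surface reduction rules", is also vague about what "not applicable" means; say what the reader is looking for (devices or applications on which a rule produces false positives and therefore needs an exclusion).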
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index e62fbe4434..805b02475c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -82,7 +82,6 @@ #### [Attack surface reduction controls]() ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) -##### [Best practices with attack surface reduction rules](microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) ##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md) ##### [View attack surface reduction events](microsoft-defender-atp/event-views.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md b/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md deleted file mode 100644 index a4d1e2ca6c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/best-practices-attack-surface-reduction-rules.md +++ /dev/null 
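Review bot: Dropping the TOC entry is consistent with deleting best-practices-attack-surface-reduction-rules.md in the same commit, but this hunk only covers TOC.md; check the rest of the repository for inbound links to that file (for example, "See also" lists in the other attack surface reduction topics) so the deletion does not leave broken relative links, and say in the commit message that the page is being retired rather than the generic "ASR content updates".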
@@ -1,159 +0,0 @@ ---- -title: Tips and best practices for attack surface reduction rules -description: Prevent issues from arising with your attack surface reduction rules by following these best practices -keywords: Microsoft Defender ATP, attack surface reduction, best practices -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -author: denisebmsft -ms.author: deniseb -manager: dansimp -ms.reviewer: jcedola -audience: ITPro -ms.topic: article -ms.prod: w10 -ms.localizationpriority: medium -ms.custom: -- asr -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint ---- - -# Tips and best practices for attack surface reduction rules - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** - -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -Attack surface reduction rules help reduce vulnerabilities by targeting certain software behaviors. These behaviors include: - -- Launching executable files and scripts that attempt to download or run files; -- Running obfuscated or otherwise suspicious scripts; and -- Performing behaviors that apps don't usually initiate during normal day-to-day work. - -This article includes tips, best practices, and important considerations regarding attack surface reduction rules. - - - -## Results of applying ASR rules - -- The process of applying ASR rules on devices provides scope to query for reports. These queries can be implemented in the form of templates. - - - -- Once applying ASR rules to devices leads to querying for reports, there are a few sources from which reports can be queried. One of such sources is the [Microsoft 365 security center](https://security.microsoft.com) - - - -## Applicable to rule states - -This section describes the best practices with regard to the states which any ASR rule can be set to, irrespective of the method used to configure or deploy the ASR rule. 
- -Prior to describing the best pratices for the ASR rules' states, it is important to know the states which an ASR rule can be set to: - -- **Not configured**: This is the state in which the ASR rule has been disabled. The code for this state is 0. -- **Block**: This is the state in which the ASR rule is enabled. YThe code for this state is 1. -- **Audit**: This is the state in which the ASR rule is evaluated about its impactive behavior toward the organization or environment in which it is deployed. - -## Recommendation - -The recommended practice for a deployed ASR rule is to start it in **audit** mode. The reasons for recommendation of this best practice are: - -1. **Access to logs and reviews**: When an ASR rule is set to **audit** mode, you can get access to the logs and reviews pertaining to it. These logs and reviews are data that helps you to analyze the impact of the ASR rule. -2. **Rule-related decision**: The analysis findings guided by the logs and reviews help you take a decision whether to deploy or exclude the ASR rule or not. For information on ASR rule exclusion see - - - - - -## Use a phased approach - -Before you roll out attack surface reduction rules in your organization, select a small set of managed devices to start. - -The reasons for selecting a smaller set of devices as the sample object on which the ASR rules are to be applied are: - -- **Better prospects for seeing the impact of attack surface reduction rules** - This approach enables you to see how attack surface reduction rules work in your environment. When lesser number of devices are used, the impact becomes more apparent because the ASR rules can sometimes impact a particular device to a larger extent. -- **Ease in determining exclusions for attack surface reduction rules** - Testing attack surface reduction rules on a smaller set of devices gives you flexibility in identifying and defining exclusions. 
You can determine whether any devices are not applicable for attack surface reduction rules. - -## Use code signing for applications - -As a best practice, use code signing for all the applications and scripts that your organization is using. This includes internally developed applications. Using code signing helps avoid false positives with attack surface reduction rules. It can also help avoid issues with attack surface reduction rules for developers and other users within your organization. - -## View reports from various sources in Microsoft - -### From the Microsoft 365 security center - -In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Reports** > **Devices** > **Attack surface reduction**. (MORE TO COME!) - -To retrieve and view the reports generated in ([https://security.microsoft.com](https://security.microsoft.com)), ensure that the device for which you seek a report is onboarded on to Microsoft Defender ATP. - -### By Microsoft Defender ATP advanced hunting - -Advanced hunting is a query-based threat-hunting tool of Microsoft Defender ATP. This tool generates reports based on the findings of the threat-hunting process. - -The **advanced hunting** tool enables the users to audit the **Of-the-last-30-days** data collected from various devices by Microsoft Defender ATP Endpoint Detection and Response (EDR). It facilitates proactive logging of any suspicious indicators and entities in the events that you explore. This tool provides flexibility in accessing data (without any restriction in category of data to be accessed). This flexibility enables the user to detect known threats and spot new threats. - -The reports for the ASR rules' events are generated by querying the **DeviceEvents** table. - -**Template of DeviceEvents table** - -DeviceEvents -| where Timestamp > ago (30d) -| where ActionType startswith "Asr" -| summarize EventCount=count () by ActionType - -**Procedure** - -1. 
Navigate to **Advanced hunting** module in the **Microsoft Defender Security Center** portal. -2. Click **Query**. -3. Click **+ New** to create a new query. -4. Click **Run query**. The report based on the query parameters (specified in the **Template of DeviceEvents table** section) is generated. - -### By Microsoft Defender ATP machine timeline - -Machine timeline is another report-generating source in Microsoft Defender ATP, but with a narrower scope. - -Reports relating to ASR rule events can be generated for the preceding-6-months period on a specific endpoint or device. - -**Summarized procedure to generate report** - -1. Log in to **Microsoft Defender Security Center** and navigate to the **Machines** tab. -2. Choose a machine for which you want to view the reports of its ASR rule-related events. -3. Click **Timeline** and choose the time range for which the report is to display data. - - -## Get the Power BI report template - - - -## Avoid policy conflicts - -If a conflicting policy has emerged as a result of a policy being applied from Mobile Device Management (MDM, using Intune) and Group Policy, the setting applied from MDM takes precedence. For more information, see [Attack surface reduction rules](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-rules). - -You can now create a superset of policies for attack surface reduction rules that apply to [MEM-managed devices](/mem/intune/enrollment/device-management-capabilities). When you do this, only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either of the profiles would be deployed. 
Attack surface reduction rule merge behavior works like this: - -| Situation | What happens | -|:---|:---| -| Two or more policies have multiple settings configured | The settings that do not conflict are merged into the superset of the policies they are mapped to. | -| Two or more policies have a conflict with a single setting | Only the single setting with a conflict is held back from being merged into the superset of the policies.

The bundle of settings as a whole is not held back from being merged into the superset because of a single conflict-affected setting.

The policy as a whole is not flagged as **being in conflict**. | - -The policy superset can include settings from the following profiles: -- Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction. -- Endpoint security > Attack surface reduction policy > Attack surface reduction rules. -- Endpoint security > Security baselines > Microsoft Defender ATP Baseline > Profiles > Profile Name > Properties > Configuration settings > Attack Surface Reduction Rules - -## See the demystifying blogs - -The following table lists several blog posts that you might find helpful. All of these blogs are hosted on the [Microsoft Tech Community site](https://techcommunity.microsoft.com), under [Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog). - -|Blog |Description | -|---------|---------| -|[Demystifying attack surface reduction rules - Part 1: Why and What](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) | Get a quick overview of the Why and the What through eight questions and answers. | -|[Demystifying attack surface reduction rules - Part 2: How](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-2/ba-p/1326565) | See how to configure attack surface reduction rules, how exclusions work, and how to define exclusions. | -|[Demystifying attack surface reduction rules - Part 3: Reports and Troubleshooting](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-3/ba-p/1360968) | Learn how to view reports and information about attack surface reduction rules and their status, and how to troubleshoot issues with rule impact and operations. 
| -|[Demystifying attack surface reduction rules - Part 4: Migrating](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-4/ba-p/1384425) | If you're currently using a non-Microsoft host intrusion prevention system (HIPS) and are evaluating or migrating to attack surface reduction capabilities in Microsoft Defender for Endpoint, see this blog. You'll see how custom rules you were using with your HIPS solution can map to attack surface reduction rules in Microsoft Defender for Endpoint. | - From 70580c16ad5f361a79660284ce0d5bbcd47d1c76 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 13:58:12 -0800 Subject: [PATCH 27/32] Update controlled-folders.md --- .../microsoft-defender-atp/controlled-folders.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 8602493f71..b6ab784185 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md 
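Review bot: This deletion removes finished content that nothing else in this patch series re-adds, and the commit message ("ASR content updates") does not say whether it is being moved or dropped: the "Use code signing for applications" recommendation, the "Avoid policy conflicts" section with the MDM-over-Group-Policy precedence statement and the settings-merge table, the advanced hunting query on the DeviceEvents table (where ActionType startswith "Asr"), and the table of "Demystifying attack surface reduction rules" blog links. The page clearly still contained draft placeholders ("(MORE TO COME!)", the empty "Get the Power BI report template" section, the stray "Y" in "YThe code for this state is 1"), so retiring the draft is understandable, but please either migrate the finished sections into attack-surface-reduction.md or a related topic, or state in the commit message that they are intentionally removed.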
@@ -42,7 +42,7 @@ Controlled folder access works best with [Microsoft Defender for Endpoint](../mi Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. +Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders. Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. 
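Review bot: The rewritten paragraph switches terms mid-thought: "list of trusted apps" in the first sentence, "list of trusted software" in the second, then "the list" in the third. Use one term ("list of trusted apps") throughout so readers do not wonder whether these are different lists.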
@@ -52,7 +52,7 @@ Apps can also be added manually to the trusted list by using Configuration Manag Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. 
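Review bot: The unchanged context sentence "You can also enable the rules individually to customize what techniques the feature monitors" does not fit this page: controlled folder access, as the surrounding text describes it, is a single feature with a list of protected folders and trusted apps, not a set of individually enabled rules, so the sentence reads as carried over from the attack surface reduction rules topic and should be removed or reworded while this paragraph is being edited. The "add additional folders" to "add more folders" wording change itself is fine; note that it keeps the #protect-additional-folders anchor, so the target heading in customize-controlled-folders.md must keep its current text.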
@@ -131,4 +131,4 @@ You can use the Windows Security app to view the list of folders that are protec - [Evaluate controlled folder access](evaluate-controlled-folder-access.md) - [Customize controlled folder access](customize-controlled-folders.md) -- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) +- [Protect more folders](customize-controlled-folders.md#protect-additional-folders) From b3579aab3320bead1ea7ef70196acda23e07aa43 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 14:00:38 -0800 Subject: [PATCH 28/32] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 0835bbe05e..bce0f8e035 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
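Review bot: "Protect more folders" as link text with an unchanged #protect-additional-folders anchor will look wrong to anyone comparing the link with the heading it points at; either keep the anchor and accept the mismatch deliberately, or, if the heading in customize-controlled-folders.md is renamed to "Protect more folders" for consistency, update both anchors (this one and the one in the @@ -52 hunk) in the same change so neither link breaks.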
@@ -43,11 +43,11 @@ For more information about configuring attack surface reduction rules, see [Enab ## Assess rule impact before deployment -You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). +You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). :::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: -In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. +In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity. ## Audit mode for evaluation From 49b748a730aa40bc625bc3b57a406143667092bf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 3 Feb 2021 14:04:00 -0800 Subject: [PATCH 29/32] Update attack-surface-reduction.md --- .../attack-surface-reduction.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index bce0f8e035..846bc4dbca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
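Review bot: In the unchanged image line, the alt text "Security reco for attack surface reduction rule" uses the abbreviation "reco"; since this commit is already tidying wording in this section, spell it out as "Security recommendation for an attack surface reduction rule" so screen readers and localization get a real phrase. The "impact" to "affect" changes themselves read well.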
@@ -51,7 +51,7 @@ In the recommendation details pane, check for user impact to determine what perc ## Audit mode for evaluation -Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity. ## Warn mode for users 
@@ -95,13 +95,13 @@ Notifications and any alerts that are generated can be viewed in the Microsoft D You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. -For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. +For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM. For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later 
@@ -169,9 +169,9 @@ If you are configuring attack surface reduction rules by using Group Policy or P ### Block Adobe Reader from creating child processes -This rule prevents attacks by blocking Adobe Reader from creating additional processes. +This rule prevents attacks by blocking Adobe Reader from creating processes. -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. +Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. This rule was introduced in: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) 
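Review bot: The first changed line loses meaning: "blocking Adobe Reader from creating processes" is not the same as the heading's "creating child processes" (Adobe Reader is itself a process; the rule blocks what it spawns). Keep "child processes" here, as the second paragraph still does. In the second changed line, "malware attempting to use it as a vector are prevented from spreading" has a subject-verb disagreement; "malware" is singular, so "is prevented".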
@@ -188,7 +188,7 @@ GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) 
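Review bot: "download and attempt to run more payloads" reads oddly (more than what?); "additional payloads" or simply "payloads" is clearer. The same sentence has "Malware that abuse Office as a vector often run VBA macros"; "malware" is singular, so "abuses" and "runs".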
@@ -353,7 +353,7 @@ GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. 
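Review bot: The change from "exploit code" to "exploiting code" alters the meaning: "exploit code" is the established term for code that exploits a vulnerability, whereas "exploiting code" makes "code" the thing being exploited. Revert to "prevents exploit code from abusing vulnerabilities in Outlook".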
@@ -426,7 +426,7 @@ GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` This rule prevents VBA macros from calling Win32 APIs. -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. +Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) From 7ca558ba2347ccad48dd3db0e644a6c10f5b306f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 3 Feb 2021 16:02:31 -0800 Subject: [PATCH 30/32] Added automatic image border, indented note in list item --- ...er-application-control-policies-using-intune.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 1f84641636..d44af33f24 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -58,15 +58,20 @@ Beginning in 1903, Custom OMA-URI policy deployment leverages the [ApplicationCo The steps to use Intune's Custom OMA-URI functionality are: 1. Know a generated policy's GUID, which can be found in the policy xml as `` + 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 3. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 4. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 5. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **Data type**: Base64 - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. - ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) + > [!div class="mx-imgBorder"] + > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png) #### Removing policies 
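Review bot: Step 1 in this hunk has an empty inline code span ("...can be found in the policy xml as ``"), so the reader is never told which XML element carries the policy GUID; the element name was most likely stripped because its angle brackets rendered as HTML, and it should be restored inside the code span (escaped if needed). Indenting the image under step 5 inside the mx-imgBorder div is otherwise correct, and the blank lines between the numbered steps will render the list as a loose list, consistent with the second hunk.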
@@ -78,15 +83,18 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. + 2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. + 3. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Custom** as the **Profile type**. + 4. Add a row, then give your policy a name and use the following settings: - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **Data type**: Base64 - **Certificate file**: upload your binary format policy file -> [!NOTE] -> Deploying policies via the AppLocker CSP will force a reboot during OOBE. + > [!NOTE] + > Deploying policies via the AppLocker CSP will force a reboot during OOBE. #### Removing policies From b7ff50c0ecc9ad5290c8b2f796714d4b0a315b5f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 3 Feb 2021 16:31:28 -0800 Subject: [PATCH 31/32] Default update for AutomaticMaintenanceWakeUp --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index df70a21a7c..ac89864af8 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1113,8 +1113,8 @@ ADMX Info: Supported values: -- 0 - Disable (Default) -- 1 - Enable +- 0 - Disable +- 1 - Enable (Default) From 650ec848bbef230bfad7b9992a99daecc0c44bbe Mon Sep 17 00:00:00 2001 
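Review bot: The unchanged OMA-URI in step 4, ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy), ends with a stray closing parenthesis that a reader may paste into Intune as part of the path; since the hunk already touches this list, drop the ")" here. Indenting the NOTE so it renders under step 4 is the right fix.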
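Review bot: The policy-csp-update.md hunk flips the documented default for AutomaticMaintenanceWakeUp from 0 (Disable) to 1 (Enable), but the commit message ("Default update for AutomaticMaintenanceWakeUp") gives no source; for a policy reference page, record where the new default was verified (the corresponding ADMX or CSP definition) in the commit message, and check that the policy description above the "Supported values" list does not still describe the behavior as off by default.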
From: Gary Moore Date: Wed, 3 Feb 2021 16:55:50 -0800 Subject: [PATCH 32/32] Fixed list of categories that was displayed as a paragraph --- .../mdm/policy-csp-update.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ac89864af8..8698b88092 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1733,18 +1733,19 @@ OS upgrade: Update: - Maximum deferral: 1 month - Deferral increment: 1 week -- Update type/notes: - If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 +- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic: + + - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 + - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 + - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F + - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 + - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB + - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F + - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 + - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 Other/cannot defer: + - Maximum deferral: No deferral - Deferral increment: No deferral - Update type/notes:
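Review bot: The blank line inserted after "Other/cannot defer:" has no counterpart after "Update:" at the top of the hunk ("Update: - Maximum deferral: 1 month"), so the two blocks will render with different spacing; add or omit the blank line consistently. Folding "If a machine has Microsoft Update enabled..." into the "Update type/notes:" item and indenting the category GUIDs beneath it does fix the list being displayed as a paragraph, as the commit message says.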