diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
index 86c947101d..0567af3379 100644
--- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@@ -50,7 +50,54 @@ It also describes how to enable or configure the mitigations using Windows Defen
All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
-You can set each of the mitigations to on, off, or to their default value as indicated in the following table. Some mitigations have additional options, these are indicated in the description in the table.
+
+You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
+
+>[!IMPORTANT]
+>If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
+>
+>
+>Enabled in **Program settings** | Enabled in **System settings** | Behavior
+>:-: | :-: | :-:
+> | | As defined in **Program settings**
+> | | As defined in **Program settings**
+> | | As defined in **System settings**
+> | | Default as defined in **Use default** option
+>|XX|XX
+>
+>
+>
+>- **Example 1**
+>
+> You configure **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
+>
+> You then add the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)** you enable the **Override system settings** option and set the switch to **On**. You don't have any other apps listed in the **Program settings** section.
+>
+>The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
+>
+>
+>- **Example 2**
+>
+> You configure **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
+>
+> You then add the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)** you enable the **Override system settings** option and set the switch to **On**.
+>
+> You also add the app *miles.exe* to the **Program settings** section and configure **Control flow guard (CFG)** to **On**. You don't enable the **Override system settings** option for DEP or any other mitigation for that app.
+>
+>The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
+
+Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On".
+
+
+
+
+
+
+
+
+
+
+The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
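Review bot: The matrix inside the new IMPORTANT note ends with a row `>|XX|XX` that reads as a leftover placeholder and should be removed before merge. As the hunk stands, the first two cells of the four data rows are also empty, so the two "As defined in **Program settings**" rows cannot be told apart; if those cells are meant to carry the check images added in this commit, give them alt text (or plain Yes/No) so the matrix survives without images. The result paragraphs in both examples (`>The result will be that DEP only will be enabled for *test.exe*.` and the matching line in Example 2) lack the leading space the other paragraphs under each bullet use, so they will render outside the list item; indent them, and consider "DEP will be enabled only for *test.exe*". The sentence "In the following example, the default for Data Execution Prevention is "On"." is followed only by a run of blank added lines, so either the example reference is missing or the blank lines should be collapsed to one.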
@@ -89,10 +136,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi

-3. Under the **System settings** section, find the mitigation you want to configure and select either:
- - **On by default**
- - **Off by default**
- -**Use default**
+3. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
+ - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ - **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
+ - **Use default** - The mitigation is either enabled or disabled, depending on the default configuration for Windows 10; the default value (**On** or **Off**) is always specified next to the **Use default** label for each of the mitigations
>[!NOTE]
>You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting.
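Review bot: The **Use default** bullet does not say that it applies only to apps without this mitigation set in **Program settings**, although the **On by default** and **Off by default** bullets both state that condition; add the same qualifier so the precedence described in the IMPORTANT note above is consistent across all three options. In the step 3 intro, the colon that introduces the list is attached to the second sentence ("Apps that aren't configured individually ... will use the settings configured here:"); move that sentence ahead of "select one of the following:" so the list follows the instruction it belongs to.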
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png b/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png
new file mode 100644
index 0000000000..040c7d2f63
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/check-no.png differ
diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png b/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png
new file mode 100644
index 0000000000..eafac1db7a
Binary files /dev/null and b/windows/threat-protection/windows-defender-exploit-guard/images/ep-default.png differ