Corrected note styles, adjusted layout, added punctuation, minor fixes

windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md

@@ -50,17 +50,17 @@ Destructive and non-destructive PIN reset use the same entry points for initiati
 For Azure AD joined devices:
 
 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Click **I forgot my PIN** from the PIN credential provider
-1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e. Password, PIN, Security key)
-1. Follow the instructions provided by the provisioning process
+1. Click **I forgot my PIN** from the PIN credential provider.
+1. Select an authentication option from the list of presented options. This list will be based on the different authentication methods enabled in your tenant (i.e., Password, PIN, Security key).
+1. Follow the instructions provided by the provisioning process.
 1. When finished, unlock your desktop using your newly created PIN.
 
 For Hybrid Azure AD joined devices:
 
 1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
-1. Click **I forgot my PIN** from the PIN credential provider
+1. Click **I forgot my PIN** from the PIN credential provider.
 1. Enter your password and press enter.
-1. Follow the instructions provided by the provisioning process
+1. Follow the instructions provided by the provisioning process.
 1. When finished, unlock your desktop using your newly created PIN.
 
 > [!NOTE]
@@ -94,13 +94,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 ### Connect Azure Active Directory with the PIN reset service
 
 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
+
    ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
+
 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
- ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
-    > [!NOTE]
-    > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+
+   ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
+
+   > [!NOTE]
+   > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
+
 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
 
    > [!div class="mx-imgBorder"]
@@ -122,7 +129,7 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput
 1. Set **Enable PIN recovery** to **Yes**.
 
 > [!NOTE]
-> You can also setup PIN recovery using configuration profiles.
+> You can also set up PIN recovery using configuration profiles.
 >
 > 1. Sign in to Endpoint Manager.
 > 1. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
@@ -141,7 +148,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
 
 #### Sample User state Output for Destructive PIN Reset
 
-```
+```console
 +----------------------------------------------------------------------+
 | User State                                                           |
 +----------------------------------------------------------------------+
@@ -160,7 +167,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
 
 #### Sample User state Output for Non-Destructive PIN Reset
 
-```
+```console
 +----------------------------------------------------------------------+
 | User State                                                           |
 +----------------------------------------------------------------------+
@@ -189,21 +196,29 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
 ### Configuring Policy Using Intune
 
 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
+
 1. Click **Devices**. Click **Configuration profiles**. Click **Create profile**.
+
 1. For Platform select **Windows 10 and later** and for Profile type select **Templates**. In the list of templates that is loaded, select **Custom** and click Create.
+
 1. In the **Name** field type **Web Sign In Allowed URLs** and optionally provide a description for the configuration. Click Next.
+
 1. On the Configuration settings page, click **Add** to add a custom OMA-URI setting. Provide the following information for the custom settings
+
     - **Name:** Web Sign In Allowed URLs
     - **Description:** (Optional) List of domains that are allowed during PIN reset flows.
     - **OMA-URI:** ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
     - **Data type:** String
-    - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be signin.contoso.com;portal.contoso.com (no double quotes)
+    - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
 
-   ![Custom Configuration for ConfigureWebSignInAllowedUrls policy](images/pinreset/allowlist.png)
+    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
 
 1. Click the Save button to save the custom configuration.
+
 1. On the Assignments page, use the Included groups and Excluded groups sections to define the groups of users or devices that should receive this policy. Once you have completed configuring groups click the Next button.
+
 1. On the Applicability rules page, click Next.
+
 1. Review the configuration that is shown on the Review + create page to make sure that it is accurate. Click create to save the profile and apply it to the configured groups.
 
 > [!NOTE]

windows/security/threat-protection/auditing/event-4627.md

@@ -33,12 +33,14 @@ You must also enable the Success audit for [Audit Logon](audit-logon.md) subcate
 
 Multiple events are generated if the group membership information cannot fit in a single security audit event.
 
-> **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
 
 <br clear="all">
 
 ***Event XML:***
-```
+
+```xml
 - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 - <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
@@ -86,7 +88,8 @@ Multiple events are generated if the group membership information cannot fit in
 
 -   **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+> [!NOTE]
+> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
 
@@ -122,7 +125,8 @@ Multiple events are generated if the group membership information cannot fit in
 
 -   **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
 
-> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+> [!NOTE]
+> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
 
 -   **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
 
@@ -148,7 +152,8 @@ Multiple events are generated if the group membership information cannot fit in
 
 For 4627(S): Group membership information.
 
-> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+> [!IMPORTANT]
+> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
 
 -   Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.