diff --git a/windows/client-management/mdm/images/block-untrusted-processes.png b/windows/client-management/mdm/images/block-untrusted-processes.png
new file mode 100644
index 0000000000..c9d774457e
Binary files /dev/null and b/windows/client-management/mdm/images/block-untrusted-processes.png differ
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 3f3ff07a6f..db47504bc5 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -64,7 +64,7 @@ However, we recommend enabling real-time protection for improved scanning perfor
 
 Enable EG-ASR “Block untrusted and unsigned processes that run from USB”:End-users might plug in removable devices that are infected with malware. 
 In order to prevent infections, a company can block files from usb devices which are not signed or are untrusted. Alternatively, companies can leverage the audit feature of ASR to monitor the USB activity of untrusted and unsigned processes that execute on a USB device.  This can be done through the EG-ASR “Block untrusted and unsigned processes that run from USB” Rule. 
-With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: Executable files (such as .exe, .dll, or .scr) and Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
+With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files.
 
 These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). 
 
@@ -84,7 +84,7 @@ These settings require [enabling real-time protection](https://docs.microsoft.co
 
 4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. 
 
-5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. 
+5. For **Unsigned and untrusted processes that run from USB**, choose **Audit only**. 
 
    ![Block untrusted processes](images/block-untrusted-processes.png)
 
diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png
index 3080e0d1f0..c5306ac7f4 100644
Binary files a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ