edits from Sakib

windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md

@@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: jsuther1974
-ms.date: 05/16/2019
+author: mdsakibMSFT
+ms.date: 05/17/2019
 ---
 
 # Allow COM object registration in a Windows Defender Application Control policy
@@ -32,7 +32,7 @@ Get GUID of application to allow in one of the following ways:
 - Finding block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script) and extracting GUID
 - Creating audit policy (using New-CIPolicy –Audit), potentially with specific provider, and use info from block events to get GUID
 
-### Author setting
+### Author policy setting to allow or deny COM object GUID
 
 Three elements:
 - Provider: platform on which code is running (values are  Powershell, WSH, IE, VBA, MSI, or a wildcard “AllHostIds”)
@@ -46,21 +46,32 @@ One attribute:
 
 ### Examples
 
+Example 1: Allows registration of all COM object GUIDs in any provider
+
 ```xml
-    <Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId">
-      <Value>
-        <Boolean>true</Boolean>
-      </Value>
-    </Setting>
-    <Setting Provider="IE" Key="{00000000-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
-      <Value>
-        <Boolean>false</Boolean>
-      </Value>
-    </Setting>
-    <Setting Provider="PowerShell" Key="{33333333-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
-      <Value>
-        <Boolean>true</Boolean>
-      </Value>
-    </Setting>
+<Setting Provider="AllHostIds" Key="AllKeys" ValueName="EnterpriseDefinedClsId">
+  <Value>
+    <Boolean>true</Boolean>
+  </Value>
+</Setting>
+```
+
+Example 2: Blocks a specific COM object from being registered via Internet Explorer (IE)
+
+```xml
+<Setting Provider="IE" Key="{00000000-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
+  <Value>
+    <Boolean>false</Boolean>
+  </Value>
+</Setting>
+
+Example 3: Allows a specific COM object to register in PowerShell
+
+```xml
+<Setting Provider="PowerShell" Key="{33333333-4444-4444-1616-161616161616}" ValueName="EnterpriseDefinedClsId">
+  <Value>
+    <Boolean>true</Boolean>
+  </Value>
+</Setting>
 ```
 

windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md

@@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: jsuther1974
-ms.date: 05/14/2019
+author: mdsakibMSFT
+ms.date: 05/17/2019
 ---
 
 # Create Windows Defender Application Control path-based rules 

windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md

@@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: jsuther1974
-ms.date: 05/10/2019
+author: mdsakibMSFT
+ms.date: 05/17/2019
 ---
 
 # Deploy multiple Windows Defender Application Control Policies 
@@ -44,19 +44,22 @@ Note that multiple policies will not work on pre-1903 systems.
 ### Allow Multiple Policies
 
 In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base.
+
 ```powershell
 New-CIPolicy -MultiplePolicyFormat -foo –bar
 ```
 
 Optionally, you can choose to make the new base policy supplementable (allow supplemental policies).
+
 ```powershell
 Set-RuleOption -FilePath <string> Enabled:Allow Supplemental Policies
 ```
 
 For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers.
-  ```powershell
-  Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny]  [<CommonParameters>]
-  ```
+
+```powershell
+Add-SignerRule -FilePath <string> -CertificatePath <string> [-Kernel] [-User] [-Update] [-Supplemental] [-Deny]  [<CommonParameters>]
+```
 
 ### Supplemental Policy Creation
 

windows/security/threat-protection/windows-defender-application-control/sideloading-win32-apps-on-windows-10-s-mode-devices.md

@@ -6,8 +6,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: jsuther1974
-ms.date: 05/06/2018
+author: mdsakibMSFT
+ms.date: 05/17/2018
 ---
 
 # Sideloading Win32 apps on Windows 10 S mode devices 
@@ -51,24 +51,37 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must ‘unlo
 ## Creating and Signing a Supplemental Policy
 
 1.	Create new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps)
+
     ```powershell
     New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath <path> -MultiplePolicyFormat 3> <path\CIPolicyLog.txt> -FilePath <path\SupplementalPolicy.xml>
     ```
+
 2.	Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
+
     ```powershell
     Set-CIPolicyIdInfo -BasePolicyToSupplementPath <path\SupplementalPolicy.xml> -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath <path\SupplementalPolicy.xml>
     ```
-    Note: ‘5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
+
+    >[!NOTE]
+    >‘5951A96A-E0B5-4D3D-8FB8-3E5B61030784' is the S-mode Base Policy ID.
+
 3.	Put policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps)
+
     ```powershell
     Set-RuleOption -FilePath <path\SupplementalPolicy.xml> -Option 3 –Delete
     ```
+
     This deletes the ‘audit mode’ qualifier.
+
 4.	Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
+
     ```powershell
     ConvertFrom-CIPolicy -XmlFilePath <path\SupplementalPolicy.xml> -BinaryFilePath <path\PolicyID>
     ```
-    Note: PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
+
+    >[!NOTE]
+    >PolicyID can be found by inspecting the Supplemental Policy XML. Convert to .bin to sign with DGSS (recommended) or .cip to sign locally.
+
 5.	To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
     To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).
 
@@ -76,14 +89,18 @@ To allow Win32 apps to run on a Windows 10 device in S mode, admins must ‘unlo
 An admin must generate an app catalog for every deployed app:
 1.	Use Package Inspector to [create a catalog](https://docs.microsoft.com/microsoft-store/add-unsigned-app-to-code-integrity-policy#a-href-idcreate-catalog-filesacreate-catalog-files-for-your-unsigned-app)
     - Start Package Inspector to scan the installer:
+
       ```console
       PackageInspector.exe start C: -path <path to installer>
       ```
+
     - Open the app installer.
     - Stop Package Inspector:
+
       ```console
       PackageInspector.exe stop C: -Name <path\app.cat> -cdfpath <path\app.cdf>
       ```
+     
 2.	To sign using the recommended DGSS option through the Microsoft Store for Business, click **Manage** > **Settings** > **Devices** > **Upload** > **Sign**.
     To sign locally using signtool, see [Signing policies with signtool](signing-policies-with-signtool.md).