From c236872fc7c3f3a03ca9dcce0d4db69570ee4622 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 14:47:51 -0700 Subject: [PATCH 1/8] fiddling with svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../windows-defender-exploit-guard/images/svg/check-no.svg | 7 +++++++ .../images/svg/{check-yes.md => check-yes.svg} | 0 .../images/svg/check-yes.txt | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.md => check-yes.svg} (100%) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index b2d2890d2b..dc473a60bd 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 100f50a48374d74fed4367f277393e4c297baf1b Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 15:58:44 -0700 Subject: [PATCH 2/8] svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../images/svg/{check-yes.svg => check-yes.md} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.svg => check-yes.md} (100%) diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index dc473a60bd..8abaf116d0 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md From b829576491a039eba086ceae3360dd07ebf2d8e3 Mon Sep 17 00:00:00 2001 
From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 12:52:52 -0800 Subject: [PATCH 3/8] updates to ASR exclusions to indicate which rules can't use them --- .../attack-surface-reduction-exploit-guard.md | 5 ++-- .../customize-attack-surface-reduction.md | 30 +++++++++++++++++-- .../enable-attack-surface-reduction.md | 6 ++-- .../images/svg/check-no.svg | 7 +++++ .../images/svg/check-yes.svg | 7 +++++ 5 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5173d88d30..7aed2de7ad 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -64,7 +64,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: -Rule name | GUIDs +Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -93,7 +93,8 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files - +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block Office applications from creating child processes 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index e68c054cde..da4006d74f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -43,9 +43,35 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by Attack surface reduction rules. +You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. + +This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> +>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. + +Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. + +>[!IMPORTANT] +>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
+ + +Rule description | Rule honors exclusions | GUID +-|- +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D + +See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). ### Use Group Policy to exclude files and folders diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index e4853782de..7c56eff7bf 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
@@ -50,7 +50,7 @@ Attack surface reduction rules are identified by their unique rule ID. You can manually add the rules by using the GUIDs in the following table: -Rule description | GUIDs +Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -62,7 +62,7 @@ Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DD See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable Attack surface reduction rules +### Use Group Policy to enable or audit Attack surface reduction rules 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -84,7 +84,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to - ### Use PowerShell to enable Attack surface reduction rules + ### Use PowerShell to enable or audit Attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 9292352705422b4f1af31d889b2a02764d024405 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:44:47 -0800 Subject: [PATCH 4/8] update svg --- .../customize-attack-surface-reduction.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index da4006d74f..71d5e72d89 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -61,14 +61,14 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|- +-|-|- Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | 
D3E037E1-3EB8-44C8-A917-57927947596D See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cb54f4ee924f022cbf79b50d1fbf7f732436311 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:53:30 -0800 Subject: [PATCH 5/8] consistency to rule names --- .../attack-surface-reduction-exploit-guard.md | 6 +++++- .../customize-attack-surface-reduction.md | 10 +++++----- .../enable-attack-surface-reduction.md | 6 +++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 7aed2de7ad..9bf3316aeb 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -117,14 +117,18 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. -### Rule: Block JavaScript ok VBScript From launching downloaded executable content +### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block execution of potentially obfuscated scripts 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 71d5e72d89..8623e252d7 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -62,13 +62,13 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|-|- -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 See the [Attack surface 
reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 7c56eff7bf..c147b811c2 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -55,10 +55,10 @@ Rule description | GUID Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cf0214497e8c8f23254dfaf93f1ce9c94267194 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:58:21 -0800 Subject: [PATCH 6/8] update imp note about rules that don't allow exclusions --- .../attack-surface-reduction-exploit-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9bf3316aeb..79d18a0881 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -94,7 +94,7 @@ This rule blocks the following file types from being run or launched from an ema - Script archive files >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block Office applications from creating child processes @@ -118,7 +118,7 @@ This is typically used by malware to run malicious code in an attempt to hide th >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block JavaScript or VBScript From launching downloaded executable content @@ -128,7 +128,7 @@ This rule prevents these scripts from being allowed to launch apps, thus prevent >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block execution of potentially obfuscated scripts From 2b2fb10044869a0c20965dc4853a7ae184de79b1 Mon Sep 17 00:00:00 2001 
From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 14:16:12 -0800 Subject: [PATCH 7/8] update svg files --- .../images/svg/check-no.md | 7 --- .../images/svg/check-no.svg} | 0 .../images/svg/check-yes.md | 7 --- .../images/svg/check-yes.svg} | 0 ...indows-defender-antivirus-compatibility.md | 6 +-- .../customize-attack-surface-reduction.md | 2 +- .../customize-exploit-protection.md | 52 +++++++++---------- .../images/svg/check-yes.txt | 7 --- 8 files changed, 30 insertions(+), 51 deletions(-) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-no.md => windows-defender-antivirus/images/svg/check-no.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-yes.md => windows-defender-antivirus/images/svg/check-yes.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md deleted file mode 100644 index afa7a3d27d..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg 
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md deleted file mode 100644 index 4dd10553c4..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 8abaf116d0..ac10f8950b 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,9 +67,9 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] -Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] +Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). 
| [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 8623e252d7..421eef2058 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -61,7 +61,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|-|- +-|:-:|- Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 40aebba1d3..6b1389f6dd 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -63,28 +63,28 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | - -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. 
Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. 
Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +- | - | - | :-: +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. 
| System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Do not allow child processes | Prevents an app from creating child processes. 
| App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] >[!IMPORTANT] >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: 
@@ -92,10 +92,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi > >Enabled in **Program settings** | Enabled in **System settings** | Behavior >:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option > > > diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt deleted file mode 100644 index 483ff5fefc..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file From 89d2753d20867bf12dcf0dd2d0c5ae9c0a9f49b5 Mon Sep 17 00:00:00 2001 
From: Iaan D'Souza-Wiltshire Date: Fri, 10 Nov 2017 15:12:44 -0800 Subject: [PATCH 8/8] toc typo --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 85aa64621b..986357c45a 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -165,7 +165,7 @@ #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) #### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) -##### [Troublehsoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) +##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) #### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) ##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) ##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
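Review bot: The rename in the first hunk of this patch moves check-yes.md out of windows-defender-exploit-guard/images/svg/ into windows-defender-antivirus/images/svg/check-yes.svg, while the exploit-guard pages touched later in the same patch (customize-attack-surface-reduction.md and customize-exploit-protection.md) reference `images/svg/check-yes.svg` relative to their own directory, and the only other check-yes file in that directory, check-yes.txt, is deleted at the end of the patch. Please confirm that windows-defender-exploit-guard/images/svg/check-yes.svg and check-no.svg still exist after this series is applied (for example via the rename in PATCH 1/8), or copy the SVG rather than moving it; otherwise every include in those two pages breaks.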
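Review bot: Stray closing bracket at the end of the rewritten `Automatic disabled mode` row in the windows-defender-antivirus-compatibility.md hunk: the last cell reads `[!include[Check mark no](images/svg/check-no.svg)]]`, which leaves a literal `]` in the rendered table, so drop the extra bracket. The same hunk also replaces the one plain image reference `![Check mark no](images/svg/check-no.svg)` with the `[!include[...](...)]` form; since `[!include]` pulls a file's content inline rather than embedding it as an image, please confirm the build renders an .svg this way, or use `![alt](path)` consistently for all five cells.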
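Review bot: Since every row of the mitigation table in customize-exploit-protection.md is re-emitted in this hunk, this is the place to fix two defects the lines carry forward rather than just the file suffix: the Code integrity guard row says "images signed by Microsoft, WQL, and higher" where the signing level is WHQL, and the Bottom-Up ASLR row is missing a comma in "system structures heaps, stacks, TEBs, and PEBs". The EAF and IAF rows also carry the identical description "Detects dangerous operations being resolved by malicious code"; the IAF row should at least say it applies to the import address table so the two rows are distinguishable.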
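Review bot: The rewritten defaults matrix inside the `[!IMPORTANT]` block of customize-exploit-protection.md preserves a logic error: the third and fourth rows both read no | yes in the Program settings and System settings columns, yet give different behaviours ("As defined in **System settings**" versus "Default as defined in **Use default** option"). The fourth row is the not-enabled-anywhere case and should read `>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | Default as defined in **Use default** option`; fixing it here avoids a second pass over the same lines.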