diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 890986d418..1645594059 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -17,7 +17,8 @@ ms.date: 06/26/2017 The SecurityPolicy configuration service provider is used to configure security policy settings for WAP push, OMA Client Provisioning, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES capabilities to be accessed from a network configuration application. +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES capabilities to be accessed from a network configuration application.   @@ -42,7 +43,7 @@ The following security policies are supported. |4105
Hex: 1009|Message Authentication Retry Policy|This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

Default value: 3

Possible values: 0 through 256.| |4108
Hex: 100c|Service Loading Policy|This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.

Default value: 256 (SECROLE_KNOWN_PPG)

Supported values: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG| |4109
Hex:100d|Service Indication Policy|This setting indicates whether SI messages are accepted, by specifying the security roles that can accept SI messages. An SI message is sent to the device to notify users of new services, service updates, and provisioning services.

Default value: 256 (SECROLE_KNOWN_PPG)

Supported values: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG| -|4111
Hex:100f|OTA Provisioning Policy|This setting determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in 4141, 4142, and 4143 policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client
Provisioning messages are accepted by the device, if policy 4143 is set to 4096 (SECROLE_ANY_PUSH_SOURCE) for an carrier-unlocked device, policy 4111 must also have the SECROLE_ANY_PUSH_SOURCE role set.

Default value: 384 (SECROLE_OPERATOR_TPS | SECROLE_KNOWN_PPG)

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS| +|4111
Hex:100f|OTA Provisioning Policy|This setting determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in 4141, 4142, and 4143 policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client
Provisioning messages are accepted by the device, if policy 4143 is set to 4096 (SECROLE_ANY_PUSH_SOURCE) for an carrier-unlocked device, policy 4111 must also have the SECROLE_ANY_PUSH_SOURCE role set.

Default value: 384 (`SECROLE_OPERATOR_TPS | SECROLE_KNOWN_PPG`)

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS| |4113
Hex:1011|WSP Push Policy|This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

Default value: 1

Supported values:
0: Routing of WSP notifications is not allowed.
1: Routing of WSP notifications is allowed.| |4132
Hex:1024|Network PIN signed OTA Provision Message User Prompt Policy|This policy specifies whether the device will prompt a UI to get the user confirmation before processing a pure network pin signed OTA Provisioning message. If prompt, the user has the ability to discard the OTA provisioning message.

Default value: 0

Supported values:
0: The device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin.
1: There is no user prompt.| |4141
Hex:102d|OMA CP NETWPIN Policy|This setting determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

Default value: 0

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE , SECROLE_OPERATOR_TPS| @@ -149,13 +150,3 @@ The following table shows the Microsoft custom elements that this Configuration [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - -
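Review bot: In the first hunk (@@ -17,7 +17,8), the converted note still writes the two capability names as plain text with escaped underscores (ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES). Since the line is already being rewritten for the `> [!NOTE]` form, consider putting both identifiers in code spans and dropping the backslashes, so they render as literals and can be copied verbatim into a capability manifest.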
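Review bot: In the 4111 row of the second hunk (@@ -42,7 +43,7), the code span around the default value may not stop the `|` from being read as a column separator. GFM-style pipe tables split on an unescaped pipe even inside backticks, so check the rendered table and write the cell as `SECROLE_OPERATOR_TPS \| SECROLE_KNOWN_PPG` if it still breaks. This row carries the security-relevant rule that roles set in 4141, 4142 and 4143 must also be set in 4111, so a truncated default of 384 would mislead anyone auditing the role mask. While the row is being replaced, "for an carrier-unlocked device" should read "a carrier-unlocked device". The other SECROLE_* names in this row and its neighbours, for example "Default value: 256 (SECROLE_KNOWN_PPG)", stay as plain text, which leaves the formatting inconsistent with the new code span.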