Merge pull request #2948 from MicrosoftDocs/master

Publish 3:33 PM 05/29/2020
2025-05-15 23:07:23 +00:00 · 2020-05-29 15:53:25 -07:00 · 2020-05-29 15:53:25 -07:00 · 59b18bd8bf
commit 59b18bd8bf
parent 34e0c64d33 11e1a52263
11 changed files with 142 additions and 95 deletions
--- a/devices/hololens/hololens2-language-support.md
+++ b/devices/hololens/hololens2-language-support.md
@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y
 If the supported language that you're looking for is not in the menu, follow these steps:  
 1. Under **Preferred languages**, select **Add a language**.
-2. Locater and add the language.
+2. Locate and add the language.
 3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
 ### To change the keyboard layout
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
 ![Screenshot of folder of admin tools](images/admin-tools-folder.png)
-These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
+These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc
 -   [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
 -   [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
 -   [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
 -   [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
 -   [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry)
 -   [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
 -   [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
 -   [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
 When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
-In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/).
+In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/)
 For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
@ -54,6 +54,7 @@ The following steps demonstrate required settings using the Intune service:
    > [!IMPORTANT]
    > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
    >
    > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
 3. Verify that the device OS version is Windows 10, version 1709 or later.
@ -93,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee
 This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
 Requirements:
- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
 - Enterprise has MDM service already configured 
 - Enterprise AD must be registered with Azure AD
@ -109,7 +110,7 @@ Requirements:
    ![MDM policies](images/autoenrollment-mdm-policies.png)
-4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**.
+4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
    ![MDM autoenrollment policy](images/autoenrollment-policy.png)
@ -117,7 +118,7 @@ Requirements:
    > [!NOTE]
    > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. 
-The default behavior for older releases is to revert to **User Credential**.
+    > The default behavior for older releases is to revert to **User Credential**.
    When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
@ -159,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a
 ## Configure the auto-enrollment for a group of devices
 Requirements:
- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
 - Enterprise has MDM service already configured (with Intune or a third party service provider)
 - Enterprise AD must be integrated with Azure AD.
 - Ensure that PCs belong to same computer group.
-> [!IMPORTANT]
+[!IMPORTANT]
-> If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):        
+If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):        
->   1. Download:  
+  1. Download:  
->   1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
+  1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
->   1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
+  1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
->   1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
+  1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
->   2. Install the package on the Domain Controller.
+  2. Install the package on the Domain Controller.
->   3. Navigate, depending on the version to the folder:
+  3. Navigate, depending on the version to the folder:
->   1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
+  1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
->   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
+  1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
->   1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
+  1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
->   4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
+  4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
->   5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
+  5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
->   (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
+  (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
->   6. Restart the Domain Controller for the policy to be available.
+  6. Restart the Domain Controller for the policy to be available.
->   This procedure will work for any future version as well.
+
  This procedure will work for any future version as well.
 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
 2. Create a Security Group for the PCs.
@ -187,7 +189,6 @@ Requirements:
 4. Filter using Security Groups.
 ## Troubleshoot auto-enrollment of devices
 Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. 
 To collect Event Viewer logs:
@ -241,10 +242,10 @@ To collect Event Viewer logs:
 - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
 - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
 - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
 - [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
 ### Useful Links
 - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
 - [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
 The **LocURI** for the above GP policy is:
-`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2`
+`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`
 To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `<Data>` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown.
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@ -25,6 +25,33 @@ ms.topic: reference
 Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
 ## New Group Policy settings in Windows 10, version 1903
 The following Group Policy settings were added in Windows 10, version 1903:
 **System**
 - System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
 - System\Storage Sense\Allow Storage Sense
 - System\Storage Sense\Allow Storage Sense Temporary Files cleanup
 - System\Storage Sense\Configure Storage Sense
 - System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
 - System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
 - System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
 - System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
 **Windows Components**
 - Windows Components\App Privacy\Let Windows apps activate with voice 
 - Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
 - Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
 - Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics 
 - Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
 - Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
 - Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
 - Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
 - Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
 ## New Group Policy settings in Windows 10, version 1809
@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@ -28,13 +28,23 @@ ms.topic: article
 ## About SetupDiag
-<I>Current version of SetupDiag: 1.6.0.42</I>
+<I>Current downloadable version of SetupDiag: 1.6.0.42</I>
 >Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
 SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
 ## SetupDiag in Windows 10, version 2004 and later
 With the release of Windows 10, version 2004, SetupDiag is included with Windows Setup.
 During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, SetupDiag.exe is also installed to this directory. If there is an issue with the upgrade, SetupDiag will automatically run to determine the cause of the failure.
 If the upgrade process proceeds normally, this directory is moved under **%SystemDrive%\Windows.Old** for cleanup. If this directory is deleted, SetupDiag.exe will also be removed.
 ## Using SetupDiag
 To quickly use SetupDiag on your current computer:
 1. Verify that your system meets the [requirements](#requirements) described below. If needed, install the [.NET framework 4.6](https://www.microsoft.com/download/details.aspx?id=48137).
 2. [Download SetupDiag](https://go.microsoft.com/fwlink/?linkid=870142).
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
 5. In the **Enterprise Root Certificate** blade, click **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Click **Save**.
 ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
 6. Sign out of the Microsoft Azure Portal.
 > [!NOTE]
 > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
 ## Configure Windows Hello for Business Device Enrollment
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
 Sign-in the AD FS server with *Domain Admin* equivalent credentials. 
 1. Open a **Windows PowerShell** prompt.
-2. Type the following command   
+2. Enter the following command:
    ```PowerShell
    Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
    ```
    >[!NOTE]
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
+    > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
 ### Group Memberships for the AD FS Service Account
@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 ### Section Review
 > [!div class="checklist"]
-> * Configure the registration authority
+> * Configure the registration authority.
-> * Update group memberships for the AD FS service account
+> * Update group memberships for the AD FS service account.
 > 
 > 
 > [!div class="step-by-step"]
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@ -16,6 +16,7 @@ localizationpriority: medium
 ms.date: 10/23/2017
 ms.reviewer: 
 ---
 # Configure Hybrid Windows Hello for Business: Directory Synchronization
 **Applies to**
@ -62,7 +63,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 6. Click **OK** to return to **Active Directory Users and Computers**.
 > [!NOTE]
-> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
+> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
 ### Section Review
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@ -12,14 +12,14 @@ ms.localizationpriority: medium
 audience: ITPro
 author: levinec
 ms.author: ellevin
-ms.date: 05/20/2020
+ms.date: 05/29/2020
 ms.reviewer: 
 manager: dansimp
 ---
 # Enable attack surface reduction rules
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
 - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
@ -27,22 +27,22 @@ manager: dansimp
 Each ASR rule contains one of three settings:
-* Not configured: Disable the ASR rule
+- Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
+- Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
+- Audit: Evaluate how the ASR rule would impact your organization if enabled
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
 > [!TIP]
 > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
 You can enable attack surface reduction rules by using any of these methods:
-* [Microsoft Intune](#intune)
+- [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+- [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
+- [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [PowerShell](#powershell)
 Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
 You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
 You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
 > [!IMPORTANT]
 > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
 > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to
 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
-   *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
+   `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
 The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
 The values to enable, disable, or enable in audit mode are:
-* Disable = 0
+- Disable = 0
-* Block (enable ASR rule) = 1
+- Block (enable ASR rule) = 1
-* Audit = 2
+- Audit = 2
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
 Example:
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-Value: c:\path|e:\path|c:\Whitelisted.exe
+`Value: c:\path|e:\path|c:\Whitelisted.exe`
 > [!NOTE]
 > Be sure to enter OMA-URI values without spaces.
@ -103,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 ## Microsoft Endpoint Configuration Manager
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
+
-1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+2. Click **Home** > **Create Exploit Guard Policy**.
-1. Choose which rules will block or audit actions and click **Next**.
+
-1. Review the settings and click **Next** to create the policy.
+3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
-1. After the policy is created, click **Close**.
+
 4. Choose which rules will block or audit actions and click **Next**.
 5. Review the settings and click **Next** to create the policy.
 6. After the policy is created, click **Close**.
 ## Group Policy
@ -120,13 +127,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
-   * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+   Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
-       * Disable = 0
+   - Disable = 0
-       * Block (enable ASR rule) = 1
+   - Block (enable ASR rule) = 1
-       * Audit = 2
+   - Audit = 2
   ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
@ -169,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
    > Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
    > ```
-    You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+    You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
    > [!WARNING]
    > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
-    > You can obtain a list of rules and their current state by using `Get-MpPreference`
+    > You can obtain a list of rules and their current state by using `Get-MpPreference`.
 3. To exclude files and folders from ASR rules, use the following cmdlet:
@ -186,9 +193,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
    > [!IMPORTANT]
    > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
-## Related topics
+## Related articles
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+
 - [Attack surface reduction FAQ](attack-surface-reduction.md)
 - [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)