diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index 383ac38442..53aae67283 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -104,10 +104,10 @@
     - name: Windows Defender Application Control operational guide
       href: windows-defender-application-control-operational-guide.md
       items: 
-        - name: Understanding Application Control event IDs
-          href: event-id-explanations.md
         - name: Understanding Application Control event tags
           href: event-tag-explanations.md
+        - name: Understanding Application Control event IDs
+          href: event-id-explanations.md
         - name: Query WDAC events with Advanced hunting
           href: querying-application-control-events-centrally-using-advanced-hunting.md
         - name: Known Issues
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 402cadf606..557e9d9716 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -87,7 +87,29 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
 
 ## Event ID 3099 Options
 
-The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow.
+
+- Access Event Viewer.
+- Access the Code integrity 3099 event.
+- Access the details pane.
+- Identify the hex code listed in the “Options” field.
+- Convert the hex code to binary
+
+:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 Policy Rule Options":::
+
+For a simple solution for converting hex to binary, follow these steps.
+- Open the Calculator app
+- Click on the menu icon :::image type="content" source="images/calculator-menu-icon.png" alt-text="calculator menu icon example":::
+- Click Programmer mode
+- Click HEX  :::image type="content" source="images/hex-icon.png" alt-text="HEX icon example":::
+- Enter your hex code
+- Click Bit Toggling Keyboard :::image type="content" source="images/bit-toggling-keyboard-icon.png" alt-text="Bit Toggling Keyboard icon example":::
+
+:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary":::
+
+This view will provide the hex code in binary form, with each bit address shown separately.  The bit addresses start at 0 in the bottom right.  Each bit address correlates to a specific event policy-rule option.  If the bit address holds a value of 1, the setting is in the policy.
+
+Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode.
 
 | Bit Address | Policy Rule Option |
 |-------|------|
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png
new file mode 100644
index 0000000000..dac1240786
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/bin-icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/bit-toggling-keyboard-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/bit-toggling-keyboard-icon.png
new file mode 100644
index 0000000000..2c042f00e5
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/bit-toggling-keyboard-icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/calculator-menu-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/calculator-menu-icon.png
new file mode 100644
index 0000000000..268e4880fc
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/calculator-menu-icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/calculator-with-hex-in-binary.png b/windows/security/threat-protection/windows-defender-application-control/images/calculator-with-hex-in-binary.png
new file mode 100644
index 0000000000..67bc15e949
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/calculator-with-hex-in-binary.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/event-3099-options.png b/windows/security/threat-protection/windows-defender-application-control/images/event-3099-options.png
new file mode 100644
index 0000000000..ee3080bdd9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/event-3099-options.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/hex-icon.png b/windows/security/threat-protection/windows-defender-application-control/images/hex-icon.png
new file mode 100644
index 0000000000..034a9d8d5c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/hex-icon.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index d078c538f5..94be9da4e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -141,6 +141,9 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
 > [!NOTE]
 > For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
 
+> [!NOTE]
+> There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.
+
 ## More information about hashes
 
 ### Why does scan create four hash rules per XML file?
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index 578058661d..f99d35706c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -108,4 +108,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
 
 > [!NOTE]
-> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. 
+> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. 
\ No newline at end of file