Corrected capitalization, changed ASR to ASR rules

2025-05-14 06:17:22 +00:00 · 2018-09-18 11:53:06 -07:00 · 2018-09-18 11:53:06 -07:00 · 630a97cbbc
commit 630a97cbbc
parent fc41f21c1c
28 changed files with 274 additions and 633 deletions
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@ -1,5 +1,5 @@
 ---
-title: Use Attack surface reduction rules to prevent malware infection
+title: Use attack surface reduction rules to prevent malware infection
 description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
 search.product: eADQiWindows 10XVcnh
@ -16,17 +16,17 @@ ms.date: 08/08/2018
-# Reduce attack surfaces with Windows Defender Exploit Guard  
+# Reduce attack surfaces with attack surface reduction rules 
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
-Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
-Attack surface reduction has a number of [rules](#attack-surface-reduction-rules), each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
+Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
 - Executable files and scripts used in Office apps or web mail that attempt to download or run files
 - Scripts that are obfuscated or otherwise suspicious
@ -34,11 +34,11 @@ Attack surface reduction has a number of [rules](#attack-surface-reduction-rules
 When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled.
+You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled.
 ## Requirements
-Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
 ## Attack surface reduction rules
@ -180,9 +180,9 @@ This is a typical malware behavior, especially for macro-based attacks that atte
 This rule blocks Adobe Reader from creating child processes.
-## Review Attack surface reduction events in Windows Event Viewer
+## Review attack surface reduction rule events in Windows Event Viewer
-You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited):
+You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited):
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine.
@ -196,7 +196,7 @@ You can review the Windows event log to see events that are created when an Atta
 4. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to Attack surface reduction:
+5. This will create a custom view that filters to only show the following events related to attack surface reduction rules:
 Event ID | Description
 -|-
@ -218,7 +218,7 @@ You can review the Windows event log to see events that are created when an Atta
 Topic | Description 
 ---|---
-[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created.
+[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created.
-[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network.
+[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network.
-[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. 
+[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@ -21,18 +21,13 @@ ms.date: 08/08/2018
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
 You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature.
 You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
 While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
-You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
 This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. 
@ -45,10 +40,10 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs)
 Audit options | How to enable audit mode | How to view events
 - | - | -
-Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
+Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer)
-Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
+Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer)
-Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
+Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer)
 You can also use the a custom PowerShell script that enables the features in audit mode automatically:
@ -69,14 +64,9 @@ You can also use the a custom PowerShell script that enables the features in aud
      A message should appear to indicate that audit mode was enabled.
 ## Related topics
 - [Protect devices from exploits](exploit-protection-exploit-guard.md) 
- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md) 
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) 
 - [Protect your network](network-protection-exploit-guard.md) 
 - [Protect important folders](controlled-folders-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
@ -20,17 +20,13 @@ ms.date: 08/08/2018
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access. 
-
+In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [network protection](network-protection-exploit-guard.md).
 - IT administrators
 This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. 
 In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md).
 Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics:
- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) 
+- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) 
- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) 
+- [Troubleshoot network protection](troubleshoot-np.md) 
@ -63,7 +59,7 @@ Before attempting this process, ensure you have met all required pre-requisites
 ## Related topics
- [Troubleshoot ASR rules](troubleshoot-asr.md) 
+- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) 
- [Troubleshoot Network protection](troubleshoot-np.md) 
+- [Troubleshoot network protection](troubleshoot-np.md) 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
@ -14,18 +14,14 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # Protect important folders with controlled folder access
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. 
-Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
 All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
@ -35,17 +31,16 @@ A notification will appear on the computer where the app attempted to make chang
 The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
-You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
+You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 ## Requirements
-Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
+Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
 ## Review controlled folder access events in Windows Event Viewer
-## Review Controlled folder access events in Windows Event Viewer
+You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
 You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app:
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
@ -59,19 +54,19 @@ You can review the Windows event log to see events that are created when Control
 4. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to Controlled folder access:
+5. This will create a custom view that filters to only show the following events related to controlled folder access:
 Event ID | Description
 -|-
 5007 | Event when settings are changed
-1124 | Audited Controlled folder access event
+1124 | Audited controlled folder access event
-1123 | Blocked Controlled folder access event
+1123 | Blocked controlled folder access event
 ## In this section
 Topic | Description 
 ---|---
-[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created.
+[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
-[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network
+[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
-[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
+[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@ -1,5 +1,5 @@
 ---
-title: Configure how ASR works to finetune protection in your network
+title: Configure how attack surface reduction rules work to finetune protection in your network
 description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
 search.product: eADQiWindows 10XVcnh
@ -14,27 +14,26 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-# Customize attack surface reduction
+# Customize attack surface reduction rules
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
-Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
+This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
 This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
 You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 ## Exclude files and folders
-You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 
 This could potentially allow unsafe files to run and infect your devices.
 >[!WARNING]
->Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+>Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 > 
 >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules).
@ -65,19 +64,17 @@ Block untrusted and unsigned processes that run from USB | [!include[Check mark
 Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
 Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-
+See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
 ### Use Group Policy to exclude files and folders
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-5.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
+3.  Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
-6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
+4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
 ### Use PowerShell to exclude files and folderss
@ -90,7 +87,6 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
 Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. 
 >[!IMPORTANT]
 >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
@ -98,17 +94,13 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
 ## Customize the notification
 See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@ -14,19 +14,15 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # Customize controlled folder access
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. 
-This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+This topic describes how to customize the following settings of the controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
 - [Add additional folders to be protected](#protect-additional-folders)
 - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
@ -36,14 +32,13 @@ This topic describes how to customize the following settings of the Controlled f
 >
 >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact.
 ## Protect additional folders
 Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop.
 You can add additional folders to be protected, but you cannot remove the default folders in the default list.
-Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
+Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults.
 You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). 
@ -62,16 +57,15 @@ You can use the Windows Defender Security Center app or Group Policy to add and
   ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
 ### Use Group Policy to protect additional folders
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3.  In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
+2.  In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-5.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
+3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
-6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
+4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder.
 ### Use PowerShell to protect additional folders
@ -82,13 +76,10 @@ You can use the Windows Defender Security Center app or Group Policy to add and
    Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
    ```
 Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
 ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
 >[!IMPORTANT]
 >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
@ -96,20 +87,17 @@ Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to ad
 Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
 ## Allow specific apps to make changes to controlled folders
-
+You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. 
 ## Allow specific apps to make changes to controlled folders
 You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature. 
 >[!IMPORTANT]
 >By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.
 >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
 You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders.
-When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access.
+When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
 ### Use the Windows Defender Security app to allow specific apps
@ -127,13 +115,11 @@ When you add an app, you have to specify the app's location. Only the app in tha
 1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
 5.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
 3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**.
 4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app.
 ### Use PowerShell to allow specific apps
@ -149,18 +135,13 @@ When you add an app, you have to specify the app's location. Only the app in tha
    ```PowerShell
    Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe"
    ```
 Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
 ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
 >[!IMPORTANT]
 >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
 ### Use MDM CSPs to allow specific apps
 Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. 
@ -170,6 +151,6 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications]
 See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) 
+- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) 
- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md)
+- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
@ -14,31 +14,17 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-# Customize Exploit protection
+# Customize exploit protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
 You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
- This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
+ This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
 It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md).
@ -49,10 +35,8 @@ It also describes how to enable or configure the mitigations using Windows Defen
 All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
 You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
 Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". 
 ![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
@ -118,8 +102,6 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. 
 >CFG will be enabled for *miles.exe*.
 ### Configure system-level mitigations with the Windows Defender Security Center app
 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -144,7 +126,6 @@ You can now [export these settings as an XML file](import-export-exploit-protect
 Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
 ### Configure app-specific mitigations with the Windows Defender Security Center app
 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -160,7 +141,6 @@ Exporting the configuration as an XML file allows you to copy the configuration
        ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@ -171,8 +151,7 @@ You can now [export these settings as an XML file](import-export-exploit-protect
 Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
-
+## PowerShell reference
 ## PowerShell reference
 You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets.
@ -181,7 +160,6 @@ Exporting the configuration as an XML file allows you to copy the configuration
 >[!IMPORTANT]
 >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
 You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
 ```PowerShell
@ -202,8 +180,6 @@ Use `Set` to configure each mitigation in the following format:
 ```PowerShell
 Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options>,<mitigation or options>,<mitigation or options>
 ```
 Where:
 - \<Scope>:
@ -215,7 +191,6 @@ Where:
 - \<Mitigation>:
    - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma.
 For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command:
 ```PowerShell
@ -298,6 +273,6 @@ See the [Windows Defender Security Center](../windows-defender-security-center/w
 - [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@ -14,22 +14,18 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 >[!IMPORTANT]
->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. 
+>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. 
 >  
 >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. 
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. 
 Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
@ -40,9 +36,7 @@ After July 31, 2018, it will not be supported.
 For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics:
 - [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
 ## Feature comparison
@ -68,17 +62,13 @@ Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[U
 Reporting | [!include[Check mark yes](images/svg/check-yes.svg)] <br />With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md) <br />[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited Windows event log monitoring
 Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Limited to EAF, EAF+, and anti-ROP mitigations
 <span id="fn1"></span>([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx).
 <span id="fn2"></span>([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus.
 ## Mitigation comparison
-The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md).
+The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md).
 The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.  
@ -109,10 +99,6 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] |
 Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
 >[!NOTE] 
 >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
 > 
@ -122,9 +108,9 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check
 ## Related topics
 - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@ -14,32 +14,15 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-
+# Enable attack surface reduction rules
 # Enable Attack surface reduction 
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
-
+## Enable and audit attack surface reduction rules
 Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
 ## Enable and audit Attack surface reduction rules
 You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode.
@ -68,27 +51,23 @@ Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.
-### Use Group Policy to enable or audit Attack surface reduction rules
+### Use Group Policy to enable or audit attack surface reduction rules
 1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-5.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
+4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
 6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section:
    - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
        -  Block mode = 1
        -  Disabled = 0
        -  Audit mode = 2
-![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png)
+![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png)
-
+### Use PowerShell to enable or audit attack surface reduction rules
 ### Use PowerShell to enable or audit Attack surface reduction rules
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@ -97,14 +76,11 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
    ```
 You can enable the feature in audit mode using the following cmdlet:
 ```PowerShell
 Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode
 ```
 Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 >[!IMPORTANT>
@ -124,15 +100,12 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis
 >You can obtain a list of rules and their current state by using `Get-MpPreference`
-### Use MDM CSPs to enable Attack surface reduction rules
+### Use MDM CSPs to enable attack surface reduction rules
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
 ## Related topics
- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
- [Customize Attack surface reduction](customize-attack-surface-reduction.md)
+- [Customize attack surface reduction](customize-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@ -14,8 +14,6 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # Enable controlled folder access
@ -23,29 +21,26 @@ ms.date: 08/08/2018
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
 This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). 
 ## Enable and audit controlled folder access
 You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 >[!NOTE]
 >The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**.
 >If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device.
 >If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**.
 >See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
 ><p>
->Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include:
+>Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
 >- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
 >- System Center Endpoint Protection **Allow users to add exclusions and overrides**
 >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
-### Use the Windows Defender Security app to enable Controlled folder access
+### Use the Windows Defender Security app to enable controlled folder access
 1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -70,28 +65,29 @@ You can enable controlled folder access with the Security Center app, Group Poli
    ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
 >[!IMPORTANT]
->To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+>To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
-### Use PowerShell to enable Controlled folder access
+### Use PowerShell to enable controlled folder access
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
    ```PowerShell
    Set-MpPreference -EnableControlledFolderAccess Enabled
    ```
-You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`.
+You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
 Use `Disabled` to turn the feature off.
-### Use MDM CSPs to enable Controlled folder access
+### Use MDM CSPs to enable controlled folder access
 Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. 
 ## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) 
+- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) 
 - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@ -1,5 +1,5 @@
 ---
-title: Turn on Exploit protection to help mitigate against attacks
+title: Turn on exploit protection to help mitigate against attacks
 keywords: exploit, mitigation, attacks, vulnerability
 description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
 search.product: eADQiWindows 10XVcnh
@ -14,11 +14,8 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # Enable exploit protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -45,7 +42,6 @@ See the following topics for instructions on configuring exploit protection miti
 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
 ## Related topics
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@ -1,5 +1,5 @@
 ---
-title: Turn Network protection on
+title: Turn network protection on
 description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
 keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
 search.product: eADQiWindows 10XVcnh
@ -14,59 +14,40 @@ ms.author: v-anbic
 ms.date: 05/30/2018
 ---
-
+# Enable network protection
 # Enable Network protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
 ## Enable and audit network protection
-
+You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
 Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).
 ## Enable and audit Network protection
 You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP.
 For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
 ### Use Group Policy to enable or audit network protection
-### Use Group Policy to enable or audit Network protection
+1.  On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
 2.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-1.  On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+3.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
-3.  In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
 5.  Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
 6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following:
    - **Block** - Users will not be able to access malicious IP addresses and domains
    - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains
    - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address.
 >[!IMPORTANT]
->To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
+>To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
-
+ ### Use PowerShell to enable or audit network protection
 ### Use PowerShell to enable or audit Network protection
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@ -75,7 +56,7 @@ For background information on how audit mode works, and when you might want to u
    Set-MpPreference -EnableNetworkProtection Enabled
    ```
-You can enable the feauting in audit mode using the following cmdlet:
+You can enable the feature in audit mode using the following cmdlet:
 ```
 Set-MpPreference -EnableNetworkProtection AuditMode
@ -84,14 +65,12 @@ Set-MpPreference -EnableNetworkProtection AuditMode
 Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off.
 ### Use MDM CSPs to enable or audit network protection
-### Use MDM CSPs to enable or audit Network protection
+Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection.
 Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection.
 ## Related topics
 - [Protect your network](network-protection-exploit-guard.md)
- [Evaluate Network protection](evaluate-network-protection.md)
+- [Evaluate network protection](evaluate-network-protection.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@ -17,7 +17,7 @@ ms.date: 08/08/2018
 This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. 
 Some applications, including device drivers, may be incompatible with HVCI. 
-This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
+This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
 If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
 ## How to turn on HVCI in Windows 10 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@ -1,5 +1,5 @@
 ---
-title: Use a demo to see how ASR can help protect your devices
+title: Use a demo to see how ASR rules can help protect your devices
 description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo
 search.product: eADQiWindows 10XVcnh
@ -14,31 +14,15 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-
+# Evaluate attack surface reduction rules
 # Evaluate Attack surface reduction rules
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
-
+This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
 Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. 
 This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
 >[!NOTE]
 >This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. 
@ -47,10 +31,9 @@ This topic helps you evaluate Attack surface reduction. It explains how to demo
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 ## Use the demo tool to see how attack surface reduction rules work
-## Use the demo tool to see how Attack surface reduction works
+Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
 Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines.
 The tool is part of the Windows Defender Exploit Guard evaluation package:
 - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
@ -95,9 +78,9 @@ Choosing the **Mode** will change how the rule functions:
 Mode option | Description
 -|-
-Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all.
+Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all.
-Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction.
+Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules.
-Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine.
+Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer.
 Block mode will cause a notification to appear on the user's desktop:
@ -111,7 +94,6 @@ The following sections describe what each rule does and what the scenarios entai
 ### Rule: Block executable content from email client and webmail
 This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail.
 The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
@ -145,18 +127,13 @@ The following scenarios can be individually chosen:
 - Extension Block
    - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features.
 ### Rule: Block Office applications from injecting into other processes
 >[!NOTE]
 >There is only one scenario to test for this rule.
 Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
 ### Rule: Impede JavaScript and VBScript to launch executables
 JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
@ -168,13 +145,10 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious
 - VBScript
    - VBScript will not be allowed to launch executable files
 ### Rule: Block execution of potentially obfuscated scripts
 Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running.
 - Random
    - A scenario will be randomly chosen from this list
 - AntiMalwareScanInterface
@ -203,7 +177,6 @@ Event ID | Description
 1122 | Event when rule fires in Audit-mode 
 1121 | Event when rule fires in Block-mode 
 ## Use audit mode to measure impact
 You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
@ -222,17 +195,14 @@ This enables all Attack surface reduction rules in audit mode.
 >If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
 You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md).
-
+## Customize attack surface reduction rules
 ## Customize Attack surface reduction
 During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature.
 See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies.
 ## Related topics
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
 - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
 - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@ -1,5 +1,5 @@
 ---
-title: See how CFA can help protect files from being changed by malicious apps
+title: See how controlled folder access can help protect files from being changed by malicious apps
 description: Use a custom tool to see how Controlled folder access works in Windows 10.
 keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
 search.product: eADQiWindows 10XVcnh
@ -14,29 +14,17 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-
+# Evaluate controlled folder access
 # Evaluate Controlled folder access
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 [Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. 
 It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
-This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
+This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
 >[!NOTE]
 >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. 
@ -45,18 +33,16 @@ This topic helps you evaluate Controlled folder access. It explains how to demo
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Use the demo tool to see how Controlled folder access works
+## Use the demo tool to see how controlled folder access works
-Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders. 
+Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders. 
 The tool is part of the Windows Defender Exploit Guard evaluation package:
 - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w)
-This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
+This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
 You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
 You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
 1. Type **powershell** in the Start menu.
@ -79,7 +65,7 @@ You can enable Controlled folder access, run the tool, and see what the experien
    ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png)
-## Review Controlled folder access events in Windows Event Viewer
+## Review controlled folder access events in Windows Event Viewer
 You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
@ -96,15 +82,15 @@ You can also review the Windows event log to see the events there were created w
 Event ID | Description
 -|-
 5007 | Event when settings are changed
-1124 | Audited Controlled folder access event
+1124 | Audited controlled folder access event
-1123 | Blocked Controlled folder access event
+1123 | Blocked controlled folder access event
-1127 | Blocked Controlled folder access sector write block event
+1127 | Blocked controlled folder access sector write block event
-1128 | Audited Controlled folder access sector write block event
+1128 | Audited controlled folder access sector write block event
 ## Use audit mode to measure impact
-As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
+You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting.
 You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@ -115,21 +101,18 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
 ```
 >[!TIP]
->If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+>If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
-You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main  [Controlled folder access topic](controlled-folders-exploit-guard.md).
+You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md).
 For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
 ## Customize protected folders and apps
 During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. 
-See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
+See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
 ## Related topics
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
 - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
 - [Use audit mode](audit-windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@ -14,20 +14,17 @@ ms.author: v-anbic
 ms.date: 05/30/2018
 ---
 # Evaluate exploit protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
 Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection. 
-This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md) .
+This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md).
 >[!NOTE]
 >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. 
@ -50,13 +47,13 @@ First, enable the mitigation using PowerShell, and then confirm that it has been
    Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation
    ```
-1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
+3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**.
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
+4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen.
-3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
+5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**.
-4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
+6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**.
 Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
@ -78,7 +75,6 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a
 5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected.
 ## Review exploit protection events in Windows Event Viewer
 You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
@ -99,7 +95,6 @@ You can now review the events that exploit protection sent to the Windows Event
    Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. 
 ## Use audit mode to measure impact
 You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
@ -112,8 +107,6 @@ See the [**PowerShell reference** section in customize exploit protection](custo
 For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md).
 ## Related topics
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
 - [Enable exploit protection](enable-exploit-protection.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@ -1,5 +1,5 @@
 ---
-title: Conduct a demo to see how Network protection works
+title: Conduct a demo to see how network protection works
 description: Quickly see how Network protection works by performing common scenarios that it protects against
 keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo
 search.product: eADQiWindows 10XVcnh
@ -14,30 +14,13 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
-# Evaluate Network protection
+# Evaluate network protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). 
 It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
 This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site.
@ -47,7 +30,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-## Enable Network protection
+## Enable network protection
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
@ -68,8 +51,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
 ![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png)
- 
+## Review network protection events in Windows Event Viewer
 ## Review Network protection events in Windows Event Viewer
 You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
@ -81,18 +63,18 @@ You can also review the Windows event log to see the events there were created w
 4. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to Network protection:
+5. This will create a custom view that filters to only show the following events related to network protection:
 Event ID | Description
 -|-
 5007 | Event when settings are changed
-1125 | Event when rule fires in Audit-mode 
+1125 | Event when rule fires in audit mode 
-1126 | Event when rule fires in Block-mode 
+1126 | Event when rule fires in block mode 
 ## Use audit mode to measure impact
-You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled.
+You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled.
 You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
@ -101,17 +83,12 @@ To enable audit mode, use the following PowerShell cmdlet:
 ```PowerShell
 Set-MpPreference -EnableNetworkProtection AuditMode
 ```
 >[!TIP]
->If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
+>If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
 You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md).
 ## Related topics
-
+- [Protect your network](network-protection-exploit-guard.md)
 ## Related topics
 - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
 - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
 - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
@ -14,48 +14,36 @@ ms.author: v-anbic
 ms.date: 05/30/2018
 ---
 # Evaluate Windows Defender Exploit Guard
 **Applies to:**
 - Windows 10, version 1709 and later
 - Windows Server 2016
-
+Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
 Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software.
 Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization.
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
 Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are.
-
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Evaluate controlled folder access](evaluate-controlled-folder-access.md)
- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate network protection](evaluate-network-protection.md)
 - [Evaluate Network protection](evaluate-network-protection.md)
 You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits:
 - [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md)
 ## Related topics
 Topic | Description 
 ---|---
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) 
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) 
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) 
+- [Protect your network](network-protection-exploit-guard.md) 
- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@ -15,19 +15,12 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
 # View attack surface reduction events
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow.
 Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled.
@ -42,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s
 The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page.
-You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
+You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details.
 ### Import an existing XML custom view
@ -82,11 +75,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events).
-
+### XML for attack surface reduction rule events
 ### XML for Attack surface reduction events
 ```xml
 <QueryList>
@ -97,7 +86,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 </QueryList>
 ```
-### XML for Controlled folder access events
+### XML for controlled folder access events
 ```xml
 <QueryList>
@ -108,7 +97,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 </QueryList>
 ```
-### XML for Exploit protection events
+### XML for exploit protection events
 ```xml
 <QueryList>
@ -128,7 +117,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 </QueryList>
 ```
-### XML for Network protection events
+### XML for network protection events
 ```xml
 <QueryList>
@ -140,8 +129,6 @@ You can also manually navigate to the event area that corresponds to the Windows
 ```
 ## List of attack surface reduction events
--- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
@ -14,10 +14,7 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
-
+# Protect devices from exploits
 # Protect devices from exploits with with Windows Defender Exploit Guard
 **Applies to:**
@ -30,32 +27,25 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
 You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once.
 When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-  You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled.
+  You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled.
- Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. 
+ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. 
 >[!IMPORTANT]
- >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+ >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
 >[!WARNING] 
->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
+>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network.
-## Requirements
+ ## Review exploit protection events in Windows Event Viewer
-Windows 10 version | Windows Defender Advanced Threat Protection
+You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app:
 -|-
 Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md)
 ## Review Exploit protection events in Windows Event Viewer
 You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app:
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine.
@ -103,11 +93,11 @@ Win32K | 260 | Untrusted Font
 ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard
 >[!IMPORTANT]
->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. 
+>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. 
 >  
->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
+>You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings.
-This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. 
+This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. 
 Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options.
@ -120,10 +110,7 @@ For more information about the individual features and mitigations available in
 - [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
-
+## Feature comparison
 ## Feature comparison
 The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.
@ -146,19 +133,15 @@ Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[U
 Reporting | [!include[Check mark yes](images/svg/check-yes.svg)] <br />With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md) <br />[Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)] <br />Limited Windows event log monitoring
 Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)] <br />[Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]<br />Limited to EAF, EAF+, and anti-ROP mitigations
 <span id="fn1"></span>([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx).
-<span id="fn2"></span>([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus.
+<span id="fn2"></span>([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus.
 ## Mitigation comparison
-The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md).
+The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md).
-The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection.  
+The table in this section indicates the availability and support of native mitigations between EMET and exploit protection.  
 Mitigation | Available in Windows Defender Exploit Guard | Available in EMET
 -|:-:|:-:
@ -186,11 +169,6 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [
 Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
 Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
 >[!NOTE] 
 >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process.
 > 
@ -199,10 +177,10 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check
 ## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Protect devices from exploits](exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@ -1,5 +1,5 @@
 ---
-title: Deploy Exploit protection mitigations across your organization
+title: Deploy exploit protection mitigations across your organization
 keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
 description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
 search.product: eADQiWindows 10XVcnh
@ -14,62 +14,36 @@ ms.author: v-anbic
 ms.date: 04/30/2018
 ---
-
+# Import, export, and deploy exploit protection configurations
 # Import, export, and deploy Exploit protection configurations
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level.
 It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
-Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection. 
+Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in exploit protection. 
 You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings.
-You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML.
+You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML.
 This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration.
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
+The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic.
 ## Create and export a configuration file
 Before you export a configuration file, you need to ensure you have the correct settings.
-You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instructions for configuring mitigations.
+You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations.
 When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
 When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
 ### Use the Windows Defender Security Center app to export a configuration file
 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**:
@ -83,7 +57,6 @@ When you have configured Exploit protection to your desired state (including bot
 >[!NOTE]
 >When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings.
 ### Use PowerShell to export a configuration file
 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
@ -98,10 +71,9 @@ Change `filename` to any name or location of your choosing.
 > [!IMPORTANT]
 > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. 
 ## Import a configuration file
-You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
+You can import an exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file.
 After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app.
@ -115,16 +87,16 @@ After importing, the settings will be instantly applied and can be reviewed in t
    Set-ProcessMitigation -PolicyFilePath filename.xml 
    ```
-Change `filename` to the location and name of the Exploit protection XML file.
+Change `filename` to the location and name of the exploit protection XML file.
 >[!IMPORTANT]
 >
->Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
+>Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
-## Convert an EMET configuration file to an Exploit protection configuration file
+## Convert an EMET configuration file to an exploit protection configuration file
-You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10.
+You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10.
 You can only do this conversion in PowerShell.
@ -185,6 +157,6 @@ You can use Group Policy to deploy the configuration you've created to multiple
 - [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
@ -14,11 +14,8 @@ ms.author: iawilt
 ms.date: 08/09/2018
 ---
 # Memory integrity
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@ -1,5 +1,5 @@
 ---
-title: Use Network protection to help prevent connections to bad sites
+title: Use network protection to help prevent connections to bad sites
 description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
 keywords: Network protection, exploits, malicious website, ip, domain, domains
 search.product: eADQiWindows 10XVcnh
@ -14,9 +14,7 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
-
+# Protect your network
 # Protect your network with Windows Defender Exploit Guard
 **Applies to:**
@ -26,15 +24,12 @@ Network protection helps reduce the attack surface of your devices from Internet
 It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
 >[!TIP]
 >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
 Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
-When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
+When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
 You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled.
@ -47,10 +42,9 @@ Windows 10 version | Windows Defender Antivirus
 Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled
-## Review Network protection events in Windows Event Viewer
+## Review network protection events in Windows Event Viewer
-
+You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
 You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain:
 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
@ -64,20 +58,17 @@ You can review the Windows event log to see events that are created when Network
 4. Click **OK**.
-5. This will create a custom view that filters to only show the following events related to Network protection:
+5. This will create a custom view that filters to only show the following events related to network protection:
 Event ID | Description
 -|-
 5007 | Event when settings are changed
-1125 | Event when Network protection fires in Audit-mode 
+1125 | Event when network protection fires in audit mode 
-1126 | Event when Network protection fires in Block-mode 
+1126 | Event when network protection fires in block mode 
 ## In this section
 Topic | Description 
 ---|---
-[Evaluate Network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
+[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
-[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network.
+[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@ -1,5 +1,5 @@
 ---
-title: Requirements and deployment planning guidelines for irtualization-based protection of code integrity (Windows 10)
+title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10)
 description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@ -1,5 +1,5 @@
 ---
-title: Troubleshoot problems with Attack surface reduction rules
+title: Troubleshoot problems with attack surface reduction rules
 description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
 keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
 search.product: eADQiWindows 10XVcnh
@ -14,23 +14,17 @@ ms.author: v-anbic
 ms.date: 05/17/2018
 ---
-# Troubleshoot Attack surface reduction rules
+# Troubleshoot attack surface reduction rules
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
 - IT administrators
 When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as:
 - A rule blocks a file, process, or performs some other action that it should not (false positive)
 - A rule does not work as described, or does not block a file or process that it should (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm that you have met all pre-requisites
@ -38,11 +32,9 @@ There are four steps to troubleshooting these problems:
 3. Add exclusions for the specified rule (for false positives)
 3. Submit support logs
 ## Confirm pre-requisites
-Attack surface reduction (ASR) will only work on devices with the following conditions:
+Attack surface reduction rules will only work on devices with the following conditions:
 >[!div class="checklist"]
 > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update).
@ -50,47 +42,44 @@ Attack surface reduction (ASR) will only work on devices with the following cond
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
 If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
 ## Use audit mode to test the rule
 There are two ways that you can test if the rule is working. 
-You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only. 
+You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only. 
-The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly.
+The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly.
 If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
-You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with.
+You should follow the instructions in the section [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with.
 >[!TIP]
->While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. 
+>While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. 
 Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
+1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
+3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
 >[!TIP] 
 >Audit mode will stop the rule from blocking the file or process. 
 >
 >If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. 
 >
->Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
+>Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
 If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
-If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
+1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-
+2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data).
 1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive).
 2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data).
 ## Add exclusions for a false positive
-You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders.
+You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
 This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us.
@ -101,12 +90,11 @@ To add an exclusion, see the [Customize Attack surface reduction](customize-atta
 >
 >This means any files or folders that are excluded will be excluded from all ASR rules.
 If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us.
 ## Collect diagnostic data
-You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR.
+You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with attack surface reduction rules.
 When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
@ -115,14 +103,8 @@ You must also attach associated files in a .zip file (such as the file or execut
 Follow the link below for instructions on how to collect the .cab file:
 > [!div class="nextstepaction"]
-> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
+> [Collect and submit diagnostic data](collect-cab-files-exploit-guard-submission.md)
 ## Related topics
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
 - [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
@ -1,5 +1,5 @@
 ---
-title: Deploy Exploit protection mitigations across your organization
+title: Deploy exploit protection mitigations across your organization
 keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
 description: Remove unwanted Exploit protection mitigations.
 search.product: eADQiWindows 10XVcnh
@ -14,28 +14,13 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
-
+# Troubleshoot exploit protection mitigations
 # Troubleshoot Exploit protection mitigations
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
+When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
 When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
 You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
@ -208,9 +193,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu
 ## Related topics
- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
+- [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
- [Evaluate Exploit protection](evaluate-exploit-protection.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
- [Enable Exploit protection](enable-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@ -14,14 +14,12 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
-# Troubleshoot Network protection
+# Troubleshoot network protection
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 - IT administrators
 When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as:
@ -29,8 +27,6 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e
 - Network protection blocks a website that is safe (false positive)
 - Network protection fails to block a suspicious or known malicious website (false negative)
 There are four steps to troubleshooting these problems:
 1. Confirm that you have met all pre-requisites
@ -38,19 +34,16 @@ There are four steps to troubleshooting these problems:
 3. Add exclusions for the specified rule (for false positives)
 3. Submit support logs
 ## Confirm pre-requisites
-Windows Defender Exploit Guard will only work on devices with the following conditions:
+Network protection will only work on devices with the following conditions:
 >[!div class="checklist"]
 > - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
-> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
+> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
 If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
@ -58,33 +51,33 @@ If these pre-requisites have all been met, proceed to the next step to test the
 There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode.
-You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions.
+You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions.
 If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
 >[!TIP]
->While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. 
+>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. 
-You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run.
+You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run.
-1. Enable audit mode for Network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
+1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection).
 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
 >[!IMPORTANT] 
->Audit mode will stop Network protection from blocking known malicious connections. 
+>Audit mode will stop network protection from blocking known malicious connections. 
 >
->If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. 
+>If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. 
 >
 >Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. 
+If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. 
 ## Report a false positive or false negative
-You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection.
+You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection.
 When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one).
@ -93,11 +86,6 @@ You can also attach a diagnostic .cab file to your submission if you wish (this
 > [!div class="nextstepaction"]
 > [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md)
 ## Related topics
 - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@ -14,20 +14,12 @@ ms.author: v-anbic
 ms.date: 08/09/2018
 ---
 # Windows Defender Exploit Guard
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
 There are four features in Windows Defender EG:
@ -63,13 +55,12 @@ This section covers requirements for each feature in Windows Defender EG.
 |--------|---------|
 | ![not supported](./images/ball_empty.png) | Not supported |
 | ![supported](./images/ball_50.png) | Supported |
-| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
+| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
 | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
 | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
 | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
-| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
 | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
 | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
@ -78,7 +69,7 @@ The following table lists which features in Windows Defender EG require enabling
 | Feature | Real-time protection |
 |-----------------| ------------------------------------ |
 | Exploit protection | No requirement |
-| Attack surface reduction | Must be enabled |
+| Attack surface reduction rules | Must be enabled |
 | Network protection | Must be enabled |
 | Controlled folder access | Must be enabled |
@ -87,8 +78,8 @@ The following table lists which features in Windows Defender EG require enabling
 Topic | Description 
 ---|---
 [Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent  threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. 
-[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.   
+[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts.   
 [Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors.
-[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. 
+[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data.