updates to image alts

windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -144,7 +144,7 @@ You can review the Windows event log to see events that are created when an Atta
 
 2. On the left panel, under **Actions**, click **Import custom view...**
 
-    ![](images/events-import.gif)
+    ![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
 
 3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
 

windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md

@@ -75,7 +75,7 @@ You can review the Windows event log to see events that are created when Control
 
 3. On the left panel, under **Actions**, click **Import custom view...**
 
-    ![](images/events-import.gif)
+    ![Animation showing the import custom view on the Event viewer window](images/events-import.gif)
 
 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
 

windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md

@@ -75,7 +75,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
 
 4. Click **Add a protected folder** and follow the prompts to add apps.
 
-    ![](images/cfa-prot-folders.png)
+    ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png)
 
  
 ### Use Group Policy to protect additional folders
@@ -107,7 +107,7 @@ You can use the Windows Defender Security Center app or Group Policy to add and
 Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app.
 
 
-![](images/cfa-allow-folder-ps.png)
+![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png)
 
 
 >[!IMPORTANT]
@@ -144,7 +144,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
 
 4. Click **Add an allowed app** and follow the prompts to add apps.
 
-    ![](images/cfa-allow-app.png)
+    ![Screenshot of the add an allowed app button](images/cfa-allow-app.png)
 
 ### Use Group Policy to whitelist specific apps
 
@@ -178,7 +178,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
 Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app.
 
 
-![](images/cfa-allow-app-ps.png)
+![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png)
 
 
 >[!IMPORTANT]

windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md

@@ -51,25 +51,25 @@ It also describes how to enable or configure the mitigations using Windows Defen
 All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level.
 
 
-You can set each of the mitigations to on, off, or to their default value as indicated in the table below. Some mitigations have additional options, these are indicated in the description in the table.
+You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table.
 
 
 Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". 
 
-![](images/ep-default.png)
+![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png)
 
 The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults.
 
 For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic.
 
-Mitigation | Description | Can be applied to, and default value for system mitigations | Audit mode available
+Mitigation | Description | Can be applied to | Audit mode available
 - | - | - | -
-Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
+Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
+Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level  | [!include[Check mark no](images/svg/check-no.md)]
-Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
+Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level  | [!include[Check mark no](images/svg/check-no.md)]
-Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
+Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)]
-Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level (system default: **On**) | [!include[Check mark no](images/svg/check-no.md)]
+Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level  | [!include[Check mark no](images/svg/check-no.md)]
-Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level (system default: **Off**) | [!include[Check mark no](images/svg/check-no.md)]
+Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level  | [!include[Check mark no](images/svg/check-no.md)]
 Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
 Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
 Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)]
@@ -127,7 +127,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection** label:
 
-    ![](images/wdsc-exp-prot.png)
+    ![App & browser control screen in the Windows Defender Security Center](images/wdsc-exp-prot.png)
         
 3.	Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
     - **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
@@ -139,7 +139,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
 
     Changing some settings may required a restart, which will be indicated in red text underneath the setting.
 
-    ![](images/wdsc-exp-prot-sys-settings.png)
+    ![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png)
 
 4. Repeat this for all the system-level mitigations you want to configure.
 
@@ -154,7 +154,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
 
 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then the **Exploit protection settings** at the bottom of the screen:
 
-    ![](images/wdsc-exp-prot.png)
+    ![Screenshot showing the Exploit protection label highlighted in the Windows Defender Security Center App & browser settings section](images/wdsc-exp-prot.png)
 
     
 3.	Go to the **Program settings** section and choose the app you want to apply mitigations to:
@@ -164,14 +164,14 @@ Exporting the configuration as an XML file allows you to copy the configuration
         - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
         - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
 
-        ![](images/wdsc-exp-prot-app-settings.png)
+        ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
 
 
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
 
-    ![](images/wdsc-exp-prot-app-settings-options.png)
+    ![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png)
 
 You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. 
 

windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -79,7 +79,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to
         -  Disabled = 0
         -  Audit mode = 2
 
-![](images/asr-rules-gp.png)
+![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png)
 
 
         

windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -60,7 +60,7 @@ For further details on how audit mode works, and when you might want to use it,
     
 3.	Set the switch for the feature to **On**
 
-    ![](images/cfa-on.png)
+    ![Screenshot of the CFA feature switched to On](images/cfa-on.png)
 
 ### Use Group Policy to enable Controlled folder access
 
@@ -77,7 +77,7 @@ For further details on how audit mode works, and when you might want to use it,
     - **Disable (Default)** - The Controlled folder access feature will not work. All apps can make changes to files in protected folders.
     - **Audit Mode** - If a malicious or suspicious app attempts to make a change to a file in a protected folder, the change will be allowed but will be recorded in the Windows event log. This allows you to assess the impact of this feature on your organization.
 
-    ![](images/cfa-gp-enable.png)
+    ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
 
 >[!IMPORTANT]
 >To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.

windows/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md

@@ -57,7 +57,7 @@ This tool has a simple user interface that lets you choose a rule, configure it
 
 When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken.
 
-![](images/asr-test-tool.png)
+![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png)
 
 Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running.
 
@@ -99,7 +99,7 @@ Audit | The rule wil fire, but the suspicious behavior will **not** be blocked f
 
 Block mode will cause a notification to appear on the user's desktop:
 
-![](images/asr-notif.png)
+![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png)
 
 You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk.
 

windows/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md

@@ -73,11 +73,11 @@ You can enable Controlled folder access, run the tool, and see what the experien
 
 6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
 
-    ![](images/cfa-filecreator.png)
+    ![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png)
 
 7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
 
-    ![](images/cfa-notif.png)
+    ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png)
 
 ## Review Controlled folder access events in Windows Event Viewer
 

windows/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md

@@ -64,7 +64,7 @@ You can also carry out the processes described in this topic in audit or disable
 
 You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
 
-![](images/np-notif.png)
+![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png)
  
  
  ## Review Network protection events in Windows Event Viewer

windows/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md

@@ -47,7 +47,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 
 ### Import an existing XML custom view
 
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropraite file to an easily accessible location. The following filenames are each of the custom views:
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views:
     -  Controlled folder access events custom view: *cfa-events.xml*
     -  Exploit protection events custom view: *ep-events.xml*
     -  Attack surface reduction events custom view: *asr-events.xml*
@@ -57,7 +57,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 
 3. On the left panel, under **Actions**, click **Import Custom View...**
 
-    ![](images/events-import.gif)
+    ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
 
 4. Navigate to where you extracted XML file for the custom view you want and select it. 
 
@@ -73,7 +73,7 @@ You can also manually navigate to the event area that corresponds to the Windows
 
 3. On the left panel, under **Actions**, click **Create Custom View...**
 
-    ![](images/events-create.gif)
+    ![Animation highlighting the create cusomt view option on the Event viewer window ](images/events-create.gif)
 
 4. Go to the XML tab and click **Edit query manually**. You'll see a warning that you won't be able to edit the query using the **Filter** tab if you use the XML option. Click **Yes**.