diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
index dbc2f8af22..4874e16c5e 100644
--- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
+++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md
@@ -196,163 +196,84 @@ allowed by Filter \#125918 which is from the InternetClient Default Rule.
**InternetClient Default Rule Filter \#125918, Wfpdiag-Case-1.xml**
```
\
-
> \{3389708e-f7ae-4ebc-a61a-f659065ab24e}\
-
> \
-
> \InternetClient Default Rule\
-
> \InternetClient Default Rule\
-
> \
-
> \
-
> \FWPM_PROVIDER_MPSSVC_WSH\
-
> \
-
> \ad2b000000000000\
-
> \.+......\
-
> \
-
> \FWPM_LAYER_ALE_AUTH_CONNECT_V6\
-
> \FWPM_SUBLAYER_MPSSVC_WSH\
-
> \
-
> \FWP_EMPTY\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_PACKAGE_ID\
-
> \FWP_MATCH_NOT_EQUAL\
-
> \
-
> \FWP_SID\
-
> \S-1-0-0\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_IP_REMOTE_ADDRESS\
-
> \FWP_MATCH_RANGE\
-
> \
-
> \FWP_RANGE_TYPE\
-
> \
-
> \
-
> \FWP_BYTE_ARRAY16_TYPE\
-
> \::\
-
> \
-
> \
-
> \FWP_BYTE_ARRAY16_TYPE\
-
> \ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\
-
> \
-
> \
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_CURRENT_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_USER_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_SECURITY_DESCRIPTOR_TYPE\
-
> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\
-
> \
-
> \
-
> \
-
> \
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
> \0\
-
> \
-
> \125918\
-
> \
-
> \FWP_UINT64\
-
> \103079219136\
-
> \
-
\
```
One condition is
@@ -360,19 +281,12 @@ One condition is
**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**
```
\
-
> \FWPM_CONDITION_ALE_USER_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_SECURITY_DESCRIPTOR_TYPE\
-
> \O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)\
-
> \
-
\
```
which is the condition for checking capabilities in this filter.
@@ -381,15 +295,12 @@ The important part of this condition is S-1-15-3-1, which is the capability SID
for INTERNET_CLIENT privileges.
From the netEvent’s capabilities section,
-```
+
Capabilities from netEvent, Wfpdiag-Case-1.xml
-
+```
\
-
> **\FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\** \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\
-
\FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\
-
\
```
it shows the packet came from an app with an Internet client token
@@ -665,842 +576,439 @@ In this example, the UWP app is unable to reach the Intranet target address,
10.50.50.50, because it does not have a Private Network capability.
**Classify Drop netEvent, Wfpdiag-Case-4.xml**
-
+```
\
-
\
-
> \2020-05-22T21:29:28.601Z\
-
> \
-
> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\
-
> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\
-
> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\
-
> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\
-
> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\
-
> \FWPM_NET_EVENT_FLAG_APP_ID_SET\
-
> \FWPM_NET_EVENT_FLAG_USER_ID_SET\
-
> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\
-
> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\
-
> \
-
> \FWP_IP_VERSION_V4\
-
> \6\
-
> \10.216.117.17\
-
> \10.50.50.50\
-
> \52998\
-
> \53\
-
> \0\
-
> \
-
> \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\
-
> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\
-
> \
-
> \S-1-5-21-2993214446-1947230185-131795049-1000\
-
> \FWP_AF_INET\
-
> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\
-
> \
-
> \0\
-
> \
-
\
-
> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\
-
> \
-
> \121180\
-
> \48\
-
> \0\
-
> \1\
-
> \1\
-
> \MS_FWP_DIRECTION_OUT\
-
> \false\
-
> \
-
> \0\
-
> \0\
-
\
-
\
-
> \
-
> \0000000000000000\
-
> \
-
> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT\
-
> \FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER\
-
> \
-
> \0\
-
> \
-
> \
-
> \
-
> \121180\
-
> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\
-
> \FWP_ACTION_BLOCK\
-
> \
-
> \
-
> \121165\
-
> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
\
-
\
-
+```
## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability
In this example, the UWP app is unable to reach the Intranet target address,
10.1.1.1, even though it has a Private Network capability token.
**Classify Drop netEvent, Wfpdiag-Case-5.xml**
-
+```
\
-
> \
-
> \2020-05-22T20:54:53.499Z\
-
> \
-
> \FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET\
-
> \FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET\
-
> \FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET\
-
> \FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET\
-
> \FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET\
-
> \FWPM_NET_EVENT_FLAG_APP_ID_SET\
-
> \FWPM_NET_EVENT_FLAG_USER_ID_SET\
-
> \FWPM_NET_EVENT_FLAG_IP_VERSION_SET\
-
> \FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET\
-
> \
-
> \FWP_IP_VERSION_V4\
-
> \6\
-
> \10.216.117.17\
-
> \10.1.1.1\
-
> \52956\
-
> \53\
-
> \0\
-
> \
-
> \5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000\
-
> \\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
> .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...\
-
> \
-
> \S-1-5-21-2993214446-1947230185-131795049-1000\
-
> \FWP_AF_INET\
-
> \S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936\
-
> \
-
> \0\
-
> \
-
\
-
> \FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\
-
> \
-
> \121180\
-
> \48\
-
> \0\
-
> \1\
-
> \1\
-
> \MS_FWP_DIRECTION_OUT\
-
> \false\
-
> \
-
> \0\
-
> \0\
-
> \
-
> \
-
> \
-
> \0000000000000000\
-
> \
-
> \FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK\
-
> \
-
> \0\
-
> \
-
> \
-
> \
-
> \121180\
-
> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH\
-
> \FWP_ACTION_BLOCK\
-
> \
-
> \
-
> \121165\
-
> \FWPP_SUBLAYER_INTERNAL_FIREWALL_WF\
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
> \
-
\
-
+```
The following shows the filter that blocked the event:
**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml**
+```
\
-
> \{e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}\
-
> \
-
> \Block Outbound Default Rule\
-
> \Block Outbound Default Rule\
-
> \
-
> \
-
> \FWPM_PROVIDER_MPSSVC_WSH\
-
> \
-
> \c029000000000000\
-
> \.)......\
-
> \
-
> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\
-
> \FWPM_SUBLAYER_MPSSVC_WSH\
-
> \
-
> \FWP_EMPTY\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_PACKAGE_ID\
-
> \FWP_MATCH_NOT_EQUAL\
-
> \
-
> \FWP_SID\
-
> \S-1-0-0\
-
> \
-
> \
-
> \
-
> \
-
> \FWP_ACTION_BLOCK\
-
> \
-
> \
-
> \0\
-
> \
-
> \121180\
-
> \
-
> \FWP_UINT64\
-
> \274877906944\
-
> \
-
\
-
+```
If the target was in the private range, then it should have been allowed by a
PrivateNetwork Outbound Default Rule filter.
-The following PrivateNetwork Outbound Default Rule filters have conditions for
-matching Intranet IP addresses. Since the expected Intranet target address,
-10.1.1.1, is not included in these filters it becomes clear that the address is
-not in the private range. Check the policies which configure the private range
-on the machine (MDM, GP, etc) and make sure it includes the private target
-address you wanted to reach.
+The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address,
+10.1.1.1, is not included in these filters it becomes clear that the address isnot in the private range. Check the policies which configure the private range
+on the machine (MDM, GP, etc) and make sure it includes the private targetaddress you wanted to reach.
**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml**
-
+```
\
-
> \{fd65507b-e356-4e2f-966f-0c9f9c1c6e78}\
-
> \
-
> \PrivateNetwork Outbound Default Rule\
-
> \PrivateNetwork Outbound Default Rule\
-
> \
-
> \
-
> \FWPM_PROVIDER_MPSSVC_WSH\
-
> \
-
> \f22d000000000000\
-
> \.-......\
-
> \
-
> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\
-
> \FWPM_SUBLAYER_MPSSVC_WSH\
-
> \
-
> \FWP_EMPTY\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_PACKAGE_ID\
-
> \FWP_MATCH_NOT_EQUAL\
-
> \
-
> \FWP_SID\
-
> \S-1-0-0\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_IP_REMOTE_ADDRESS\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1.1.1.1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_CURRENT_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_USER_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_SECURITY_DESCRIPTOR_TYPE\
-
> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\
-
> \
-
> \
-
> \
-
> \
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
> \0\
-
> \
-
> \129656\
-
> \
-
> \FWP_UINT64\
-
> \144115600392724416\
-
> \
-
> \
-
> \
-
> \{b11b4f8a-222e-49d6-8d69-02728681d8bc}\
-
> \
-
> \PrivateNetwork Outbound Default Rule\
-
> \PrivateNetwork Outbound Default Rule\
-
> \
-
> \
-
> \FWPM_PROVIDER_MPSSVC_WSH\
-
> \
-
> \f22d000000000000\
-
> \.-......\
-
> \
-
> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\
-
> \FWPM_SUBLAYER_MPSSVC_WSH\
-
> \
-
> \FWP_EMPTY\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_PACKAGE_ID\
-
> \FWP_MATCH_NOT_EQUAL\
-
> \
-
> \FWP_SID\
-
> \S-1-0-0\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_IP_REMOTE_ADDRESS\
-
> \FWP_MATCH_RANGE\
-
> \
-
> \FWP_RANGE_TYPE\
-
> \
-
> \
-
> \FWP_UINT32\
-
> \172.16.0.0\
-
> \
-
> \
-
> \FWP_UINT32\
-
> \172.31.255.255\
-
> \
-
> \
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_CURRENT_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_USER_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_SECURITY_DESCRIPTOR_TYPE\
-
> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\
-
> \
-
> \
-
> \
-
> \
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
> \0\
-
> \
-
> \129657\
-
> \
-
> \FWP_UINT64\
-
> \36029209335832512\
-
> \
-
\
-
\
-
> \{21cd82bc-6077-4069-94bf-750e5a43ca23}\
-
> \
-
> \PrivateNetwork Outbound Default Rule\
-
> \PrivateNetwork Outbound Default Rule\
-
> \
-
> \
-
> \FWPM_PROVIDER_MPSSVC_WSH\
-
> \
-
> \f22d000000000000\
-
> \.-......\
-
> \
-
> \FWPM_LAYER_ALE_AUTH_CONNECT_V4\
-
> \FWPM_SUBLAYER_MPSSVC_WSH\
-
> \
-
> \FWP_EMPTY\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_PACKAGE_ID\
-
> \FWP_MATCH_NOT_EQUAL\
-
> \
-
> \FWP_SID\
-
> \S-1-0-0\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_IP_REMOTE_ADDRESS\
-
> \FWP_MATCH_RANGE\
-
> \
-
> \FWP_RANGE_TYPE\
-
> \
-
> \
-
> \FWP_UINT32\
-
> \192.168.0.0\
-
> \
-
> \
-
> \FWP_UINT32\
-
> \192.168.255.255\
-
> \
-
> \
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ORIGINAL_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_CURRENT_PROFILE_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_UINT32\
-
> \1\
-
> \
-
> \
-
> \
-
> \FWPM_CONDITION_ALE_USER_ID\
-
> \FWP_MATCH_EQUAL\
-
> \
-
> \FWP_SECURITY_DESCRIPTOR_TYPE\
-
> \O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)\
-
> \
-
> \
-
> \
-
> \
-
> \FWP_ACTION_PERMIT\
-
> \
-
> \
-
> \0\
-
> \
-
> \129658\
-
> \
-
> \FWP_UINT64\
-
> \36029209335832512\
-
> \
-
\
-
+```
# Debugging Past Drops
If you are debugging a network drop from the past or from a remote machine, you