diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 59f309b4ab..c6e02becaf 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index d5fb36ac0b..058966943e 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -108,7 +108,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
 
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 49e9d275ab..89f4c7887d 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -88,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 50903ddc26..31b9b673c4 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
 
     a. Click **Endpoint Management** on the **Navigation pane**.
 
-    b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+    b. Click the **Endpoint offboarding** section.
+
+    c. Select **Group Policy**, click **Download package** and save the .zip file.
 
 2.	Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
 
diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png
index ae3d800c69..ed34f9dc65 100644
Binary files a/windows/keep-secure/images/atp-disableantispyware-regkey.png and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 3a2b9f8868..f05e878db5 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -229,22 +229,21 @@ If the verification fails and your environment is using a proxy to connect to th
 
 **Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
 
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
 
-  - ```DisableAntiSpyware```
-  - ```DisableAntiVirus```
+  - DisableAntiSpyware
+  - DisableAntiVirus
 
-  For example, in Group Policy:
+  For example, in Group Policy there should be no entries such as the following values:
 
-  ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
-  ```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
+  - ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
 -  After clearing the policy, run the onboarding steps again on the endpoint.
 
 - You can also check the following registry key values to verify that the policy is disabled:
 
-  1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```.
-  2. Find the value ```DisableAntiSpyware```.
-  3. Ensure that the value is set to 0.
+  1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
+  2. Ensure that the value ```DisableAntiSpyware``` is not present.
 
     ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)