diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index e4a1e510ea..07690733e7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -18,7 +18,7 @@ ms.date: 8/27/2020
ms.technology: mde
---
-## Understanding Application Control event tags
+# Understanding Application Control event tags
Windows Defender Application Control (WDAC) events include a number of fields which provide helpful troubleshooting information to figure out exactly what an event means. Below, we have documented the values and meanings for a few useful event tags.
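Review bot: promoting "Understanding Application Control event tags" from `##` to `#` is only correct if the page has no other H1 and the remaining sections stay at `##` so the hierarchy still nests; the new "Microsoft Root CAs trusted by Windows" section added later in this diff is `##`, which is consistent, but please confirm the other existing sections were not left at a level that now sits above their parent.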
@@ -91,3 +91,32 @@ Represents why verification failed, or if it succeeded.
| 26 | Explicitly denied by WADC policy |
| 27 | The signing chain appears to be tampered/invalid |
| 28 | Resource page hash mismatch |
+
+## Microsoft Root CAs trusted by Windows
+
+The rule means trust anything signed by a cert that chains to this root CA. Enums without values start at 0, and increment by 1 as you go down the below list.
+
+typedef enum _MINCRYPT_KNOWN_ROOT_ID {
+ MincryptKnownRootNone, <-- 0
+ MincryptKnownRootUnknown,
+ MincryptKnownRootSelfsigned,
+ MincryptKnownRootMicrosoftAuthenticodeRoot,
+ MincryptKnownRootMicrosoftProductRoot1997,
+ MincryptKnownRootMicrosoftProductRoot2001,
+ MincryptKnownRootMicrosoftProductRoot2010,
+ MincryptKnownRootMicrosoftStandardRoot2011,
+ MincryptKnownRootMicrosoftCodeVerificationRoot2006,
+ MincryptKnownRootMicrosoftTestRoot1999,
+ MincryptKnownRootMicrosoftTestRoot2010,
+ MincryptKnownRootMicrosoftDMDTestRoot2005,
+ MincryptKnownRootMicrosoftDMDRoot2005,
+ MincryptKnownRootMicrosoftDMDPreviewRoot2005,
+ MincryptKnownRootMicrosoftFlightRoot2014,
+ MincryptKnownRootMicrosoftThirdPartyMarketplaceRoot,
+ MincryptKnownRootMicrosoftEccTestingRootCa2017,
+ MincryptKnownRootMicrosoftEccDevelopmentRootCa2018,
+ MincryptKnownRootMicrosoftEccProductRootCa2018,
+ MincryptKnownRootMicrosoftEccDevicesRootCa2017,
+} MINCRYPT_KNOWN_ROOT_ID, *PMINCRYPT_KNOWN_ROOT_ID;
+
+For well-known roots, the TBS hashes for the certificates are baked into the code for WDAC. For example, they don’t need to be listed as TBS hashes in the policy file.
\ No newline at end of file
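Review bot: the `typedef enum _MINCRYPT_KNOWN_ROOT_ID { ... }` block is inserted as bare text, so Markdown will collapse it into one run-on paragraph; wrap it in a fenced code block tagged `c`, and replace the non-C annotation `MincryptKnownRootNone, <-- 0` with a real comment such as `MincryptKnownRootNone, // 0` so the block is valid C and renders as intended. Two wording issues in the prose: "The rule means trust anything signed by a cert that chains to this root CA" never says which rule or event field is meant, so say which event field carries this enum value and what a rule keyed on it grants; and in the last paragraph "For example, they don't need to be listed as TBS hashes in the policy file" is a consequence, not an example, so "For example" should be "As a result". The heading "Microsoft Root CAs trusted by Windows" also overstates the list, since it contains `MincryptKnownRootNone`, `MincryptKnownRootUnknown`, `MincryptKnownRootSelfsigned` and several test roots; a heading like "Known root ID values" would match the contents. While here, the context line `| 26 | Explicitly denied by WADC policy |` misspells WDAC and could be fixed in the same change, and the file should end with a newline.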