diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index d48d5da38b..a28ab4ca3e 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -397,6 +397,17 @@ The following GPO snippet performs the following tasks:
 
 ![configure event channels.](images/capi-gpo.png)
 
+The following table also contains the six actions to configure in the GPO:
+
+| Program/Script                     | Arguments                                                                                                |
+|------------------------------------|----------------------------------------------------------------------------------------------------------|
+| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true                                                           |
+| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768                                                     |
+| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768                                               |
+| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
+| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true                                     |
+| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896                                |
+
 ## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
 
 Here are the minimum steps for WEF to operate:
@@ -655,4 +666,4 @@ You can get more info with the following links:
 -   [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
 -   [Event Query Schema](/windows/win32/wes/queryschema-schema)
 -   [Windows Event Collector](/windows/win32/wec/windows-event-collector)
--   [4625(F): An account failed to log on](./auditing/event-4625.md)
\ No newline at end of file
+-   [4625(F): An account failed to log on](./auditing/event-4625.md)