diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 849d3ce821..b1da16e27a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -41,6 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 |--------|-----------|
 | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
 | 8029 | Block script/MSI file |
+| 8036| COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs |
 | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
 
 ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events
@@ -108,7 +109,7 @@ A list of other relevant event IDs and their corresponding description.
 | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | 
 | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
 | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
-| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
+| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. |
 | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | 
 | 3097 | The Code Integrity policy cannot be refreshed. | 
 | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index d6e4970eb9..f110ba66c4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
 You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
 
 >[!NOTE]
->We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy.
+>For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher.
 
 ## More information about hashes