From 50d6f31d180f4ed34dbe69901b238354c0824f58 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 17 Aug 2020 15:45:54 +0500
Subject: [PATCH 1/9] Update run-detection-test.md

---
 .../microsoft-defender-atp/run-detection-test.md                 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
index 0d98b91181..d87232b04b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
@@ -50,3 +50,4 @@ The Command Prompt window will close automatically. If successful, the detection
 ## Related topics
 - [Onboard Windows 10 devices](configure-endpoints.md)
 - [Onboard servers](configure-server-endpoints.md)
+- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)

From d5d43293dd51916276e88898cc24aa5b89a1282b Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Tue, 18 Aug 2020 12:55:27 +0500
Subject: [PATCH 2/9] Comma missing in example

As mentioned in the document that if we are adding a URL without proxy we need to add "," just before the "|". Added this in the documents example section.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7134
---
 .../create-wip-policy-using-intune-azure.md                     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index c1f81c4974..07ac0b55e1 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -456,7 +456,7 @@ contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,conto
 Value format without proxy:
 
 ```code
-contoso.sharepoint.com|contoso.visualstudio.com
+contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
 ```
 
 ### Protected domains

From d307463371e3cea5a25254cbd8779bb6208f0bd8 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Tue, 18 Aug 2020 16:58:16 -0700
Subject: [PATCH 3/9] Update windowsdefenderapplicationguard-csp.md

Updated CSP policy for Edge and Office
---
 .../mdm/windowsdefenderapplicationguard-csp.md           | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 63373c2a34..1732644d9b 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -31,8 +31,11 @@ Turn on Microsoft Defender Application Guard in Enterprise Mode.
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 
 The following list shows the supported values:  
-- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment.
-- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. 
+Options:
+- 0 - Disable Microsoft Defender Application Guard
+- 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
+- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY
+- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments
 
 <a href="" id="clipboardfiletype"></a>**Settings/ClipboardFileType**  
 Determines the type of content that can be copied from the host to Application Guard environment and vice versa. 
@@ -297,4 +300,4 @@ ADMX Info:
 - GP name: *AuditApplicationGuard*
 - GP path: *Windows Components/Microsoft Defender Application Guard*
 - GP ADMX file name: *AppHVSI.admx*
-<!--/ADMXMapped-->
\ No newline at end of file
+<!--/ADMXMapped-->

From 7830b9e9916ca1482eceef9bb3a585d29a201f32 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Thu, 20 Aug 2020 04:46:13 -0700
Subject: [PATCH 4/9] Update windowsdefenderapplicationguard-csp.md

---
 .../mdm/windowsdefenderapplicationguard-csp.md                 | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 1732644d9b..59f3f7c19e 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -30,8 +30,7 @@ Turn on Microsoft Defender Application Guard in Enterprise Mode.
 
 Value type is integer. Supported operations are Add, Get, Replace, and Delete.
 
-The following list shows the supported values:  
-Options:
+The following list shows the supported values:
 - 0 - Disable Microsoft Defender Application Guard
 - 1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
 - 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY

From f980e6fa874c1dc647b81c13e1a3f52c68eaa55d Mon Sep 17 00:00:00 2001
From: TimShererWithAquent <v-tishe@microsoft.com>
Date: Thu, 20 Aug 2020 15:32:28 -0700
Subject: [PATCH 5/9] Edit descirptions for SEO.

---
 windows/security/threat-protection/auditing/event-4626.md | 2 +-
 windows/security/threat-protection/auditing/event-4627.md | 2 +-
 windows/security/threat-protection/auditing/event-4634.md | 2 +-
 windows/security/threat-protection/auditing/event-4647.md | 2 +-
 windows/security/threat-protection/auditing/event-4649.md | 2 +-
 windows/security/threat-protection/auditing/event-4657.md | 2 +-
 windows/security/threat-protection/auditing/event-4658.md | 2 +-
 windows/security/threat-protection/auditing/event-4660.md | 2 +-
 windows/security/threat-protection/auditing/event-4673.md | 2 +-
 windows/security/threat-protection/auditing/event-4675.md | 2 +-
 windows/security/threat-protection/auditing/event-4688.md | 2 +-
 windows/security/threat-protection/auditing/event-4689.md | 2 +-
 windows/security/threat-protection/auditing/event-4698.md | 2 +-
 windows/security/threat-protection/auditing/event-4699.md | 2 +-
 windows/security/threat-protection/auditing/event-4700.md | 2 +-
 windows/security/threat-protection/auditing/event-4701.md | 2 +-
 windows/security/threat-protection/auditing/event-4702.md | 2 +-
 windows/security/threat-protection/auditing/event-4703.md | 2 +-
 windows/security/threat-protection/auditing/event-4704.md | 2 +-
 windows/security/threat-protection/auditing/event-4705.md | 2 +-
 20 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index d0474f5941..afb40575c2 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -1,6 +1,6 @@
 ---
 title: 4626(S) User/Device claims information. (Windows 10)
-description: Describes security event 4626(S) User/Device claims information.
+description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 37bc83b16f..fb47564ea9 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -1,6 +1,6 @@
 ---
 title: 4627(S) Group membership information. (Windows 10)
-description: Describes security event 4627(S) Group membership information.
+description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index c7fd725041..d76dc2df61 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -1,6 +1,6 @@
 ---
 title: 4634(S) An account was logged off. (Windows 10)
-description: Describes security event 4634(S) An account was logged off.
+description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 3cb68ae77c..26bbcd86f8 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -1,6 +1,6 @@
 ---
 title: 4647(S) User initiated logoff. (Windows 10)
-description: Describes security event 4647(S) User initiated logoff.
+description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 0c3b10dff5..4e3a27aebc 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -1,6 +1,6 @@
 ---
 title: 4649(S) A replay attack was detected. (Windows 10)
-description: Describes security event 4649(S) A replay attack was detected.
+description: Describes security event 4649(S) A replay attack was detected. This event is generated when KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index f27a05c4d3..cb009c97df 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -1,6 +1,6 @@
 ---
 title: 4657(S) A registry value was modified. (Windows 10)
-description: Describes security event 4657(S) A registry value was modified.
+description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 1569c43d0f..c461aa3d20 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -1,6 +1,6 @@
 ---
 title: 4658(S) The handle to an object was closed. (Windows 10)
-description: Describes security event 4658(S) The handle to an object was closed.
+description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 7c03634e8e..0823b6ae3e 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -1,6 +1,6 @@
 ---
 title: 4660(S) An object was deleted. (Windows 10)
-description: Describes security event 4660(S) An object was deleted.
+description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index 1caa24d32d..abe71b2e3c 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -1,6 +1,6 @@
 ---
 title: 4673(S, F) A privileged service was called. (Windows 10)
-description: Describes security event 4673(S, F) A privileged service was called.
+description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 20ed1e1911..dd386946d9 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -1,6 +1,6 @@
 ---
 title: 4675(S) SIDs were filtered. (Windows 10)
-description: Describes security event 4675(S) SIDs were filtered.
+description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for specific Active Directory trust.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 55ace9419d..c3c1d955e6 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -1,6 +1,6 @@
 ---
 title: 4688(S) A new process has been created. (Windows 10)
-description: Describes security event 4688(S) A new process has been created.
+description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index cf6f0fce07..81c27d0423 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -1,6 +1,6 @@
 ---
 title: 4689(S) A process has exited. (Windows 10)
-description: Describes security event 4689(S) A process has exited.
+description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 2742b717ce..2158b5855f 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -1,6 +1,6 @@
 ---
 title: 4698(S) A scheduled task was created. (Windows 10)
-description: Describes security event 4698(S) A scheduled task was created.
+description: Describes security event 4698(S) A scheduled task was created. This event is generate when a scheduled task is created.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 280aad111e..35eccf157c 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -1,6 +1,6 @@
 ---
 title: 4699(S) A scheduled task was deleted. (Windows 10)
-description: Describes security event 4699(S) A scheduled task was deleted.
+description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index a53997c7b8..7de372086e 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -1,6 +1,6 @@
 ---
 title: 4700(S) A scheduled task was enabled. (Windows 10)
-description: Describes security event 4700(S) A scheduled task was enabled.
+description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index d1991b0941..efe36fcc4d 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -1,6 +1,6 @@
 ---
 title: 4701(S) A scheduled task was disabled. (Windows 10)
-description: Describes security event 4701(S) A scheduled task was disabled.
+description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 01ef0250a8..4ae828770c 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -1,6 +1,6 @@
 ---
 title: 4702(S) A scheduled task was updated. (Windows 10)
-description: Describes security event 4702(S) A scheduled task was updated.
+description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 9e2056f25d..7483483ea2 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -1,6 +1,6 @@
 ---
 title: 4703(S) A user right was adjusted. (Windows 10)
-description: Describes security event 4703(S) A user right was adjusted.
+description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index 7db8499254..bc3e9d5c3a 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -1,6 +1,6 @@
 ---
 title: 4704(S) A user right was assigned. (Windows 10)
-description: Describes security event 4704(S) A user right was assigned.
+description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index a89086caee..6ee9ed2626 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -1,6 +1,6 @@
 ---
 title: 4705(S) A user right was removed. (Windows 10)
-description: Describes security event 4705(S) A user right was removed.
+description: Describes security event 4705(S) A user right was removed. This event is generated when a user right was removed from an account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy

From 215011719af39ba6d5a253da4e60c084edbd2824 Mon Sep 17 00:00:00 2001
From: TimShererWithAquent <v-tishe@microsoft.com>
Date: Fri, 21 Aug 2020 09:10:18 -0700
Subject: [PATCH 6/9] Additional fixes.

---
 windows/security/threat-protection/auditing/event-4698.md | 2 +-
 windows/security/threat-protection/auditing/event-4705.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 2158b5855f..ba941d6b5d 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -1,6 +1,6 @@
 ---
 title: 4698(S) A scheduled task was created. (Windows 10)
-description: Describes security event 4698(S) A scheduled task was created. This event is generate when a scheduled task is created.
+description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 6ee9ed2626..5b337c9941 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -1,6 +1,6 @@
 ---
 title: 4705(S) A user right was removed. (Windows 10)
-description: Describes security event 4705(S) A user right was removed. This event is generated when a user right was removed from an account.
+description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy

From 5bae6bad193f33fc360be4ab47417a67917dad8f Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich <v-reagie@microsoft.com>
Date: Tue, 25 Aug 2020 10:35:56 -0700
Subject: [PATCH 7/9] Update event-4649.md

---
 windows/security/threat-protection/auditing/event-4649.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 4e3a27aebc..dce0305250 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -1,6 +1,6 @@
 ---
 title: 4649(S) A replay attack was detected. (Windows 10)
-description: Describes security event 4649(S) A replay attack was detected. This event is generated when KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
+description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy

From ea4b9539c1812a9afa93f5277df4046f988a65fa Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich <v-reagie@microsoft.com>
Date: Tue, 25 Aug 2020 10:36:37 -0700
Subject: [PATCH 8/9] Update event-4675.md

---
 windows/security/threat-protection/auditing/event-4675.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index dd386946d9..978d25bf39 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -1,6 +1,6 @@
 ---
 title: 4675(S) SIDs were filtered. (Windows 10)
-description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for specific Active Directory trust.
+description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy

From f05e7f6e490af712a10fecd40df0c1ab84d03de0 Mon Sep 17 00:00:00 2001
From: Gary Moore <v-gmoor@microsoft.com>
Date: Tue, 25 Aug 2020 14:37:29 -0700
Subject: [PATCH 9/9] Spacing, indentation, valid code block types

The complete list of valid types for code blocks is here: https://docsmetadatatool.azurewebsites.net/allowlists/#
---
 .../create-wip-policy-using-intune-azure.md   | 64 ++++++++++---------
 1 file changed, 33 insertions(+), 31 deletions(-)

diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 07ac0b55e1..73946540c5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -129,7 +129,8 @@ If you don't know the Store app publisher or product name, you can find them by
 
 If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
 
->**Note**<br>Your PC and phone must be on the same wireless network.
+> [!NOTE]
+> Your PC and phone must be on the same wireless network.
 
 1. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
@@ -194,19 +195,19 @@ To add another Desktop app, click the ellipsis **…**. After you’ve entered t
  
 If you’re unsure about what to include for the publisher, you can run this PowerShell command:
 
-```ps1
+```powershell
 Get-AppLockerFileInformation -Path "<path_of_the_exe>"
 ```
 
 Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example:
 
-```ps1
+```powershell
 Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"
 ```
 
 In this example, you'd get the following info:
 
-```
+```console
 Path                   Publisher
 ----                   ---------
 %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
@@ -279,22 +280,22 @@ For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com
     This is the XML file that AppLocker creates for Microsoft Dynamics 365.
 
     ```xml
-        <?xml version="1.0"?>
-        <AppLockerPolicy Version="1">
-            <RuleCollection EnforcementMode="NotConfigured" Type="Appx">
-                <FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
-                    <Conditions>
-                        <FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
-                            <BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
-                        </FilePublisherCondition>
-                    </Conditions>
-                </FilePublisherRule>
-            </RuleCollection>
-            <RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
-            <RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
-            <RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
-            <RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
-        </AppLockerPolicy>
+    <?xml version="1.0"?>
+    <AppLockerPolicy Version="1">
+        <RuleCollection EnforcementMode="NotConfigured" Type="Appx">
+            <FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
+                <Conditions>
+                    <FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
+                        <BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
+                    </FilePublisherCondition>
+                </Conditions>
+            </FilePublisherRule>
+        </RuleCollection>
+        <RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
+        <RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
+        <RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
+        <RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
+    </AppLockerPolicy>
     ```
 
 12. After you’ve created your XML file, you need to import it by using Microsoft Intune.
@@ -335,6 +336,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 12. After you’ve created your XML file, you need to import it by using Microsoft Intune.
 
+
 **To import a list of protected apps using Microsoft Intune**
 
 1. In **Protected apps**, click **Import apps**.
@@ -428,7 +430,7 @@ Separate multiple resources with the "|" delimiter.
 If you don’t use proxy servers, you must also include the "," delimiter just before the "|". 
 For example: 
 
-```code
+```console
 URL <,proxy>|URL <,proxy>
 ```
 
@@ -441,7 +443,7 @@ In this case, Windows blocks the connection by default.
 To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. 
 For example: 
 
-```code
+```console
 URL <,proxy>|URL <,proxy>/*AppCompat*/
 ```
 
@@ -449,13 +451,13 @@ When you use this string, we recommend that you also turn on [Azure Active Direc
 
 Value format with proxy:
 
-```code
+```console
 contoso.sharepoint.com,contoso.internalproxy1.com|contoso.visualstudio.com,contoso.internalproxy2.com
 ```
 
 Value format without proxy:
 
-```code
+```console
 contoso.sharepoint.com,|contoso.visualstudio.com,|contoso.onedrive.com
 ```
 
@@ -465,7 +467,7 @@ Specify the domains used for identities in your environment.
 All traffic to the fully-qualified domains appearing in this list will be protected.
 Separate multiple domains with the "|" delimiter.
 
-```code
+```console
 exchange.contoso.com|contoso.com|region.contoso.com
 ```
 
@@ -475,7 +477,7 @@ Specify the DNS suffixes used in your environment.
 All traffic to the fully-qualified domains appearing in this list will be protected.
 Separate multiple resources with the "," delimiter.
 
-```code
+```console
 corp.contoso.com,region.contoso.com
 ```
 
@@ -488,7 +490,7 @@ This list shouldn’t include any servers listed in your Internal proxy servers
 Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 
-```code
+```console
 proxy.contoso.com:80;proxy2.contoso.com:443
 ```
 
@@ -500,7 +502,7 @@ This list shouldn’t include any servers listed in your Proxy servers list.
 Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
 Separate multiple resources with the ";" delimiter.
 
-```code
+```console
 contoso.internalproxy1.com;contoso.internalproxy2.com
 ```
 
@@ -539,7 +541,7 @@ Specify your authentication redirection endpoints for your company.
 These locations are considered enterprise or personal, based on the context of the connection before the redirection.
 Separate multiple resources with the "," delimiter.
 
-```code
+```console
 sts.contoso.com,sts.contoso2.com
 ```
 
@@ -597,8 +599,8 @@ After you've decided where your protected apps can access enterprise data on you
         
 - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
 
->[!NOTE]
->Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
+  > [!NOTE]
+  > Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
 
 **Allow Windows Search Indexer to search encrypted files.** Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.