From 5b6bba426c4fdb739f1febd77978c6906ad3f458 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Tue, 16 Apr 2019 16:00:43 -0700
Subject: [PATCH 1/5] Update
 respond-file-alerts-windows-defender-advanced-threat-protection.md

add hex
---
 ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index e5f643f908..a15f907fa2 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -258,6 +258,10 @@ If you encounter a problem when trying to submit a file, try each of the followi
   a. Change the following registry entry and values to change the policy on specific machines:
  ```
 HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+AllowSampleCollection (dword) 1 (hex)
+
+
+Where: 
   Value = 0 – block sample collection
   Value = 1 – allow sample collection
 ```

From 240c73c3916a67077a1710757d06a7ae4ca7d706 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 18 Apr 2019 16:55:13 -0700
Subject: [PATCH 2/5] update error

---
 ...alerts-windows-defender-advanced-threat-protection.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index a15f907fa2..a482be899c 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -257,11 +257,10 @@ If you encounter a problem when trying to submit a file, try each of the followi
 
   a. Change the following registry entry and values to change the policy on specific machines:
  ```
-HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-AllowSampleCollection (dword) 1 (hex)
-
-
-Where: 
+Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+Name: AllowSampleCollection 
+Type: DWORD 
+Value: 
   Value = 0 – block sample collection
   Value = 1 – allow sample collection
 ```

From f1e7de83818af4e0c39a73c220691a877efe2200 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 18 Apr 2019 16:58:25 -0700
Subject: [PATCH 3/5] Update
 respond-file-alerts-windows-defender-advanced-threat-protection.md

---
 ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index a482be899c..e8a6fb62e1 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -260,7 +260,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
 Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
 Name: AllowSampleCollection 
 Type: DWORD 
-Value: 
+Hexadecimal value : 
   Value = 0 – block sample collection
   Value = 1 – allow sample collection
 ```

From 639f826369a79caabe6919e6dfe3ef6edae356e8 Mon Sep 17 00:00:00 2001
From: Joey Caparas <macapara@microsoft.com>
Date: Thu, 18 Apr 2019 17:02:45 -0700
Subject: [PATCH 4/5] Update
 respond-file-alerts-windows-defender-advanced-threat-protection.md

---
 ...ows-defender-advanced-threat-protection.md | 21 ++++++++-----------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index e8a6fb62e1..544077f49b 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -253,22 +253,19 @@ If you encounter a problem when trying to submit a file, try each of the followi
 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
 2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
 3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-4. Verify the policy setting enables sample collection and try to submit the file again.
+4. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
 
-  a. Change the following registry entry and values to change the policy on specific machines:
- ```
-Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-Name: AllowSampleCollection 
-Type: DWORD 
-Hexadecimal value : 
-  Value = 0 – block sample collection
-  Value = 1 – allow sample collection
-```
+    ```
+    Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+    Name: AllowSampleCollection 
+    Type: DWORD 
+    Hexadecimal value : 
+      Value = 0 – block sample collection
+      Value = 1 – allow sample collection
+    ```
 5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
 
-> [!NOTE]
-> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
 
 ## Related topic
 - [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)

From cacc4365f50074a579ecf1d885c11b0496a434be Mon Sep 17 00:00:00 2001
From: lomayor <louie.mayor@microsoft.com>
Date: Fri, 19 Apr 2019 10:28:57 -0700
Subject: [PATCH 5/5] Update attack-surface-reduction-exploit-guard.md

---
 .../attack-surface-reduction-exploit-guard.md | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index e16b905b59..5bfe2c6ba4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -63,22 +63,22 @@ Event ID | Description
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:
 
-Rule name | GUID
--|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Rule name | GUID | File & folder exclusions
+-|-|-
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported
+Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported
+Block Office applications from creating executable content  | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported
+Block execution of potentially obfuscated scripts  | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported
+Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported
+Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
+Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
+Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
 
 Each rule description indicates which apps or file types the rule applies to. In general, the rules for Office apps apply to only Word, Excel, PowerPoint, and OneNote, or they apply to Outlook. Except where specified, attack surface reduction rules don't apply to any other Office apps.