Merged PR 4747: wdeg updates

1. Explain NOTSET when using PS for system-level EP mitigations
2. Explain how CFA will show its state in the UI when configured with PS/GP
3. Explain that you can't convert EMET default XMLs, you have to import them to EMET first
4. Describe how to enable MandatoryASLR
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-11-30 22:44:26 +00:00
commit c1a25f131d
3 changed files with 38 additions and 3 deletions

View File

@ -185,7 +185,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overriden.
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
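Review bot: in the unchanged context on the last line of this hunk, `-Name` is called a cmdlet; it is a parameter of `Get-ProcessMitigation`, and the phrase "add the `-Name` cmdlet and app exe" also leaves out that the value is the executable's file name. Suggest: "add the `-Name` parameter followed by the app's executable name (for example `Get-ProcessMitigation -Name processName.exe`) to see mitigations for just that app", which matches the example that follows in the next hunk. The overriden to overridden fix is fine.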
@ -194,6 +194,15 @@ Exporting the configuration as an XML file allows you to copy the configuration
Get-ProcessMitigation -Name processName.exe
```
>[!IMPORTANT]
>System-level mitigations that have not been configured will show a status of `NOTSET`.
>
>For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
>
>For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
>
>The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app).
Use `Set` to configure each mitigation in the following format:
```PowerShell
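Review bot: the first line of the new IMPORTANT note ("System-level mitigations that have not been configured will show a status of `NOTSET`") is a special case of the line that follows it and, read on its own, suggests `NOTSET` is particular to system-level settings, which the app-level line then contradicts. Suggest replacing it with a level-neutral statement such as "Mitigations that have not been explicitly configured show a status of `NOTSET`" and keeping the two lines that explain what `NOTSET` means at each level. It would also help the reader if the app-level line made the consequence explicit: because an app-level `NOTSET` means the system-level setting is applied, changing the system-level value later changes the effective protection for every app that still shows `NOTSET` for that mitigation.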

View File

@ -49,6 +49,12 @@ You can enable Controlled folder access with the Windows Defender Security Cente
For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md).
>[!NOTE]
>The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**.
>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device.
>If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**, as protection offered by the feature will not work.
>See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works.
### Use the Windows Defender Security app to enable Controlled folder access
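Review bot: the third line of the new NOTE is ambiguous: "the state will change in the Windows Defender Security Center app after a restart of the device" can be read as the setting itself not taking effect until a restart, rather than only the app's display catching up. Please say which. On the fourth line, "as protection offered by the feature will not work" reads as if audit mode is broken; suggest "because audit mode only records what would have been blocked and does not block anything", which is also what the linked audit topic describes. Finally, the four sentences run together in one `>` paragraph; separating them with `>` blank lines, as the Exploit protection IMPORTANT note in this PR does, would make the Audit mode / Off behaviour stand out.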

View File

@ -59,10 +59,13 @@ The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample
Before you export a configuration file, you need to ensure you have the correct settings.
You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instrucitons for configuring mitigations.
You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instructions for configuring mitigations.
When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell.
### Use the Windows Defender Security Center app to export a configuration file
@ -114,6 +117,7 @@ After importing, the settings will be instantly applied and can be reviewed in t
Change `filename` to the location and name of the Exploit protection XML file.
>[!IMPORTANT]
>
>Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first.
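Review bot: the last line of this hunk is a comma splice ("You cannot directly import an EMET configuration file, you must convert it first"); suggest "You cannot directly import an EMET configuration file; convert it first using the steps below", since the conversion procedure follows immediately in this topic.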
@ -123,6 +127,15 @@ You can convert an existing EMET configuration file to the new format used by Ex
You can only do this conversion in PowerShell.
>[!WARNING]
>
>You cannot directly convert the default EMET configuration files that are distributed with EMET. These files are intended to help set up EMET for a first-time user. Attempting to directly convert these files into an Exploit protection configuration file will not work.
>
>However, if you want to apply the same settings as in the default EMET configuration files, you must first import the default configuration file into EMET, then export the settings to a new file.
>
>You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet:
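Review bot: "However" at the start of the third WARNING paragraph introduces a contrast that is not there; that paragraph continues the instruction rather than qualifying the previous one. Suggest "To apply the same settings as the default EMET configuration files, first import the default file into EMET, then export the settings to a new file." Also, "Attempting to directly convert these files ... will not work" gives the reader nothing to recognize: if the cmdlet reports an error or produces an empty or invalid output file, state which, so someone who tries it anyway can tell that this is the cause rather than a problem with their own file.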
@ -132,6 +145,13 @@ You can only do this conversion in PowerShell.
Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use.
>[!IMPORTANT]
>
>If you have enabled Mandatory ASLR for any apps in EMET, export the EMET settings to an XML file, and then convert the XML file into an Exploit protection configuration file, you will need to manually edit the converted XML file to ensure the Mandatory ASLR mitigation setting is correctly configured:
>
> 1. Open the PowerShell-converted XML file in a text editor.
> 2. Search for `ASLR ForceRelocateImages="false"` and change it to `ASLR ForceRelocateImages="true"` for each app that you want Mandatory ASLR to be enabled.
## Manage or deploy a configuration
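Review bot: the new IMPORTANT note stops at step 2 and never says what to do with the edited file; add a step 3 directing the reader to import the edited XML using the import procedure earlier in this topic (the section that states "After importing, the settings will be instantly applied"), otherwise the manual edit has no effect. The search string `ASLR ForceRelocateImages="false"` also assumes a particular attribute order and spacing in the converted XML; searching for `ForceRelocateImages="false"` alone is more robust. Finally, step 2 says to set the value to `true` "for each app that you want Mandatory ASLR to be enabled", but the converted file does not tell the reader which apps had Mandatory ASLR in EMET; suggest adding that they compare against the exported EMET XML to identify those apps.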