diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 3b17d0a161..c71d3ab6c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/16/2018 --- # Review event logs and error codes to troubleshoot issues with Windows Defender AV @@ -1377,6 +1377,60 @@ User action: No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis. + + +Event ID: 1151 + + +Symbolic name: + + +MALWAREPROTECTION_SERVICE_HEALTH_REPORT + + + + +Message: + + +Endpoint Protection client health report (time in UTC) + + + + + +Description: + + +Windows Defender client health report. +
+
Platform Version: <Current platform version>
+
Engine Version: <Antimalware Engine version>
+
Network Realtime Inspection engine version: <Network Realtime Inspection engine version>
+
Antivirus signature version: <Antivirus signature version>
+
Antispyware signature version: <Antispyware signature version>
+
Network Realtime Inspection signature version: <Network Realtime Inspection signature version>
+
RTP state: <Realtime protection state> (Enabled or Disabled)
+
OA state: <On Access state> (Enabled or Disabled)
+
IOAV state: <IE Downloads and Outlook Express Attachments state> (Enabled or Disabled)
+
BM state: <Behavior Monitoring state> (Enabled or Disabled)
+
Antivirus signature age: <Antivirus signature age> (in days)
+
Antispyware signature age: <Antispyware signature age> (in days)
+
Last quick scan age: <Last quick scan age> (in days)
+
Last full scan age: <Last full scan age> (in days)
+
Antivirus signature creation time: ?<Antivirus signature creation time>
+
Antispyware signature creation time: ?<Antispyware signature creation time>
+
Last quick scan start time: ?<Last quick scan start time>
+
Last quick scan end time: ?<Last quick scan end time>
+
Last quick scan source: <Last quick scan source> (1 = scheduled, 2 = on demand)
+
Last full scan start time: ?<Last full scan start time>
+
Last full scan end time: ?<Last full scan end time>
+
Last full scan source: <Last full scan source> (1 = scheduled, 2 = on demand)
+
Product status: For internal troubleshooting +
+ + + Event ID: 2000 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index 9768e44f92..33dbf70047 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -9,9 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: iaanw -ms.author: iawilt -ms.date: 11/20/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 04/16/2018 --- @@ -100,6 +100,8 @@ Event ID | Description 5007 | Event when settings are changed 1124 | Audited Controlled folder access event 1123 | Blocked Controlled folder access event +1127 | Blocked Controlled folder access sector write block event +1128 | Audited Controlled folder access sector write block event ## Use audit mode to measure impact diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 687dea2866..ed651cfc93 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -8,10 +8,10 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.date: 12/12/2017 +ms.date: 04/16/2018 localizationpriority: medium -author: iaanw -ms.author: iawilt +author: andreabichsel +ms.author: v-anbic --- 
@@ -190,6 +190,8 @@ Network protection | Windows Defender (Operational) | 1126 | Event when Network Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event +Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event +Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode \ No newline at end of file
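Review bot: In the Event ID 1151 entry added to troubleshoot-windows-defender-antivirus.md, the six timestamp fields (both signature creation times and the quick and full scan start and end times) carry a stray "?" before the placeholder, as in "Antivirus signature creation time: ?<Antivirus signature creation time>". It reads like a character lost in conversion rather than part of the event text, so remove it or say what it stands for. The Message row also says "Endpoint Protection client health report" while the Description says "Windows Defender client health report"; if the first is the literal event string, say so, otherwise use one product name. Unlike the preceding entry in the context lines, this entry has no "User action" text, so a reader cannot tell whether a Disabled RTP state or a high signature age in this report calls for any action.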
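Review bot: In the event table of evaluate-controlled-folder-access.md, the two added rows list the Blocked event (1127) before the Audited event (1128), while the existing pair above them lists Audited (1124) before Blocked (1123). Keep one order so the rows can be compared at a glance. The descriptions also repeat the word "block" ("Blocked Controlled folder access sector write block event") and do not say what a sector write is. Something like "Blocked Controlled folder access sector write event", with a short explanation of sector writes near the table, would be easier to act on when these IDs appear in the log.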
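Review bot: The rows for 1127 and 1128 added to the table in event-views-exploit-guard.md duplicate the descriptions from evaluate-controlled-folder-access.md word for word, so any rewording has to be made in both files or the two tables will drift apart. The file also still ends with "\ No newline at end of file" after the 1121 row; since this hunk already edits the end of the table, add the trailing newline here.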
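Review bot: In the front-matter hunks, the first file's context shows "ms.localizationpriority: medium" while the two Exploit Guard files show "localizationpriority: medium" without the "ms." prefix. The change already touches the adjacent author and ms.date lines in all three files, so confirm which key is intended and align them in the same pass.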