added that wilcards are supported for apps only

windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md

@@ -31,17 +31,13 @@ You can enable controlled folder access by using any of the these methods:
 - [Group Policy](#group-policy)
 - [PowerShell](#powershell)
 
-[Audit mode](#evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
+[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
 
->[!NOTE]
+Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
->The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**.
+- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+- System Center Endpoint Protection **Allow users to add exclusions and overrides**
->If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+
-><p>
+For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
->Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
->- Windows Defender Antivirus **Configure local administrator merge behavior for lists**
->- System Center Endpoint Protection **Allow users to add exclusions and overrides**
->For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged).
 
 ## Windows Security app
 
@@ -51,6 +47,10 @@ You can enable controlled folder access by using any of the these methods:
 
 3. Set the switch for **Controlled folder access** to **On**.
 
+>[!NOTE]
+>If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device.
+>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**.
+
 ## Intune
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
@@ -60,6 +60,8 @@ You can enable controlled folder access by using any of the these methods:
 1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. 
 1. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection and click **Add**. 
    ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
+   >[!NOTE]
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. 
 1. Click **OK** to save each open blade and click **Create**. 
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.