From f3ab131595dfeee8ca29fc620d6d6ab63804b8a5 Mon Sep 17 00:00:00 2001
From: "Andrea Bichsel (Aquent LLC)" <v-anbic@microsoft.com>
Date: Fri, 29 Jun 2018 11:03:34 -0700
Subject: [PATCH] Added notes, incorporated review comments.

---
 .../attack-surface-reduction-exploit-guard.md               | 6 ++++++
 .../customize-attack-surface-reduction.md                   | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 1e25be6fc4..a977673685 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -179,10 +179,16 @@ This rule attempts to block Office files that contain macro code that is capable
 This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list:
  
 - Executable files (such as .exe, .dll, or .scr) 
+
+>[NOTE!]
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
  
 ### Rule: Use advanced protection against ransomware
  
 This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list.
+
+>[NOTE!]
+>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
  
 ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index 345e29bb18..0732ac1826 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -76,7 +76,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv
 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
 Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-no.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
 
 
 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.