Update enable-troubleshooting-mode.md

Update section for events that are being generated when changing settings in troubleshooting mode

Author: gh-andrem

defender-endpoint/enable-troubleshooting-mode.md

@@ -62,7 +62,9 @@ During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc
 
   - Logs and snapshots are collected and are available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Microsoft doesn't remove this data from the device until an admin has collected it.
 
-- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device page.
+- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device itself.
+  - `Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational`
+  - Potential events may be event ID 5000, 5001, 5004, 5007 and others. See more details at [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus#event-id-5000).
 
 - Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 4 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode.