Commit 6850efc

Update enable-attack-surface-reduction.md
1 parent d01c60d commit 6850efc

1 file changed

+3
-4
lines changed

defender-endpoint/enable-attack-surface-reduction.md

Lines changed: 3 additions & 4 deletions
@@ -87,14 +87,14 @@ Enterprise-level management such as Intune or Microsoft Configuration Manager is
8787
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an attack surface reduction rule determines the file or folder contains malicious behavior, it doesn't block the file from running.
8888

8989
> [!IMPORTANT]
90-
> Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files will be allowed to run, and no report or event will be recorded. If attack surface reduction rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-attack-surface-reduction-rules-using-audit).
90+
> Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Excluded files are allowed to run, and no report or event are recorded. If attack surface reduction rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](attack-surface-reduction-rules-deployment-test.md#step-1-test-attack-surface-reduction-rules-using-audit).
9191
An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service continues to trigger events until the service is stopped and restarted.
9292

9393
When adding exclusions, keep these points in mind:
9494

9595
* Exclusions are typically based on individual files or folders (using folder paths or the full path of the file to be excluded).
9696
* Exclusion paths can use environment variables and wildcards. See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists)
97-
* When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it is possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions).
97+
* When deployed through group policy or PowerShell, exclusions apply to all attack surface reduction rules. Using Intune, it's possible to configure an exclusion for a specific attack surface reduction rule. See [Configure attack surface reduction rules per-rule exclusions](attack-surface-reduction-rules-deployment-test.md#configure-attack-surface-reduction-per-rule-exclusions).
9898

9999
* Exclusions can be added based on certificate and file hashes, by allowing specified Defender for Endpoint file and certificate indicators. See [Overview of indicators](indicators-overview.md).
100100

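Review bot: The added line 90 has a subject-verb mismatch in "no report or event are recorded"; with two singular nouns joined by "or" it should read "no report or event is recorded". This is the sentence that tells administrators an excluded file runs without leaving any report or event, so the wording should be unambiguous. The line 97 change to "it's possible" is fine as is.
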
@@ -132,8 +132,7 @@ The following procedures for enabling attack surface reduction rules include ins
132132
### Intune
133133

134134
> [!IMPORTANT]
135-
> If using Intune on Windows Server 2012 R2 and Windows Server 2016 unified version.
136-
> You need to set these to "Not Configured", since they are not supported on these OS'es, otherwise, the policies will fail to apply:
135+
> If using Intune on Windows Server 2012 R2 and Windows Server 2016 unified version, you need to set these to `Not Configured`, because they're not not supported on these OS versions. Otherwise, the following policies fail to apply:
137136
> - Block persistence through Windows Management Instrumentation (WMI) event subscription
138137
> - Block JavaScript or VBScript from launching downloaded executable content
139138
> - Use advanced protection against ransomware
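
Review bot: The added line 135 contains a doubled negative, "they're not not supported", which reads as the opposite of the removed text ("they are not supported"); drop one "not". After the merge, "set these to `Not Configured`" also has no antecedent before the list, and "Otherwise, the following policies fail to apply:" makes the three bullets read as the policies that fail rather than as the settings to leave unconfigured. Consider wording such as "set the following rules to `Not Configured`, because they're not supported on these OS versions; otherwise the policies fail to apply:" so the list clearly names what to leave unset.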