Generalize WDAC main topic to cover app control

jsuther1974 2019-11-05 08:44:26 -08:00
parent 48fcc697e4
commit 00c804988d
3 changed files with 60 additions and 55 deletions

View File

@ -80,12 +80,6 @@ The following are examples of scenarios in which AppLocker can be used:
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## System requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
AppLocker rules can be created on domain controllers.
## Installing AppLocker ## Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
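Review bot: Removing the "System requirements" section from the AppLocker overview drops two statements that the replacement topic does not carry over: that Group Policy is required to distribute GPOs containing AppLocker policies, and that AppLocker rules can be created on domain controllers. The new Application Control topic keeps only the link to requirements-to-use-applocker.md and the sentence "AppLocker policies can be deployed using Group Policy or MDM." Consider leaving a one-line pointer to [Requirements to Use AppLocker](requirements-to-use-applocker.md) in this overview so readers arriving here still find the supported-version and domain-controller details.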

View File

@ -1,6 +1,6 @@
--- ---
title: Windows Defender Application Control (WDAC) (Windows 10) title: Application Control for Windows
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10 ms.prod: w10
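Review bot: The new title "Application Control for Windows" drops the "(Windows 10)" suffix that the other front matter in this docset uses (compare the deleted file's "Windows Defender Device Guard and AppLocker (Windows 10)"), so the docset titles become inconsistent; either keep the suffix or confirm the convention changed. Since the topic now covers both technologies, the unchanged `keywords: whitelisting, security, malware` line should also gain `applocker` so the page is findable under its second subject.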
@ -17,7 +17,7 @@ manager: dansimp
ms.date: 01/08/2019 ms.date: 01/08/2019
--- ---
# Windows Defender Application Control # Application Control
**Applies to:** **Applies to:**
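Review bot: The H1 is rewritten and the body below is substantially restructured, but `ms.date: 01/08/2019` is left untouched in the preceding hunk; a rewrite of this size should bump ms.date so the published page reflects when the content last changed.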
@ -25,36 +25,77 @@ ms.date: 01/08/2019
- Windows Server 2016 - Windows Server 2016
- Windows Server 2019 - Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
However, when a user runs a process, that process has the same level of access to data that the user has. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software.
Application control is a crucial line of defense for protecting enterprises given todays threat landscape, and it has an inherent advantage over traditional antivirus solutions. Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1).
Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run.
Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control is a crucial line of defense for protecting enterprises given todays threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.).
WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1).
> [!NOTE]
> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:<br>
- **Windows Defender Application Control**; and
- **AppLocker**
## Windows Defender Application Control
Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC).
> [!NOTE] > [!NOTE]
> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. > Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
## WDAC System Requirements WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries;
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
- The reputation of the app as determined by Microsoft's Intelligent Security Graph;
- The identity of the process that initiated the installation of the app and its binaries (managed installer);
- The path from which the app or file is launched (beginning with Windows 10 version 1903);
- The process that launched the app or binary.
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. ### WDAC System Requirements
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy or Intune can be used to distribute WDAC policies. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above.
## New and changed functionality ## AppLocker
Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender Device Guard configurable code integrity policies. AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers.
Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on:
For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md). - Attributes of the codesigning certificate(s) used to sign an app and its binaries;
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file;
- The path from which the app or file is launched (beginning with Windows 10 version 1903).
### AppLocker System Requirements
AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md).
AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker
Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies.
**WDAC is best when:**
- You are adopting application control primarily for security reasons.
- Your application control policy can be applied to all users on the managed computers.
- All of the devices you wish to manage are running Windows 10.
**AppLocker is best when:**
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on a shared computer.
- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature.
- You do not wish to enforce application control on application files such as DLLs or drivers.
**When to use both WDAC and AppLocker together**
AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
## See also ## See also
- [WDAC design guide](windows-defender-application-control-design-guide.md) - [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md) - [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
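Review bot: The "(beginning with Windows 10 version 1903)" qualifier on the AppLocker path-rule bullet looks like a carry-over from the WDAC rule list above it and is wrong for AppLocker, which has offered path rules since it shipped with Windows 7; it also contradicts the later guidance that AppLocker is the choice for "Windows 10 and earlier versions of the OS". Suggest "- The path from which the app or file is launched." for the AppLocker list and keeping the 1903 note only on the WDAC list. Smaller points in the same hunk: "WDAC policies apply to the managed computer as a whole and affects all users" should read "affect"; "given todays threat landscape" and "where its important" need apostrophes ("today's", "it's"); the `<br>` before the two-item technology list is unnecessary in Markdown. Finally, the removed "New and changed functionality" section was the only place linking to use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md; consider adding that link under "See also" so the plug-in topic is not orphaned.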

View File

@ -1,30 +0,0 @@
---
title: Windows Defender Device Guard and AppLocker (Windows 10)
description: Explains how
keywords: virtualization, whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
---
# Windows Defender Device Guard with AppLocker
Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario.
There are many scenarios in which WDAC would be used alongside AppLocker rules.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
> [!NOTE]
> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible.
In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
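Review bot: Deleting this topic without a redirect will break existing links to it: the commit touches only three files (the two edited topics and this deletion), so no redirect entry is added here. The guidance it contained (enforce WDAC at the most restrictive level, then fine-tune with AppLocker) is carried into the new "When to use both WDAC and AppLocker together" section, so a redirect to the Application Control topic is the right target. Note also that this file shares `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` with the topic edited in the previous file, so the deletion conveniently removes a duplicate asset id; worth mentioning in the commit message.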