diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index add268e0ee..d6e4970eb9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -126,6 +126,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
 
 You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
 
+>[!NOTE]
+>We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy.
+
 ## More information about hashes
 
 ### Why does scan create four hash rules per XML file?