From 1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 13:57:37 -0700 Subject: [PATCH] Added a note to page The note about separating allow and deny rules is at the end of the "More information about file path rules" section. --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..d6e4970eb9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,6 +126,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +>[!NOTE] +>We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy. + ## More information about hashes ### Why does scan create four hash rules per XML file?