minor updates

windows/client-management/mdm/applicationcontrol-csp.md

@@ -12,7 +12,7 @@ ms.date: 05/21/2019
 # ApplicationControl CSP
 
 Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike AppLocker CSP, the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
-Existing WDAC policies which were deployed using the AppLocker CSP’s CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will occur in the ApplicationControl CSP only.
+Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will occur in ApplicationControl CSP only.
 
 The ApplicationControl CSP was added in Windows 10, version 1903.
 
@@ -26,7 +26,7 @@ Defines the root node for the ApplicationControl CSP.
 Scope is permanent. Supported operation is Get.
 
 <a href="" id="applicationcontrol-policies"></a>**ApplicationControl/Policies**  
-This node contains all the policies, each identified by their GUID.
+This node contains all the policies, each identified by their globally unique identifier (GUID).
 
 Scope is permanent. Supported operation is Get.
 
@@ -45,7 +45,7 @@ Value type is b64. Supported value is any well-formed WDAC policy, i.e. the base
 Default value is empty.
 
 <a href="" id="applicationcontrol-policies-policyguid-policyinfo"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo**  
-This node is the subtree for nodes that describe the policy indicated by the GUID.
+This node contains the nodes that describe the policy indicated by the GUID.
 
 Scope is dynamic. Supported operation is Get.
 
@@ -110,35 +110,35 @@ Scope is dynamic. Supported operation is Get.
 
 Value type is char.
 
-## ApplicationControl CSP usage guidance  
+## Usage guidance  
 
-Here are the usage guidance for ApplicationControl CSP:
+To use ApplicationControl CSP, you must:
 - Know a generated policy’s GUID, which can be found in the policy xml as `<PolicyTypeID>`.
 - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
-- Create a policy node (a Base64-encoded blob of the binary policy representation) using the certutil -encode command line tool.
+- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool.
 
-    Sample certutil invocation:
-    ```
-    certutil -encode WinSiPolicy.p7b WinSiPolicy.cer 
-    ```
-    Alternatively, you can use the following PowerShell invocation:
-    ```
-    [Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
-    ```
-> [!NOTE]
-> If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you use Base64 as the data type when using Custom OMA-URI functionality to apply the Code Integrity policy.
+Here is a sample certutil invocation:
+```
+certutil -encode WinSiPolicy.p7b WinSiPolicy.cer 
+```
+An alternative to using certutil would be to use the following PowerShell invocation:
+```
+[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
+```
+If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI
+functionality to apply the Code Integrity policy.
 
-## Deploy policies using ApplicationControl CSP
+### Deploy policies
 To deploy a new base policy using the CSP, perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data}. Refer to the the Format section in the Example 1 below.
 
 To deploy base policy and supplemental policies:
-- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy
-- Repeat for each base or supplemental policy (with its own GUID and data)
+- Perform an ADD on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy** using the Base64-encoded policy node as {Data} with the GUID and policy data for the base policy.
+- Repeat for each base or supplemental policy (with its own GUID and data).
 
 The following example shows the deployment of two base policies and a supplemental policy (which already specifies the base policy it supplements and does not need that reflected in the ADD).
 
 **Example 1: Add first base policy**
-```
+```xml
 <Add>
     <CmdID>1</CmdID>
     <Item>
@@ -153,22 +153,22 @@ The following example shows the deployment of two base policies and a supplement
 </Add>
 ```
 **Example 2: Add second base policy**
-```
+```xml
 <Add>
     <CmdID>1</CmdID>
     <Item>
         <Target>
             <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{Base2GUID}/Policy</LocURI>
         </Target>
-          <Meta>
+        <Meta>
             <Format xmlns="syncml:metinf">b64</Format>
-          </Meta>
-            <Data> {Base2Data} </Data>
+        </Meta>
+        <Data> {Base2Data} </Data>
     </Item>
 </Add>
 ```
 **Example 3: Add supplemental policy**
-```
+```xml
 <Add>
     <CmdID>1</CmdID>
     <Item>
@@ -178,17 +178,17 @@ The following example shows the deployment of two base policies and a supplement
         <Meta>
             <Format xmlns="syncml:metinf">b64</Format>
         </Meta>
-            <Data> {Supplemental1Data} </Data>
+        <Data> {Supplemental1Data} </Data>
     </Item>
 </Add>
 ```
-## Get policy
+### Get policies
 
 Perform a GET using a deployed policy’s GUID to interrogate/inspect the policy itself or information about it.
 The following table displays the result of Get operation on different nodes:
 
-|Nodes|Get Operation Results|
-|-------------|------|
+|Nodes | Get Results|
+|------------- | ------|
 |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy|raw p7b|
 |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/Version|policy version|
 |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/IsEffective|is the policy in effect|
@@ -198,7 +198,7 @@ The following table displays the result of Get operation on different nodes:
 |./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/PolicyInfo/FriendlyName|the friendly name per the policy|
 
 **Sample Get command**  
-```
+```xml
  <Get>
     <CmdID>1</CmdID>
         <Item>
@@ -209,7 +209,7 @@ The following table displays the result of Get operation on different nodes:
  </Get>
 ```
 
-## Delete the policy
+### Delete policies
 To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationControl/Policies/_PolicyGUID_/Policy**.
 
 > [!Note]
@@ -218,7 +218,7 @@ To delete an unsigned policy, perform a DELETE on **./Vendor/MSFT/ApplicationCon
 To delete a signed policy, first replace it with a signed update allowing unsigned policy, then deploy another update with unsigned policy, then perform delete.
     
 **Delete a policy**
-```
+```xml
    <Delete>
      <CmdID>1</CmdID>
         <Item>