mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 06:17:22 +00:00
added note to address issue 755
This commit is contained in:
parent
dfddbf78ef
commit
4d02386ffe
@ -30,7 +30,7 @@ Each installed software application should be validated as trustworthy before yo
We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts.
You can remove or disable such software on the reference computer.
You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](windows-defender-application-control-and-applocker.md).
To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
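Review bot: the opening sentence of this hunk, "We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable", gives the reader no criteria for finding such software beyond the single msbuild.exe example. Consider stating what to look for (script hosts, developer and build tooling, anything that loads arbitrary DLLs) or pointing to Microsoft's published list of applications it recommends blocking, so the reference-computer review is repeatable. The clause "which can be removed if you do not want to run scripts" also understates msbuild.exe, which the same sentence describes as part of Visual Studio and the .NET Framework; say that removing it also removes the ability to build projects on that computer.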
@ -29,13 +29,13 @@ A managed installer uses a new rule collection in AppLocker to specify one or mo
Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority.
Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.
If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
> [!NOTE]
> Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer.
>
> Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps.
> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
> Only one SiPolicy.p7b file can be active on a system. The last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then SCCM targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file.
## Configuring a managed installer with AppLocker and Windows Defender Application Control
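Review bot: the line "If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+" has a stray "+" appended to the sentence; drop it so the character does not render on the page. In the new note block, "Admins needs to ensure" should read "Admins need to ensure" (the error is carried over from the line being replaced), "WHQL signed drivers" should be "WHQL-signed drivers", and "SCCM" appears without expansion; write "System Center Configuration Manager (SCCM)" on first use. The sentence "Only one SiPolicy.p7b file can be active on a system. The last management authority to write the policy wins." is valuable but is only loosely tied to managed installers, and the example of an SCCM policy overwriting a Group Policy-deployed one reads as deployment guidance; either move it to the deployment guide the note already links to, or add a lead-in that says why the overwrite matters for a managed installer setup (an overwriting policy that lacks the Allow: Managed Installer option will stop authorizing files tagged by the installer).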