Merge branch 'main' into alexbuckgit/docutune-docs-link-absolute-autopr-20220826-145242-5163947

2025-05-12 21:37:22 +00:00 · 2022-08-30 09:14:41 -07:00 · 2022-08-30 09:14:41 -07:00 · 56a6aeae94
commit 56a6aeae94
parent c0d3e386fd ec61c9e257
11 changed files with 149 additions and 40 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -2,7 +2,7 @@

 Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs.
 This page covers the basic steps for editing our technical documentation.
-For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/).
+For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://docs.microsoft.com/contribute/).

 ## Sign a CLA

@ -19,16 +19,16 @@ We've tried to make editing an existing, public file as simple as possible.

 ### To edit a topic

-1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update.
+1. Browse to the [Microsoft Docs](https://docs.microsoft.com/) article that you want to update.

    > **Note**<br>
    > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main).

 1. Then select the **Pencil** icon.

-    ![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png)
+    ![Screenshot showing the Pencil icon to edit a published article.](images/contribute-link.png)

-    If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs).
+    If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [MicrosoftDocs organization on GitHub](https://github.com/MicrosoftDocs).

    > **TIP**<br>
    > View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article.
@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.

    ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png)

-1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.
+1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation.

 1. Make your suggested change, and then select **Preview changes** to make sure it looks correct.

@ -82,4 +82,4 @@ In the new issue form, enter a brief title. In the body of the form, describe th

 - You can use your favorite text editor to edit Markdown files.  We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft.
 - You can learn the basics of Markdown in just a few minutes.  To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/).
- Microsoft Docs uses several custom Markdown extensions. To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
+- Microsoft technical documentation uses several custom Markdown extensions. To learn more, see the [Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference).
--- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
+++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md
@ -5,7 +5,7 @@ Starting with Windows 10, version 1511 (also known as the Anniversary Update), y

 ### Site list xml file
 <!-- rework this entire paragraph -->
-This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
+This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.

 ```xml
 <site-list version="205">
--- a/browsers/includes/helpful-topics-include.md
+++ b/browsers/includes/helpful-topics-include.md
@ -35,4 +35,4 @@ ms.topic: include
 - [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx)
 - [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956)
 - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646)
- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
+- [Fix web compatibility issues using document modes and the Enterprise Mode site list](/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list)
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@ -56,13 +56,13 @@ If you’ve been approved and are part of the Enrollment for Education Solutions

 3. This will route you to the purchase page in the Microsoft Admin center. You will need to log in to your Administrator account.

-4. If necessary, fill in any requested organization or payment information 
+4. If necessary, fill in any requested organization or payment information.

 5. Select the quantity of licenses you would like to purchase and select **Place Order**.

-6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users)
+6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users).

-If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](https://docs.microsoft.com/microsoft-365/commerce/licenses/buy-licenses).
+If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses).

 ### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing

@ -96,14 +96,16 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th

    ![Invoice Details page showing items that need to be completed for an invoice. PO number is highlighted.](images/mcee-invoice-info.png)

-For more info on invoices and how to pay by invoice, see [How to pay for your subscription](https://docs.microsoft.com/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).  
+For more info on invoices and how to pay by invoice, see [How to pay for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?).  

 ## Distribute Minecraft
-After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).  

+After Minecraft: Education Edition is added to your Microsoft Admin Center inventory, you can [assign these licenses to your users](/microsoft-365/admin/manage/assign-licenses-to-users) or [download the app](https://aka.ms/downloadmee).

 ## Learn more
-[About Intune Admin roles in the Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)
+
+[About Intune Admin roles in the Microsoft 365 admin center](/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac)

 ## Related topics
+
 [Get Minecraft: Education Edition](get-minecraft-for-education.md)
--- a/template.md
+++ b/template.md
@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period.
 ## docs.ms extensions

 > [!div class="nextstepaction"]
-> [Next step action](/mem/configmgr)
+> [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/mem/configmgr)
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@ -18,13 +18,13 @@ The table below shows the applicability of Windows:
 |Edition|Windows 10|Windows 11|
 |--- |--- |--- |
 |Home|No|No|
-|Pro|No|Yes|
-|Windows SE|No|Yes|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
 |Business|No|No|
-|Enterprise|No|Yes|
-|Education|No|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|

-The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
+The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module.

 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:

--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@ -33,6 +33,9 @@ manager: aaroncz
    <a href="#remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a>
  </dd>
  <dd>
+  <dd>
+    <a href="#remotedesktopservices-donotallowwebauthnredirection">RemoteDesktopServices/DoNotAllowWebAuthnRedirection</a>
+  </dd>
    <a href="#remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a>
  </dd>
  <dd>
@ -130,7 +133,7 @@ ADMX Info:

 <!--/Scope-->
 <!--Description-->
-Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.

 If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

@ -257,6 +260,56 @@ ADMX Info:

 <hr/>

+<!--Policy-->
+<a href="" id="remotedesktopservices-donotallowwebauthnredirection"></a>**RemoteDesktopServices/DoNotAllowWebAuthnRedirection**  
+
+<!--SupportedSKUs-->
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other).
+
+By default, Remote Desktop allows redirection of WebAuthn requests.
+
+If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session.
+
+If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+
+If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session.
+<!--/Description-->
+
+<!--ADMXBacked-->
+ADMX Info:  
+-   GP Friendly name: *Do not allow WebAuthn redirection*
+-   GP name: *TS_WEBAUTHN*
+-   GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection*
+-   GP ADMX file name: *terminalserver.admx*
+
+<!--/ADMXBacked-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**  

--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@ -139,6 +139,9 @@ ms.collection: highpri
  <dd>
    <a href="#update-managepreviewbuilds">Update/ManagePreviewBuilds</a>
  </dd> 
+  <dd>
+    <a href="#update-NoUpdateNotificationDuringActiveHours">Update/NoUpdateNotificationDuringActiveHours</a>
+  </dd>
  <dd>
    <a href="#update-pausedeferrals">Update/PauseDeferrals</a>
  </dd>
@ -2382,6 +2385,55 @@ The following list shows the supported values:

 <hr/>

+<!--Policy-->
+<a href="" id="update-NoUpdateNotificationDuringActiveHours"></a>**Update/NoUpdateNotificationDuringActiveHours**  
+
+<!--SupportedSKUs-->
+The table below shows the applicability of Windows:
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|No|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+<!--/SupportedSKUs-->
+<hr/>
+
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached.  Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device.
+
+Supported value type is a boolean.
+
+0 (Default) This configuration will provide the default behavior (notifications may display during active hours) 
+1: This setting will prevent notifications from displaying during active hours.
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+- GP Friendly name: *Display options for update notifications*
+- GP name: *NoUpdateNotificationDuringActiveHours*
+- GP element: *NoUpdateNotificationDuringActiveHours*
+- GP path: *Windows Components\WindowsUpdate\Manage end user experience*
+- GP ADMX file name: *WindowsUpdate.admx*
+<!--/ADMXMapped-->
+
+<!--/Policy-->
+<hr/>
+
+
 <!--Policy-->
 <a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**  

--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@ -97,8 +97,8 @@ Either the support staff or a user can start a Quick Assist session.

    - Type *Quick Assist* in the search box and press ENTER.
    - Press **CTRL** + **Windows** + **Q**
-    - For Windows 10 users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**.
-    - For Windows 11 users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**.
+    - For **Windows 10** users, from the Start menu, select **Windows Accessories**, and then choose **Quick Assist**.
+    - For **Windows 11** users, from the Start menu, select **All Apps**, **Windows Tools**, and then choose **Quick Assist**.

 2. In the **Give assistance** section, the helper selects **Assist another person**. The helper might be asked to choose their account or sign in. Quick Assist generates a time-limited security code.

@ -141,7 +141,7 @@ Visit [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps

 ### Install Quick Assist Offline

-To install Quick Assist offline, you'll need to download your APPXBUNDLE and unecoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.
+To install Quick Assist offline, you'll need to download your APPXBUNDLE and unencoded XML file from [Microsoft Store for Business](https://businessstore.microsoft.com). Visit [Download an offline-licensed app](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) for more information.

 1. Start **Windows PowerShell** with Administrative privileges.
 1. In PowerShell, change the directory to the location you've saved the file to in step 1. (CD &#x3C;*location of package file*&#x3E;)
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
@ -50,10 +50,10 @@ sections:
          - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
          - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
          - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include:
-              - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
-              - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
-              - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
-              - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
+              - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html)
+              - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
+              - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
+              - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
          
      - question: |
          Where can I find out if an application or device is compatible with Windows 10?
@ -125,7 +125,7 @@ sections:
        answer: |
          For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
          
-          Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+          Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
          
          To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
          
@ -152,4 +152,3 @@ sections:
          - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
          - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
          - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
-          - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home).
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@ -10,11 +10,11 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
-author: dansimp
-ms.reviewer: isbrahm
+author: jgeurten
+ms.reviewer: jsuther1974
 ms.author: dansimp
 manager: dansimp
-ms.date: 06/28/2022
+ms.date: 08/29/2022
 ms.technology: windows-sec
 ---

@ -120,6 +120,9 @@ As part of normal operations, they'll eventually install software updates, or pe

 Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).

+> [!NOTE]
+> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+
 ## More information about filepath rules

 Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
@ -139,7 +142,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
 You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.

 > [!NOTE]
-> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied.

 > [!NOTE]
 > There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.