Initial commit of MEMCM doc supplement work

This commit is contained in:
Jordan Geurten
2022-06-23 15:06:05 -04:00
parent 64234d33c5
commit 6038a000bc
21 changed files with 61 additions and 10 deletions

View File

@ -38,7 +38,7 @@ Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be
## Deploy AppId Tagging Policies with MDM
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
## Deploy AppId Tagging Policies with MEMCM
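Review bot: the fix from `../deploy-...intune.md` to `../deployment/deploy-...intune.md` is only right if this AppId Tagging page itself now sits in a sibling subfolder of `deployment/`, so every other relative link in this file (not just the one in this hunk) needs the same check. The `## Deploy AppId Tagging Policies with MEMCM` heading that closes the hunk would be the natural place to link the `deployment/deploy-wdac-policies-with-memcm.md` page this commit adds to the TOC.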

View File

@ -73,13 +73,13 @@
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deploy-windows-defender-application-control-policies-using-intune.md
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with MEMCM
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with Group Policy
href: deploy-windows-defender-application-control-policies-using-group-policy.md
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies
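Review bot: the two re-pointed entries (MDM and Group Policy) now resolve under `deployment/`, but none of the hunks on this page shows the corresponding file renames, so confirm both markdown files actually moved in this commit or these TOC entries will 404. The `Audit WDAC policies` and `Merge WDAC policies` entries directly below still point at the top level; say whether that is intentional or the move is partial.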

View File

@ -159,4 +159,4 @@ Policies should be thoroughly evaluated and first rolled out in audit mode befor
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
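Review bot: only item 4 of this numbered list is updated here; item 1 (MDM) sits above the hunk and, if it links the Intune page that this commit moves into `deployment/`, needs the same prefix. Minor: the link text for items 3 and 4 mixes the long form `Deploy Windows Defender Application Control (WDAC) policies using script` with the short form `Deploy WDAC policies via Group Policy`; pick one.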

View File

@ -41,8 +41,59 @@ MEMCM includes native support for WDAC, which allows you to configure Windows 10
Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
### Create a WDAC Policy in MEMCM
1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**
![Create a WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy.jpg)
2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode which you want the policy to run (Enforcement enabled / Audit Only)
5. Click **Next**
![Create an enforced WDAC policy in MEMCM.](../images/memcm/memcm-create-wdac-policy-2.jpg)
6. Click **Add** to begin creating rules for trusted software
![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule.jpg)
7. Select **File** or **Folder** to create a path rule > **Browse**
![Create a WDAC path rule in MEMCM.](../images/memcm/memcm-create-wdac-rule-2.jpg)
8. Select the executable or folder for your path rule > **OK**
![Select the file or folder.](../images/memcm/memcm-create-wdac-rule-3.jpg)
9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**
![Confirm the WDAC path rule in MEMCM.](../images/memcm/memcm-confirm-wdac-rule.jpg)
### Deploy the WDAC Policy in MEMCM
1. Right-click the newly created policy > **Deploy Application Control Policy**
![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac.jpg)
2. Select **Browse**
![Deploy WDAC via MEMCM.](../images/memcm/memcm-deploy-wdac-2.jpg)
3. Select the Device Collection you created earlier > **OK**
![Select the device collection.](../images/memcm/memcm-deploy-wdac-3.jpg)
4. Change the schedule > **OK**
![Change the WDAC deployment schedule.](../images/memcm/memcm-deploy-wdac-4.jpg)
For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
The entire WDAC in MEMCM Lab Paper is available for download [here](../pdfs/WDAC-Deploy-WDAC-using-MEMCM.pdf).
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
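Review bot: the guidance at the top of the hunk, "deploy a script to delete the policy file from disk" to disable WDAC altogether, needs a qualifier and a path. It should name the file to delete, and it holds only for unsigned policies: the signing page in this same commit states that a signed policy sets a UEFI lock after a reboot with Secure Boot, so deleting the file leaves a signed policy enforced until a signed replacement that permits removal is deployed. Other points in the same hunk: step 1 names the console workspace `Asset and Compliance`, which should be `Assets and Compliance`; the rule steps only show `File` or `Folder` path rules, and a folder rule on a user-writable location (a download or temp directory, for example) trusts any binary dropped there, so add a caution to prefer publisher or hash rules or to restrict folder rules to admin-only locations; step 3 of the deploy section says "the Device Collection you created earlier" but nothing earlier on this page creates one; step 9 reads "table of trusted files or folder" (plural `folders`); the link text `here` for the lab PDF should name the document; and the closing section consists of one sentence, so the promised Packages/Programs and Task Sequence instructions should follow or the section should be marked as forthcoming.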

View File

@ -34,7 +34,7 @@ ms.technology: windows-sec
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Management solutions | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
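Review bot: both the old and new versions of the `Management solutions` row end the AppLocker cell with `<li>PowerShell</li><ul> |`, an unclosed `<ul>` where `</ul>` is meant; since the line is being touched anyway, fix it to `</ul>`. Also, the MEMCM entry in the WDAC cell still links the external `/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager` page, while the new MEMCM page in this commit links the same topic as `/mem/configmgr/...`; use one form, and consider pointing this cell at `./deployment/deploy-wdac-policies-with-memcm.md` now that it exists.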

Nine binary files added (image viewer not rendered); sizes 52 KiB, 149 KiB, 270 KiB, 119 KiB, 61 KiB, 43 KiB, 44 KiB, 41 KiB and 114 KiB.

View File

@ -99,13 +99,13 @@ landingContent:
- linkListType: tutorial
links:
- text: Deployment with MDM
url: deploy-windows-defender-application-control-policies-using-intune.md
url: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- text: Deployment with MEMCM
url: deployment/deploy-wdac-policies-with-memcm.md
- text: Deployment with script and refresh policy
url: deployment/deploy-wdac-policies-with-script.md
- text: Deployment with Group Policy
url: deploy-windows-defender-application-control-policies-using-group-policy.md
url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
# Card
- title: Learn how to monitor WDAC events
linkLists:
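Review bot: same dependency as the TOC hunk: these `url:` values assume the Intune and Group Policy pages were moved into `deployment/` in this commit, and no rename on this page shows that. Also confirm the landing page and the TOC resolve relative `url`/`href` paths from the same directory, otherwise one of the two will break.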

View File

@ -105,7 +105,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
> [!NOTE]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
> [!NOTE]
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
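Review bot: step 9 opens with "Validate the signed file" but never says how to validate it; the rest of the step only describes the expected `{PolicyID}.cip` output and where to deploy it, so either add the check or drop the instruction. The link fix to `deployment/` is consistent with the other hunks, but the sentence sends readers only to the Group Policy page, while the deployment guide in this commit lists MDM, MEMCM and script as well; link the guide instead. The NOTE about the UEFI lock after a reboot with Secure Boot is the key caveat for signed policies and should be cross-referenced from wherever the docs tell readers to disable WDAC by deleting the policy file.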

View File

@ -41,7 +41,7 @@ All WDAC policy changes should be deployed in audit mode before proceeding to en
There are several options to deploy WDAC policies to managed endpoints, including:
1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
1. [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
2. [Deploy using Microsoft Endpoint Configuration Manager (MEMCM)](deployment/deploy-wdac-policies-with-memcm.md)
3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
4. [Deploy via Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
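Review bot: item 2 expands MEMCM as `Microsoft Endpoint Configuration Manager` while the comparison table in this same commit expands it as `Microsoft Endpoint Manager Configuration Manager`; use one expansion. The Group Policy item is updated to `deployment/` but, as with the other hunks, the move of that file is not visible here; verify it.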