Update deploy-windows-defender-application-control-policies-using-group-policy.md

2025-06-21 05:13:40 +00:00 · 2022-06-27 16:37:24 -07:00
parent a252a0ecce
commit 608b24ade4
1 changed files with 9 additions and 10 deletions
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 02/28/2018
+ms.date: 06/27/2022
 ms.technology: windows-sec
 ---

@ -26,10 +26,9 @@ ms.technology: windows-sec
 - Windows 11
 - Windows Server 2016 and above

->[!NOTE]
->Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-
 > [!NOTE]
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>
 > Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.

 Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
@ -41,9 +40,9 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
 2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.

   > [!NOTE]
-   > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
+   > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).

-   ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
+   ![Group Policy Management, create a GPO.](../images/dg-fig24-creategpo.png)

 3. Name the new GPO. You can choose any name.

@ -60,7 +59,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
    > [!NOTE]
    > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.

-    ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
+    ![Group Policy called Deploy Windows Defender Application Control.](../images/dg-fig26-enablecode.png)

    > [!NOTE]
    > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.