Merge pull request #9847 from v-kikl/kk-wdac-edits-tasks-23655302-and-34510389

Edited select-type and event-id documents.

windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md

@@ -86,6 +86,32 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
 reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
 ```
 
+## System Integrity Policy Options
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
+
+| Bit Address | Policy Rule Option |
+|-------|------|
+| 2 | Enabled:UMCI |
+| 3 | Enabled:Boot Menu Protection |
+| 4 | Enabled:Intelligent Security Graph Authorization |
+| 5 | Enabled:Invalidate EAs on Reboot |
+| 7 | Required:WHQL |
+| 10 | Enabled:Allow Supplemental Policies |
+| 11 | Disabled:Runtime FilePath Rule Protection |
+| 13 | Enabled:Revoked Expired As Unsigned |
+| 16 | Enabled:Audit Mode (Default) |
+| 17 | Disabled:Flight Signing |
+| 18 | Enabled:Inherit Default Policy |
+| 19 | Enabled:Unsigned System Integrity Policy (Default) |
+| 20 | Enabled:Dynamic Code Security |
+| 21 | Required:EV Signers |
+| 22 | Enabled:Boot Audit on Failure |
+| 23 | Enabled:Advanced Boot Options Menu |
+| 24 | Disabled:Script Enforcement |
+| 25 | Required:Enforce Store Applications |
+| 27 | Enabled:Managed Installer  |
+| 28 | Enabled:Update Policy No Reboot |
+
 ## Appendix
 A list of other relevant event IDs and their corresponding description.
 

windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md

@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
 | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
 | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
 
 ## Windows Defender Application Control file rule levels