diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..dcad6a2586 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -3,313 +3,309 @@
 - name: About application control for Windows
   href: windows-defender-application-control.md
   expanded: true
-  items: 
+  items:
     - name: WDAC and AppLocker Overview
       href: wdac-and-applocker-overview.md
-      items: 
-        - name: WDAC and AppLocker Feature Availability
-          href: feature-availability.md
-        - name: Virtualization-based protection of code integrity
-          href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
-    - name: WDAC design guide
-      href: windows-defender-application-control-design-guide.md
-      items: 
-        - name: Plan for WDAC policy lifecycle management
-          href: plan-windows-defender-application-control-management.md
-        - name: Design your WDAC policy
-          items: 
-            - name: Understand WDAC policy design decisions
-              href: understand-windows-defender-application-control-policy-design-decisions.md
-            - name: Understand WDAC policy rules and file rules
-              href: select-types-of-rules-to-create.md
-              items: 
-                - name: Allow apps installed by a managed installer
-                  href: configure-authorized-apps-deployed-with-a-managed-installer.md
-                - name: Allow reputable apps with Intelligent Security Graph (ISG)
-                  href: use-windows-defender-application-control-with-intelligent-security-graph.md
-                - name: Allow COM object registration
-                  href: allow-com-object-registration-in-windows-defender-application-control-policy.md
-                - name: Use WDAC with .NET hardening
-                  href: use-windows-defender-application-control-with-dynamic-code-security.md
-                - name: Manage packaged apps with WDAC
-                  href: manage-packaged-apps-with-windows-defender-application-control.md
-                - name: Use WDAC to control specific plug-ins, add-ins, and modules
-                  href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
-                - name: Understand WDAC policy settings
-                  href: understanding-wdac-policy-settings.md
-            - name: Use multiple WDAC policies
-              href: deploy-multiple-windows-defender-application-control-policies.md
-        - name: Create your WDAC policy
-          items: 
-            - name: Example WDAC base policies
-              href: example-wdac-base-policies.md
-            - name: Policy creation for common WDAC usage scenarios
-              href: types-of-devices.md
-              items: 
-                - name: Create a WDAC policy for lightly managed devices
-                  href: create-wdac-policy-for-lightly-managed-devices.md
-                - name: Create a WDAC policy for fully managed devices
-                  href: create-wdac-policy-for-fully-managed-devices.md
-                - name: Create a WDAC policy for fixed-workload devices
-                  href: create-initial-default-policy.md
-                - name: Create a WDAC deny list policy
-                  href: create-wdac-deny-policy.md
-                - name: Microsoft recommended block rules
-                  href: microsoft-recommended-block-rules.md
-                - name: Microsoft recommended driver block rules
-                  href: microsoft-recommended-driver-block-rules.md
-            - name: Use the WDAC Wizard tool
-              href: wdac-wizard.md
-              items: 
-                - name: Create a base WDAC policy with the Wizard
-                  href: wdac-wizard-create-base-policy.md
-                - name: Create a supplemental WDAC policy with the Wizard
-                  href: wdac-wizard-create-supplemental-policy.md
-                - name: Editing a WDAC policy with the Wizard
-                  href: wdac-wizard-editing-policy.md
-                - name: Merging multiple WDAC policies with the Wizard
-                  href: wdac-wizard-merging-policies.md
-    - name: WDAC deployment guide
-      href: windows-defender-application-control-deployment-guide.md
-      items: 
-        - name: Deploy WDAC policies with MDM
-          href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
-        - name: Deploy WDAC policies with Configuration Manager
-          href: deployment/deploy-wdac-policies-with-memcm.md
-        - name: Deploy WDAC policies with script
-          href: deployment/deploy-wdac-policies-with-script.md
-        - name: Deploy WDAC policies with group policy
-          href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
-        - name: Audit WDAC policies
-          href: audit-windows-defender-application-control-policies.md
-        - name: Merge WDAC policies
-          href: merge-windows-defender-application-control-policies.md
-        - name: Enforce WDAC policies
-          href: enforce-windows-defender-application-control-policies.md
-        - name: Use code signing to simplify application control for classic Windows applications
-          href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
-          items: 
-            - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
-              href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
-            - name: "Optional: Create a code signing cert for WDAC"
-              href: create-code-signing-cert-for-windows-defender-application-control.md
-            - name: Deploy catalog files to support WDAC
-              href: deploy-catalog-files-to-support-windows-defender-application-control.md
-        - name: Use signed policies to protect Windows Defender Application Control against tampering
-          href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
-        - name: Disable WDAC policies
-          href: disable-windows-defender-application-control-policies.md
-        - name: LOB Win32 Apps on S Mode
-          href: LOB-win32-apps-on-s.md
-    - name: WDAC operational guide
-      href: windows-defender-application-control-operational-guide.md
-      items: 
-        - name: Understanding Application Control event tags
-          href: event-tag-explanations.md
-        - name: Understanding Application Control event IDs
-          href: event-id-explanations.md
-        - name: Query WDAC events with Advanced hunting
-          href: querying-application-control-events-centrally-using-advanced-hunting.md
-        - name: Known Issues
-          href: operations/known-issues.md
-        - name: Managed installer and ISG technical reference and troubleshooting guide
-          href: configure-wdac-managed-installer.md
-    - name: WDAC AppId Tagging guide
-      href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+    - name: WDAC and AppLocker Feature Availability
+      href: feature-availability.md
+    - name: Virtualization-based protection of code integrity
+      href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+- name: WDAC design guide
+  href: windows-defender-application-control-design-guide.md
+  items:
+    - name: Plan for WDAC policy lifecycle management
+      href: plan-windows-defender-application-control-management.md
+    - name: Design your WDAC policy
       items:
-        - name: Creating AppId Tagging Policies
-          href: AppIdTagging/design-create-appid-tagging-policies.md
-        - name: Deploying AppId Tagging Policies
-          href: AppIdTagging/deploy-appid-tagging-policies.md
-        - name: Testing and Debugging AppId Tagging Policies
-          href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
-    - name: AppLocker
-      href: applocker\applocker-overview.md
-      items: 
-        - name: Administer AppLocker
-          href: applocker\administer-applocker.md
-          items: 
-            - name: Maintain AppLocker policies
-              href: applocker\maintain-applocker-policies.md
-            - name: Edit an AppLocker policy
-              href: applocker\edit-an-applocker-policy.md
-            - name: Test and update an AppLocker policy
-              href: applocker\test-and-update-an-applocker-policy.md
-            - name: Deploy AppLocker policies by using the enforce rules setting
-              href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
-            - name: Use the AppLocker Windows PowerShell cmdlets
-              href: applocker\use-the-applocker-windows-powershell-cmdlets.md
-            - name: Use AppLocker and Software Restriction Policies in the same domain
-              href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
-            - name: Optimize AppLocker performance
-              href: applocker\optimize-applocker-performance.md
-            - name: Monitor app usage with AppLocker
-              href: applocker\monitor-application-usage-with-applocker.md
-            - name: Manage packaged apps with AppLocker
-              href: applocker\manage-packaged-apps-with-applocker.md
-            - name: Working with AppLocker rules
-              href: applocker\working-with-applocker-rules.md
-              items: 
-                - name: Create a rule that uses a file hash condition
-                  href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
-                - name: Create a rule that uses a path condition
-                  href: applocker\create-a-rule-that-uses-a-path-condition.md
-                - name: Create a rule that uses a publisher condition
-                  href: applocker\create-a-rule-that-uses-a-publisher-condition.md
-                - name: Create AppLocker default rules
-                  href: applocker\create-applocker-default-rules.md
-                - name: Add exceptions for an AppLocker rule
-                  href: applocker\configure-exceptions-for-an-applocker-rule.md
-                - name: Create a rule for packaged apps
-                  href: applocker\create-a-rule-for-packaged-apps.md
-                - name: Delete an AppLocker rule
-                  href: applocker\delete-an-applocker-rule.md
-                - name: Edit AppLocker rules
-                  href: applocker\edit-applocker-rules.md
-                - name: Enable the DLL rule collection
-                  href: applocker\enable-the-dll-rule-collection.md
-                - name: Enforce AppLocker rules
-                  href: applocker\enforce-applocker-rules.md
-                - name: Run the Automatically Generate Rules wizard
-                  href: applocker\run-the-automatically-generate-rules-wizard.md
-            - name: Working with AppLocker policies
-              href: applocker\working-with-applocker-policies.md
-              items: 
-                - name: Configure the Application Identity service
-                  href: applocker\configure-the-application-identity-service.md
-                - name: Configure an AppLocker policy for audit only
-                  href: applocker\configure-an-applocker-policy-for-audit-only.md
-                - name: Configure an AppLocker policy for enforce rules
-                  href: applocker\configure-an-applocker-policy-for-enforce-rules.md
-                - name: Display a custom URL message when users try to run a blocked app
-                  href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
-                - name: Export an AppLocker policy from a GPO
-                  href: applocker\export-an-applocker-policy-from-a-gpo.md
-                - name: Export an AppLocker policy to an XML file
-                  href: applocker\export-an-applocker-policy-to-an-xml-file.md
-                - name: Import an AppLocker policy from another computer
-                  href: applocker\import-an-applocker-policy-from-another-computer.md
-                - name: Import an AppLocker policy into a GPO
-                  href: applocker\import-an-applocker-policy-into-a-gpo.md
-                - name: Add rules for packaged apps to existing AppLocker rule-set
-                  href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
-                - name: Merge AppLocker policies by using Set-ApplockerPolicy
-                  href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
-                - name: Merge AppLocker policies manually
-                  href: applocker\merge-applocker-policies-manually.md
-                - name: Refresh an AppLocker policy
-                  href: applocker\refresh-an-applocker-policy.md
-                - name: Test an AppLocker policy by using Test-AppLockerPolicy
-                  href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
-        - name: AppLocker design guide
-          href: applocker\applocker-policies-design-guide.md
-          items: 
-            - name: Understand AppLocker policy design decisions
-              href: applocker\understand-applocker-policy-design-decisions.md
-            - name: Determine your application control objectives
-              href: applocker\determine-your-application-control-objectives.md
-            - name: Create a list of apps deployed to each business group
-              href: applocker\create-list-of-applications-deployed-to-each-business-group.md
-              items: 
-                - name: Document your app list
-                  href: applocker\document-your-application-list.md
-            - name: Select the types of rules to create
-              href: applocker\select-types-of-rules-to-create.md
-              items: 
-                - name: Document your AppLocker rules
-                  href: applocker\document-your-applocker-rules.md
-            - name: Determine the Group Policy structure and rule enforcement
-              href: applocker\determine-group-policy-structure-and-rule-enforcement.md
-              items: 
-                - name: Understand AppLocker enforcement settings
-                  href: applocker\understand-applocker-enforcement-settings.md
-                - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
-                  href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
-                - name: Document the Group Policy structure and AppLocker rule enforcement
-                  href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
-            - name: Plan for AppLocker policy management
-              href: applocker\plan-for-applocker-policy-management.md
-        - name: AppLocker deployment guide
-          href: applocker\applocker-policies-deployment-guide.md
-          items: 
-            - name: Understand the AppLocker policy deployment process
-              href: applocker\understand-the-applocker-policy-deployment-process.md
-            - name: Requirements for Deploying AppLocker Policies
-              href: applocker\requirements-for-deploying-applocker-policies.md
-            - name: Use Software Restriction Policies and AppLocker policies
-              href: applocker\using-software-restriction-policies-and-applocker-policies.md
-            - name: Create Your AppLocker policies
-              href: applocker\create-your-applocker-policies.md
-              items: 
-                - name: Create Your AppLocker rules
-                  href: applocker\create-your-applocker-rules.md
-            - name: Deploy the AppLocker policy into production
-              href: applocker\deploy-the-applocker-policy-into-production.md
-              items: 
-                - name: Use a reference device to create and maintain AppLocker policies
-                  href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
-                  items: 
-                    - name: Determine which apps are digitally signed on a reference device
-                      href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
-                    - name: Configure the AppLocker reference device
-                      href: applocker\configure-the-appLocker-reference-device.md
-        - name: AppLocker technical reference
-          href: applocker\applocker-technical-reference.md
-          items: 
-            - name: What Is AppLocker?
-              href: applocker\what-is-applocker.md
-            - name: Requirements to use AppLocker
-              href: applocker\requirements-to-use-applocker.md
-            - name: AppLocker policy use scenarios
-              href: applocker\applocker-policy-use-scenarios.md
-            - name: How AppLocker works
-              href: applocker\how-applocker-works-techref.md
-              items: 
-                - name: Understanding AppLocker rule behavior
-                  href: applocker\understanding-applocker-rule-behavior.md
-                - name: Understanding AppLocker rule exceptions
-                  href: applocker\understanding-applocker-rule-exceptions.md
-                - name: Understanding AppLocker rule collections
-                  href: applocker\understanding-applocker-rule-collections.md
-                - name: Understanding AppLocker allow and deny actions on rules
-                  href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
-                - name: Understanding AppLocker rule condition types
-                  href: applocker\understanding-applocker-rule-condition-types.md
-                  items: 
-                    - name: Understanding the publisher rule condition in AppLocker
-                      href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
-                    - name: Understanding the path rule condition in AppLocker
-                      href: applocker\understanding-the-path-rule-condition-in-applocker.md
-                    - name: Understanding the file hash rule condition in AppLocker
-                      href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
-                - name: Understanding AppLocker default rules
-                  href: applocker\understanding-applocker-default-rules.md
-                  items: 
-                    - name: Executable rules in AppLocker
-                      href: applocker\executable-rules-in-applocker.md
-                    - name: Windows Installer rules in AppLocker
-                      href: applocker\windows-installer-rules-in-applocker.md
-                    - name: Script rules in AppLocker
-                      href: applocker\script-rules-in-applocker.md
-                    - name: DLL rules in AppLocker
-                      href: applocker\dll-rules-in-applocker.md
-                    - name: Packaged apps and packaged app installer rules in AppLocker
-                      href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
-            - name: AppLocker architecture and components
-              href: applocker\applocker-architecture-and-components.md
-            - name: AppLocker processes and interactions
-              href: applocker\applocker-processes-and-interactions.md
-            - name: AppLocker functions
-              href: applocker\applocker-functions.md
-            - name: Security considerations for AppLocker
-              href: applocker\security-considerations-for-applocker.md
-            - name: Tools to Use with AppLocker
-              href: applocker\tools-to-use-with-applocker.md
-              items: 
-                - name: Using Event Viewer with AppLocker
-                  href: applocker\using-event-viewer-with-applocker.md
-            - name: AppLocker Settings
-              href: applocker\applocker-settings.md
-- name: Windows security
-  href: /windows/security/
-
+        - name: Understand WDAC policy design decisions
+          href: understand-windows-defender-application-control-policy-design-decisions.md
+        - name: Understand WDAC policy rules and file rules
+          href: select-types-of-rules-to-create.md
+          items:
+            - name: Allow apps installed by a managed installer
+              href: configure-authorized-apps-deployed-with-a-managed-installer.md
+            - name: Allow reputable apps with Intelligent Security Graph (ISG)
+              href: use-windows-defender-application-control-with-intelligent-security-graph.md
+            - name: Allow COM object registration
+              href: allow-com-object-registration-in-windows-defender-application-control-policy.md
+            - name: Use WDAC with .NET hardening
+              href: use-windows-defender-application-control-with-dynamic-code-security.md
+            - name: Manage packaged apps with WDAC
+              href: manage-packaged-apps-with-windows-defender-application-control.md
+            - name: Use WDAC to control specific plug-ins, add-ins, and modules
+              href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+            - name: Understand WDAC policy settings
+              href: understanding-wdac-policy-settings.md
+        - name: Use multiple WDAC policies
+          href: deploy-multiple-windows-defender-application-control-policies.md
+    - name: Create your WDAC policy
+      items:
+        - name: Example WDAC base policies
+          href: example-wdac-base-policies.md
+        - name: Policy creation for common WDAC usage scenarios
+          href: types-of-devices.md
+          items:
+            - name: Create a WDAC policy for lightly managed devices
+              href: create-wdac-policy-for-lightly-managed-devices.md
+            - name: Create a WDAC policy for fully managed devices
+              href: create-wdac-policy-for-fully-managed-devices.md
+            - name: Create a WDAC policy for fixed-workload devices
+              href: create-initial-default-policy.md
+            - name: Create a WDAC deny list policy
+              href: create-wdac-deny-policy.md
+            - name: Microsoft recommended block rules
+              href: microsoft-recommended-block-rules.md
+            - name: Microsoft recommended driver block rules
+              href: microsoft-recommended-driver-block-rules.md
+        - name: Use the WDAC Wizard tool
+          href: wdac-wizard.md
+          items:
+            - name: Create a base WDAC policy with the Wizard
+              href: wdac-wizard-create-base-policy.md
+            - name: Create a supplemental WDAC policy with the Wizard
+              href: wdac-wizard-create-supplemental-policy.md
+            - name: Editing a WDAC policy with the Wizard
+              href: wdac-wizard-editing-policy.md
+            - name: Merging multiple WDAC policies with the Wizard
+              href: wdac-wizard-merging-policies.md
+- name: WDAC deployment guide
+  href: windows-defender-application-control-deployment-guide.md
+  items:
+    - name: Deploy WDAC policies with MDM
+      href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+    - name: Deploy WDAC policies with Configuration Manager
+      href: deployment/deploy-wdac-policies-with-memcm.md
+    - name: Deploy WDAC policies with script
+      href: deployment/deploy-wdac-policies-with-script.md
+    - name: Deploy WDAC policies with group policy
+      href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+    - name: Audit WDAC policies
+      href: audit-windows-defender-application-control-policies.md
+    - name: Merge WDAC policies
+      href: merge-windows-defender-application-control-policies.md
+    - name: Enforce WDAC policies
+      href: enforce-windows-defender-application-control-policies.md
+    - name: Use code signing to simplify application control for classic Windows applications
+      href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+      items:
+        - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
+          href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
+        - name: "Optional: Create a code signing cert for WDAC"
+          href: create-code-signing-cert-for-windows-defender-application-control.md
+        - name: Deploy catalog files to support WDAC
+          href: deploy-catalog-files-to-support-windows-defender-application-control.md
+    - name: Use signed policies to protect Windows Defender Application Control against tampering
+      href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+    - name: Disable WDAC policies
+      href: disable-windows-defender-application-control-policies.md
+    - name: LOB Win32 Apps on S Mode
+      href: LOB-win32-apps-on-s.md
+- name: WDAC operational guide
+  href: windows-defender-application-control-operational-guide.md
+  items:
+    - name: Understanding Application Control event tags
+      href: event-tag-explanations.md
+    - name: Understanding Application Control event IDs
+      href: event-id-explanations.md
+    - name: Query WDAC events with Advanced hunting
+      href: querying-application-control-events-centrally-using-advanced-hunting.md
+    - name: Known Issues
+      href: operations/known-issues.md
+    - name: Managed installer and ISG technical reference and troubleshooting guide
+      href: configure-wdac-managed-installer.md
+- name: WDAC AppId Tagging guide
+  href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+  items:
+    - name: Creating AppId Tagging Policies
+      href: AppIdTagging/design-create-appid-tagging-policies.md
+    - name: Deploying AppId Tagging Policies
+      href: AppIdTagging/deploy-appid-tagging-policies.md
+    - name: Testing and Debugging AppId Tagging Policies
+      href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+- name: AppLocker
+  href: applocker\applocker-overview.md
+  items:
+    - name: Administer AppLocker
+      href: applocker\administer-applocker.md
+      items:
+        - name: Maintain AppLocker policies
+          href: applocker\maintain-applocker-policies.md
+        - name: Edit an AppLocker policy
+          href: applocker\edit-an-applocker-policy.md
+        - name: Test and update an AppLocker policy
+          href: applocker\test-and-update-an-applocker-policy.md
+        - name: Deploy AppLocker policies by using the enforce rules setting
+          href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+        - name: Use the AppLocker Windows PowerShell cmdlets
+          href: applocker\use-the-applocker-windows-powershell-cmdlets.md
+        - name: Use AppLocker and Software Restriction Policies in the same domain
+          href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
+        - name: Optimize AppLocker performance
+          href: applocker\optimize-applocker-performance.md
+        - name: Monitor app usage with AppLocker
+          href: applocker\monitor-application-usage-with-applocker.md
+        - name: Manage packaged apps with AppLocker
+          href: applocker\manage-packaged-apps-with-applocker.md
+        - name: Working with AppLocker rules
+          href: applocker\working-with-applocker-rules.md
+          items:
+            - name: Create a rule that uses a file hash condition
+              href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
+            - name: Create a rule that uses a path condition
+              href: applocker\create-a-rule-that-uses-a-path-condition.md
+            - name: Create a rule that uses a publisher condition
+              href: applocker\create-a-rule-that-uses-a-publisher-condition.md
+            - name: Create AppLocker default rules
+              href: applocker\create-applocker-default-rules.md
+            - name: Add exceptions for an AppLocker rule
+              href: applocker\configure-exceptions-for-an-applocker-rule.md
+            - name: Create a rule for packaged apps
+              href: applocker\create-a-rule-for-packaged-apps.md
+            - name: Delete an AppLocker rule
+              href: applocker\delete-an-applocker-rule.md
+            - name: Edit AppLocker rules
+              href: applocker\edit-applocker-rules.md
+            - name: Enable the DLL rule collection
+              href: applocker\enable-the-dll-rule-collection.md
+            - name: Enforce AppLocker rules
+              href: applocker\enforce-applocker-rules.md
+            - name: Run the Automatically Generate Rules wizard
+              href: applocker\run-the-automatically-generate-rules-wizard.md
+        - name: Working with AppLocker policies
+          href: applocker\working-with-applocker-policies.md
+          items:
+            - name: Configure the Application Identity service
+              href: applocker\configure-the-application-identity-service.md
+            - name: Configure an AppLocker policy for audit only
+              href: applocker\configure-an-applocker-policy-for-audit-only.md
+            - name: Configure an AppLocker policy for enforce rules
+              href: applocker\configure-an-applocker-policy-for-enforce-rules.md
+            - name: Display a custom URL message when users try to run a blocked app
+              href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+            - name: Export an AppLocker policy from a GPO
+              href: applocker\export-an-applocker-policy-from-a-gpo.md
+            - name: Export an AppLocker policy to an XML file
+              href: applocker\export-an-applocker-policy-to-an-xml-file.md
+            - name: Import an AppLocker policy from another computer
+              href: applocker\import-an-applocker-policy-from-another-computer.md
+            - name: Import an AppLocker policy into a GPO
+              href: applocker\import-an-applocker-policy-into-a-gpo.md
+            - name: Add rules for packaged apps to existing AppLocker rule-set
+              href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+            - name: Merge AppLocker policies by using Set-ApplockerPolicy
+              href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
+            - name: Merge AppLocker policies manually
+              href: applocker\merge-applocker-policies-manually.md
+            - name: Refresh an AppLocker policy
+              href: applocker\refresh-an-applocker-policy.md
+            - name: Test an AppLocker policy by using Test-AppLockerPolicy
+              href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
+    - name: AppLocker design guide
+      href: applocker\applocker-policies-design-guide.md
+      items:
+        - name: Understand AppLocker policy design decisions
+          href: applocker\understand-applocker-policy-design-decisions.md
+        - name: Determine your application control objectives
+          href: applocker\determine-your-application-control-objectives.md
+        - name: Create a list of apps deployed to each business group
+          href: applocker\create-list-of-applications-deployed-to-each-business-group.md
+          items:
+            - name: Document your app list
+              href: applocker\document-your-application-list.md
+        - name: Select the types of rules to create
+          href: applocker\select-types-of-rules-to-create.md
+          items:
+            - name: Document your AppLocker rules
+              href: applocker\document-your-applocker-rules.md
+        - name: Determine the Group Policy structure and rule enforcement
+          href: applocker\determine-group-policy-structure-and-rule-enforcement.md
+          items:
+            - name: Understand AppLocker enforcement settings
+              href: applocker\understand-applocker-enforcement-settings.md
+            - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
+              href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+            - name: Document the Group Policy structure and AppLocker rule enforcement
+              href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
+        - name: Plan for AppLocker policy management
+          href: applocker\plan-for-applocker-policy-management.md
+    - name: AppLocker deployment guide
+      href: applocker\applocker-policies-deployment-guide.md
+      items:
+        - name: Understand the AppLocker policy deployment process
+          href: applocker\understand-the-applocker-policy-deployment-process.md
+        - name: Requirements for Deploying AppLocker Policies
+          href: applocker\requirements-for-deploying-applocker-policies.md
+        - name: Use Software Restriction Policies and AppLocker policies
+          href: applocker\using-software-restriction-policies-and-applocker-policies.md
+        - name: Create Your AppLocker policies
+          href: applocker\create-your-applocker-policies.md
+          items:
+            - name: Create Your AppLocker rules
+              href: applocker\create-your-applocker-rules.md
+        - name: Deploy the AppLocker policy into production
+          href: applocker\deploy-the-applocker-policy-into-production.md
+          items:
+            - name: Use a reference device to create and maintain AppLocker policies
+              href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+              items:
+                - name: Determine which apps are digitally signed on a reference device
+                  href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+                - name: Configure the AppLocker reference device
+                  href: applocker\configure-the-appLocker-reference-device.md
+    - name: AppLocker technical reference
+      href: applocker\applocker-technical-reference.md
+      items:
+        - name: What Is AppLocker?
+          href: applocker\what-is-applocker.md
+        - name: Requirements to use AppLocker
+          href: applocker\requirements-to-use-applocker.md
+        - name: AppLocker policy use scenarios
+          href: applocker\applocker-policy-use-scenarios.md
+        - name: How AppLocker works
+          href: applocker\how-applocker-works-techref.md
+          items:
+            - name: Understanding AppLocker rule behavior
+              href: applocker\understanding-applocker-rule-behavior.md
+            - name: Understanding AppLocker rule exceptions
+              href: applocker\understanding-applocker-rule-exceptions.md
+            - name: Understanding AppLocker rule collections
+              href: applocker\understanding-applocker-rule-collections.md
+            - name: Understanding AppLocker allow and deny actions on rules
+              href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
+            - name: Understanding AppLocker rule condition types
+              href: applocker\understanding-applocker-rule-condition-types.md
+              items:
+                - name: Understanding the publisher rule condition in AppLocker
+                  href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
+                - name: Understanding the path rule condition in AppLocker
+                  href: applocker\understanding-the-path-rule-condition-in-applocker.md
+                - name: Understanding the file hash rule condition in AppLocker
+                  href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
+            - name: Understanding AppLocker default rules
+              href: applocker\understanding-applocker-default-rules.md
+              items:
+                - name: Executable rules in AppLocker
+                  href: applocker\executable-rules-in-applocker.md
+                - name: Windows Installer rules in AppLocker
+                  href: applocker\windows-installer-rules-in-applocker.md
+                - name: Script rules in AppLocker
+                  href: applocker\script-rules-in-applocker.md
+                - name: DLL rules in AppLocker
+                  href: applocker\dll-rules-in-applocker.md
+                - name: Packaged apps and packaged app installer rules in AppLocker
+                  href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+        - name: AppLocker architecture and components
+          href: applocker\applocker-architecture-and-components.md
+        - name: AppLocker processes and interactions
+          href: applocker\applocker-processes-and-interactions.md
+        - name: AppLocker functions
+          href: applocker\applocker-functions.md
+        - name: Security considerations for AppLocker
+          href: applocker\security-considerations-for-applocker.md
+        - name: Tools to Use with AppLocker
+          href: applocker\tools-to-use-with-applocker.md
+          items:
+            - name: Using Event Viewer with AppLocker
+              href: applocker\using-event-viewer-with-applocker.md
+        - name: AppLocker Settings
+          href: applocker\applocker-settings.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 2d13639669..baee8a7e94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -23,9 +23,9 @@ ms.technology: windows-sec
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -118,9 +118,6 @@ Alice follows these steps to complete this task:
 
 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
 
-    > [!NOTE]
-    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
-
    ```powershell
    [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
    $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 9cb8de44f4..07deea124a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -13,9 +13,9 @@ audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 11/15/2019
+ms.author: vinpa
+manager: aaroncz
+ms.date: 08/10/2022
 ms.technology: windows-sec
 ---
 
@@ -23,9 +23,9 @@ ms.technology: windows-sec
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -58,82 +58,103 @@ Based on the above, Alice defines the pseudo-rules for the policy:
    - WHQL (third-party kernel drivers)
    - Windows Store signed apps
 
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
-3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
-4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
-5. **Admin-only path rules** for the following locations:
+1. **"MEMCM works”** rules that include:
+    - Signer and hash rules for Configuration Manager components to properly function.
+    - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
+
+1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+
+1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
+
+1. **Admin-only path rules** for the following locations:
    - C:\Program Files\*
    - C:\Program Files (x86)\*
    - %windir%\*
 
 ## Create a custom base policy using an example WDAC base policy
 
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
 
 Alice follows these steps to complete this task:
 
-> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-
-1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
-
-2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
-
-      ```powershell
-      $PolicyName= "Lamna_LightlyManagedClients_Audit"
-      $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
-      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
-      ```
-
-3. Copy the policy created by Configuration Manager to the desktop:
-
-      ```powershell
-      cp $MEMCMPolicy $LamnaPolicy
-      ```
-
-4. Give the new policy a unique ID, descriptive name, and initial version number:
-
-      ```powershell
-      Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
-      Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
-      ```
-
-5. Modify the copied policy to set policy rules:
-
-      ```powershell
-      Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
-      Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
-      Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
-      Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
-      Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
-      Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
-      Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
-      Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
-      Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
-      ```
-
-6. Add rules to allow windir and Program Files directories:
-
-      ```powershell
-      $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
-      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
-      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
-      Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
-      ```
-
-7. If appropriate, add more signer or file rules to further customize the policy for your organization.
-
-8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
 
     > [!NOTE]
-    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+    > If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in this step.
 
-   ```powershell
-   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
-   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
-   ```
+    ```powershell
+    $PolicyPath = $env:userprofile+"\Desktop\"
+    $PolicyName= "Lamna_LightlyManagedClients_Audit"
+    $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
+    $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
+    ```
 
-9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Copy the example policy to the desktop:
+
+    ```powershell
+    Copy-Item $ExamplePolicy $LamnaPolicy
+    ```
+
+1. Modify the policy to remove unsupported rule:
+
+    > [!NOTE]
+    > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
+
+    ```powershell
+    [xml]$xml = Get-Content $LamnaPolicy
+    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+    $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+    $node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
+    $node.ParentNode.RemoveChild($node)
+    $xml.Save($LamnaPolicy)
+    ```
+
+1. Give the new policy a unique ID, descriptive name, and initial version number:
+
+    ```powershell
+    Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+    Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+    ```
+
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
+
+    > [!NOTE]
+    > If you do not use Configuration Manager, skip this step.
+
+    ```powershell
+    $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+    Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+    Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+    ```
+
+1. Modify the policy to set additional policy rules:
+
+    ```powershell
+    Set-RuleOption -FilePath $LamnaPolicy -Option 3  # Audit Mode
+    Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+    Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+    ```
+
+1. Add rules to allow windir and Program Files directories:
+
+    ```powershell
+    $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+    $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+    $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+    Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+    ```
+
+1. If appropriate, add more signer or file rules to further customize the policy for your organization.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
+
+    ```powershell
+    [xml]$policyXML = Get-Content $LamnaPolicy
+    $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
+    ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+    ```
+
+1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
 
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 
@@ -141,44 +162,69 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
 
 In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
 
-- **Users with administrative access**<br>
-    By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+  By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+  Possible mitigations:
 
-    Possible mitigations:
   - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
   - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
   - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**<br>
-    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
 
-    Possible mitigations:
+- **Unsigned policies**
+
+  Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+  Possible mitigations:
+
   - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
   - Limit who can elevate to administrator on the device.
-- **Managed installer**<br>
-    See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
 
-    Possible mitigations:
+- **Managed installer**
+
+  See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+  Possible mitigations:
+
   - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
   - Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**<br>
-    See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
 
-    Possible mitigations:
+- **Intelligent Security Graph (ISG)**
+
+  See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
+
+  Possible mitigations:
+
   - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**<br>
-    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
 
-    Possible mitigations:
+- **Supplemental policies**
+
+  Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+  Possible mitigations:
+
   - Use signed WDAC policies that allow authorized signed supplemental policies only.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**<br>
-    See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
 
-    Possible mitigations:
+- **FilePath rules**
+
+  See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+  Possible mitigations:
+
   - Limit who can elevate to administrator on the device.
   - Migrate from filepath rules to managed installer or signature-based rules.
 
+- **Signed files**
+
+  Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+
+  Possible mitigations:
+
+  - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
+
 ## Up next
 
 - [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 601db3b421..cd504ed4ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -15,7 +15,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: dansimp
 manager: dansimp
-ms.date: 11/15/2019
+ms.date: 08/05/2022
 ms.technology: windows-sec
 ---
 
@@ -23,9 +23,9 @@ ms.technology: windows-sec
 
 **Applies to:**
 
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -39,7 +39,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
 | **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
 | **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index b39d1f45b2..5dd1e3fd49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -9,7 +9,7 @@ metadata:
 # ms.subservice: Application-Control
 # ms.topic: landing-page
 # author: Kim Klein
-# ms.author: Jordan Geurten 
+# ms.author: Jordan Geurten
 # manager: Jeffrey Sutherland
 # ms.update: 04/30/2021
 # linkListType: overview | how-to-guide | tutorial | video
@@ -21,13 +21,15 @@ landingContent:
     linkLists:
       - linkListType: overview
         links:
+          - text: What is Application Control?
+            url: windows-defender-application-control.md
           - text: What is Windows Defender Application Control (WDAC)?
             url: wdac-and-applocker-overview.md
           - text: What is AppLocker?
             url: applocker\applocker-overview.md
           - text: WDAC and AppLocker feature availability
-            url: feature-availability.md  
-  # Card               
+            url: feature-availability.md
+  # Card
   - title: Learn about Policy Design
     linkLists:
       - linkListType: overview
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 498ab02284..562849c65a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -15,21 +15,21 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 09/29/2021
+ms.date: 08/11/2022
 ---
 
 # Microsoft recommended block rules
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. 
+Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
 
 Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
 
@@ -87,27 +87,25 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 |---|---|
 | `Alex Ionescu` | `@aionescu`|
 | `Brock Mammen`| |
-| `Casey Smith` | `@subTee` | 
+| `Casey Smith` | `@subTee` |
 | `James Forshaw` | `@tiraniddo` |
 | `Jimmy Bayne` | `@bohops` |
 | `Kim Oppalfens` | `@thewmiguy` |
 | `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
 | `Lee Christensen` | `@tifkin_` |
-| `Matt Graeber` | `@mattifestation` | 
-| `Matt Nelson` | `@enigma0x3` | 
+| `Matt Graeber` | `@mattifestation` |
+| `Matt Nelson` | `@enigma0x3` |
 | `Oddvar Moe` | `@Oddvarmoe` |
 | `Philip Tsukerman` | `@PhilipTsukerman` |
 | `Vladas Bulavas` | `Kaspersky Lab` |
 | `William Easton` | `@Strawgate` |
 
-<br />
-
-> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. 
+> [!NOTE]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
 
 Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
 
-Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes. 
+Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
 
 For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules.
 
@@ -119,6 +117,10 @@ Microsoft recommends that you block the following Microsoft-signed applications
 
 Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
 
+<br>
+<details>
+  <summary>Expand this section to see the WDAC policy XML</summary>
+
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
@@ -905,8 +907,8 @@ Select the correct version of each .dll for the Windows release you plan to supp
           <FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
           <FileRuleRef RuleID="ID_DENY_WSLHOST" />
           <!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
-          <FileRuleRef RuleID="ID_DENY_MSXML3" /> 
-          <FileRuleRef RuleID="ID_DENY_MSXML6" /> 
+          <FileRuleRef RuleID="ID_DENY_MSXML3" />
+          <FileRuleRef RuleID="ID_DENY_MSXML6" />
           <FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
           -->
           <FileRuleRef RuleID="ID_DENY_D_1" />
@@ -1524,9 +1526,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
   <HvciOptions>0</HvciOptions>
 </SiPolicy>
 ```
-<br />
 
-> [!Note]
+</details>
+
+> [!NOTE]
 > To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
 
 ## More information
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 7c16581109..130ec8b14c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft recommended driver block rules (Windows)
-description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.  
+description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
 keywords:  security, malware, kernel mode, driver
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
@@ -20,28 +20,49 @@ manager: dansimp
 
 **Applies to:**
 
--   Windows 10
--   Windows 11
--   Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
 
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
-
-- Hypervisor-protected code integrity (HVCI) enabled devices
-- Windows 10 in S mode (S mode) devices
-
-The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes: 
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
 
 - Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
 - Malicious behaviors (malware) or certificates used to sign malware
 - Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
 
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article. 
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
+](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+
+## Microsoft vulnerable driver blocklist
+
+<!-- MAXADO-6286432 -->
+
+Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
+
+| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
+|--|:--:|:--:|
+| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
+| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
+| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
+| Clean install of Windows | :x: | :heavy_check_mark: |
+
+> [!NOTE]
+> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+
+## Blocking vulnerable drivers using WDAC
 
 Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
 
+> [!IMPORTANT]
+> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
+
+<br>
+<details>
+  <summary>Expand this section to see the blocklist WDAC policy XML</summary>
+
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
@@ -52,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Rule>
       <Option>Enabled:Unsigned System Integrity Policy</Option>
     </Rule>
-	<Rule>
+    <Rule>
       <Option>Enabled:Audit Mode</Option>
     </Rule>
     <Rule>
@@ -109,7 +130,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Deny ID="ID_DENY_BANDAI_SHA256" FriendlyName="bandai.sys Hash Sha256" Hash="7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8" />
     <Deny ID="ID_DENY_BANDAI_SHA1_PAGE" FriendlyName="bandai.sys Hash Page Sha1" Hash="EA360A9F23BB7CF67F08B88E6A185A699F0C5410" />
     <Deny ID="ID_DENY_BANDAI_SHA256_PAGE" FriendlyName="bandai.sys Hash Page Sha256" Hash="BB83738210650E09307CE869ACA9BFA251024D3C47B1006B94FCE2846313F56E" />
-	<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
+    <Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
     <Deny ID="ID_DENY_BS_RCIO64_SHA256" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha256" Hash="0381632CD236CD94FA9E64CCC958516AC50F9437F99092E231A607B1E6BE6CF8" />
     <Deny ID="ID_DENY_BS_RCIO64_SHA1_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha1" Hash="C28B640BECA5E2834D2A373F139869CC309F6631" />
     <Deny ID="ID_DENY_BS_RCIO64_SHA256_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha256" Hash="9378F7DFF94D9409D38FA1A125C52734D6BAEA90913FC3CEE2659FD36AB0DA29" />
@@ -207,9 +228,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Deny ID="ID_DENY_DIRECTIO_34" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="05E20D0274A4FCC5368F25C62174003A555917E7" />
     <Deny ID="ID_DENY_DIRECTIO_35" FriendlyName="PassMark DirectIo.sys Hash Page Sha256" Hash="70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA" />
     <Deny ID="ID_DENY_DIRECTIO_36" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="706686F2A1EF4738A1856D01AB10EB730FC7B327" />
-    <Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
+    <Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
     <Deny ID="ID_DENY_DIRECTIO_38" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B423CA58603513B5D3A9669736D5E13C353FD6F9" />
-    <Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
+    <Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
     <Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" />
     <Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" />
     <Deny ID="ID_DENY_MSIO_SHA1_1" FriendlyName="MsIo.sys Hash Sha1" Hash="0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83" />
@@ -401,7 +422,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
     <FileAttrib ID="ID_FILEATTRIB_BS_HWMIO64" FriendlyName="" FileName="BS_HWMIO64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.1806.2200" />
     <FileAttrib ID="ID_FILEATTRIB_BS_I2CIO" FriendlyName="" FileName="BS_I2cIo.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.1.0.0" />
-	<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
+    <FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
     <FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
     <FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
@@ -412,7 +433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <FileAttrib ID="ID_FILEATTRIB_LIBNICM_DRIVER" FriendlyName="" FileName="libnicm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
     <FileAttrib ID="ID_FILEATTRIB_MTCBSV64" FriendlyName="mtcBSv64.sys FileAttribute" FileName="mtcBSv64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.2.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_NCHGBIOS2X64" FriendlyName="" FileName="NCHGBIOS2x64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.2.4.0" />
-	<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
+    <FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
     <FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
     <FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
     <FileAttrib ID="ID_FILEATTRIB_PHYSMEM" FriendlyName="Physmem.sys FileAttribute" FileName="physmem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@@ -421,13 +442,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <FileAttrib ID="ID_FILEATTRIB_RTKIOW8X64_DRIVER" FriendlyName="" FileName="rtkiow8x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_RTKIOW10X64_DRIVER" FriendlyName="" FileName="rtkiow10x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_RWDRV_DRIVER" FriendlyName="" FileName="RwDrv.sys" MinimumFileVersion="65535.65535.65535.65535" />
-	<FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
-    <FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys"  MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
+    <FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
     <FileAttrib ID="ID_FILEATTRIB_SANDRA" FriendlyName="" FileName="SANDRA" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_SANDRA_DRIVER" FriendlyName="" FileName="sandra.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_SEGWINDRVX64" FriendlyName="segwindrvx64.sys FileAttribute" FileName="segwindrvx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="100.0.7.2" />
     <FileAttrib ID="ID_FILEATTRIB_TREND_MICRO" FriendlyName="TmComm.sys" FileName="TmComm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.0.0.0" />
-	<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
+    <FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_VIRAGT" FriendlyName="viragt.sys 32-bit" FileName="viragt.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.80.0.0" />
     <FileAttrib ID="ID_FILEATTRIB_VIRAGT64" FriendlyName="viragt64.sys" FileName="viragt64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.11" />
     <FileAttrib ID="ID_FILEATTRIB_VMDRV" FriendlyName="vmdrv.sys FileAttribute" FileName="vmdrv.sys" MinimumFileVersion="10.0.10011.16384" />
@@ -483,7 +504,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
       <FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
-	  <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@@ -525,7 +546,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
       <CertRoot Type="TBS" Value="041750993D7C9E063F02DFE74699598640911AAB" />
       <CertPublisher Value="innotek GmbH" />
     </Signer>
-	<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
+    <Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
       <CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
       <CertPublisher Value="Oracle Corporation" />
       <FileAttribRef RuleID="ID_FILEATTRIB_VBOX" />
@@ -565,11 +586,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2014" Name="Microsoft Windows Third Party Component CA 2014">
       <CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
       <CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
-	  <FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
       <FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_LHA" />
       <FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
-	  <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
@@ -579,7 +600,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
       <FileAttribRef RuleID="ID_FILEATTRIB_VIRAGT64" />
       <FileAttribRef RuleID="ID_FILEATTRIB_VMDRV" />
     </Signer>
-   <Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
+    <Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
       <CertRoot Type="TBS" Value="90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212" />
       <CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
       <FileAttribRef RuleID="ID_FILEATTRIB_HPPORTIOX64" />
@@ -623,7 +644,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
       <CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
       <CertPublisher Value="Novell, Inc." />
       <FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
-	  <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
+      <FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
       <FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
     </Signer>
@@ -702,12 +723,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
       <CertPublisher Value="Advanced Micro Devices Inc." />
       <FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
     </Signer>
-	<Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
+    <Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
       <CertRoot Type="TBS" Value="C7FC1727F5B75A6421A1F95C73BBDB23580C48E5" />
       <CertPublisher Value="Agnitum Ltd." />
       <FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_2" />
     </Signer>
-	<Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
+    <Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
       <CertRoot Type="TBS" Value="4CDC38C800761463749C3CBD94A12F32E49877BF" />
       <CertPublisher Value="Agnitum Ltd." />
       <FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_1" />
@@ -740,19 +761,19 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <Signer ID="ID_SIGNER_JEROMIN_CODY_ERIC" Name="Jeromin Cody Eric">
       <CertRoot Type="TBS" Value="dfa6171201b51a2ec174310e8fb9f4c0fde2d365235e589ded0213c5279bea6e" />
     </Signer>
-	<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
+    <Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
       <CertRoot Type="TBS" Value="A86DE66D8198E4272859881476A6F9936034A482" />
     </Signer>
-	<Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
+    <Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
       <CertRoot Type="TBS" Value="80854F578E2A3B5552EA839BA4F98DDFE94B2381" />
     </Signer>
-	<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
+    <Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
       <CertRoot Type="TBS" Value="15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7" />
     </Signer>
-	<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
+    <Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
       <CertRoot Type="TBS" Value="F049A238763D4A90B148AB10A500F96EBF1DC436" />
     </Signer>
-	<Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
+    <Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
       <CertRoot Type="TBS" Value="47F4B9898631773231B32844EC0D49990AC4EB1E" />
       <CertPublisher Value="CHENGDU YIWO Tech Development Co., Ltd." />
     </Signer>
@@ -774,14 +795,14 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
     <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DENIED_VULN_MAL_SIGNERS" FriendlyName="Signers of known vulnerable or malicious drivers">
       <ProductSigners>
         <DeniedSigners>
-		  <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
-		  <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
-		  <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
-		  <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
+          <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
+          <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
+          <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
+          <DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
           <DeniedSigner SignerId="ID_SIGNER_AMDPP" />
           <DeniedSigner SignerId="ID_SIGNER_CAPCOM" />
-          <DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" /> 
-          <DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" /> 
+          <DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
+          <DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" />
           <DeniedSigner SignerId="ID_SIGNER_ELBY" />
           <DeniedSigner SignerId="ID_SIGNER_ENE" />
           <DeniedSigner SignerId="ID_SIGNER_DIGICERT_EV" />
@@ -794,37 +815,37 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
           <DeniedSigner SignerId="ID_SIGNER_GEOTRUST_SRL_2010" />
           <DeniedSigner SignerId="ID_SIGNER_GLOBALSIGN_TG_SOFT" />
           <DeniedSigner SignerId="ID_SIGNER_HANDAN" />
-		  <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
-		  <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
-		  <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
-		  <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
-          <DeniedSigner SignerId="ID_SIGNER_HP" /> 
+          <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
+          <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
+          <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
+          <DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
+          <DeniedSigner SignerId="ID_SIGNER_HP" />
           <DeniedSigner SignerId="ID_SIGNER_INTEL_IQVW" />
           <DeniedSigner SignerId="ID_SIGNER_JEROMIN_CODY_ERIC" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
           <DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
           <DeniedSigner SignerId="ID_SIGNER_NANJING" />
-		  <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
-		  <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
-		  <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
+          <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
+          <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
+          <DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
           <DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
           <DeniedSigner SignerId="ID_SIGNER_REALTEK" />
           <DeniedSigner SignerId="ID_SIGNER_RWEVERY" />
-		  <DeniedSigner SignerId="ID_SIGNER_SAASAME" />
+          <DeniedSigner SignerId="ID_SIGNER_SAASAME" />
           <DeniedSigner SignerId="ID_SIGNER_SANDRA" />
           <DeniedSigner SignerId="ID_SIGNER_SANDRA_THAWTE" />
           <DeniedSigner SignerId="ID_SIGNER_SPEEDFAN" />
           <DeniedSigner SignerId="ID_SIGNER_SYMANTEC_CLASS_3" />
           <DeniedSigner SignerId="ID_SIGNER_TRUST_ASIA" />
           <DeniedSigner SignerId="ID_SIGNER_VBOX" />
-		  <DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
-		  <DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
+          <DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
+          <DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004_BIOSTAR" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_BIOSTAR" />
-          <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_REALTEK" /> 
+          <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_REALTEK" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010_2" />
           <DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010_BIOSTAR" />
@@ -884,7 +905,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
           <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
           <FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
           <FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
-		  <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
+          <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
           <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
           <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
           <FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
@@ -988,17 +1009,17 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
           <FileRuleRef RuleID="ID_DENY_DIRECTIO_3A" />
           <FileRuleRef RuleID="ID_DENY_DIRECTIO_3B" />
           <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_1" />
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_1" /> 		
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_1" /> 	
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_1" />	
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_1" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_1" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_1" />
           <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_2" />
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_2" />		
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_2" /> 	
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_2" />	
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_2" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_2" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_2" />
           <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_3" />
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_3" />		
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_4" />	
-          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_4" />		
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_3" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA1_4" />
+          <FileRuleRef RuleID="ID_DENY_MSIO_SHA256_4" />
           <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1" />
           <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256" />
           <FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1_PAGE" />
@@ -1166,11 +1187,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
           <FileRuleRef RuleID="ID_DENY_PROCESSHACKER"/>
           <FileRuleRef RuleID="ID_DENY_AMP"/>
           <FileRuleRef RuleID="ID_DENY_ASMMAP"/>
-          <FileRuleRef RuleID="ID_DENY_ASMMAP_64"/> 
+          <FileRuleRef RuleID="ID_DENY_ASMMAP_64"/>
           <FileRuleRef RuleID="ID_DENY_PHYMEMX_64"/>
           <FileRuleRef RuleID="ID_DENY_DBK_32"/>
           <FileRuleRef RuleID="ID_DENY_DBK_64"/>
-		  </FileRulesRef>
+        </FileRulesRef>
       </ProductSigners>
     </SigningScenario>
     <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="">
@@ -1198,8 +1219,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
   </Settings>
 </SiPolicy>
 ```
-<br />
 
+</details>
+
+> [!NOTE]
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
 
 ## More information
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index e1f7559c0d..f675141e00 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: dansimp
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 06/28/2022
+ms.date: 08/12/2022
 ms.technology: windows-sec
 ---
 
@@ -22,9 +22,9 @@ ms.technology: windows-sec
 
 **Applies to:**
 
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
 
 > [!NOTE]
 > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).<br/> NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
 | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
 | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
 | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.<br/> NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
 | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.<br/> NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
 
 | Rule level | Description |
 |----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
 | **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
 | **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
 | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
 | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
 | **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
 | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
 | **RootCertificate** | Currently unsupported. |
@@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
 > When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
 
 > [!NOTE]
+>
 > - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
 > - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
 
+> [!NOTE]
+> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
+>
+> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
+> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
+> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
+
 ## Example of file rule levels in use
 
 For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@@ -146,20 +154,20 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
 
 ## More information about hashes
 
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated. 
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
 
-The Authenticode/PE image hash can be calculated for digitally signed and unsigned files. 
+The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
 
 ### Why does scan create four hash rules per XML file?
 
 The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
 During validation, CI will choose which hashes to calculate, depending on how the file is signed.  For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
 
-In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page).  This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page).  This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
 
 ### Why does scan create eight hash rules for certain XML files?
 
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
 
 ## Windows Defender Application Control filename rules
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index a552764722..e8ea61c23d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -46,15 +46,24 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
 - **Windows Defender Application Control (WDAC)**; and
 - **AppLocker**
 
-## In this section
+## WDAC and Smart App Control
 
-| Article | Description |
-| --- | --- |
-| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
+
+| Value | Description |
+|-------|-------------|
+| 0     | Off         |
+| 1     | Enforce     |
+| 2     | Evaluation  |
+
+> [!IMPORTANT]
+> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
 
 ## Related articles
 
 - [WDAC design guide](windows-defender-application-control-design-guide.md)
 - [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
+- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
 - [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file