From 878d041fad0a101b7a29a7470d2e752ec06c76f8 Mon Sep 17 00:00:00 2001 From: "jogeurte@microsoft.com" Date: Tue, 18 May 2021 15:23:52 -0700 Subject: [PATCH] updated guidance for signed policy deployment in the script md file. #9495 --- .../deployment/deploy-wdac-policies-with-script.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 3aed014401..a0308dfadc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -52,6 +52,20 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p & $RefreshPolicyTool ``` +### Deploying signed policies + +In addition to the steps outlined above, the binary policy file must also be copied to the device's EFI partition. Deploying your policy via [MEM](deploy-windows-defender-application-control-policies-using-intune.md) or the [Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP) will handle this step automatically. + +1. Mount the EFI volume and make the directory, if it does not exist, in an elevated PowerShell prompt: +```powershell +mountvol J: /S +J: +mkdir J:\EFI\Microsoft\Boot\CiPolicies\Active +``` + +2. Copy the signed policy binary as `{PolicyGUID}.cip` to J:\EFI\Microsoft\Boot\CiPolicies\Active +3. Reboot the system. + ## Script-based deployment process for Windows 10 versions earlier than 1903 1. Initialize the variables to be used by the script.
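Review bot: the step-1 commands hard-code the drive letter `J:` for `mountvol J: /S` without checking that it is free, and the procedure never unmounts the EFI system partition afterward; `mountvol` will fail if `J:` is already assigned, and leaving the ESP mounted as a drive letter exposes the boot files to accidental modification. Suggest noting that the letter must be unused (or parameterizing it) and adding a final step such as `mountvol J: /D` after the copy in step 2. Two smaller points in the same hunk: the ```` ```powershell ```` fence directly under list item `1.` is not indented under the item, so some Markdown renderers will break the numbered list before `2. Copy the signed policy binary ...`; indenting the fence by three spaces keeps items 1 to 3 in one list. The cross-reference `[Application Control CSP](#Deploying-multiple-policies-via-ApplicationControl-CSP)` uses a mixed-case anchor, while heading anchors in this docs set are generated in lowercase, so the link should be checked to confirm it resolves.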