From d7ff60f5816d9c84b8e5791c6d53583e5bdb98b9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 27 Sep 2019 10:02:51 -0700 Subject: [PATCH] Add critical warning for mixing path based rules with DENY rules --- .../select-types-of-rules-to-create.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 530d8659f9..db654141a9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -110,6 +110,8 @@ They could also choose to create a catalog that captures information about the u ## Create path-based rules Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. +> [!NOTE] +> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) - New-CIPolicy parameter - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level)
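Review bot: The callout added under "## Create path-based rules" is marked `> [!NOTE]`, while the commit subject calls it a critical warning. A policy author who skims past a note may still ship a single policy that mixes path-based ALLOW rules with DENY rules, so `> [!IMPORTANT]` or `> [!WARNING]` would match the stated severity. The text also does not say what happens when the two rule types are combined or which Windows versions have the bug. Adding the observable failure and the affected version would let readers check their existing policies and know when the workaround can be dropped. Minor wording points: "can not" should be "cannot", and the trailing period in `[Deploy multiple WDAC policies.]` belongs outside the link text.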