From 97570ddcf62f66f95532bdbff5b148f5774acdc4 Mon Sep 17 00:00:00 2001
From: isbrahm <43386070+isbrahm@users.noreply.github.com>
Date: Mon, 27 Jan 2020 14:27:34 -0800
Subject: [PATCH] Add information about policy deletion

---
 ...nder-application-control-policies-using-intune.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index c3ccef8510..128fb4d3a3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -48,7 +48,8 @@ In order to deploy a custom policy through Intune and define your own circle of
 
 ## Using a Custom OMA-URI Profile
 
-For 1903+ systems, the steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy are:
+### For 1903+ systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [ApplicationControl CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) and deploy a custom WDAC policy to 1903+ systems are:
 
 1. Know a generated policy’s GUID, which can be found in the policy xml as `<PolicyID>`
 2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
@@ -61,7 +62,11 @@ For 1903+ systems, the steps to use Intune's Custom OMA-URI functionality to lev
 
     ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
 
-For pre-1903 systems, the steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy are:
+> [!NOTE]
+> Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to functionally do a rebootless delete, replace the existing policy with an Allow All policy (found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) and then delete the updated policy. This will immediately prevent anything from being blocked and fully deactive the policy on the next reboot.
+
+### For pre-1903 systems
+The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
 
 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned.
 2. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**.
@@ -70,3 +75,6 @@ For pre-1903 systems, the steps to use Intune's Custom OMA-URI functionality to
     - **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy)
     - **Data type**: Base64
     - **Certificate file**: upload your binary format policy file
+
+> [!NOTE]
+> Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy and/or use a script to delete the existing policy.