This commit is contained in:
jsuther1974
2019-11-21 10:15:58 -08:00
3 changed files with 10 additions and 19 deletions

View File

@ -3,9 +3,6 @@ title: Create a WDAC policy for fixed-workload devices using a reference compute
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
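Review bot: all three frontmatter blocks touched by this commit carry the identical `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb`, which is supposed to be unique per page; since this hunk is already editing the metadata of each file, give each page its own asset ID rather than leaving the duplicate in place. Also confirm that dropping `ms.reviewer`, `manager` and `ms.author` together is acceptable for the docs build, because the fields that remain (`ms.prod`, `ms.mktglfcycl`, `ms.sitesec`) no longer identify an owner for these pages.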
@ -53,13 +50,13 @@ You can remove or disable such software on the reference computer.
To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order: To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: 1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **WDACPolicy.bin** for the names of the files that will be created:
`$CIPolicyPath=$env:userprofile+"\Desktop\"` `$CIPolicyPath=$env:userprofile+"\Desktop\"`
`$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
`$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` `$CIPolicyBin=$CIPolicyPath+"WDACPolicy.bin"`
2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
@ -70,7 +67,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
> [!Note] > [!Note]
> >
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
> > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
> - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
> >
> - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
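Review bot: the new `-MultiplePolicyFormat` bullet replaced the blank `>` separator line instead of being inserted next to it, so the `-UserPEs`, `-MultiplePolicyFormat` and `-Fallback` bullets are no longer spaced consistently within the note; add a `>` line after the new bullet to match the other entries. "Windows build 1903+" should read "Windows 10, version 1903 or later", since 1903 is a version number, not a build number. Finally, the procedure on this page still ends with `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` producing a single `WDACPolicy.bin` that the reader is told to use as the policy; a short clause pointing out that policies created with `-MultiplePolicyFormat` are deployed as described in the linked multiple-policies article would keep readers from mixing the two formats.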
@ -83,7 +80,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
``` ```
After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. After you complete these steps, the WDAC binary file (WDACPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
> [!NOTE] > [!NOTE]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).

View File

@ -3,9 +3,6 @@ title: Create a WDAC policy for fully-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -137,30 +134,30 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
- **Users with administrative access**<br> - **Users with administrative access**<br>
Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
Possible mitigations: Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources. - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
- **Unsigned policies**<br> - **Unsigned policies**<br>
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Existing mitigations applied: Existing mitigations applied:
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.
Possible mitigations: Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- **Managed installer**<br> - **Managed installer**<br>
See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer)
Existing mitigations applied: Existing mitigations applied:
- Limit who can elevate to administrator on the device. - Limit who can elevate to administrator on the device.
Possible mitigations: Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- **Supplemental policies**<br> - **Supplemental policies**<br>
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitgations: Possible mitigations:
- Use signed WDAC policies which allow authorized signed supplemental policies only. - Use signed WDAC policies which allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
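Review bot: the typo fix is fine, but the managed-installer link in this same hunk uses a capitalized fragment, `#Security-considerations-with-managed-installer`; generated heading anchors are lowercase, so it should be `#security-considerations-with-managed-installer` or the link will land at the top of the target page. Separately, the "Unsigned policies" and "Supplemental policies" entries both state that an unsigned supplemental policy lets any administrator process expand the base policy's "circle-of-trust"; consider cross-referencing one from the other rather than stating it twice with the same mitigation.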

View File

@ -3,9 +3,6 @@ title: Create a WDAC policy for lightly-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
keywords: whitelisting, security, malware keywords: whitelisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library