Updated select-types-of-rules-to-create

Created a "More information about hashes," and placed it above the "Windows Defender Application Control filename rules" section.
This commit is contained in:
Kim Klein 2021-05-20 17:36:16 -07:00
parent d2a7d0718f
commit 9de68009d2


@ -126,6 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
## More information about hashes
### Why does scan create 4 hash rules per XML file?
(Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256)
During validation CI will choose which hashes to calculate depending on how the file is signed. E.g. if the file is page-hash signed the entire file would not get paged in to do a full sha256 authenticode and we would just match using the first page hash.
In the cmdlets, rather than try to predict which hash CI will use, we pre calculate and use the 4 hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This is also resilient to if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesnt result in a different hash than what was in the policy being used by CI.
### Why does scan create 8 hash rules for certain XML files?
Separate rules are created for UMCI and KMCI. In some cases, files which are purely user-mode or purely kernel-mode may still generate both sets, as CI cannot always precisely determine what is purely user vs. kernel mode and errs on the side of caution.
## Windows Defender Application Control filename rules
File name rule levels let you specify file attributes to base a rule on. File name rules provide the same security guarantees that explicit signer rules do, as they are based on non-mutable file attributes. Specification of the file name level occurs when creating new policy rules.
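Review bot: the new "More information about hashes" section is inconsistent in how it names the hashes and has several wording defects that will show up on the published page. The first paragraph says "a full sha256 authenticode" while the next paragraph lists "sha1/sha2 authenticode, and sha1/sha2 of first page" and the parenthetical lists "Hash Sha1, Hash Sha256, Hash Page Sha1, Hash Page Sha256"; pick one spelling (for example SHA1/SHA256, matching the parenthetical) and use it throughout. Also fix "doesnt" to "doesn't", "pre calculate" to "precalculate", and start the "E.g. if the file is page-hash signed..." fragment as a full sentence ("For example, if the file is page-hash signed, ..."). The heading "Why does scan create 4 hash rules per XML file?" should say which scan is meant (the cmdlet-based policy scan the text refers to), and the bare parenthetical line under it reads better folded into the first sentence of the answer. Finally, UMCI and KMCI are used without expansion in the 8-rules answer; spell out user-mode code integrity and kernel-mode code integrity on first use, and add a blank line between each heading and its paragraph so the Markdown renders as intended.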