From a8272559d158d34bc12cf1844e969a53aa8df09d Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Thu, 16 May 2019 13:47:58 -0700 Subject: [PATCH] Update deploy-multiple-windows-defender-application-control-policies.md --- ...s-defender-application-control-policies.md | 80 ++++++------------- 1 file changed, 26 insertions(+), 54 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 73d0e16c9b..4484f5fbe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -26,9 +26,10 @@ The restriction of only having a single code integrity policy active on a system - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy 2. Multiple Base Policies - Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent + - If two base policies exist on a device, an application has to be allowed by both to run 3. Supplemental Policies - Users can deploy one or more supplemental policies to expand a base policy - - If two base policies exist on a device, an application has to be allowed by both to run + - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run ## How do Base and Supplemental Policies Interact? 
@@ -38,68 +39,39 @@ The restriction of only having a single code integrity policy active on a system - Base + supplemental policy: union - Files that are allowed by the base policy or the supplemental policy are not blocked -## PowerShell parameters +## Creating Multiple Base or Supplemental Policies -New-CIPolicy -- MultiplePolicyFormat: allows for multiple policies +Note that multiple policies will not work on pre-1903 systems. +### Allow Multiple Policies + +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. ```powershell -New-CIPolicy [-FilePath] -Level {None | Hash | FileName | SignedVersion | Publisher | FilePublisher | LeafCertificate | PcaCertificate | RootCertificate | WHQL | WHQLPublisher | WHQLFilePublisher | PFN | FilePath} - [-DriverFiles ] [-Fallback {None | Hash | FileName | SignedVersion | Publisher | FilePublisher | LeafCertificate | PcaCertificate | RootCertificate | WHQL | WHQLPublisher | WHQLFilePublisher | PFN | FilePath}] - [-Audit] [-ScanPath ] [-ScriptFileNames] [-AllowFileNameFallbacks] [-SpecificFileNameLevel {None | OriginalFileName | InternalName | FileDescription | ProductName | PackageFamilyName | FilePath}] [-UserPEs] [-NoScript] - [-Deny] [-NoShadowCopy] [-MultiplePolicyFormat] [-OmitPaths ] [-PathToCatroot ] [] – to generate new policy format(base policy and policy type and policy guid) +New-CIPolicy -MultiplePolicyFormat -foo –bar ``` -Set-CIPolicyIdInfo -- **SupplementsBasePolicyID**: guid of new supplemental policy -- **BasePolicyToSupplementPath**: base policy that the supplemental policy applies to -- **ResetPolicyID**: reset the policy guids back to a random guid +Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). 
+```powershell +Set-RuleOption -FilePath Enabled:Allow Supplemental Policies +``` + +For signed base policies that are being made supplementable, you need to ensure that supplemental signers are defined. Use the "Supplemental" switch in Add-SignerRule to provide supplemental signers. + ```powershell + Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] + ``` + +### Supplemental Policy Creation + +In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. +- "SupplementsBasePolicyID": guid of new supplemental policy +- "BasePolicyToSupplementPath": base policy that the supplemental policy applies to ```powershell Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] ``` -Add-SignerRule -- **Supplemental**: provides supplemental signers +Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy guids back to a random guid. -```powershell -Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] -``` +### Merging policies -Set-RuleOption -- **Enabled:Allow Supplemental Policies**: makes base policy able to be supplemented - -### Examples - -**Scenario #1: Creating a new base policy** - -```powershell -New-CiPolicy -MulitplePolicyFormat -foo –bar -``` - -- **MultiplePolicyFormat** switch results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. - Can optionally choose to make it supplementable: - - Set-RuleOption has a new option **Enabled:Allow Supplemental Policies** to set for base policy -- For signed policies that are being made supplementable, need to ensure that supplemental signers are defined. Use “Add-SignerRule” to provide supplemental signers. 
- ```powershell - Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] [] - ``` - -**Scenario #2: Creating a new supplemental policy** - -1. Scan using `New-CiPolicy –MuliplePolicyFormat` to generate a base policy: - ```powershell - New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath -MultiplePolicyFormat 3> -FilePath - ``` -2. Change this new base policy to a supplemental policy - - Provide path of base in `Set-CIPolicyIdInfo –BasePolicytoSupplementPath` - - Provide GUID of base in `Set-CIPolicyIdInfo –SupplementsBasePolicyID` - ```powershell - Set-CIPolicyIdInfo -BasePolicyToSupplementPath -SupplementsBasePolicyID -FilePath - ``` - - Can revert the policy back to being a base policy using `-ResetPolicyID` - -**Scenario #3: Merging policies** - -- When merging, the policy type and ID of the leftmost/first policy specified is used - - If the leftmost is a base policy with ID , then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID +When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID , then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID .
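Review bot: In the first hunk, the bullet moved under "2. Multiple Base Policies" ("If two base policies exist on a device, an application has to be allowed by both to run") reads as unconditional, yet the bullet directly above it describes deploying an audit-mode base policy side-by-side with an enforcement-mode one for validation, where the audit-mode policy is not meant to block anything. Qualify the moved bullet (for example "has to be allowed by both enforced base policies") so the two bullets do not contradict each other, and consider folding the new "A supplemental policy expands a single base policy ..." bullet together with the existing "applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run" bullet, since both describe the same one-base-to-many-supplemental relationship.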
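Review bot: In the second hunk, the retained example `New-CIPolicy -MultiplePolicyFormat -foo –bar` still uses the `-foo –bar` placeholder from the deleted Scenario #1, and the dash before `bar` is a typographic en dash rather than a hyphen, so the line will not work if copied; the deleted Scenario #2 line `New-CIPolicy -Level PcaCertificate -UserPEs -ScanPath -MultiplePolicyFormat 3> -FilePath` was a real invocation and would be the better thing to keep here. Two further points in the same hunk: `Set-RuleOption -FilePath Enabled:Allow Supplemental Policies` passes the option as a bare, space-containing string without a parameter name, whereas Set-RuleOption takes the rule option by its numeric index through `-Option` (Enabled:Allow Supplemental Policies is option 17), so the command should be written that way with the option name mentioned in the prose; and the kept bullet `"SupplementsBasePolicyID": guid of new supplemental policy` contradicts the deleted Scenario #2 text "Provide GUID of base in Set-CIPolicyIdInfo –SupplementsBasePolicyID", which is the correct description, so the bullet should say it is the GUID of the base policy being supplemented. Minor: the Add-SignerRule code fence is now indented by one space at top level (a leftover from its former position as a list sub-item) and should be flush left so it renders as a code block.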