Update merge-windows-defender-application-control-policies.md

windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md

@@ -1,58 +1,90 @@
 ---
-title: Merge Windows Defender Application Control policies (Windows 10)
+title: Merge Windows Defender Application Control policies (WDAC) (Windows 10)
-description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide.
+description: Learn how to merge WDAC policies as part of your policy lifecycle management. 
 keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jogeurte
-ms.author: dansimp
+ms.author: jogeurte
+ms.manager: jsuther
 manager: dansimp
-ms.date: 05/03/2018
+ms.date: 04/22/2021
 ms.technology: mde
+ms.topic: article
+ms.localizationpriority: medium
 ---
 
-# Merge Windows Defender Application Control policies
+# Merge Windows Defender Application Control (WDAC) policies
 
 **Applies to:**
 
--   Windows 10
+- Windows 10
--   Windows Server 2016
+- Windows Server 2016 and above
 
-Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
+This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
 
 > [!NOTE]
-> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then a managed installer using Microsoft Endpoint Configuration Manager targeted the same device, the Configuration Manager policy would overwrite the SiPolicy.p7b file.
+> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one WDAC policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
 
-To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
+## Merge multiple WDAC policy XML files together
+
+There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
 
 1. Initialize the variables that will be used:
 
-   `$CIPolicyPath=$env:userprofile+"\Desktop\"`
+   ```powershell
-
+   $PolicyName= "Lamna_FullyManagedClients_Audit"
-   `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+   $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
-
+   $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
-   `$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
+   $MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
-
+   ```
-   `$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
-
-   `$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
-
-   > [!NOTE]
-   > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
 
 2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
 
-   `Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
+   ```powershell
+   Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
+   ```
 
-3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format:
+   > [!NOTE]
+   > You can merge additional policies with the Merge-CIPolicy step above by adding them to the -PolicyPaths parameter separated by commas. The new policy file specified by -OutputFilePath will have the Policy information from the first policy in the list. For example, in the above example, the $MergedPolicy will inherit the policy type, ID, name, and version information from $LamnaPolicy. To change any of those values, use [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo) and [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion).
 
-   `ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin`
+## Merge WDAC rules directly into a policy XML
 
-Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:
+
+1. Install the [WDAC Wizard](wdac-wizard.md) packaged MSIX app.
+2. Download the [Refresh Policy tool](https://aka.ms/refreshpolicy) for your processor architecture and save it to your desktop as RefreshPolicy.exe.
+3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:
+
+   ```powershell
+   $PackageInfo = Get-AppxPackage -Name Microsoft.WDAC.WDACWizard
+   $Rules = New-CIPolicyRule -Package $PackageInfo
+   ```
+
+4. Add FilePublisher rules for the RefreshPolicy.exe:
+
+   ```powershell
+   $Rules += New-CIPolicyRule -DriverFilePath $env:USERPROFILE\Desktop\RefreshPolicy.exe -Level FilePublisher
+   ```
+
+5. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge the new rules directly into the MergedPolicy file created in the previous procedure's final step:
+
+   ```powershell
+   Merge-CIPolicy -PolicyPaths $MergedPolicy -OutputFilePath $MergedPolicy -Rules $Rules
+   ```
+
+## Convert and deploy merged policy to managed endpoints
+
+Now that you have your new, merged policy, you can convert and deploy the policy binary to your managed endpoints.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+   ```powershell
+   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
+   ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $WDACPolicyBin
+   ```
+
+   > [!NOTE]
+   > In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.