38386504 - Edit 2

windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md

@@ -142,7 +142,7 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
 > For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
 
 > [!NOTE]
-> There is currently a bug where MSIs cannot be allow listed in file path rules.
+> There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.
 
 ## More information about hashes
 

windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md

@@ -108,8 +108,4 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
 9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
 
 > [!NOTE]
-> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set. 
-
-## Disable unsigned Windows Defender Application Control policies
-
-For information regarding Event ID 3099 Options, see [Understanding Application Control events](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#event-id-3099-options).
+> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.