From 26a9473445983b5435f5f1ff17a105b4f4a6b8da Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Tue, 12 Jun 2018 13:03:25 -0700
Subject: [PATCH 1/4] added new topic for isg

---
 .../TOC.md                                    |   1 +
 ...control-with-intelligent-security-graph.md | 142 ++++++++++++++++++
 2 files changed, 143 insertions(+)
 create mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md

diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
index 4bf7c5ff89..1d9c033045 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -18,6 +18,7 @@
 ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
 ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
 ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
+### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
new file mode 100644
index 0000000000..57f5838a42
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -0,0 +1,142 @@
+---
+title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
+description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: mdsakibMSFT
+ms.date: 03/01/2018
+---
+
+# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+
+```code
+<Rules> 
+    <Rule> 
+      <Option><b>Enabled:Unsigned System Integrity Policy</b></Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Advanced Boot Options Menu</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Required:Enforce Store Applications</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:UMCI</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Managed Installer</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Intelligent Security Graph Authorization</Option> 
+    </Rule> 
+    <Rule> 
+      <Option>Enabled:Invalidate EAs on Reboot</Option> 
+    </Rule> 
+</Rules> 
+```
+
+## Enable service enforcement in AppLocker policy
+
+Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
+Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. 
+For example:
+
+```code
+<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
+    <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+      <Conditions>
+        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
+      </Conditions>
+    </FilePathRule>
+    <RuleCollectionExtensions>
+      <ThresholdExtensions>
+        <Services EnforcementMode="Enabled" />
+      </ThresholdExtensions>
+      <RedstoneExtensions>
+        <SystemApps Allow="Enabled"/>
+      </RedstoneExtensions>
+    </RuleCollectionExtensions>
+  </RuleCollection>
+  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
+    <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
+      <Conditions>
+        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
+      </Conditions>
+    </FilePathRule>
+    <RuleCollectionExtensions>
+      <ThresholdExtensions>
+        <Services EnforcementMode="Enabled" />
+      </ThresholdExtensions>
+      <RedstoneExtensions>
+        <SystemApps Allow="Enabled"/>
+      </RedstoneExtensions>
+    </RuleCollectionExtensions>
+  </RuleCollection>
+```
+
+### Enable the managed installer option in WDAC policy
+
+In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
+This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
+An example of the managed installer option being set in policy is shown below.
+
+```code
+<Rules>  
+    <Rule>  
+      <Option>Enabled:Unsigned System Integrity Policy</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:Advanced Boot Options Menu</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:UMCI</Option>  
+    </Rule>  
+    <Rule>  
+      <Option>Enabled:Inherit Default Policy</Option>  
+    </Rule>
+    <Rule>  
+      <Option>Enabled:Managed Installer </Option>  
+    </Rule>  
+  </Rules>  
+```
+
+## Security considerations with managed installer
+
+Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. 
+It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. 
+
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. 
+If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
+Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
+To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.   
+
+## Known limitations with managed installer
+
+- Application execution control based on managed installer does not support applications that self-update. 
+If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. 
+Enterprises should deploy and install all application updates using the managed installer. 
+In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. 
+Proper review for functionality and security should be performed for the application before using this method. 
+
+- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. 
+Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. 
+
+- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
+
+- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. 
+In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. 
+Proper review for functionality and security should be performed for the application before using this method.
+
+- The managed installer heuristic does not authorize drivers. 
+The WDAC policy must have rules that allow the necessary drivers to run.  
+
+- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. 
+Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. 
+Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 

From 436fe714e3178bc5f9be0c3b65482a4cacdac780 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 09:56:48 -0700
Subject: [PATCH 2/4] added bold to code snippet

---
 ...control-with-intelligent-security-graph.md | 151 ++++++------------
 1 file changed, 53 insertions(+), 98 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 57f5838a42..c5c738cc8e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -15,11 +15,39 @@ ms.date: 03/01/2018
 -   Windows 10
 -   Windows Server 2016
 
+Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. 
+In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.  
 
-```code
+Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
+
+## How does the integration between WDAC and the Intelligent Security Graph work? 
+
+The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision.   
+
+After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.  
+
+The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.    
+
+>[!NOTE]
+>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines.  
+
+Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). 
+
+## Configuring Intelligent Security Graph authorization for Windows Defender Application Control 
+
+Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps: 
+
+- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) 
+- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) 
+
+### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML 
+
+In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. 
+
+<pre>
 <Rules> 
     <Rule> 
-      <Option><b>Enabled:Unsigned System Integrity Policy</b></Option> 
+      <Option>Enabled:Unsigned System Integrity Policy</Option> 
     </Rule> 
     <Rule> 
       <Option>Enabled:Advanced Boot Options Menu</Option> 
@@ -27,12 +55,12 @@ ms.date: 03/01/2018
     <Rule> 
       <Option>Required:Enforce Store Applications</Option> 
     </Rule> 
-    <Rule> 
-      <Option>Enabled:UMCI</Option> 
-    </Rule> 
-    <Rule> 
-      <Option>Enabled:Managed Installer</Option> 
-    </Rule> 
+    <b><Rule></b> 
+      <b><Option>Enabled:UMCI</Option></b> 
+    <b></Rule></b> 
+    <b><Rule></b> 
+      <b><Option>Enabled:Managed Installer</Option></b> 
+    <b></Rule></b> 
     <Rule> 
       <Option>Enabled:Intelligent Security Graph Authorization</Option> 
     </Rule> 
@@ -40,103 +68,30 @@ ms.date: 03/01/2018
       <Option>Enabled:Invalidate EAs on Reboot</Option> 
     </Rule> 
 </Rules> 
+</pre>
+
+### Enable the necessary services to allow WDAC to use the ISG correctly on the client
+
+In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32.
+
+```
+appidtel start
 ```
 
-## Enable service enforcement in AppLocker policy
+For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.   
 
-Since many installation processes rely on services, it is typically necessary to enable tracking of services. 
-Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. 
-For example:
+## Security considerations with using the Intelligent Security Graph 
 
-```code
-<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
-    <FilePathRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
-      <Conditions>
-        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.dll" />
-      </Conditions>
-    </FilePathRule>
-    <RuleCollectionExtensions>
-      <ThresholdExtensions>
-        <Services EnforcementMode="Enabled" />
-      </ThresholdExtensions>
-      <RedstoneExtensions>
-        <SystemApps Allow="Enabled"/>
-      </RedstoneExtensions>
-    </RuleCollectionExtensions>
-  </RuleCollection>
-  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
-    <FilePathRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Dummy Rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
-      <Conditions>
-        <FilePathCondition Path="%OSDRIVE%\ThisWillBeBlocked.exe" />
-      </Conditions>
-    </FilePathRule>
-    <RuleCollectionExtensions>
-      <ThresholdExtensions>
-        <Services EnforcementMode="Enabled" />
-      </ThresholdExtensions>
-      <RedstoneExtensions>
-        <SystemApps Allow="Enabled"/>
-      </RedstoneExtensions>
-    </RuleCollectionExtensions>
-  </RuleCollection>
-```
+Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. 
 
-### Enable the managed installer option in WDAC policy
+Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.  
 
-In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
-This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
-An example of the managed installer option being set in policy is shown below.
+## Known limitations with using the Intelligent Security Graph
 
-```code
-<Rules>  
-    <Rule>  
-      <Option>Enabled:Unsigned System Integrity Policy</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:Advanced Boot Options Menu</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:UMCI</Option>  
-    </Rule>  
-    <Rule>  
-      <Option>Enabled:Inherit Default Policy</Option>  
-    </Rule>
-    <Rule>  
-      <Option>Enabled:Managed Installer </Option>  
-    </Rule>  
-  </Rules>  
-```
+Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
 
-## Security considerations with managed installer
+Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy.
 
-Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. 
-It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. 
+The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 
-Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. 
-If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. 
-Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended.
-To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation.   
-
-## Known limitations with managed installer
-
-- Application execution control based on managed installer does not support applications that self-update. 
-If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. 
-Enterprises should deploy and install all application updates using the managed installer. 
-In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. 
-Proper review for functionality and security should be performed for the application before using this method. 
-
-- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. 
-Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. 
-
-- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy.
-
-- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. 
-In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. 
-Proper review for functionality and security should be performed for the application before using this method.
-
-- The managed installer heuristic does not authorize drivers. 
-The WDAC policy must have rules that allow the necessary drivers to run.  
-
-- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. 
-Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. 
-Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 
+In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. 
\ No newline at end of file

From e7903a90bbcc957f988d2d36f2e6274084f47ae4 Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 13:52:18 -0700
Subject: [PATCH 3/4] fixed formatting

---
 ...control-with-intelligent-security-graph.md | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index c5c738cc8e..f5dfca7d37 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -22,7 +22,7 @@ Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) pro
 
 ## How does the integration between WDAC and the Intelligent Security Graph work? 
 
-The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision.   
+The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.   
 
 After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.  
 
@@ -42,9 +42,9 @@ Setting up the ISG authorization is easy regardless of what management solution
 
 ### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML 
 
-In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. 
+In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. 
 
-<pre>
+```code
 <Rules> 
     <Rule> 
       <Option>Enabled:Unsigned System Integrity Policy</Option> 
@@ -55,12 +55,12 @@ In order to enable trust for executables based on classifications in the ISG, th
     <Rule> 
       <Option>Required:Enforce Store Applications</Option> 
     </Rule> 
-    <b><Rule></b> 
-      <b><Option>Enabled:UMCI</Option></b> 
-    <b></Rule></b> 
-    <b><Rule></b> 
-      <b><Option>Enabled:Managed Installer</Option></b> 
-    <b></Rule></b> 
+    <Rule>
+      <Option>Enabled:UMCI</Option>
+    </Rule>
+    <Rule>
+      <Option>Enabled:Managed Installer</Option> 
+    </Rule>
     <Rule> 
       <Option>Enabled:Intelligent Security Graph Authorization</Option> 
     </Rule> 
@@ -68,7 +68,7 @@ In order to enable trust for executables based on classifications in the ISG, th
       <Option>Enabled:Invalidate EAs on Reboot</Option> 
     </Rule> 
 </Rules> 
-</pre>
+```
 
 ### Enable the necessary services to allow WDAC to use the ISG correctly on the client
 
@@ -88,9 +88,9 @@ Users with administrator privileges or malware running as an administrator user
 
 ## Known limitations with using the Intelligent Security Graph
 
-Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
+Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG.  
 
-Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy.
+Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy.
 
 The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.  
 

From a84f2885449ccb019c65048e9c19d06cf8b925ca Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Wed, 13 Jun 2018 13:56:08 -0700
Subject: [PATCH 4/4] fixed formatting

---
 ...ndows-defender-application-control-with-managed-installer.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index efb071bcb1..badaf77f39 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: mdsakibMSFT
-ms.date: 03/01/2018
+ms.date: 06/13/2018
 ---
 
 # Deploy Managed Installer for Windows Defender Application Control