From cdecc3168902b9c4de822b9696641cd71f8873e7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 10 May 2019 15:25:55 -0700 Subject: [PATCH] new topic for multiple policies --- .../TOC.md | 1 + ...s-defender-application-control-policies.md | 43 +++++++++++++++++++ ...improvements-in-windows-10-version-1903.md | 25 +---------- 3 files changed, 45 insertions(+), 24 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 89a1b3bafb..bdaf9c0a68 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -16,6 +16,7 @@ #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) +### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md new file mode 100644 index 0000000000..a542e82236 --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -0,0 +1,43 @@ +--- +title: Deploy multiple Windows Defender Application Control Policies (Windows 10) +description: Windows Defender Application Control supports multiple code integrity policies for one device. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: jsuther1974 +ms.date: 05/10/2019 +--- + +# Deploy multiple Windows Defender Application Control Policies + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +Beginning with Windows 10 version 1903, WDAC supports multiple code integrity policies for one device. + +## Precedence + +- Multiple base policies: intersection + - Only applications allowed by both policies run without generating block events +- Base + supplemental policy: union + - Files that are allowed by the base policy or the supplemental policy are not blocked + +## Newly Supported Scenarios + +WDAC brings you the ability to support multiple CI policies. Three scenarios are now supported: + +1. Enforce and Audit Side-by-Side (Intersection) + - To validate policy changes before deploying in enforcement mode, deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy +2. Multiple Base Policies (Intersection) + - Enforce two or more base policies simultaneously to allow simpler policy targeting for policies with different scope/intent + - Ex. Base1 is a corporate standard policy that is relatively loose to accommodate all organizations while forcing minimum corp standards (e.g. Windows works + Managed Installer + path rules). Base2 is a team-specific policy that further restricts what is allowed to run (e.g. Windows works + Managed Installer + corporate signed apps only) +3. 
Supplemental Policies (Union) + - Deploy a supplemental policy (or policies) to expand a base policy + - Ex. The Azure host base policy restricts tightly to just allow Windows and hardware drivers. Can add a supplemental policy to allow just the additional signer rules needed to support signed code from the Exchange team. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md index b563a2c54f..95d58415d4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-improvements-in-windows-10-version-1903.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 05/06/2018 +ms.date: 05/06/2019 --- # Windows Defender Application Control improvements in Windows 10 version 1903 
@@ -61,29 +61,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD Set-RuleOption -o 18 .\policy.xml ``` -## Multiple Policies - -Beginning with Windows 10 version 1903, WDAC supports multiple code integrity policies for one device. - -### Precedence - -- Multiple base policies: intersection - - Only applications allowed by both policies run without generating block events -- Base + supplemental policy: union - - Files that are allowed by the base policy or the supplemental policy are not blocked - -### Newly Supported Scenarios - -WDAC brings you the ability to support multiple CI policies. Three scenarios are now supported: - -1. Enforce and Audit Side-by-Side (Intersection) - - To validate policy changes before deploying in enforcement mode, deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy -2. Multiple Base Policies (Intersection) - - Enforce two or more base policies simultaneously to allow simpler policy targeting for policies with different scope/intent - - Ex. Base1 is a corporate standard policy that is relatively loose to accommodate all organizations while forcing minimum corp standards (e.g. Windows works + Managed Installer + path rules). Base2 is a team-specific policy that further restricts what is allowed to run (e.g. Windows works + Managed Installer + corporate signed apps only) -3. Supplemental Policies (Union) - - Deploy a supplemental policy (or policies) to expand a base policy - - Ex. The Azure host base policy restricts tightly to just allow Windows and hardware drivers. Can add a supplemental policy to allow just the additional signer rules needed to support signed code from the Exchange team. ## COM Whitelisting
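Review bot: in the new topic deploy-multiple-windows-defender-application-control-policies.md, the "Applies to" block lists Windows Server 2016, but the first body sentence says the feature begins with Windows 10 version 1903, so the applicability list contradicts the text; drop Windows Server 2016 or state which Server release actually carries the feature. Two further points on the same file: the topic is titled "Deploy multiple ... Policies" but contains only the precedence rules and the three scenarios moved over from the 1903 improvements page, with no deployment procedure (for example, how a supplemental policy is associated with the base policy it expands), so either add those steps or retitle the topic to match its content; and under "Precedence" the line "Only applications allowed by both policies run without generating block events" reads as exactly two base policies while scenario 2 says "two or more", so "allowed by every base policy" would be consistent with both.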
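Review bot: the ms.date bump from 05/06/2018 to 05/06/2019 in windows-defender-application-control-improvements-in-windows-10-version-1903.md fixes an obvious wrong year, but this page is being edited in a commit dated Fri, 10 May 2019, and the new topic in the same commit uses ms.date: 05/10/2019; if the field is meant to track the last edit, set it to 05/10/2019 here as well.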
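Review bot: the second hunk in the 1903 improvements page deletes the entire "## Multiple Policies" section without leaving a pointer to where it went, so a reader of the improvements page no longer learns that multiple policies are a 1903 feature at all; keep a short "## Multiple Policies" entry with one sentence and a link to deploy-multiple-windows-defender-application-control-policies.md (the file added in this commit) rather than removing it outright. Also confirm after the deletion that a blank line still separates the closing ``` fence of the Set-RuleOption example from "## COM Whitelisting", since the removed span runs from the heading through the last example bullet and the hunk context shows the fence directly adjacent to the removed heading.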