Add article on rule collection extensions and review some articles

jsuther1974 2023-12-19 11:23:47 -08:00
parent 9f557955b2
commit d911d493f3
4 changed files with 89 additions and 59 deletions


@ -1,61 +1,56 @@
--- ---
title: Administer AppLocker title: Administer AppLocker
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/28/2019 ms.date: 12/19/2023
--- ---
# Administer AppLocker # Administer AppLocker
> [!NOTE] This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user. - Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). - Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. - Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
> **Note** For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
## In this section ## In this section
| Topic | Description | | Article | Description |
| - | - | | - | - |
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. | | [Maintain AppLocker policies](maintain-applocker-policies.md) | This article describes how to maintain rules within AppLocker policies. |
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. | | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. | | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | | [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | | [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. | | [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. | | [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. | | [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. | | [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | | [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
## <a href="" id="bkmk-using-snapins"></a>Using the MMC snap-ins to administer AppLocker ## Using the MMC snap-ins to administer AppLocker
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). You can administer AppLocker policies using the Group Policy Management Console to create or edit a Group Policy Object (GPO). To create or edit an AppLocker policy on a local computer, use the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer AppLocker using Group Policy ### Administer AppLocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC). 1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**. 2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then select **Edit**.
3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
### Administer AppLocker on the local PC ### Administer AppLocker on the local PC
1. Click **Start**, type **local security policy**, and then click **Local Security Policy**. 1. Select **Start**, type **local security policy**, and then select **Local Security Policy**.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
## Using Windows PowerShell to administer AppLocker ## Using Windows PowerShell to administer AppLocker
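Review bot: the "In this section" table drops the row for [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md), but that file is not among the four files changed in this commit, so the article either loses its inbound link from this index page or its removal/redirect belongs in this change; please either keep the row or include the article deletion here. The WDAC feature-availability note removed from the top of the article is likewise dropped without a replacement; if that is intentional, say so in the commit message.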


@ -6,41 +6,40 @@ ms.collection:
- must-keep - must-keep
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 06/07/2023 ms.date: 12/19/2023
--- ---
# AppLocker # AppLocker
> [!NOTE] This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control.
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
> [!NOTE] > [!NOTE]
> AppLocker is unable to control processes running under the system account on any operating system. > AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> [!NOTE]
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement).
AppLocker can help you: AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash. - Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user. - Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe). - Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object. - Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
- Simplify creating and managing AppLocker rules by using Windows PowerShell. - Create and manage AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios: AppLocker helps prevent users from running unapproved apps. AppLocker addresses the following app control scenarios:
- **Application inventory**: AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically. - **Application inventory**: AppLocker has the ability to apply its policy in an audit-only mode where all app launch activity is allowed but registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
- **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running. - **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
- **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. - **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
- **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment. - **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
- **Manageability improvement**: AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## When to use AppLocker ## When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user runs unauthorized software, including malware. AppLocker helps mitigate these types of security issues by restricting the files that users or groups are allowed to run. Because AppLocker can control DLLs and scripts, it's also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
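Review bot: the reworded note `> AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](...)` contradicts itself, calling AppLocker a security feature and then saying it is not one; the wording it replaces further down, "not a [security boundary](...)", is clearer and matches what the linked MSRC servicing criteria actually define, so keep that phrasing. Also, the two new links use different path roots (`/windows/security/threat-protection/...` for the WDAC overview and `/windows/security/application-security/application-control/...` for the new rule-collection-extensions article); confirm both resolve in the build, and use "non-user" or "nonuser" consistently between this note and the new article.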
@ -49,21 +48,18 @@ The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. - Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone. - The license to an app is revoked or expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version. - A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools. - Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others. - A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. - Some people in your organization who require different software share a computer, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage. - In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker ## Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). AppLocker is included with all editions of Windows except Windows 10 version 1809 or earlier. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> [!NOTE] > [!NOTE]
> GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. > GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
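Review bot: `AppLocker is included with all editions of Windows except Windows 10 version 1809 or earlier` reads as if AppLocker is absent from Windows 10 version 1809 and earlier, whereas the text it replaces says it ships in enterprise-level editions; suggest stating both cases explicitly, for example "AppLocker is included with all editions of Windows later than Windows 10 version 1809; on version 1809 and earlier it's included only with enterprise-level editions." While this section is being edited, the unchanged note has a typo: "On computer running Windows Server" should be "On computers running Windows Server".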
@ -74,15 +70,15 @@ AppLocker on Server Core installations isn't supported.
### Virtualization considerations ### Virtualization considerations
You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails. You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you risk losing the policies that you create and maintain if the virtualized instance is removed or fails.
### Security considerations ### Security considerations
Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer. Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. The countermeasure is to create a sound design for your application control policies on PCs in your organization. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. You should thoroughly test the policies in a lab environment before you deploy them in production. It's also important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations: For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations:
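Review bot: in the unchanged sentence `The variety of forms that malicious software can take make it difficult for users to know what is safe to run`, the subject is "variety", so "make" should be "makes"; since the surrounding paragraphs are being reworded anyway, fix it in this change.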


@ -0,0 +1,38 @@
---
title: AppLocker rule collection extensions
description: This article describes the RuleCollectionExtensions added in Windows 10.
ms.collection:
- tier3
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 12/19/2023
---
# AppLocker rule collection extensions
This article describes the rule collection extensions added in Windows 10 or later. Rule collection extensions are optional features available only for the EXE and DLL rule collections. Configure rule collection extensions by directly editing your AppLocker policy XML as shown in the following XML fragment.
```xml
<RuleCollectionExtensions>
<ThresholdExtensions>
<Services EnforcementMode="Enabled"/>
</ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions>
```
> [!IMPORTANT]
> When adding any rule collection extensions to your AppLocker policy, you must include both the *ThresholdExtensions* and *RedstoneExtensions* or your policy will cause unexpected behavior.
## Services enforcement
By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) feature.
To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode="Enabled"/>`` in the ``<ThresholdExtensions>`` section as shown in the preceding XML fragment.
## System apps
When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device night behave unexpectedly. To automatically allow all system code that is part of Windows, set ``<SystemApps Allow="Enabled"/>`` in the ``<RedstoneExtensions>`` section as shown in the preceding XML fragment.
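Review bot: typo in the last paragraph: `your device night behave unexpectedly` should be "might behave". The XML fragment also does not show where `<RuleCollectionExtensions>` belongs in the policy; since the intro says the extensions are only available for the EXE and DLL rule collections, show the enclosing `<RuleCollection Type="Exe" ...>` element (and say whether the DLL collection needs its own copy) so readers do not paste the fragment at the policy root. The IMPORTANT note says both `ThresholdExtensions` and `RedstoneExtensions` must be present but not what a valid fragment looks like when only one of the two settings is wanted; one sentence covering that case would prevent the "unexpected behavior" it warns about. Minor: "added in Windows 10 or later" should be "added in Windows 10", and the inline code uses double backticks (``<Services EnforcementMode="Enabled"/>``) where single backticks are the convention elsewhere in these docs.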


@ -2,22 +2,22 @@
title: WDAC and AppLocker Overview title: WDAC and AppLocker Overview
description: Compare Windows application control technologies. description: Compare Windows application control technologies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/04/2023 ms.date: 12/19/2023
ms.topic: article ms.topic: article
--- ---
# Windows Defender Application Control and AppLocker Overview # Windows Defender Application Control and AppLocker Overview
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md).
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
## Windows Defender Application Control ## Windows Defender Application Control
Windows Defender Application Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
Windows Defender Application Control policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
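Review bot: a subject-verb mismatch survives the rewording on the line "WDAC policies apply to the managed computer as a whole and affects all users of the device"; since the new side of the diff already edits this line, change "affects" to "affect". Minor: "codesigning" in the first bullet would normally be written "code-signing".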
@ -31,7 +31,7 @@ Windows Defender Application Control policies apply to the managed computer as a
### WDAC System Requirements ### WDAC System Requirements
Windows Defender Application Control (WDAC) policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. WDAC policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
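Review bot: "available on specific WDAC builds" in the unchanged sentence after the system requirements paragraph is inconsistent with the note at the top of the file, which ties feature availability to Windows versions; "specific Windows versions" would match it. Also, this hunk says "Windows Server 2016 and higher" while the rule collection extensions article in the same commit says "Windows Server 2016 or later"; pick one form across the set.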
@ -45,6 +45,8 @@ AppLocker policies can apply to all users on a computer, or to individual users
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file. - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched. - The path from which the app or file is launched.
AppLocker is also used by some features of WDAC, including [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) and the [Intelligent Security Graph](/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph).
### AppLocker System Requirements ### AppLocker System Requirements
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
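Review bot: the added sentence cross-referencing managed installer and the Intelligent Security Graph is the natural place to mention that those features carry extra AppLocker prerequisites, such as the services enforcement requirement that the rule collection extensions article in this same commit states for managed installer; without that, a reader follows the link without knowing AppLocker needs additional configuration first. Minor style point: the two bullets here end with periods while the equivalent WDAC bullets earlier in the file do not.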
@ -52,13 +54,12 @@ AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker ## Choose when to use WDAC or AppLocker
Generally, it's recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements. Generally, customers who are able to implement application control using WDAC, rather than AppLocker, should do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements.
However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers. - You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers. - You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to Windows Defender Application Control (WDAC) to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
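Review bot: two small grammar points in the rewritten "Choose when to use" section. In "WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms" the comma splits a single compound predicate and should be dropped. In "user or group-specific rules" the suspended hyphen is missing: "user- or group-specific rules". Folding the "As a best practice" paragraph into the preceding one reads fine.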