From dfca6ca526e75b4c2a31353a4c26b3069f224045 Mon Sep 17 00:00:00 2001 From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit> Date: Fri, 3 Dec 2021 09:10:44 -0800 Subject: [PATCH] Update create-wdac-deny-policy.md --- .../create-wdac-deny-policy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index b88a95b439..b1e685d970 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -137,13 +137,14 @@ $DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath ``` ### Adding Allow All Rules -If necessary, as in the cases listed above, [Allow All rules](48) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: +If necessary, as in the cases listed above, `[Allow All rules](48)` might need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the AllowAll xml present on the client system in the WDAC template folder: ```PowerShell $DenyPolicy = $AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml" Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPolicy ``` + ### Deploying the Deny Policy Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
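Review bot: In the changed paragraph under "Adding Allow All Rules", wrapping [Allow All rules](48) in backticks makes the Markdown link render as literal code text instead of a hyperlink, and the target (48) looks like a leftover placeholder rather than a real URL or anchor, so readers cannot reach the Allow All rules being referenced. Either point the link at the actual section or file and drop the backticks, or remove the link syntax and keep plain text. In the unchanged sample just below, "$DenyPolicy =" is left without a value, so the Merge-CIPolicy line has no deny policy path as written; a clearly marked placeholder path to the deny policy XML would make the sample usable. The sample also writes the merged result back to $DenyPolicy, replacing the deny-only file, which is worth stating in the text or avoiding with a separate -OutputFilePath.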