Merge pull request #1581 from jsuther1974/master

Improved scenario-focused documentation for WDAC and made minor edits to existing topics.
2025-05-13 05:47:23 +00:00 · 2019-11-22 12:24:19 -08:00 · 2019-11-22 12:24:19 -08:00 · f3bfed005f
commit f3bfed005f
parent b4379fd8a3 c06fde9504
11 changed files with 447 additions and 44 deletions
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.md
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@ -5,20 +5,23 @@
 ### Design and create your WDAC policy
 #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
 #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md)
-#### [Create an initial default policy](create-initial-default-policy.md)
+##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md)
-#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 #### [Example WDAC base policies](example-wdac-base-policies.md)
 #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
 #### [Common WDAC deployment scenarios](types-of-devices.md)
 ##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
 ##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
 ##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
 ##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
 ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
 ### [Types of devices](types-of-devices.md)
 ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
 ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
 ### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md)
 ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
 ### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md)
 ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
 ### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md)
 ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
 ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md)
 ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md)
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@ -1,11 +1,8 @@
 ---
-title: Create a Windows Defender Application Control policy from a reference computer (Windows 10)
+title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
@ -20,14 +17,15 @@ manager: dansimp
 ms.date: 05/03/2018
 ---
-# Create a Windows Defender Application Control policy from a reference computer
+# Create a WDAC policy for fixed-workload devices using a reference computer
 **Applies to:**
 -   Windows 10
-   Windows Server 2016
+-   Windows Server 2016 and above
 This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
 This section outlines the process to create a WDAC policy with Windows PowerShell. 
 For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
 Then create the WDAC policy by scanning the system for installed applications. 
 The policy file is converted to binary format when it gets created so that Windows can interpret it.
@ -52,24 +50,24 @@ You can remove or disable such software on the reference computer.
 To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
-1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
+1. Initialize variables that you will use.
-   `$CIPolicyPath=$env:userprofile+"\Desktop\"`
+   ```powershell
-
+   $PolicyPath=$env:userprofile+"\Desktop\"
-   `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+   $PolicyName="FixedWorkloadPolicy_Audit"
-
+   $WDACPolicy=$PolicyPath+$PolicyName+".xml"
-   `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+   $WDACPolicyBin=$PolicyPath+$PolicyName+".bin"
 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
   ```powershell
-   New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt 
+   New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt 
   ```
   > [!Note]
   > 
   > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
-   > 
+   > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md).
   > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
   > 
   > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
@ -79,10 +77,10 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
 3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
   ```powershell
-   ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
+   ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin
   ```
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
 > [!NOTE]
 > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@ -0,0 +1,168 @@
 ---
 title: Create a WDAC policy for fully-managed devices (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.topic: conceptual
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 11/20/2019
 ---
 # Create a WDAC policy for fully-managed devices
 **Applies to:**
 -   Windows 10
 -   Windows Server 2016 and above
 This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
 > [!NOTE]
 > Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
 As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
 **Alice Pena** is the IT team lead tasked with the rollout of WDAC.
 Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
 ## Define the "circle-of-trust" for fully-managed devices
 Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
 - All clients are running Windows 10 version 1903 or above;
 - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
 > [!NOTE]
 > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
 - Most, but not all, apps are deployed using MEMCM;
 - Sometimes, IT staff install apps directly to these devices without using MEMCM;
 - All users except IT are standard users on these devices.
 Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules.
 Based on the above, Alice defines the pseudo-rules for the policy:
 1. **“Windows works”** rules which authorizes:
   - Windows
   - WHQL (3rd party kernel drivers)
   - Windows Store signed apps
 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
 The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
 - Removal of the Intelligent Security Graph (ISG) option; and
 - Removal of filepath rules.
 ## Create a custom base policy using an example WDAC base policy
 Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
 Alice follows these steps to complete this task:
 > [!NOTE]
 > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
 1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
      ```powershell
      $PolicyName= "Lamna_FullyManagedClients_Audit"
      $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
      ```
 3. Copy the policy created by MEMCM to the desktop:
      ```powershell
      cp $MEMCMPolicy $LamnaPolicy
      ```
 4. Give the new policy a unique ID, descriptive name, and initial version number:
      ```powershell
      Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
      Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
      ```
 5. Modify the copied policy to set policy rules:
      ```powershell
      Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
      Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
      Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
      Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
      Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
      Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
      Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
      Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
      ```
 6. If appropriate, add additional signer or file rules to further customize the policy for your organization.
 7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
    > [!NOTE]
    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
   ```powershell
   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
   ```
 8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 ## Security considerations of this fully-managed policy
 Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
 - **Users with administrative access**<br>
    Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
   Possible mitigations:
  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
  - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
 - **Unsigned policies**<br>
    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
   Existing mitigations applied:
  - Limit who can elevate to administrator on the device.
   Possible mitigations:
  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
 - **Managed installer**<br>
    See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
   Existing mitigations applied:
  - Limit who can elevate to administrator on the device.
   Possible mitigations:
  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
 - **Supplemental policies**<br>
    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
   Possible mitigations:
  - Use signed WDAC policies which allow authorized signed supplemental policies only.
  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 ## Up next
 - [Create a WDAC policy for fixed-workload devices using a reference computer](create-initial-default-policy.md)
 - [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@ -0,0 +1,184 @@
 ---
 title: Create a WDAC policy for lightly-managed devices (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: whitelisting, security, malware
 ms.topic: conceptual
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 11/15/2019
 ---
 # Create a WDAC policy for lightly-managed devices
 **Applies to:**
 -   Windows 10
 -   Windows Server 2016 and above
 This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
 > [!NOTE]
 > Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
 As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
 **Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
 For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
 ## Define the "circle-of-trust" for lightly-managed devices
 Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices:
 - All clients are running Windows 10 version 1903 or above;
 - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
 > [!NOTE]
 > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
 - Some, but not all, apps are deployed using MEMCM;
 - Most users are local administrators on their devices;
 - Some teams may need additional rules to authorize specific apps that don't apply generally to all other users.
 Based on the above, Alice defines the pseudo-rules for the policy:
 1. **“Windows works”** rules which authorizes:
   - Windows
   - WHQL (3rd party kernel drivers)
   - Windows Store signed apps
 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
 3. **Allow Managed Installer** (MEMCM configured as a managed installer)
 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
 5. **Admin-only path rules** for the following locations:
   - C:\Program Files\*
   - C:\Program Files (x86)\*
   - %windir%\*
 ## Create a custom base policy using an example WDAC base policy
 Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
 Alice follows these steps to complete this task:
 > [!NOTE]
 > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
 1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
      ```powershell
      $PolicyName= "Lamna_LightlyManagedClients_Audit"
      $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
      $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
      ```
 3. Copy the policy created by MEMCM to the desktop:
      ```powershell
      cp $MEMCMPolicy $LamnaPolicy
      ```
 4. Give the new policy a unique ID, descriptive name, and initial version number:
      ```powershell
      Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
      Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
      ```
 5. Modify the copied policy to set policy rules:
      ```powershell
      Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
      Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
      Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
      Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
      Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
      Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
      Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
      Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
      Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
      ```
 6. Add rules to allow windir and Program Files directories:
      ```powershell
      $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
      $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
      Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
      ```
 7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
 8. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
    > [!NOTE]
    > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
   ```powershell
   $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
   ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
   ```
 9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 ## Security considerations of this lightly-managed policy
 In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
 - **Users with administrative access**<br>
    By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
    Possible mitigations:
  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
  - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
 - **Unsigned policies**<br>
    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
    Possible mitigations:
  - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
  - Limit who can elevate to administrator on the device.
 - **Managed installer**<br>
    See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer)
    Possible mitigations:
  - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
  - Limit who can elevate to administrator on the device.
 - **Intelligent Security Graph (ISG)**<br>
    See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
    Possible mitigations:
  - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules.
  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 - **Supplemental policies**<br>
    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
    Possible mitigations:
  - Use signed WDAC policies which allow authorized signed supplemental policies only.
  - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 - **FilePath rules**<br>
    See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
    Possible mitigations:
  - Limit who can elevate to administrator on the device.
  - Migrate from filepath rules to managed installer or signature-based rules.
 ## Up next
 - [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
 - [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@ -1,5 +1,5 @@
 ---
-title: Deploy multiple Windows Defender Application Control Policies  (Windows 10)
+title: Use multiple Windows Defender Application Control Policies  (Windows 10)
 description: Windows Defender Application Control supports multiple code integrity policies for one device.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@ -17,7 +17,7 @@ manager: dansimp
 ms.date: 05/17/2019
 ---
-# Deploy multiple Windows Defender Application Control Policies 
+# Use multiple Windows Defender Application Control Policies
 **Applies to:**
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@ -0,0 +1,39 @@
 ---
 title: Example WDAC base policies (Windows 10)
 description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
 keywords: whitelisting, security, malware
 ms.topic: article
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 ms.collection: M365-security-compliance
 author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
 ms.date: 11/15/2019
 ---
 # Windows Defender Application Control example base policies
 **Applies to**
 -   Windows 10
 -   Windows Server 2016 and above
 When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used, or organizations which use the Device Guard Signing Service can download a starter policy from that service.
 ## Example Base Policies
 | **Example Base Policy** | **Description** | **Where it can be found** |
 |----------------------------|---------------------------------------------------------------|--------|
 | **DefaultWindows.xml** | This example policy is available in either audit or enforce mode. It includes the rules necessary to ensure that Windows, 3rd party hardware and software kernel drivers, and Windows Store apps will run. Used as the basis for all [Microsoft Endpoint Manager(MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **AllowAll.xml** | This example policy is useful when creating a block list policy. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **DenyAllAudit.xml** | This example policy should only be deployed in audit mode and can be used to audit all binaries running on critical systems or to comply with regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
 | **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [DGSS in the Microsoft Store for Business](https://businessstore.microsoft.com/manage/settings/devices) |
 | **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager, can deploy a policy to a device using MEMCM's built-in integration with WDAC and then copy the resulting policy XML to use as a custom base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@ -54,7 +54,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
 | **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
 | **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
-| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
+| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. |
 | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
 | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
 | **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@ -1,5 +1,5 @@
 ---
-title: Types of devices (Windows 10)
+title: Common WDAC deployment scenarios (Windows 10)
 description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@ -21,21 +21,32 @@ ms.date: 03/01/2018
 **Applies to**
 -   Windows 10
-   Windows Server 2016
+-   Windows Server 2016 and above
-Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization.
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
 ## Types of devices
 | **Type of device**                 | **How WDAC relates to this type of device**  | 
 |------------------------------------|------------------------------------------------------|
 | **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
 | **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | 
 | **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | 
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | 
+| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | 
 | **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
 | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | 
 ## An introduction to Lamna Healthcare Company
-## Related topics
+In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company.
- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
+Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
 - [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
 Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response.
 > [!NOTE]
 > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) 
 Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
 ## Up next
 - [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@ -1,5 +1,5 @@
 ---
-title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
+title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10)
 description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@ -17,12 +17,12 @@ manager: dansimp
 ms.date: 06/14/2018
 ---
-# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph 
+# Authorize reputable apps with the Intelligent Security Graph (ISG) 
 **Applies to:**
 -   Windows 10
-   Windows Server 2016
+-   Windows Server 2016 and above
 Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. 
 In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.  
@ -89,7 +89,7 @@ appidtel start
 For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required.   
-## Security considerations with using the Intelligent Security Graph 
+## Security considerations with the Intelligent Security Graph 
 Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. 
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@ -1,5 +1,5 @@
 ---
-title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10)
+title: Authorize apps deployed with a WDAC managed installer (Windows 10)
 description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. 
 keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@ -17,12 +17,12 @@ manager: dansimp
 ms.date: 06/13/2018
 ---
-# Deploy Managed Installer for Windows Defender Application Control
+# Authorize apps deployed with a WDAC managed installer
 **Applies to:**
 -   Windows 10
-   Windows Server 2016
+-   Windows Server 2016 and above
 Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). 
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@ -41,8 +41,8 @@ Once these business factors are in place, you are ready to begin planning your W
 | Topic | Description |
 | - | - |
 | [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
 | [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
 | [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
 | [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
 | [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
 After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.