Update deploy-wdac-policies-with-script.md
Removed a stipulation which implies that signed WDAC policies have to be placed within System32 and EFI locations. 
In many cases they should ONLY be placed in the EFI partition. (NOT the System32 location.)
This updated wording matches the behavior of the CiTool (when using `CiTool --update-policies` to deploy a new signed policy).

NOTE: It's recommended that the wording be refined even further to emphasize that you **SHOULDN'T** place a signed policy in both locations. We are aware of blue-screens affecting Windows 11 devices which have signed policies in both locations. (Affected models: Dell Precision 3680, Dell Precision 3650 Tower, Dell OptiPlex Micro 7010, Dell Inspiron 15 3511.) It's possible others could be affected.
NathanJepson authored Aug 9, 2024
1 parent 609baba commit 2cd9238
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -83,7 +83,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server.

## Deploying signed policies

If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -->
If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition. Unsigned WDAC policies don't need to be present in the EFI partition. <!-- Deploying your policy via [Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) or the Application Control CSP will handle this step automatically. -->

1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
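Review bot: the reworded sentence ("the policies must be deployed into your device's EFI partition") drops the "in addition to the locations outlined in the earlier sections" clause but never says what to do with those earlier locations, so a reader following the page top to bottom will still copy the signed policy to the System32 location from the earlier sections and then to the EFI partition, which is exactly the dual-location state the commit message says is causing blue screens. Make the exclusion explicit rather than implicit, for example: "If you're using signed WDAC policies, deploy the policy into your device's EFI partition only. Don't also copy a signed policy to the locations outlined in the earlier sections." The commit message hedges with "in many cases they should ONLY be placed in the EFI partition"; if there is a case where the System32 copy is still required, the doc should name it, and if there isn't, drop the hedge so the guidance matches what `CiTool --update-policies` does. The commented-out note about Intune and the Application Control CSP handling the EFI step automatically is left as-is in this hunk; if it is accurate it is worth restoring, since it tells readers the manual EFI copy applies only to script-based deployment.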

