From 2cd9238f1838a7d5e4d910f6ef6ae6c60eba76fc Mon Sep 17 00:00:00 2001
From: NathanJepson <61210670+NathanJepson@users.noreply.github.com>
Date: Fri, 9 Aug 2024 12:20:18 -0600
Subject: [PATCH] Update deploy-wdac-policies-with-script.md

Removed a stipulation which implies that signed WDAC policies have to be placed within System32 and EFI locations. In many cases they should ONLY be placed in the EFI partition. (NOT the System32 location.)

This updated wording matches the behavior of the CiTool (when using `CiTool --update-policies` to deploy a new signed policy).

NOTE: It's recommended that the wording be refined even further to emphasize that you **SHOULDN'T** place a signed policy in both locations. We are aware of blue-screens affecting Windows 11 devices which have signed policies in both locations. (Affected models: Dell Precision 3680, Dell Precision 3650 Tower, Dell OptiPlex Micro 7010, Dell Inspiron 15 3511.) It's possible others could be affected.
---
 .../deployment/deploy-wdac-policies-with-script.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 6910b03b040..9f260132e01 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -83,7 +83,7 @@ Use WMI to apply policies on all other versions of Windows and Windows Server. ## Deploying signed policies -If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition. +If you're using [signed WDAC policies](/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering), the policies must be deployed into your device's EFI partition. Unsigned WDAC policies don't need to be present in the EFI partition. 1. Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
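Review bot: the replacement sentence in this hunk still leaves the relationship to the earlier sections unresolved. Dropping "in addition to the locations outlined in the earlier sections" removes the instruction to also place a signed policy in those locations, but it does not tell a reader who has already followed those sections (which, per the commit message, put the policy under System32) that the signed policy must not be left there as well; the commit message itself says the wording should be refined to state exactly that and cites blue-screens on devices with signed policies in both locations. Since that is the motivating point, put it in the document rather than only in the commit message, for example: "If you're using signed WDAC policies, deploy them only to your device's EFI partition, not to the locations described in the earlier sections, which apply to unsigned policies." A secondary point on the same line: the link target under /windows/security/threat-protection/windows-defender-application-control/ does not match the path this file lives under (windows/security/application-security/application-control/windows-defender-application-control/), so it is worth confirming the link still resolves while this line is being edited.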