microsoft / AaronLocker

Robust and practical application control for Windows


Question: WDAC Allow and Deny

semtyre opened this issue · comments

Hi,

I have a question about the allow and deny WDAC rules.
The documentation states that:

The WDAC Allow and Deny policies can be deployed together or separately based on your specific enforcement requirements.

In my opinion, both types of policies should be deployed to get the maximum protection. Actually MS has their own block rules. Those should definitely be honored.
That means that both policies get deployed to the devices as base policies.
According to the MS documentation, if there are multiple base policies:

If two base policies exist on a device, an application has to be allowed by both to run

The deny-policy contains an "allow everything" rule (also see #28).
The allow-policy contains specific allow rules.
The combination of both will allow all applications to run that are allowed by the allow-policy (because the deny-policy allows all of them, too), and block all other applications because they are either not whitelisted by the allow-policy or denied by the deny-policy.

Is that right?

Best regards

Yes, that's correct.
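The evaluation described in the thread, as an added model that is not part of the AaronLocker project or the issue: within one WDAC policy an explicit deny overrides any allow, and when several base policies are deployed an executable must be allowed by every one of them. The policies, binaries, paths and publisher names below are constructed placeholders, and rule matching is reduced to exact path or publisher comparison; real WDAC rules also match on hashes, signer chains and file attributes.

```python
"""Toy model of WDAC decisions with an allow-policy and a deny-policy deployed as base policies.

Added example; not AaronLocker's own code. All rules, paths and publishers are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binary:
    path: str
    publisher: str


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    match: str = "*"      # "*" matches every binary (the deny-policy's allow-everything rule)
    kind: str = "path"    # "path" or "publisher"

    def matches(self, b: Binary) -> bool:
        if self.match == "*":
            return True
        target = b.path if self.kind == "path" else b.publisher
        return target.lower() == self.match.lower()


@dataclass
class BasePolicy:
    name: str
    rules: list = field(default_factory=list)

    def allows(self, b: Binary) -> bool:
        """Single-policy decision: an explicit deny beats any allow in the same policy."""
        if any(r.action == "deny" and r.matches(b) for r in self.rules):
            return False
        return any(r.action == "allow" and r.matches(b) for r in self.rules)


def may_run(b: Binary, base_policies) -> bool:
    """Multi-policy decision: every deployed base policy must allow the binary (logical AND)."""
    return all(p.allows(b) for p in base_policies)


# Constructed allow-policy: only specific allow rules, no allow-everything rule.
ALLOW_POLICY = BasePolicy("allow-policy", [
    Rule("allow", "Contoso Ltd", kind="publisher"),
    Rule("allow", r"C:\Windows\System32\notepad.exe"),
])

# Constructed deny-policy: allow everything, then explicitly deny a few binaries
# (standing in for the Microsoft recommended block rules the thread refers to).
DENY_POLICY = BasePolicy("deny-policy", [
    Rule("allow", "*"),
    Rule("deny", r"C:\Tools\legacy-debugger.exe"),            # constructed placeholder
    Rule("deny", "Untrusted Vendor Inc", kind="publisher"),    # constructed placeholder
])

# Constructed binaries covering each branch of the decision.
SAMPLES = {
    "trusted_publisher": Binary(r"C:\Program Files\Contoso\app.exe", "Contoso Ltd"),
    "allowed_path": Binary(r"C:\Windows\System32\notepad.exe", "Microsoft Windows"),
    "unlisted_app": Binary(r"C:\Users\alice\Downloads\game.exe", "Some Studio"),
    "denied_path": Binary(r"C:\Tools\legacy-debugger.exe", "Contoso Ltd"),
    "denied_publisher": Binary(r"C:\Program Files\UV\tool.exe", "Untrusted Vendor Inc"),
}


def evaluate_all(base_policies):
    """Return {sample name: runs?} for the given set of deployed base policies."""
    return {name: may_run(b, base_policies) for name, b in SAMPLES.items()}


if __name__ == "__main__":
    for deployment in ([ALLOW_POLICY], [DENY_POLICY], [ALLOW_POLICY, DENY_POLICY]):
        print([p.name for p in deployment])
        for name, runs in evaluate_all(deployment).items():
            print(f"  {name:18} -> {'runs' if runs else 'BLOCKED'}")
```

Running it shows the three deployments side by side: the deny-policy alone lets `unlisted_app` run because of its allow-everything rule, the allow-policy alone lets `denied_path` run because Contoso is a trusted publisher there, and only the combined deployment blocks both while still permitting `trusted_publisher` and `allowed_path`.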