Hello everyone,
I've been using AppLocker for a while now with a set of policies that have been working well for our environment. Recently, I decided to integrate Microsoft's example policies for managed installers into my existing AppLocker policy. I followed the guidelines provided here: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer
However, post-integration, I'm facing a peculiar issue that I hope someone might have insights on.
For each executable that runs, I'm observing two conflicting logs:
EXE Policy Log:
EventID: 8002
PolicyName: EXE
RuleName: All files located in the Windows folder
FilePath: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE
FullFilePath: C:\WINDOWS\system32\SearchProtocolHost.exe
This log suggests that the executable %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was permitted to run based on my existing AppLocker policy named "EXE", which allows all files located in the Windows folder.
ManagedInstaller Policy Log:
EventID: 8003
PolicyName: MANAGEDINSTALLER
FilePath: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE
FullFilePath: C:\WINDOWS\system32\SearchProtocolHost.exe
This log indicates that the same executable %SYSTEM32%\SEARCHPROTOCOLHOST.EXE would have been blocked if the AppLocker policy for the managed installer was enforced.
It's perplexing to see the same executable being both allowed and then flagged as potentially blocked, especially after merging the Microsoft managed installer rules. Has anyone else encountered this kind of conflict between the EXE and ManagedInstaller policies in AppLocker, especially after integrating Microsoft's guidelines? Any advice or solutions would be greatly appreciated.
Thanks in advance for your help!
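A way to make this kind of cross-collection disagreement visible at scale, as an added example that is not part of the original post: the function below takes AppLocker events (8002 = allowed, 8003 = audit-only "would have been blocked"), groups them by the resolved file path, and reports every binary that one rule collection allowed while another flagged it. The field names (PolicyName, RuleName, FilePath, FullFilePath) follow the two entries quoted above. The sample events are constructed so the script runs offline; the optional `Read-AppLockerEvents` helper is an assumption about how you would pull live data, and it assumes the events sit in the "Microsoft-Windows-AppLocker/EXE and DLL" log with the usual `UserData/RuleAndFileData` XML layout.

```powershell
# Added example (not from the original post or from Microsoft's guidance).
# Correlates AppLocker 8002 (allowed) and 8003 (audit: would have been blocked)
# events per file so that a binary allowed by one rule collection (e.g. EXE) but
# flagged by another (e.g. MANAGEDINSTALLER) stands out for review.

function Get-AppLockerConflicts {
    param(
        [Parameter(Mandatory)]
        [object[]] $Events   # objects with EventId, PolicyName, RuleName, FilePath, FullFilePath
    )

    # Group on the resolved path so the same binary is compared across collections.
    $Events |
        Group-Object -Property FullFilePath |
        ForEach-Object {
            $allowed = @($_.Group | Where-Object { $_.EventId -eq 8002 })
            $audited = @($_.Group | Where-Object { $_.EventId -eq 8003 })

            # Only a file that was both allowed and audit-flagged is a conflict.
            if ($allowed.Count -gt 0 -and $audited.Count -gt 0) {
                [PSCustomObject]@{
                    FullFilePath   = $_.Name
                    AllowedBy      = ($allowed | ForEach-Object { "$($_.PolicyName): $($_.RuleName)" } | Select-Object -Unique) -join '; '
                    AuditBlockedBy = ($audited | Select-Object -ExpandProperty PolicyName -Unique) -join '; '
                }
            }
        }
}

# ASSUMPTION: live events are read from the EXE and DLL AppLocker log and the
# event XML carries the fields under UserData/RuleAndFileData. Adjust LogName
# if your managed-installer events land in a different AppLocker channel.
function Read-AppLockerEvents {
    param(
        [string] $LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
        [int]    $MaxEvents = 2000
    )

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8002, 8003 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = $x.Event.UserData.RuleAndFileData
            [PSCustomObject]@{
                EventId      = $_.Id
                PolicyName   = $d.PolicyName
                RuleName     = $d.RuleName
                FilePath     = $d.FilePath
                FullFilePath = $d.FullFilePath
            }
        }
}

# Constructed sample events mirroring the two entries from the post, plus one
# unremarkable allow so the filter has something to discard.
$sample = @(
    [PSCustomObject]@{ EventId = 8002; PolicyName = 'EXE'; RuleName = 'All files located in the Windows folder';
                       FilePath = '%SYSTEM32%\SEARCHPROTOCOLHOST.EXE'; FullFilePath = 'C:\WINDOWS\system32\SearchProtocolHost.exe' }
    [PSCustomObject]@{ EventId = 8003; PolicyName = 'MANAGEDINSTALLER'; RuleName = '';
                       FilePath = '%SYSTEM32%\SEARCHPROTOCOLHOST.EXE'; FullFilePath = 'C:\WINDOWS\system32\SearchProtocolHost.exe' }
    [PSCustomObject]@{ EventId = 8002; PolicyName = 'EXE'; RuleName = 'All files located in the Windows folder';
                       FilePath = '%SYSTEM32%\NOTEPAD.EXE'; FullFilePath = 'C:\WINDOWS\system32\notepad.exe' }
)

# Offline run on the constructed sample; swap in (Read-AppLockerEvents) for live data.
Get-AppLockerConflicts -Events $sample | Format-Table -AutoSize
```

On the sample input only SearchProtocolHost.exe is reported, with `AllowedBy` showing the EXE collection's Windows-folder rule and `AuditBlockedBy` showing MANAGEDINSTALLER; notepad.exe drops out because no 8003 accompanies its 8002. Running the same function over live output lets you see whether the disagreement is confined to a handful of system binaries or affects everything the EXE collection allows, which is the first thing to establish before changing either policy.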