Windows Defender Application Control policies would block Windows apps even though I used the wizard

Larry Brandt 1 Reputation point
2025-01-28T22:39:39.21+00:00

I am attempting to test out Windows Defender Application Control. I have downloaded the WDAC deployment wizard and used the Signed and Reputable mode, then added our needed apps. I'm implementing this as a single policy, as I need to use GPO to deploy these to virtual desktops. I also enabled the merge with recommended user and kernel blocks.

After enabling and rebooting, I am getting a number of messages in the logs about files that would have been blocked. All are Microsoft apps, or Windows files and DLLs. I have attempted to add the signer for those files, but this causes the wizard to fail to create the binary file. I found that in the XML I now have duplicate signer IDs, and that seems to be what is failing.

Is it possible that these are false positive errors, or is there something I am missing? I'm nervous about enabling blocking with the massive number of events in the log.

Sample of files that would have been blocked.

User's image

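One way to check a policy XML for the duplicate signer IDs described in the question, as an added example that is not part of the original post. It also lists signer references that point at no definition, which goes slightly beyond the question. The function name `Test-WdacSignerIds` and the sample policy are constructed for illustration; the element and attribute names follow the WDAC policy XML schema.

```powershell
# Added example (not from the original post). Checks a WDAC policy XML for
# duplicate <Signer> IDs and for signer references with no matching definition.
function Test-WdacSignerIds {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Policy)

    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

    # Definitions live under <Signers>; each ID should appear only once.
    $defined = @($Policy.SelectNodes('//si:Signers/si:Signer', $ns) |
        ForEach-Object { $_.GetAttribute('ID') })
    $duplicates = @($defined | Group-Object | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name })

    # References (AllowedSigner, DeniedSigner, CiSigner, ...) carry a SignerId attribute.
    $referenced = @($Policy.SelectNodes('//si:*[@SignerId]', $ns) |
        ForEach-Object { $_.GetAttribute('SignerId') } | Sort-Object -Unique)
    $dangling = @($referenced | Where-Object { $defined -notcontains $_ })

    [pscustomobject]@{
        DuplicateSignerIds = $duplicates
        DanglingReferences = $dangling
    }
}

# Constructed sample: ID_SIGNER_S_1 is defined twice and ID_SIGNER_S_9 is
# referenced but never defined. Names and values are placeholders.
$sample = [xml]@'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="Constructed CA A"><CertRoot Type="TBS" Value="AA" /></Signer>
    <Signer ID="ID_SIGNER_S_1" Name="Constructed CA B"><CertRoot Type="TBS" Value="BB" /></Signer>
    <Signer ID="ID_SIGNER_S_2" Name="Constructed CA C"><CertRoot Type="TBS" Value="CC" /></Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User mode">
      <ProductSigners><AllowedSigners>
        <AllowedSigner SignerId="ID_SIGNER_S_1" />
        <AllowedSigner SignerId="ID_SIGNER_S_9" />
      </AllowedSigners></ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
'@

Test-WdacSignerIds -Policy $sample | Format-List
```

To run it against a real policy, pass `([xml](Get-Content -Raw <path-to-policy.xml>))` as `-Policy` before converting the policy to binary.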