Forum Discussion
J0hn_J0hnson
Jul 02, 2025 | Copper Contributor
WDAC + App Control For Business + App Control Wizard
Hello All, We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant. We have a general base policy ...
Bogdan_Guinea
Jul 19, 2025 | Iron Contributor
Hi,
The key problem is the supplemental policy with publisher allow: these are considered, but cannot bypass Managed Installer rules for non-managed-installed apps. If an app is installed outside of your managed channel, it remains blocked.
- Managed Installer is a strict mode: Once this rule is enabled, WDAC limits allowed executables to those deployed by the registered managed installer. Even if your supplemental policy permits the app by publisher, it is overridden by the Managed Installer requirement unless the app was actually installed via that channel.
- This is why manually installed GlobalProtect is still blocked, even with a publisher-allow supplemental policy. Only apps delivered through the Company Portal (the registered managed installer) are permitted to run outside the scope.
What to do 😀
- Option 1: Remove the Managed Installer rule from your base policy, which allows supplemental publisher-based allowance to work on all endpoints.
- Option 2: Ensure all approved apps (e.g., GlobalProtect) are only installed via the Company Portal.
- Option 3: Temporarily disable “Managed Installer” while rolling out exceptions, then re-enable it and ensure all future deployments use the managed install path, only to see if it works or not.
Good luck!