Forum Discussion
PascalBe850
Mar 29, 2024 (Copper Contributor)
WDAC blocking some MSI's
Hi all.
I have recently implemented WDAC in my organisation on W10 22H2.
The use case was to block a fixed number of executables so end users are not able to start them, and allow all the rest.
So I started off with using the AllowAll.xml template and using the WDAC wizard to add blocks for the exe's. All going well so far. After applying the policy to the device by copying the cip file to C:\Windows\System32\CodeIntegrity\CiPolicies\Active, the policy is blocking the exe's.
The policy is set up with ISG disabled and UMCI enabled.
However some time later I found that this policy is also blocking the installation of a couple of MSI's. Windows reports "The system administrator has set policies to prevent this installation" together with EventID 8029 "*.msi was prevented from running due to Config CI policy". The msi's being blocked have an expired code signing certificate.
When the cip file is removed from the system and rebooted, the msi's can be installed.
Although one could say that the vendor should take care of proper code signing for software they publish, in this case the blocked msi is part of a larger exe from a different vendor, and is not easily resolved.
However, I was not expecting any blocks from WDAC when I use the AllowAll.xml as the starting point.
Has anyone had the same issue and found a solution/workaround for this? The only resolution for now is to remove the WDAC policy from the system completely.
Regards,
Pascal
- TC (Copper Contributor): Ours say "}.msi was prevented from running due to Config CI policy." Microsoft-Windows-AppLocker/MSI and Script event 8029. No progress at this stage.
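
A triage sketch for the blocks described in this thread, added here as an example and not posted by any participant: it lists event 8029 entries from the Microsoft-Windows-AppLocker/MSI and Script log and reports the Authenticode signature state of each blocked MSI. The message format matched by the regex, the `%OSDRIVE%` prefix handling and the function names are assumptions.

```powershell
# Added triage sketch: correlate 8029 blocks with the signature state of each MSI.
$LogName = 'Microsoft-Windows-AppLocker/MSI and Script'   # log named in the thread

function Get-BlockedMsiPath {
    param([string]$Message)
    # Assumption: the message starts with the file path, as in the text quoted above.
    if ($Message -match '^(?<path>.+?\.msi) was prevented from running') {
        # %OSDRIVE% is an AppLocker path variable, not an environment variable.
        return $Matches['path'] -replace '^%OSDRIVE%', $env:SystemDrive
    }
}

function Get-MsiSignatureSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'FileNotFound' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        CertExpires = $sig.SignerCertificate.NotAfter
        CertExpired = $sig.SignerCertificate -and ($sig.SignerCertificate.NotAfter -lt (Get-Date))
        Timestamped = [bool]$sig.TimeStamperCertificate
    }
}

# Constructed sample message (not from a real system) to show the parsing step.
$sample = '%OSDRIVE%\Temp\example-setup.msi was prevented from running due to Config CI policy.'
Get-BlockedMsiPath -Message $sample

# Live query; run elevated on an affected device.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8029 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-BlockedMsiPath -Message $_.Message } |
    Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Get-MsiSignatureSummary -Path $_ } |
    Format-Table -AutoSize
```

MSIs that were unpacked to a temporary folder by an outer installer may already be gone, in which case the row shows `FileNotFound` and the file has to be captured while the installer is still running.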