Hi admin_mike​, To the best of my knowledge, this is correct. There are a handful of approaches you can use here to account for this although keep in mind that GPOs contain a lot of metadata and thus that 8MB is probably not truly indicative of the size of the policy. Also, note that from memory, the limit is a policy size limit for OMA-URI and not directly related to AppLocker.

Options to consider:

1. Break up the policy into more granular policies and individually target them.
2. Review the rules and get rid of stale/outdated ones and/or duplicate ones.
3. Move from hash rules (which take up the most space) to publisher-based rules.
4. Move to Application Control for Business (fka WDAC). This is probably the recommended approach here as Application Control for Business provides a much stronger level of protection.

Another possibility here is to review your strategy for rules. The general recommendation is to use an allow listing approach instead of a block listing approach. This may reduce the number of rules needed in an environment. This recommendation goes for both AppLocker and Application Control for Business.