Hello Andrew, I am Henry and I want to share my insight about your issue.
The relationship between AppLocker and WDAC is key. In this scenario, AppLocker is not used for enforcement. Its only job is to provide a list of trusted installers to the WDAC engine.
- You create an AppLocker rule that identifies your specific installer (e.g., YourInstaller.exe) based on its publisher signature.
- The Application Identity service (AppIDSvc) reads this rule and begins tracking your installer process when it runs.
- You enable the "Managed Installer" option in your WDAC policy.
- When WDAC sees a new file being created on disk (like a DLL or a PowerShell script), it checks if the parent process is being tracked by AppIDSvc.
- If it is, WDAC automatically trusts the new file without needing an explicit rule for it in your policy.
To answer why your initial attempts failed:
- "Disabled: Script Enforcement" and "Making msiexec.exe a Managed Installer" are insecure workarounds that create large security holes. You were right to question them. Your goal is to trust your installer, not to disable script protection or trust every MSI on the system.
Here is the step-by-step process you can refer to.
Step 1: Enable the Application Identity Service (AppIDSvc)
- The entire process depends on this service. Use a GPO or Intune to set the AppIDSvc service to Automatic startup on your workstations.
Step 2: Create a Targeted AppLocker Policy for Your Installer
- Open PowerShell as an Administrator on a machine with the installer.
- Run the following command to generate an AppLocker policy based on your installer's signature and merge it into the local policy. (Replace the path with your installer's location.)
Get-AppLockerFileInformation -Path "C:\Path\To\YourInstaller.exe" | New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix "Allow My Medical App Installer as a Managed Installer" -Optimize | Set-AppLockerPolicy -Merge
- You can then export this policy in AppLocker's own XML format to deploy it via GPO or Intune:
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath "C:\Path\To\AppLocker.xml"
Step 3: Enable the Managed Installer Option in Your WDAC Policy
- Run this command against your WDAC policy XML file:
Set-RuleOption -FilePath "C:\Path\To\Your_WDAC_Policy.xml" -Option 13
- Verify that Rule Option 3 ("Disabled: Script Enforcement") is not enabled in your policy.
Step 4: Deploy the new AppLocker policy and your updated WDAC policy (.cip file) to your workstations.
I hope you’ll give my recommendation a try and let me know how it goes. And if this answer helps, feel free to hit “Accept Answer” so others can benefit too.
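Added here as a pre-deployment check (example code, not part of the answer above or of any Microsoft tooling): a PowerShell script that validates the three prerequisites the steps rely on. It assumes the WDAC policy XML path from Step 3 (placeholder below) and runs on a workstation where the Step 2 AppLocker policy has already been merged locally.

```powershell
# Added example: validate the managed-installer prerequisites before deploying.
param(
    # Placeholder path; point this at the policy XML edited in Step 3.
    [string]$WdacPolicyXml = "C:\Path\To\Your_WDAC_Policy.xml"
)

$problems = @()

# 1. AppIDSvc must start automatically, or no installer process is ever tracked.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
if (-not $svc -or $svc.StartMode -ne 'Auto') {
    $problems += "AppIDSvc start mode is '$($svc.StartMode)'; expected 'Auto'."
}

# 2. The WDAC policy must carry the managed-installer option (Set-RuleOption
#    -Option 13 writes 'Enabled:Managed Installer') and must NOT disable
#    script enforcement, which is the workaround the answer warns against.
[xml]$policy = Get-Content -Path $WdacPolicyXml -Raw
$options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
if ($options -notcontains 'Enabled:Managed Installer') {
    $problems += "Rule option 'Enabled:Managed Installer' is missing from $WdacPolicyXml."
}
if ($options -contains 'Disabled:Script Enforcement') {
    $problems += "'Disabled:Script Enforcement' is set in $WdacPolicyXml; remove it."
}

# 3. The local AppLocker policy must identify the installer by publisher
#    signature, not by path, so a renamed or relocated binary is not trusted.
[xml]$appLocker = Get-AppLockerPolicy -Local -Xml
$pubRules = @($appLocker.AppLockerPolicy.RuleCollection.FilePublisherRule)
if ($pubRules.Count -eq 0) {
    $problems += "No FilePublisherRule found in the local AppLocker policy."
}

if ($problems.Count -eq 0) {
    Write-Output "OK: AppIDSvc, WDAC rule options and AppLocker publisher rule look correct."
} else {
    $problems | ForEach-Object { Write-Output "CHECK FAILED: $_" }
}
```

Run it as Administrator on a test workstation after Steps 1 to 3 and before Step 4; every "CHECK FAILED" line names the step to revisit.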