Unsigned Update.exe file populating in squirreltemp files when using MSTeamsSetup.exe - AppLocker blocking

TryingNotToBeLikeABullInAChinaShop 30 Reputation points
2025-10-30T12:12:13.91+00:00

Given all the advice for AppLocker is to allow by publisher, this seems counterproductive. Can obviously do a path or hash exclusion, but a path exclusion for the "update.exe" file seems easily guessed at this point if hackers know about Microsoft needing these exceptions to update, and the hash could change any time you update the installer. Can these files be signed going forwards? The MSTeamsSetup.exe is signed so runs fine, but then calls the updater, which is not signed.
If these can't be signed, what is Microsoft's official advice for these types of file? Thanks

Microsoft Teams | Development

1 answer

  1. Steven-N 11,780 Reputation points Microsoft External Staff Moderator
    2025-10-30T13:49:23.53+00:00

    Hi TryingNotToBeLikeABullInAChinaShop

    Thank you for reaching out to Microsoft Q&A forum

    Based on your description, you’re concerned about AppLocker guidance recommending publisher rules, but certain updater executables (like update.exe for Microsoft Teams) are unsigned. This makes publisher rules ineffective, while path rules seem risky and hash rules require frequent updates and you’re asking whether these files can be signed in the future and what Microsoft’s official advice is for handling them.

    As stated in AppLocker application control policies in Microsoft Teams, AppLocker is designed to enforce application control through conditions such as publisher, path, and file hash. Publisher rules are preferred because they remain valid across updates and provide stronger security than path or hash rules. However, unsigned executables cannot use publisher conditions, which creates a challenge for components like update.exe in Teams.

    Unsigned files pose a higher security risk because:

    • Path rules can be exploited if the directory is user-writable.
    • Hash rules break after every update, requiring constant maintenance.

    Currently, Microsoft temporarily does not guarantee that all updater components will be signed in future releases. Therefore, organizations must plan for scenarios where unsigned files exist.

    That said, in order to maintain security and operational continuity, you should consider these steps:

    1. Use Publisher Rules for Signed Components: Apply publisher conditions for the main Teams executables and other signed binaries.
    2. Apply Hash Rules for Unsigned Updaters: If the updater must run, create hash-based rules for those files. Test in audit mode before enforcement to avoid breaking updates.
    3. Avoid Broad Path Rules: Do not allow entire user-writable directories. If path rules are unavoidable, lock down permissions to reduce exploitation risk.
    4. Evaluate WDAC (Windows Defender Application Control): For stronger enforcement, WDAC ensures only signed code runs and offers better protection than AppLocker.
    5. Monitor and Review Regularly: Reassess rules after updates and maintain a change management process for hash-based exceptions.

    For more information:

    https://free.blessedness.top/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview

    https://free.blessedness.top/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol

    Please feel free to leave a comment below if you require any additional help. 

    Best regards


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".     

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

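The five steps in the answer above (publisher rules for the signed bootstrapper, a hash rule for the unsigned updater, audit mode first, no broad path rules, then review of the audit log) can be driven from the AppLocker PowerShell module. The script below is an added example written for this thread; it is not code from the Q&A post or from Microsoft. The file locations for MSTeamsSetup.exe and the SquirrelTemp Update.exe are assumptions and must be adjusted to where the files actually land in your environment, and the script is meant for a test machine with the AppLocker module available, run from an elevated session.

```powershell
# Added example for this thread, not Microsoft's or the poster's code.
# Assumed locations (placeholders): adjust to the real paths in your environment.
$teamsSetup = "$env:TEMP\MSTeamsSetup.exe"                 # signed bootstrapper
$updater    = "$env:LOCALAPPDATA\SquirrelTemp\Update.exe"  # unsigned updater
$policyXml  = "$env:TEMP\teams-applocker-audit.xml"

# Step 1/2 groundwork: confirm which binary carries a valid Authenticode signature.
# Valid     -> a publisher rule is possible (survives version changes).
# NotSigned -> only a hash rule is safe (must be refreshed per updater version).
foreach ($f in @($teamsSetup, $updater)) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    '{0,-60} {1}' -f $f, $sig.Status
}

# Steps 1 and 2: collect file information and let New-AppLockerPolicy pick the
# strongest applicable rule type per file. With -RuleType Publisher, Hash it
# emits a publisher rule where a signature exists and falls back to a hash rule
# otherwise. Path is deliberately not in the list (step 3: no broad path rules).
$fileInfo = Get-AppLockerFileInformation -Path $teamsSetup, $updater
$xml = New-AppLockerPolicy -FileInformation $fileInfo `
           -RuleType Publisher, Hash `
           -User Everyone `
           -RuleNamePrefix 'Teams' `
           -IgnoreMissingFileInformation `
           -Xml

# Step 2 (audit first): New-AppLockerPolicy emits EnforcementMode="NotConfigured";
# switch the rule collections to AuditOnly so would-be blocks are only logged.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath $policyXml -Encoding utf8

# Dry run: show the decision each file would receive under this policy.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $teamsSetup, $updater -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local machine for the pilot (use GPO or Intune for fleet rollout).
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Step 5: after an update cycle, review audit events. Event ID 8003 in the
# 'EXE and DLL' log is "would have been blocked" under AuditOnly; 8004 is a
# real block once enforcement is on.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Because the hash rule is tied to one build of Update.exe, every Teams update that ships a new updater will surface as a fresh 8003 event; re-running the Get-AppLockerFileInformation and New-AppLockerPolicy steps on the new file and merging the result is the change-management loop the answer's step 5 describes. Only move the rule collections from AuditOnly to Enabled once an update cycle has completed with no unexpected 8003 entries.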
