Hi,

The MSIs' customactions.dll is unsigned and therefore only Hash or FileName rules [1] can be used to allow it in WDAC policies. Can it be signed like the rest so that more reasonable and update-proof policies could be created?

A patch is attached.

Regards,
Alex

[1] https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels
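
The difference the message describes can be seen when building WDAC rules for an installer's binaries. This is an added example, not part of the original message or the attached patch; it uses the ConfigCI cmdlets, and the two paths are placeholder assumptions.

```powershell
# Added example. Requires the ConfigCI module (New-CIPolicyRule / New-CIPolicy).
param(
    # Assumed: folder holding the binaries unpacked from the MSI (placeholder path)
    [string]$ExtractedDir = 'C:\Temp\msi-extracted',
    # Assumed: where the generated policy XML is written (placeholder path)
    [string]$PolicyPath   = 'C:\Temp\msi-allow.xml'
)

$rules  = @()
$report = foreach ($file in Get-ChildItem -Path $ExtractedDir -Recurse -Include *.dll, *.exe) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    if ($sig.Status -eq 'Valid') {
        # Signed binary: the rule binds to signer, file name and minimum version,
        # so a rebuilt or updated file from the same publisher still matches.
        $level = 'FilePublisher'
    } else {
        # Unsigned binary (the customactions.dll case): no certificate to anchor on,
        # so the rule pins one exact file hash and must be regenerated per release.
        $level = 'Hash'
    }

    # -Fallback Hash covers signed files that lack the version info FilePublisher needs
    $rules += New-CIPolicyRule -DriverFilePath $file.FullName -Level $level -Fallback Hash

    [pscustomobject]@{
        File      = $file.Name
        Signature = $sig.Status
        RuleLevel = $level
        Signer    = $sig.SignerCertificate.Subject   # empty for unsigned files
    }
}

# Every row with RuleLevel 'Hash' is a file that will break the policy on update
$report | Format-Table -AutoSize

# Write a user-mode policy containing the collected rules
New-CIPolicy -FilePath $PolicyPath -Rules $rules -UserPEs
```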