Option 13 — Enabled Installer#

Policy Rule Option: 13 Rule Name: Enabled:Managed Installer Applies to Supplemental Policies: Yes

Table of Contents#

What It Does
Why It Exists
The Kernel EA Mechanism — Deep Dive
AppLockerFltr.sys — The Bridge Between AppLocker and App Control
Visual Anatomy — Policy Evaluation Stack
How to Set It (PowerShell)
XML Representation
Interaction With Other Options
When to Enable vs Disable
Real-World Scenario — End-to-End Walkthrough
What Happens If You Get It Wrong
Valid for Supplemental Policies?
OS Version Requirements
Security Considerations and Limitations
Summary Table

What It Does#

Enabled Installer is one of the most powerful App Control policy options. When active, it creates an automated trust channel: any file written to disk by a designated managed installer process (such as Microsoft Endpoint Configuration Manager, Intune Win32 app installs, or any custom-designated process) is automatically trusted by App Control and allowed to execute — without requiring an explicit signer rule or hash rule in the policy.

In plain terms: once you designate your software deployment tool as a “managed installer,” all software it deploys becomes implicitly trusted, dramatically reducing the ongoing rule management overhead of running App Control in enforcement mode.

The trust grant works through a kernel-level extended attribute (EA) tag written to each file at install time. When a user or process later tries to execute that file, the Code Integrity module (ci.dll) checks for this EA tag and, if found (with the correct byte value for MI), allows the execution without requiring an explicit policy rule.

Why It Exists#

The core tension in App Control deployment is between security (only known-good files execute) and operational agility (IT continuously deploys new software). Without Managed Installer:

Every application deployed by IT must be covered by an explicit signer rule or hash rule
New software deployments require policy updates, which require testing and redeployment
Hash-based rules are fragile — every version bump requires a new rule
Signer-based rules require verifying the publisher chain for every new application
The IT team becomes a bottleneck — policy updates must precede every software deployment

Managed Installer solves this by delegating the trust decision to the deployment tool itself. The logic is: if your MDM/SCCM system installed it, it was approved through your change management process. App Control honors that process-level trust, converting administrative approval (the act of deploying software) into technical enforcement (the kernel allows that specific file to run).

The Kernel EA Mechanism — Deep Dive#

This is the beating heart of Managed Installer. Understanding it is essential for troubleshooting and security analysis.

What Is an Extended Attribute (EA)?#

Windows NTFS extended attributes are metadata fields attached to a file that live in the NTFS master file table (MFT) alongside the file’s standard attributes (name, size, timestamps). They are key-value pairs that applications and the kernel can read and write. Most user-space tools don’t expose them, but they are accessible via the NtQueryEaFile / NtSetEaFile NT native API calls and the fsutil command.

The KERNEL.SMARTLOCKER.ORIGINCLAIM EA#

When a managed installer process writes a file to disk, the AppLocker kernel driver (AppLockerFltr.sys) intercepts the write operation and attaches a special extended attribute to the written file:

1
EA Name:  KERNEL.SMARTLOCKER.ORIGINCLAIM
2
EA Value: Binary blob (variable length)
3
          ├── Header fields (version, flags)
4
          └── byte[4] = 0x00  ← This byte identifies the claim as "Managed Installer"

The critical discriminator is byte[4] of the EA value:

byte[4] value	Meaning	Source
`0x00`	File was written by a Managed Installer	Option 13 (AppLockerFltr.sys)
`0x01`	File has known-good ISG reputation	Option 14 (cloud lookup)

How ci.dll Uses the EA at Execution Time#

flowchart TD
    Exec([User/process calls CreateProcess or LoadLibrary])
    --> KernelCheck[Windows kernel\ncalls into ci.dll for code integrity check]
    KernelCheck --> PolicyCheck{Does file match\nany explicit policy rule?\nSigner / Hash / Path}
    PolicyCheck -- Yes --> Allow([File execution allowed])
    PolicyCheck -- No --> O13Check{Option 13\nEnabled in policy?}
    O13Check -- No --> Block([File execution blocked])
    O13Check -- Yes --> EARead[ci.dll calls NtQueryEaFile\non the file being executed]
    EARead --> EAExists{EA name\nKERNEL.SMARTLOCKER.ORIGINCLAIM\npresent?}
    EAExists -- No --> Block
    EAExists -- Yes --> EAByte{byte[4] of EA value\n== 0x00?}
    EAByte -- No --> O14Path([Route to ISG check\nsee Option 14])
    EAByte -- Yes --> ValidateClaim[ci.dll validates EA integrity\nChecks claim is not spoofed]
    ValidateClaim --> ClaimValid{EA claim\ncryptographically valid?}
    ClaimValid -- No --> Block
    ClaimValid -- Yes --> Allow

    style Exec fill:#162032,color:#58a6ff
    style KernelCheck fill:#162032,color:#58a6ff
    style PolicyCheck fill:#1a1a0d,color:#fde68a
    style Allow fill:#0d1f12,color:#86efac
    style O13Check fill:#1a1a0d,color:#fde68a
    style Block fill:#1f0d0d,color:#fca5a5
    style EARead fill:#162032,color:#58a6ff
    style EAExists fill:#1a1a0d,color:#fde68a
    style EAByte fill:#1a1a0d,color:#fde68a
    style O14Path fill:#1c1c2e,color:#a5b4fc
    style ValidateClaim fill:#162032,color:#58a6ff
    style ClaimValid fill:#1a1a0d,color:#fde68a

Inspecting the EA on a File#

1
# Check if a file has the Managed Installer EA
2
# Using fsutil (requires admin)
3
fsutil file queryEA "C:\Program Files\MyApp\myapp.exe"
4

5
# PowerShell alternative using P/Invoke to NtQueryEaFile
6
# (No built-in cmdlet; requires low-level API call)
7
# The presence of KERNEL.SMARTLOCKER.ORIGINCLAIM indicates MI-stamped file

1
REM From elevated command prompt:
2
fsutil file queryEA "C:\Program Files\MyApp\myapp.exe"
3
REM Output will show: KERNEL.SMARTLOCKER.ORIGINCLAIM if MI-stamped

EA Persistence and Inheritance#

The EA is written to the file’s NTFS metadata at write time
It persists as long as the file is on an NTFS volume
It is NOT inherited by child files or copies made to non-NTFS volumes (FAT32, exFAT)
If a file is copied to a FAT32 USB drive and back, the EA is lost — the copy will not be trusted
File overwrites by non-MI processes do NOT re-stamp the EA; the original EA remains
If a file is overwritten by a malicious process (not the MI), the overwritten content runs under the original EA — this is a known attack surface (see Security Considerations)

AppLockerFltr.sys — The Bridge Between AppLocker and App Control#

Architecture Overview#

The Managed Installer feature requires two separate but tightly integrated subsystems:

flowchart TD
    subgraph UserSpace["User Space"]
        SCCM([SCCM / Intune Agent\nor designated MI process])
        AppMgmt([Application Install\nFile writes to disk])
    end

    subgraph KernelSpace["Kernel Space"]
        AppLockerFltr([AppLockerFltr.sys\nKernel driver])
        FSFilter([File System Mini-filter\nIntercepts file writes])
        CIModule([ci.dll / Code Integrity\nEvaluates execution])
        NTFS([NTFS Volume\nEA storage in MFT])
    end

    subgraph Policy["Policy Layer"]
        AppLockerPolicy([AppLocker Policy\nManagedInstaller rule collection\nDesignates which processes are MIs])
        WDACPolicy([App Control Policy\nOption 13 enabled\nHonors MI claims])
    end

    SCCM --> AppMgmt
    AppMgmt -->|"CreateFile / WriteFile"| FSFilter
    FSFilter --> AppLockerFltr
    AppLockerFltr -->|"Is writing process designated\nas MI in AppLocker policy?"| AppLockerPolicy
    AppLockerPolicy -->|"Yes: write EA to file"| NTFS
    AppLockerPolicy -->|"No: do not stamp EA"| NTFS

    CIModule -->|"At execution time:\nread EA from MFT"| NTFS
    CIModule -->|"Option 13 check"| WDACPolicy

    style SCCM fill:#0d1f12,color:#86efac
    style AppMgmt fill:#162032,color:#58a6ff
    style AppLockerFltr fill:#1c1c2e,color:#a5b4fc
    style FSFilter fill:#1c1c2e,color:#a5b4fc
    style CIModule fill:#1c1c2e,color:#a5b4fc
    style NTFS fill:#162032,color:#58a6ff
    style AppLockerPolicy fill:#1a1a0d,color:#fde68a
    style WDACPolicy fill:#0d1f12,color:#86efac

What AppLockerFltr.sys Does#

AppLockerFltr.sys is a file system mini-filter driver loaded by the AppLocker service. Its responsibilities in the Managed Installer flow:

Intercepts all file write operations at the file system layer
Checks the writing process against the AppLocker ManagedInstaller rule collection
Stamps the EA (KERNEL.SMARTLOCKER.ORIGINCLAIM with byte[4]=0x00) on files written by designated MI processes
Propagates the stamp to extracted archives (if the installer extracts a ZIP/CAB, the extracted files are also stamped)

Verifying AppLockerFltr.sys is Loaded#

1
# Verify the AppLocker filter driver is loaded
2
Get-Service -Name AppIDSvc | Select-Object Status, StartType
3
# Should be: Running, Automatic
4

5
# Check the kernel module directly
6
fltMC | Where-Object { $_ -match "AppLocker" }
7
# or
8
Get-WmiObject Win32_SystemDriver | Where-Object Name -eq "AppLockerFltr"

1
REM From elevated command prompt:
2
fltMC
3
REM Look for "AppLockerFltr" in the output with an altitude number
4
REM Altitude ~130000 range for AppLocker

AppLocker ManagedInstaller Rule Collection#

The AppLocker ManagedInstaller rule collection is separate from the standard AppLocker Executable, Script, DLL, and Packaged Apps rule collections. It designates which processes have MI privileges.

1
<AppLockerPolicy Version="1">
2
  <RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
3

4
    <FilePublisherRule Id="6CC9B840-B4A0-49B1-A9B0-1358E4F4173F"
5
                       Name="CCM Client - Managed Installer"
6
                       Description="Microsoft SCCM client as managed installer"
7
                       UserOrGroupSid="S-1-1-0"
8
                       Action="Allow">
9
      <Conditions>
10
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
11
                                ProductName="*"
12
                                BinaryName="CCMEXEC.EXE"
13
                                FileVersionRange>
14
          <BinaryVersionRange LowSection="*" HighSection="*" />
15
        </FilePublisherCondition>
16
      </Conditions>
17
    </FilePublisherRule>
18

19
    <FilePublisherRule Id="...">
20
      <Conditions>
21
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, ..."
22
                                BinaryName="INTUNEMANAGEMENTEXTENSION.EXE"
23
                                .../>
24
      </Conditions>
25
    </FilePublisherRule>
26

27
  </RuleCollection>
28
</AppLockerPolicy>

Configuring AppLocker Managed Installer via PowerShell#

1
# Get current AppLocker policy
2
$Policy = Get-AppLockerPolicy -Local
3

4
# Create a new ManagedInstaller rule for SCCM
5
$Rule = New-AppLockerPolicy -FileInformation (
6
    Get-AppLockerFileInformation -Path "C:\Windows\CCM\CcmExec.exe"
7
) -RuleType Publisher -User Everyone -RuleNamePrefix "MI_SCCM"
8

9
# Note: AppLocker ManagedInstaller rules require manual XML editing
10
# as PowerShell cmdlets don't directly expose the ManagedInstaller collection type.
11
# Use Set-AppLockerPolicy with a manually crafted XML:
12
Set-AppLockerPolicy -XmlPolicy "C:\Policies\AppLockerMI.xml" -Merge
13

14
# Verify the AppID service is running (required for MI stamping)
15
Start-Service AppIDSvc
16
Set-Service AppIDSvc -StartupType Automatic

Visual Anatomy — Policy Evaluation Stack#

flowchart TD
    subgraph DeployPhase["Software Deployment Phase"]
        MDM([MDM / SCCM / Intune\nDesignated Managed Installer])
        FileWrite([Files written to disk\ne.g., C:\Program Files\MyApp\])
        AppLockerFltr([AppLockerFltr.sys intercepts write])
        EAStamp([EA stamped on each file\nKERNEL.SMARTLOCKER.ORIGINCLAIM\nbyte[4]=0x00])
    end

    subgraph ExecutionPhase["Execution Phase"]
        UserRun([User launches application])
        KernelCI([ci.dll invoked by kernel])
        PolicyRules{Explicit policy\nrule match?}
        OptionCheck{Option 13\nenabled?}
        EACheck{EA present\nand byte[4]==0x00?}
        IntegrityCheck{EA claim\ncryptographically valid?}
        Allow([Allow execution])
        Deny([Block execution])
    end

    MDM --> FileWrite
    FileWrite --> AppLockerFltr
    AppLockerFltr --> EAStamp
    EAStamp -.->|"EA persists in NTFS MFT"| UserRun

    UserRun --> KernelCI
    KernelCI --> PolicyRules
    PolicyRules -- Match found --> Allow
    PolicyRules -- No match --> OptionCheck
    OptionCheck -- Disabled --> Deny
    OptionCheck -- Enabled --> EACheck
    EACheck -- No EA --> Deny
    EACheck -- EA found --> IntegrityCheck
    IntegrityCheck -- Invalid --> Deny
    IntegrityCheck -- Valid --> Allow

    style MDM fill:#0d1f12,color:#86efac
    style FileWrite fill:#162032,color:#58a6ff
    style AppLockerFltr fill:#1c1c2e,color:#a5b4fc
    style EAStamp fill:#1c1c2e,color:#a5b4fc
    style UserRun fill:#162032,color:#58a6ff
    style KernelCI fill:#162032,color:#58a6ff
    style PolicyRules fill:#1a1a0d,color:#fde68a
    style OptionCheck fill:#1a1a0d,color:#fde68a
    style EACheck fill:#1a1a0d,color:#fde68a
    style IntegrityCheck fill:#1a1a0d,color:#fde68a
    style Allow fill:#0d1f12,color:#86efac
    style Deny fill:#1f0d0d,color:#fca5a5

How to Set It (PowerShell)#

Step 1: Configure AppLocker Managed Installer Rule#

Before enabling Option 13 in your WDAC policy, you must configure the AppLocker ManagedInstaller rule collection and ensure AppLockerFltr.sys is active.

1
# Step 1: Enable the AppID Service (required for AppLockerFltr.sys)
2
Set-Service -Name AppIDSvc -StartupType Automatic
3
Start-Service -Name AppIDSvc
4

5
# Step 2: Verify AppLockerFltr is loaded as a file system filter
6
fltMC  # Look for AppLockerFltr in the output
7

8
# Step 3: Create and apply AppLocker ManagedInstaller policy
9
# (must be done via XML — no direct PS cmdlet for ManagedInstaller collection)
10
$AppLockerXml = @"
11
<AppLockerPolicy Version="1">
12
  <RuleCollection Type="ManagedInstaller" EnforcementMode="Enabled">
13
    <FilePublisherRule Id="6CC9B840-B4A0-49B1-A9B0-1358E4F4173F"
14
                       Name="SCCM Client"
15
                       Description="ConfigMgr managed installer"
16
                       UserOrGroupSid="S-1-1-0"
17
                       Action="Allow">
18
      <Conditions>
19
        <FilePublisherCondition
20
            PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
21
            ProductName="*"
22
            BinaryName="CCMEXEC.EXE">
23
          <BinaryVersionRange LowSection="*" HighSection="*" />
24
        </FilePublisherCondition>
25
      </Conditions>
26
    </FilePublisherRule>
27
  </RuleCollection>
28
</AppLockerPolicy>
29
"@
30
$AppLockerXml | Out-File "C:\Policies\AppLockerMI.xml" -Encoding UTF8
31
Set-AppLockerPolicy -XmlPolicy "C:\Policies\AppLockerMI.xml" -Merge

Step 2: Enable Option 13 in WDAC Policy#

1
# Enable Managed Installer in the WDAC policy
2
Set-RuleOption -FilePath "C:\Policies\MyPolicy.xml" -Option 13
3

4
# Verify
5
[xml]$xml = Get-Content "C:\Policies\MyPolicy.xml"
6
$xml.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq "Enabled:Managed Installer" }
7

8
# Convert to binary and deploy
9
ConvertFrom-CIPolicy -XmlFilePath "C:\Policies\MyPolicy.xml" `
10
                     -BinaryFilePath "C:\Policies\MyPolicy.p7b"

Step 3: Verify MI Stamping is Working#

1
# After deploying software via the designated MI tool,
2
# verify the EA stamp was written
3

4
# Method 1: fsutil (requires admin)
5
fsutil file queryEA "C:\Program Files\DeployedApp\app.exe"
6

7
# Method 2: Check Code Integrity event log for MI authorization events
8
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
9
    Where-Object { $_.Id -in @(3090, 3091, 3092) } |
10
    Select-Object TimeCreated, Id, Message |
11
    Format-Table -Wrap

Disable Option 13#

1
# Remove Managed Installer from WDAC policy
2
Remove-RuleOption -FilePath "C:\Policies\MyPolicy.xml" -Option 13

XML Representation#

1
<?xml version="1.0" encoding="utf-8"?>
2
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
3
  <VersionEx>10.0.0.0</VersionEx>
4
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
5
  <PlatformID>{2E07F7E4-194C-4D20-B96C-134CA31A5C3F}</PlatformID>
6
  <Rules>
7

8
    <Rule>
9
      <Option>Enabled:Managed Installer</Option>
10
    </Rule>
11

12

13
  </Rules>
14

15
  <!-- No explicit rule is needed for MI-installed files.
16
       Trust is derived from the KERNEL.SMARTLOCKER.ORIGINCLAIM EA at runtime.
17
       However, you still need rules for:
18
       - Pre-existing files installed before MI was configured
19
       - Files on non-NTFS volumes (where EA is not preserved)
20
       - Executables launched from network shares
21
  -->
22

23
</SiPolicy>

Note for supplemental policies: Option 13 is one of the few options valid in supplemental policies. A supplemental policy can enable Managed Installer trust even if the base policy does not have Option 13. This allows selective MI trust extension without modifying the base policy.

Interaction With Other Options#

flowchart LR
    subgraph Core["Core Interactions"]
        O13([Option 13\nManaged Installer])
        O14([Option 14\nISG Authorization])
        O3([Option 3\nAudit Mode])
        O6([Option 6\nUnsigned System\nIntegrity Policy])
    end

    subgraph External["External Dependencies"]
        AppLocker([AppLocker\nManagedInstaller collection])
        AppIDSvc([AppID Service\nAppLockerFltr.sys])
        NTFS([NTFS Volume\nEA storage])
    end

    O13 -->|"Requires both to\nbe active"| AppLocker
    O13 -->|"Requires driver loaded"| AppIDSvc
    O13 -->|"EA persisted here"| NTFS

    O13 <-->|"Share same EA mechanism\nbut different byte[4] values"| O14
    O13 -->|"In audit mode:\nMI-authorized files logged\nnot blocked"| O3

    O13 -->|"If policy is unsigned,\nattacker could modify\npolicy to add O13 to\nmalicious process"| O6

    style O13 fill:#0d1f12,color:#86efac
    style O14 fill:#1c1c2e,color:#a5b4fc
    style O3 fill:#1a1a0d,color:#fde68a
    style O6 fill:#1f0d0d,color:#fca5a5
    style AppLocker fill:#162032,color:#58a6ff
    style AppIDSvc fill:#162032,color:#58a6ff
    style NTFS fill:#162032,color:#58a6ff

Option / Component	Relationship	Notes
AppLocker ManagedInstaller	Hard dependency	Without AppLocker MI rules, no processes are designated as MI. No EA stamps will be written.
AppLockerFltr.sys (AppIDSvc)	Hard dependency	The AppID service must be running. Without it, the file system filter driver is unloaded and no EA stamps are written.
Option 14 — ISG	Complementary	Options 13 and 14 share the same EA field (`KERNEL.SMARTLOCKER.ORIGINCLAIM`) but use different byte[4] values (0x00 vs 0x01). They are additive — a policy can have both active simultaneously.
Option 3 — Audit Mode	Compatible	In audit mode, MI-authorized files are logged but not blocked. Use audit mode to validate MI coverage before enforcement.
Option 6 — Unsigned Policy	Security risk	If Option 13 is used with an unsigned policy, an attacker with admin rights could modify the AppLocker MI designation to elevate a malicious tool to MI status. Use signed policies when using Option 13.
NTFS volumes	Hard dependency	EA storage requires NTFS. FAT32/exFAT volumes cannot store the MI stamp. Files installed to non-NTFS paths (rare) will not be trusted by MI.

When to Enable vs Disable#

flowchart TD
    Start([Evaluating Option 13]) --> Q1{Do you use MDM,\nSCCM, or Intune\nfor software deployment?}
    Q1 -- Yes --> Q2{Is AppLockerFltr.sys\nloaded and AppIDSvc\nrunning on endpoints?}
    Q1 -- No --> ManualDeploy([Manual deployment workflow:\nConsider catalog signing instead])
    Q2 -- No --> ConfigFirst([Configure AppID service first\nthen reconsider])
    Q2 -- Yes --> Q3{Is your App Control\npolicy signed?}
    Q3 -- No --> Q4{Are endpoints\nhigh-security /\nadmin-restricted?}
    Q3 -- Yes --> Enable([Enable Option 13\nHigh confidence])
    Q4 -- Yes --> Enable2([Enable Option 13\nDocument risk of unsigned policy])
    Q4 -- No --> Caution([Caution: Unsigned policy +\nOption 13 = high risk\nSign policy first])

    style Start fill:#162032,color:#58a6ff
    style Q1 fill:#1a1a0d,color:#fde68a
    style Q2 fill:#1a1a0d,color:#fde68a
    style Q3 fill:#1a1a0d,color:#fde68a
    style Q4 fill:#1a1a0d,color:#fde68a
    style ManualDeploy fill:#1c1c2e,color:#a5b4fc
    style ConfigFirst fill:#1a1a0d,color:#fde68a
    style Enable fill:#0d1f12,color:#86efac
    style Enable2 fill:#0d1f12,color:#86efac
    style Caution fill:#1f0d0d,color:#fca5a5

Real-World Scenario — End-to-End Walkthrough#

Scenario: Contoso uses Microsoft Endpoint Configuration Manager (SCCM) to deploy software to 10,000 endpoints. App Control is in enforcement mode. The security team wants to avoid managing explicit hash rules for every deployed application. Option 13 is enabled, with SCCM’s CcmExec.exe designated as the managed installer.

sequenceDiagram
    actor Admin as IT Administrator
    participant SCCM as SCCM Server
    participant Agent as SCCM Client (CcmExec.exe)
    participant Fltr as AppLockerFltr.sys
    participant NTFS as NTFS File System
    participant CI as Code Integrity (ci.dll)
    participant User as End User

    Admin->>SCCM: Create application deployment: AdobeReader.msi
    Admin->>SCCM: Assign deployment to "All Windows 10 Devices" collection

    Note over Agent: SCCM deployment window reached
    SCCM->>Agent: Notify: install AdobeReader.msi
    Agent->>Agent: CcmExec.exe (designated MI) begins installation
    Agent->>NTFS: Write C:\Program Files\Adobe\Acrobat Reader DC\AcroRd32.exe

    Note over Fltr: AppLockerFltr.sys intercepts the write
    Fltr->>Fltr: Writing process = CcmExec.exe
    Fltr->>Fltr: AppLocker MI policy check: CcmExec.exe IS a Managed Installer
    Fltr->>NTFS: Attach EA: KERNEL.SMARTLOCKER.ORIGINCLAIM\nbyte[4] = 0x00 (Managed Installer)
    NTFS-->>Agent: File write complete (with EA stamp)

    Note over Agent: All files in the MSI are similarly stamped
    Agent-->>SCCM: Deployment success: AdobeReader installed

    Note over User: User opens Adobe Reader
    User->>CI: CreateProcess("AcroRd32.exe") — kernel calls ci.dll
    CI->>CI: Check policy rules: No explicit signer/hash rule for AcroRd32.exe
    CI->>CI: Option 13 enabled: check EA
    CI->>NTFS: NtQueryEaFile on AcroRd32.exe
    NTFS-->>CI: EA found: KERNEL.SMARTLOCKER.ORIGINCLAIM\nbyte[4] = 0x00

    CI->>CI: Validate EA claim integrity
    CI-->>User: AcroRd32.exe ALLOWED (Managed Installer trust)
    User->>User: Adobe Reader opens successfully

    Note over Admin: Adobe Reader updated (new version)
    SCCM->>Agent: Deploy AdobeReader 2024.x update
    Agent->>NTFS: Overwrite AcroRd32.exe with new version
    Fltr->>NTFS: Re-stamp EA on updated file (CcmExec.exe is still the writer)
    Note over User: User opens updated Adobe Reader
    CI-->>User: Still ALLOWED via MI EA (no policy update needed)

Key value demonstrated: Adobe Reader was deployed, updated, and re-deployed — all without a single policy rule change. The MI mechanism handled trust automatically.

What Happens If You Get It Wrong#

Scenario A: Option 13 enabled but AppIDSvc not running#

AppLockerFltr.sys is NOT loaded as a file system filter
Files written by the designated MI process are NOT stamped with the EA
When users try to execute deployed applications, ci.dll finds no EA and no policy rule
Result: All applications deployed via MDM/SCCM are blocked at execution time
Symptoms: Event ID 3077 floods the CodeIntegrity log for every application
Recovery: Start AppIDSvc, ensure it is set to Automatic, redeploy applications via MI to re-stamp files

Scenario B: AppLocker MI rules not configured (only Option 13 in WDAC policy)#

AppLockerFltr.sys is loaded, but no process is designated as a managed installer
No EA stamps are ever written (there is no MI process to trigger them)
Same result as Scenario A: all MDM-deployed apps are blocked
Recovery: Create AppLocker ManagedInstaller rule collection, designate the deployment agent

Scenario C: File copied from NTFS to FAT32 and back#

The EA (KERNEL.SMARTLOCKER.ORIGINCLAIM) is lost during the FAT32 step
The copy does not have MI trust
Result: The file is blocked even though it was originally MI-installed
Recommendation: Always deploy from the MI tool directly; do not copy from external media

Scenario D: Attacker exploits an MI-designated process#

If an attacker compromises the SCCM client (CcmExec.exe) or the SCCM server
They can deploy malicious files that receive the MI EA stamp
Those files will be trusted by App Control even without policy rules
Mitigation: Use signed WDAC policies, protect the SCCM infrastructure with strong access controls, monitor for unexpected SCCM deployments via audit logs
Severity: Critical — MI trust is only as secure as the designated installer process

Scenario E: Pre-existing files (installed before MI was configured)#

Files installed before MI was enabled do NOT have the EA stamp
They are not retroactively trusted
Resolution: Redeploy applications via the MI tool after MI is configured, OR add explicit policy rules for pre-existing applications

Event IDs to Monitor#

Event ID	Log	Meaning
3090	Microsoft-Windows-CodeIntegrity/Operational	Managed Installer audit event — file would be allowed by MI
3091	Microsoft-Windows-CodeIntegrity/Operational	Managed Installer audit event — file blocked despite MI check
3092	Microsoft-Windows-CodeIntegrity/Operational	MI claim found and honored — file allowed by MI trust
3076	Microsoft-Windows-CodeIntegrity/Operational	Audit-mode block (would be blocked in enforcement)
3077	Microsoft-Windows-CodeIntegrity/Operational	Enforcement-mode block

Valid for Supplemental Policies?#

Yes. Option 13 is one of the few rule options valid in both base and supplemental policies.

This is intentional: organizations may want to enable Managed Installer trust for a specific subset of machines or organizational units without modifying the enterprise base policy. A supplemental policy covering a specific OU can enable Option 13 for that group while the base policy remains unchanged.

When Option 13 appears in a supplemental policy, it extends the trust decision to the supplemental policy’s scope. The base policy does not need to have Option 13 for the supplemental policy’s MI trust to be honored.

OS Version Requirements#

Platform	Minimum Version	Notes
Windows 10	1703	Managed Installer first introduced
Windows 10	1709+	Recommended minimum; improved EA validation
Windows 11	All versions	Fully supported
Windows Server 2019	All versions	Fully supported
Windows Server 2022	All versions	Fully supported
Windows Server 2016	Limited	AppLocker available but MI integration may have limitations

The AppLockerFltr.sys driver and the ManagedInstaller rule collection type require the AppLocker service infrastructure, available in Windows 10 and Windows Server 2016+. The NTFS EA mechanism is available on all NTFS-formatted volumes.

Security Considerations and Limitations#

Trust Chain Security#

The security of Managed Installer is entirely dependent on the security of the designated installer process. If that process is compromised, it becomes an unrestricted application deployment channel. Security recommendations:

Sign the WDAC policy (use a hardware-backed certificate). An unsigned policy can be replaced by an admin-level attacker who could designate any process as MI.
Protect the MI process (SCCM/Intune). Use privileged access workstations for SCCM administration. Enable MFA and PIM for Intune admin roles.
Monitor MI deployment events in SCCM/Intune. Unexpected deployments to production machines should trigger alerts.
Limit who can designate MI processes. AppLocker MI policy changes require GPO admin privileges.

Known Limitations#

No file provenance after copy: EA is lost when copying to non-NTFS volumes
No retrospective stamping: Files installed before MI was configured are not trusted retroactively
Network shares: Files on SMB shares do not receive local NTFS EA stamps (the EA would be on the share server, not evaluated by the local ci.dll)
Container workloads: Docker/Windows containers have their own file system layers; MI EA behavior in container contexts requires validation
In-place upgrades: Windows OS upgrades may reset or alter AppLocker configuration; verify MI designation post-upgrade

EA Spoofing Defense#

ci.dll does not simply trust the presence of the EA byte value. The EA includes a cryptographic claim structure that ci.dll validates against the current AppLocker MI policy configuration. An attacker cannot manually write a fake KERNEL.SMARTLOCKER.ORIGINCLAIM EA to an arbitrary file and have it trusted — the claim must be consistent with the active MI policy as validated by the kernel. This prevents trivial EA injection attacks.

Summary Table#

Attribute	Value
Option Number	13
XML String	`Enabled:Managed Installer`
Policy Type	Base and supplemental policies
Default State	Not set — no MI trust
PowerShell Enable	`Set-RuleOption -FilePath <xml> -Option 13`
PowerShell Remove	`Remove-RuleOption -FilePath <xml> -Option 13`
Kernel Mechanism	NTFS EA: `KERNEL.SMARTLOCKER.ORIGINCLAIM` with byte[4]=0x00
Required Driver	`AppLockerFltr.sys` (loaded by AppIDSvc)
Required AppLocker Config	ManagedInstaller rule collection designating MI processes
Trust Persists	In NTFS EA; lost on non-NTFS copy
Retroactive Stamping	No — only files written after MI is configured
Risk if MI process compromised	Unlimited trusted execution of malicious files
Supplemental Policy	Valid — Yes
Key Event IDs	3090, 3091, 3092 (CodeIntegrity/Operational)
Works With	Option 14 (ISG), Option 3 (Audit), supplemental policies
Security Recommendation	Use signed policy when Option 13 is active