WDAC / App Control for Business filepath rules not honored on Windows Server 2019 (SPF .p7b) — same policy works on Server 2022 (MPF .cip)

Ruben Faustinita 100 Reputation points
2026-04-27T20:24:10.41+00:00

Good afternoon,

I would like to open this thread to discuss a specific behavior we are observing with the legacy WDAC — now App Control for Business — when deploying policies to Windows Server 2019.

Scenario

We are currently rolling out App Control for Business policies across both Windows Server 2022 and Windows Server 2019 environments.

  • On Server 2022, we deployed a policy in Multiple Policy Format (MPF, .cip) with a few allow exclusions using macros and wildcards (for example, %OSDRIVE%\Program Files\*). This is working as expected — nothing inside the allowed paths is being blocked.
  • On Server 2019, we attempted the same approach, but using Single Policy Format (SPF, .p7b) since MPF is not supported on this OS version. The exclusions in the XML are exactly the same as the ones working on Server 2022. The policy was deployed in audit mode.

The Issue

When reviewing the CodeIntegrity event logs on the 2019 servers, we are seeing block events (3076 in audit mode, 3077 once we briefly tested enforcement) for files that are clearly inside the paths covered by our allow rules — including binaries under C:\Program Files\ such as 7-Zip and several DLLs/executables under C:\Program Files\ManageEngine\ADAudit Plus\.

In other words, the filepath allow rules do not appear to be honored on Server 2019, even though the exact same rule syntax works perfectly on Server 2022.

Additional Context

  • The policy was created using the official Microsoft App Control Policy Wizard.
  • It was deployed directly to the 2019 machine (copied to C:\Windows\System32\CodeIntegrity\SiPolicy.p7b and activated via PS_UpdateAndCompareCIPolicy).
  • Option 18 (Disabled:Runtime FilePath Rule Protection) is set in the policy.
  • We initially suspected this could be related to the syntax that the Wizard generates when producing policies for older OS versions.

Questions

  1. Could this behavior be caused by the policy syntax produced by the App Control Policy Wizard (e.g., MPF-style structure being unintentionally retained when targeting an SPF deployment)?
  2. Does Windows Server 2019 fully support filepath rules with macros and wildcards (e.g., %OSDRIVE%\Program Files\*) within an App Control for Business policy, the same way Server 2022 does?

Has anyone in the community come across this same issue or found a reliable workaround?

Thank you in advance for your time and input.

Best regards, Ruben Faustinita

Microsoft Security | Intune | Security
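As an added example (not part of the original question or of any Microsoft tooling), here is a PowerShell triage script for the situation described above: it reads a policy XML, reports whether Option 18 is set and whether MPF-only elements (PolicyID/BasePolicyID) survived in a policy meant for an SPF deployment, and then tests each blocked path reported by 3076/3077 events against the policy's FilePath allow rules. The policy fragment and blocked paths are constructed to mirror the post, not real event data; the rule IDs and friendly names are assumptions.

```powershell
# Added example: offline triage of CodeIntegrity block events against FilePath allow rules.
# Assumes the standard SiPolicy XML schema and drive-letter paths. Real 3076/3077 events
# carry the file name as a \Device\HarddiskVolumeN\... path; map it to a drive letter first.

$policyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Disabled:Runtime FilePath Rule Protection</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="Program Files (assumed)" FilePath="%OSDRIVE%\Program Files\*" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="ADAudit Plus (assumed)" FilePath="%OSDRIVE%\Program Files\ManageEngine\ADAudit Plus\*" />
  </FileRules>
</SiPolicy>
'@

# Constructed sample of "File Name" values from 3076/3077 events (not real data).
$blockedPaths = @(
  'C:\Program Files\7-Zip\7z.exe',
  'C:\Program Files\ManageEngine\ADAudit Plus\bin\sample.dll',
  'C:\Users\Public\unrelated.exe'
)

function Test-FilePathRule {
  param([string]$Path, [string]$Pattern, [string]$OsDrive = 'C:')
  # Expand the macros WDAC accepts in FilePath rules; '*' is only valid at the start or end.
  $expanded = $Pattern.Replace('%OSDRIVE%', $OsDrive).Replace('%WINDIR%', "$OsDrive\Windows").Replace('%SYSTEM32%', "$OsDrive\Windows\System32")
  return $Path -like $expanded   # -like is case-insensitive and treats '*' as a wildcard
}

[xml]$policy = $policyXml
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')

# 1. Structural checks that matter for an SPF (.p7b) deployment on Server 2019.
$options = $policy.SelectNodes('//p:Rules/p:Rule/p:Option', $ns) | ForEach-Object { $_.InnerText }
Write-Host ("Option 18 (Disabled:Runtime FilePath Rule Protection) present: " + ($options -contains 'Disabled:Runtime FilePath Rule Protection'))
Write-Host ("MPF-only elements (PolicyID/BasePolicyID) present: " + ($null -ne $policy.SelectSingleNode('//p:PolicyID | //p:BasePolicyID', $ns)))

# 2. For every blocked path, list the FilePath allow rules that should have covered it.
$allowRules = $policy.SelectNodes('//p:FileRules/p:Allow[@FilePath]', $ns)
foreach ($path in $blockedPaths) {
  $hits = @($allowRules | Where-Object { Test-FilePathRule -Path $path -Pattern $_.FilePath } | ForEach-Object { $_.ID })
  if ($hits.Count -gt 0) { Write-Host "$path : covered by $($hits -join ', ') -> block contradicts the policy, investigate rule processing" }
  else                   { Write-Host "$path : no FilePath allow rule -> block is expected" }
}
```

A path that is reported as covered yet still appears in 3076/3077 events isolates the problem to how the OS processes the rule, while a path with no match points back at the policy itself.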
