AppLocker - whitelisting signed MSI files

Under Windows Installer Rules, the default setting is to allow running all digitally signed MSI files, signed by any publisher.

I've deleted this rule, because I don't see why I'd make an exception for MSI files (there's no such rule for EXE files).

But I wonder if this default whitelisting is there for a reason, if perhaps such files are used for Windows updates or whatever... I guess I'll see when the next updates come, but if anyone has more info let me know.

 

This is pretty close to the ruleset that I've been using for a few years: https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7. Windows Update works fine for me with this ruleset, although I don't allow automatic updates.

 

Good to know, thanks.