I had been trying to define Windows Store Apps as my Windows 11 devices keep getting these executables targeted under Default - Any Application which is generally Blocked under my definition.

c:\windows\system32\securityhealth\10.0.27703.1006-0\\microsoft.sechealthui_8wekyb3d8bbwe.appx

c:\windows\system32\securityhealth\10.0.27703.1006-0\\microsoft.ui.xaml.appx

c:\windows\system32\securityhealth\10.0.27703.1006-0\\microsoft.vclibs.appx

I tried to use “Application Name” of “Microsoft.SecHealthUI” and “Application Publisher” of “Microsoft Corporation” (based on the analytics logs), but it is not getting triggered. Under my definition, I used the filter “Windows Store Pkg Name” to point to the “Application Name” from the log and the “Windows Store Publisher” pointing to the Application Publisher, also based on the log.

Am I doing something wrong with my definition?

Hey @Jasper, first thing I’d change on your end is correct the Exact Match on your publisher definition -- there looks to be a typo there: “Micosoft” vs. “Microsoft”.

If that doesn’t help, could you clarify if the goal here is to try and block this from running (or are we building an elevation rule?)


Thanks for that, Neil. I updated it with the correct spelling when I realized that. Unfortunately, it still got blocked. My aim is to allow it to run, as it cannot find the definition I had put in place above the catch-all Default - Any Application (this is generally blocked). I had added the definition on the Passive - Allowed Functions and Apps and it is supposed to be allowed, but it gets triggered only under the catch-all. The same thing happens to the other 2 appx files.

Interesting. It’s difficult to say what is happening without looking directly at the logs. Have you opened a case with BT support yet, by any chance? A PGCapture would hopefully provide a bit more insight into our options here.

One thing that might help isolate which criterion isn’t matching would be to remove the “Windows Store Pkg Name” criterion as a test. This will confirm whether we are at least matching properly against the Publisher.


I did remove the Windows Store Pkg Name and it got triggered under the Application Publisher. Just wondering why it does not like the Windows Store Pkg Name, as it is automatically populated when you add that in based on the analytics logs. Right now, it is working as expected.
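When a store-package criterion fails to match while the publisher matches, it helps to see exactly what the package itself declares, not only what the analytics log shows. The script below is an added example, not code from this thread or from BeyondTrust: it reads the `Identity` element of `AppxManifest.xml` straight out of each `.appx` in the staging folder named in the first post, and then queries the registered package for comparison. The folder path and the package name `Microsoft.SecHealthUI` are taken from the thread; run it in an elevated PowerShell on the affected device.

```powershell
# Added example (not from the thread or the vendor): show what an .appx package
# declares as its identity, so those values can be checked against a
# "Windows Store" application definition. Assumes the staging folder and
# package name quoted in the thread exist on this machine.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxIdentity {
    param([Parameter(Mandatory)][string]$Path)

    # An .appx/.msix is a zip; the manifest sits at its root.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "No AppxManifest.xml found in $Path" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
    }
    finally { $zip.Dispose() }

    $id = $manifest.Package.Identity
    [pscustomobject]@{
        File                 = Split-Path -Path $Path -Leaf
        Name                 = $id.Name        # identity name, e.g. Microsoft.SecHealthUI
        Publisher            = $id.Publisher   # full certificate subject (CN=..., O=..., ...)
        Version              = $id.Version
        # DisplayName values may be resource references (ms-resource:...) rather than text.
        DisplayName          = $manifest.Package.Properties.DisplayName
        PublisherDisplayName = $manifest.Package.Properties.PublisherDisplayName
    }
}

# Folder quoted in the first post; adjust the build number for your device.
$stagingDir = 'C:\Windows\System32\SecurityHealth\10.0.27703.1006-0'
Get-ChildItem -Path $stagingDir -Filter '*.appx' |
    ForEach-Object { Get-AppxIdentity -Path $_.FullName } |
    Format-List

# The registered copy of the package, if present, for a side-by-side check.
Get-AppxPackage -Name 'Microsoft.SecHealthUI' |
    Select-Object Name, Publisher, PublisherId, PackageFamilyName, Version
```

Note that the manifest `Publisher` is the signing certificate subject, while the analytics log shows a display string such as “Microsoft Corporation”; comparing both columns with the fields in the definition shows which value the criterion would need to match.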


Please review KB0020374 to ensure the app is the supported type. There is also a quick disclaimer about compatibility in KB0019813 with a link to MS for additional details. 
