Funfacts when restoring images
For fun I wanted to see whether my quadruple whitelist security layers impacted the startup for a few programs and decided to test the startup delay with AppTimer with no security enabled. I noticed that Edge could not be tested anymore with AppTimer, because AppTimer was denied launching Edge (on both my Windows10 desktop without security and my wife's Windows 11 laptop with Avira Free). So it seems that security mechanisms are being added by Microsoft silently.
Another thing I noticed. When I decided to go back to my previous image, I promoted my standard user to admin again. Until @AndyFull mentioned the scoop about AppLockerHome, I was playing with the setup I mentioned at
@Gandalf_The_Grey security setup (using Windows WDAC Intelligent Security Graph in stead of Smart App Control). So I buckled up that image (WDAC with ISG) and installed Avira Free (because that is what I installed on my wife's laptop after Defender eating up icons). I always used the unsigned AppTimer to check whether ISG was working.
As I advised
@Gandalf_The_Grey I ran WDAC in Audit mode, next round wiith Audit on boot-failure, than fully enabled. As expected WDAC ISG allowed AppTimer in Audit, Blocked it when with the safety net "Audit on boot failure" enabled. To my surprise when I ran WDAC all enabled, it allowed AppTimer to run. I thought something was messed up, so I made a specific deny rule for AppTimer and this blocked AppTimer from running.
Conclusion: during the 30 minutes playing with WDAC ISG, the Intelligent Security Graph had decided that the unsigned AppTimer was harmless and changed its policy from block to allow.
So ISG really seems to learn now that Microsoft is sharing this backbone for SAC (and SmartScreen) also. This is a change (I used AppTimer since 2019 to test whether my WDAC is working, so this is definitely a change for the better).