I believe I have discovered a bug with the KB5051989 update

Hi,

We have a Windows 11 23H2 (OS Build 22631.4890) HP desktop machine that we have configured as a multi app Kiosk (https://learn.microsoft.com/en-us/windows/configuration/assigned-access/quickstart-restricted-user-experience?tabs=intune&pivots=windows-11) and since installing the February CU KB5051989 the applocker rules don't appear to be working as designed. Before the update, if I copied cmd.exe to a user area and renamed it to msedge.exe it would still be blocked. However, after applying the update and doing the above, cmd.exe will be launched when it should be blocked. Similar to what is described here - https://infosecwriteups.com/how-i-broke-out-of-kiosk-machine-to-get-admin-access-eb7beb8ed169 (I realise this example is old, but we are seeing the same behaviour now). We believe this to be a bug with the KB5051989 update. We can replicate the behaviour consistently. We also tested downloading the latest Windows 11 media with the same update already slip streamed in and this bug is still present.

With the update applied everything is blocked (except msedge.exe) as expected. If just trying to run any other executable such as cmd.exe as normal it is blocked, but if you rename cmd.exe to msedge.exe then it is allowed to run. This wasn't the behaviour before applying the KB5051989 update, before applying the update, if cmd.exe was renamed to msedge.exe it would still be blocked, which is the expected and desired behaviour.

I have been trying to report this bug to Microsoft via multiple different channels but have not had any success yet.

Note: I don't really need an answer/support to fix the issue, rather I am trying to report a bug that Microsoft should probably take a look at.

https://learn.microsoft.com/en-us/answers/questions/2200421/i-believe-i-have-discovered-a-bug-with-the-kb50519