I want to employ AppLocker + UAC as a defensive layer over locally administrative accounts. My desired behavior: local administrators must elevate (UAC) to run an application; the default rule for local administrators must not activate to allow launch of un-elevated applications for local administrators. However, because un-elevated applications launched by local administrators are silently allowed, I cannot utilize AppLocker to protect administrative accounts from malicious applications. While I have seen it suggested that the default local admin app rule be deleted and replaced with one only allowing specific locations for local administrators - this would negatively impact the workflow of my locally administrative users and is not suitable for my organization. Lastly, it is bizarre that the default local admin script rule behaves as expected (un-elevated = not allowed), but the default local admin application rule does not.
born to learn!
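The post's concern is the default AppLocker rule that allows BUILTIN\Administrators (S-1-5-32-544) to run anything. The following added PowerShell example (not code from the original post) audits an AppLocker policy and reports which rule collections still carry a broad Allow rule for that SID, so the Exe and Script collections can be compared directly. It assumes the AppLocker cmdlets are available for the live-policy variant; the embedded policy XML is a constructed sample with placeholder rule IDs so the script also runs offline.

```powershell
# Added example, not from the original post: find Allow rules scoped to
# BUILTIN\Administrators in each AppLocker rule collection and flag the
# ones whose path condition is "*" (the shape of the default admin rule).
$AdministratorsSid = 'S-1-5-32-544'

# Constructed sample policy (placeholder GUIDs): the Exe collection keeps a
# wildcard admin rule, the Script collection only allows one folder.
$SamplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Admin scripts folder" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="C:\AdminScripts\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-BroadAdminAllowRules {
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($collection in $Policy.AppLockerPolicy.RuleCollection) {
        # ChildNodes covers FilePathRule, FilePublisherRule and FileHashRule;
        # only path rules carry FilePathCondition, others yield no paths.
        foreach ($rule in $collection.ChildNodes) {
            if ($rule.UserOrGroupSid -ne $AdministratorsSid -or $rule.Action -ne 'Allow') { continue }
            $paths = @($rule.Conditions.FilePathCondition.Path | Where-Object { $_ })
            [pscustomobject]@{
                Collection  = $collection.Type
                Enforcement = $collection.EnforcementMode
                Rule        = $rule.Name
                Paths       = ($paths -join ', ')
                AllowsAll   = ($paths -contains '*')   # true for the default admin rule
            }
        }
    }
}

# Offline run against the constructed sample: Exe shows AllowsAll = True, Script = False.
Get-BroadAdminAllowRules -Policy ([xml]$SamplePolicyXml) | Format-Table -AutoSize

# On a configured machine, audit the effective policy instead (AppLocker module required):
# Get-BroadAdminAllowRules -Policy ([xml](Get-AppLockerPolicy -Effective -Xml)) | Format-Table -AutoSize
```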