UnsafePaths... now offers four levels of granularity for generated publisher rules; can just create rules for publisher or publisher+product instead of one rule per file. See comments and updated Word doc for details and the special handling for Microsoft-signed files.
UnsafePaths... - called out in rule name and description when hash rule is created for a signed file that doesn't have version information needed for a publisher rule;
Used new lower-granularity rules for provided OneDrive XML rules; dramatically reduces number of rules required.
Small difference in inert timestamp rule so that Compare-Policies shows it as a rule change instead of an added rule + a deleted rule
Scan-Directories.ps1 - fixed bug in -SearchAllUsersProfiles
Scan-Directories.ps1 also outputs BinaryName and BinaryVersion
Exe files to blacklist: added Microsoft.Workflow.Compiler.exe
Changes include: