CcmExec.exe is the Host Process for Microsoft Configuration Manager Client and makes changes to the system. If you trust Configuration Manager Software Deployments and Configuration Changes, add CcmExec.exe to your Trusted Updater Policy.
Also search for CcmExec.exe in EMSS > Review > App Control Library > search for all copies of CcmExec.exe and add them to your Trusted Updater Policy.
Before I posted this issue I checked my App Control Library and added all copies of CcmExec.exe to the White listed applications policy.
Now I tried to do as you recommended but events about blocked DLLs still repeat. There are two blocked DLLs - GPEDIT.DLL.MUI (parent process AppControlNotification.exe) and GPEdit.dll (parent process CcmExec.exe).
I was trying to add them to the Authorised Applications group but they are still blocked. There are no problems with other applications, only with these two DLLs.
1. From the App Control Log Query, add GPEDIT.DLL.MUI and GPEdit.dll to your existing Supplemental Policy. Supplemental Policies only allow a program to load into memory.
2. Add CcmExec.exe to your Trusted Updater Policy because this program will load into memory and drop files on the HDD. If you trust this behavior, Trusted Updater is the only policy that will work for you.
For any software distribution tool that you trust to make changes to the system, like installing or updating software, leverage Trusted Updater Policy as much as possible.
Sorry for the delay, we had public holidays.
Yesterday I added the DLLs to the Supplemental Policy and CcmExec.exe to the Trusted Updater policy, but this morning the names of endpoints repeat in the App Control log query and I have ~1K entries in the query. I checked the Trusted Updater policy - there are entries for CcmExec.exe, and also for GPEDIT.DLL.MUI and GPEdit.dll in the Supplemental Policy.
You may want to verify that the files are the exact same hash. The files could have been modified in the time between adding them into the policy, in which case they would still be blocked. Also be sure that the policies have successfully reached the endpoint by checking the agent control panel and reviewing the date/time stamp for the policy that is being used.
Once you have the root process that is updating, using and changing these files in as a trusted updater, any further changes won't need to be managed at this level and will automatically be handled by the trust engine.
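
The hash check suggested in the last reply, as an added example that is not part of the original thread or any vendor tooling: it inventories every copy of the three files named above on an endpoint and flags names that exist with more than one distinct hash. The search root, the hash algorithm (the thread does not say which one the product uses) and the `$PolicyAddedAt` parameter are assumptions.

```powershell
# Added example (not from the thread): list every copy of the files discussed
# above, with hash and last-write time, so they can be compared with the
# entries in the policy.
param(
    # Assumption: copies live under the Windows directory; widen if needed.
    [string]$Root = $env:SystemRoot,
    # Assumption: use whichever algorithm your console displays for file hashes.
    [ValidateSet('SHA1', 'SHA256', 'SHA384', 'SHA512', 'MD5')]
    [string]$Algorithm = 'SHA256',
    # Optional: when the files were added to the policy, to flag later changes.
    [datetime]$PolicyAddedAt = [datetime]::MinValue
)

$names = 'CcmExec.exe', 'GPEdit.dll', 'GPEDIT.DLL.MUI'

$copies = Get-ChildItem -Path $Root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name          = $_.Name.ToLowerInvariant()
            Hash          = if ($h) { $h.Hash } else { 'UNREADABLE' }
            LastWriteTime = $_.LastWriteTime
            # True only when a policy timestamp was supplied and the file is newer.
            ChangedSince  = ($PolicyAddedAt -ne [datetime]::MinValue) -and
                            ($_.LastWriteTime -gt $PolicyAddedAt)
            Path          = $_.FullName
        }
    }

$copies | Sort-Object Name, Hash |
    Format-Table -AutoSize Name, Hash, LastWriteTime, ChangedSince, Path

# A name with several distinct hashes means an entry added for one copy
# does not match the other copies.
$copies | Group-Object Name | ForEach-Object {
    $distinct = @($_.Group | Select-Object -ExpandProperty Hash -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning ("{0}: {1} distinct hashes found on this endpoint." -f $_.Name, $distinct.Count)
    }
}
```

Run it elevated on an affected endpoint and compare the hashes it prints with the ones recorded for the same files in the policy.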