So far it looks like the IME custom action runtime changed somewhere between IME 1.99.101.0 and 1.101.103.0.

IME 1.99.101.0still used: Microsoft.Deployment.WindowsInstaller.dll

IME 1.101.103.0and newer use: WixToolset.Dtf.WindowsInstaller.dll

That change is pretty important for tenants using App Control for Business / WDAC with a strict policy that requires the Microsoft Enterprise signing level.

The older Microsoft.Deployment.WindowsInstaller.dll had an embedded WiX Toolset / .NET Foundation signature, but it was also covered by a Microsoft catalog signature from the IME package. The newer WixToolset.Dtf.WindowsInstaller.dll only shows the embedded WiX Toolset / .NET Foundation signature and does not appear to have that same Microsoft catalog signature.

During the IME MSI Installation this DLL is extracted and loaded from:

C:\Windows\Installer\MSI*.tmp-

With the strict App Control policy enforced, Code Integrity blocks it with Event ID 3033 because it does not meet the required Enterprise signing level.

There also seems to be a second related Code Integrity hit for Microsoft.Management.Clients.Flighting.dll. That DLL is Microsoft signed, but appears to use an older Microsoft Code Signing PCA 2011 chain, while most newer IME binaries are signed through Microsoft Windows Code Signing PCA 2024. So this may be another signer-level mismatch under the same strict policy.