...
Stage 2 Processing
Designed to be used for "Ketch Catch All" policies, or another words the policy that is to be applicable for any application that did not was not applicable by the more targeted 1st stage policies. When a application is executed, the ACS service evaluates that process against each of the ACS policies one by one starting with the 1st Stage policies. 1st Stage policies first evaluate the application and then are re-evaluated to see if the parent process has an applicable action for its children processes. In most cases 1st Stage policies are configured to not continue evaluating policies so once an application is applicable to a 1st Stage policy, it will cease to evaluate any other ACS policies. Once both the new application and the parent process that owns that application have been evaluated through all 1st Stage policies and has not been applicable to any of the policies with a no continue, then the ACS service evaluates all of the 2nd Stage policies, again starting with the application itself and then checking the application's parent process. The 2nd Stage policies then becomes applicable by only applications that make it past all of the previous filters without ever being applicable and so are typically configured with an action that will either removed admin rights or a deny execution. It is also typical that these "Ketch Catch All" policies will use an exclusion filter like "Local System and Service Applications" to make sure that core OS applications don't get stopped due to a missed whitelist item.
...