Thank you for your input. Containment will allow files(installers) that are digitally signed or files(installers) that have been manually whitelisted by our AV LAB team. Unrecognized files(installers) will be virtualized and block the ones that have malicious ratings. We can suggest creating a specific exclusion folder for your specific applications.
I recommend you clone the policy and make a separate one for each company. Even split it down to workstation and servers etc. Allows for more granular and far greater control. Don’t use the default for all devices.