This policy setting allows you to specify if RAM-installed unsigned applications are allowed to run as privileged applications ...

This policy setting allows you to specify if RAM-installed unsigned applications are allowed to run as privileged applications by default.  Note: If an application is signed, but the certificate that is needed to verify the signature cannot be found on the device, then the application is treated as an unsigned application and the privilege level is defined by the certificate. This policy does not affect how application signing or the application revocation policy is applied to applications.  If you enable this policy, then all RAM-installed unsigned applications specified in this policy are allowed to run as privileged applications by default. It is recommended that you also enable the "Block unsigned applications from running on devices" policy in order to prevent the user from being able to decide whether an unsigned application is allowed to run. To specify an unsigned application that you want to allow to run, click Show, then Add, then enter the application hash value in the name field and the file name in the value field, and then click OK.  If you disable or do not configure this policy, then only the "Block unsigned applications from running on devices" policy, and the "Turn off user prompts on unsigned .cab file installation" policy are used to determine whether a specific RAM-installed unsigned application is allowed to run.