Windows Defender Application Control (WDAC) Support
When you deploy software to a device through Intune, the Windows Defender Application Control (WDAC) policy is not automatically modified to authorize that software. WDAC enforces execution rules based on its defined allow/deny lists and doesn’t dynamically adapt to new deployments from Intune.
That said, if WDAC is configured with Managed Installer (which is our recommended approach), applications deployed via Intune become inherently trusted. This is because the Intune Management Extension, when marked as a managed installer, effectively tells WDAC that any application installed through it should be allowed to run. This gives you strong security control without needing to manually update WDAC policy rules for each new deployment.
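As an added illustration of that configuration (example code, not from the original page or Microsoft's own documentation), the PowerShell below turns on the Managed Installer option in an existing WDAC policy, declares the Intune Management Extension agent as a managed installer through an AppLocker policy, and verifies both settings. The file paths and the rule GUID are hypothetical; the minimum agent version is an assumed value you would set to what you trust.

```powershell
# Added example: enable WDAC Managed Installer and name the Intune Management
# Extension as the managed installer, then verify. Paths below are hypothetical.
$PolicyXml = 'C:\WDAC\BasePolicy.xml'      # existing WDAC policy (assumed)
$PolicyBin = 'C:\WDAC\BasePolicy.cip'
$MiXml     = 'C:\WDAC\ManagedInstaller.xml'

# 1. Rule option 13 is "Enabled:Managed Installer" in the WDAC policy.
Set-RuleOption -FilePath $PolicyXml -Option 13
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 2. AppLocker policy with a ManagedInstaller collection that identifies the
#    Intune Management Extension agent by publisher. Rule Id is a constructed GUID.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="11111111-2222-3333-4444-555555555555"
        Name="Intune Management Extension" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition
            PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*"
            BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
          <BinaryVersionRange LowSection="1.39.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $MiXml -Encoding UTF8

# 3. Merge the managed-installer collection into the local AppLocker policy
#    (other collections are left alone), then apply only that collection.
Set-AppLockerPolicy -XmlPolicy $MiXml -Merge
Start-Service -Name AppIDSvc
appidtel.exe start -mionly

# 4. Verify: effective AppLocker policy carries the ManagedInstaller collection
#    and the WDAC policy carries the option.
[xml]$Effective = Get-AppLockerPolicy -Effective -Xml
$MiCollection = $Effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'ManagedInstaller' }
if (-not $MiCollection) { throw 'Managed Installer collection not present' }
if (-not (Select-String -Path $PolicyXml -Pattern 'Enabled:Managed Installer' -Quiet)) {
    throw 'WDAC policy does not enable the Managed Installer option'
}
# Only files written by the managed installer after this point are tagged as
# trusted; software installed earlier is not retroactively authorized.
```

The WDAC binary policy still has to be deployed to the device (for example through Intune) for the option to take effect; this script only prepares and checks it.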
Looking ahead, as part of our continued application pipeline development, we’re planning a future phase where application testing happens in a sandbox environment before rollout. During this testing, we’ll harvest all the binary information from the deployed applications. That metadata could then either:
- Be made available to clients as a reference, or
- Be consumed directly to update application control (especially WDAC) rules in a more automated way.
This would close the gap between software deployment and policy enforcement, reducing manual overhead while keeping execution controls tight.
So today, the key point is: Intune by itself won’t modify WDAC policies, but with Managed Installer enabled, deployments through Intune are trusted. And longer-term, we’re building towards more automation in how WDAC rules can adapt to what you deploy.