Problems with WDAC and apps blocked

Question

Problems with WDAC and apps blocked

David Rivera 10

We have WDAC configured and applications deployed through Managed Installer (Intune) and signed by Microsoft are being blocked by Application Control for Business (such as Visual Studio, Docker Desktop, and SQL Server Management Studio). We have reviewed the WDAC configuration and everything appears to be correct, but we do not know the source of the application blocking.

David Rivera 10 Reputation points

2026-04-02T11:06:47.1233333+00:00

The current configuration of WDAC / Application Control for Business is intentional and complies with our core security standards.

Please note that, for security reasons, code integrity cannot be disabled in our environment. This control is mandatory to ensure compliance with our internal security policies.

We have verified the following aspects:

The behaviour of applications that are not explicitly trusted.

The trust settings for managed installers deployed via Intune.

Additional trust options and the interaction between core and supplementary policies.

The correct linking, assignment and deployment of policies on target devices.

Any further relaxation of the policy would require a security exception, which is not currently approved. If certain applications remain blocked, we can review them individually and assess whether they can be explicitly permitted via a controlled supplementary policy.

Please let us know if you require details regarding the current policy configuration or logs to analyse a specific blocked executable.
David Rivera 10 Reputation points

2026-04-02T11:17:40.2466667+00:00

We are observing that Visual Studio, Docker Desktop, and SQL Server Management Studio are being blocked by WDAC because some DLL files installed by the applications themselves are not trusted by the effective policy.

Although these applications are Microsoft‑signed and deployed through Intune, WDAC evaluates each executable and DLL at runtime. If the DLLs installed during or after the initial installation are not explicitly covered by the trust rules defined in the base policy and its supplemental policies, they are blocked by design.

This behavior is expected when User Mode Code Integrity (UMCI) and Hypervisor‑protected Code Integrity (HVCI) are enforced, and when the policy operates in enforced mode rather than audit mode. WDAC does not implicitly trust all binaries dropped by an installer unless trust is explicitly extended (for example, via managed installer trust, publisher rules, or supplemental allow rules).

As a result, some application‑installed DLLs, despite being legitimate and required for normal operation, can be blocked if they fall outside the defined trust scope. The supported remediation is to explicitly allow these components using tightly scoped supplemental policies, rather than disabling or weakening Code Integrity controls.
David Rivera 10 Reputation points

2026-04-02T11:20:55.77+00:00

this is our base policy (APP control policy wizzard)
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Josh Weigner 1 Reputation point

2026-04-09T14:11:20.08+00:00

WDAC is terrible and absolutely useless. Without any changes to our policy it has just started hosing our AutoPilot deployments by blocking the Intune Management Extension. Intune is enabled as a managed installer AND was added by signature as an exclusion. Our team is ready to give up and move to ThreatLocker.

2 answers

Your answer

David Rivera 10 Reputation points

2026-04-02T11:06:47.1233333+00:00

The current configuration of WDAC / Application Control for Business is intentional and complies with our core security standards.

Please note that, for security reasons, code integrity cannot be disabled in our environment. This control is mandatory to ensure compliance with our internal security policies.

We have verified the following aspects:

The behaviour of applications that are not explicitly trusted.

The trust settings for managed installers deployed via Intune.

Additional trust options and the interaction between core and supplementary policies.

The correct linking, assignment and deployment of policies on target devices.

Any further relaxation of the policy would require a security exception, which is not currently approved. If certain applications remain blocked, we can review them individually and assess whether they can be explicitly permitted via a controlled supplementary policy.

Please let us know if you require details regarding the current policy configuration or logs to analyse a specific blocked executable.
David Rivera 10 Reputation points

2026-04-02T11:17:40.2466667+00:00

We are observing that Visual Studio, Docker Desktop, and SQL Server Management Studio are being blocked by WDAC because some DLL files installed by the applications themselves are not trusted by the effective policy.

Although these applications are Microsoft‑signed and deployed through Intune, WDAC evaluates each executable and DLL at runtime. If the DLLs installed during or after the initial installation are not explicitly covered by the trust rules defined in the base policy and its supplemental policies, they are blocked by design.

This behavior is expected when User Mode Code Integrity (UMCI) and Hypervisor‑protected Code Integrity (HVCI) are enforced, and when the policy operates in enforced mode rather than audit mode. WDAC does not implicitly trust all binaries dropped by an installer unless trust is explicitly extended (for example, via managed installer trust, publisher rules, or supplemental allow rules).

As a result, some application‑installed DLLs, despite being legitimate and required for normal operation, can be blocked if they fall outside the defined trust scope. The supported remediation is to explicitly allow these components using tightly scoped supplemental policies, rather than disabling or weakening Code Integrity controls.
David Rivera 10 Reputation points

2026-04-02T11:20:55.77+00:00

this is our base policy (APP control policy wizzard)
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Josh Weigner 1 Reputation point

2026-04-09T14:11:20.08+00:00

WDAC is terrible and absolutely useless. Without any changes to our policy it has just started hosing our AutoPilot deployments by blocking the Intune Management Extension. Intune is enabled as a managed installer AND was added by signature as an exclusion. Our team is ready to give up and move to ThreatLocker.

Answer 1

Hello David Rivera, thank you for posting in the Microsoft Q&A community.

I understand that Microsoft-signed applications like Visual Studio, Docker Desktop, and SQL Server Management Studio are being blocked by WDAC despite being deployed via Intune as a Managed Installer.

This behavior often occurs because Managed Installer trust relies on Extended Attributes (EA) being written to the file at the time of creation; however, complex installers like Visual Studio often extract binaries via sub-processes or perform post-install updates that may not inherit the "Managed" token. Additionally, while these apps are Microsoft-signed, your base policy may not explicitly trust the specific certificates used by these developer tools if you are using a restrictive template.

To resolve this, please verify that the Intune Management Extension is correctly configured as a Managed Installer and check if the blocked files possess the required Extended Attributes by running the following command in a CMD:


fsutil file queryea "C:\Path\To\Blocked\File.dll"

If the EA is missing, you should consider implementing a Supplemental Policy specifically for the Microsoft Publisher or enabling the Intelligent Security Graph (ISG) to allow reputable Microsoft-signed binaries that fall outside the Managed Installer's scope.

To provide a more precise recommendation, please share the details from Event ID 3077 or 3076 found under Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational, specifically the FileName and Requested Signing Level.

I will follow up on this thread to ensure your issue is resolved. If this helps, please consider "Accepting" the answer to assist the community.

Official Documentation:

Understanding Application Control for Business policy rules and file rules

Manage Windows Defender Application Control with Managed Installers

Answer 2

Application Control for Business (WDAC) will block any executable that is not within the trust scope defined by the active base policy plus any supplemental policies. Even when apps are:

Deployed via Intune as a managed installer, and
Signed by Microsoft (for example Visual Studio, Docker Desktop, SQL Server Management Studio),

they are still blocked if the WDAC/App Control for Business configuration does not actually grant trust from those sources.

Key areas to verify in the current configuration:

Behavior for apps not explicitly trusted
In the App Control for Business policy, the behavior for all other apps and files that are not covered by rules is controlled by Enable trust of Windows components and store apps:
- If this setting is Enabled, then anything not explicitly trusted by the policy is blocked from running.
- If this setting is set to Audit only, then those apps are only logged and not blocked. If this is set to Enabled and the additional trust options are not configured correctly, Microsoft‑signed apps like Visual Studio or SSMS can be blocked.
Trust from managed installers
For apps deployed through Intune to be automatically allowed, the policy must explicitly trust the managed installer:
- In the App Control for Business policy using Built‑in controls, under Select additional options for trusting apps, ensure Trust apps from managed installers is selected. This allows apps deployed through Intune (after the Intune Management Extension is configured as a managed installer) to run.
- If using custom XML, the WDAC policy must include the managed installer configuration as described in the managed installer guidance. Without this, Intune‑deployed apps are treated like any other untrusted code and can be blocked.
Additional trust options
Still under Built‑in controls, consider enabling Trust apps with a good reputation. This uses the Microsoft Intelligent Security Graph to allow reputable apps that are otherwise not explicitly covered by the policy. If this is not enabled and the base policy is restrictive, some Microsoft‑signed desktop apps can be blocked.
Base vs supplemental policies
WDAC/App Control for Business evaluates the combination of the base policy and any supplemental policies, and the most restrictive result wins. To expand what is allowed:
- Use one or more supplemental policies to extend the trust defined by the base policy. A supplemental policy can only expand a single base policy, but multiple supplementals can target the same base policy.
- Ensure each supplemental policy is in XML format and references the correct PolicyID of the base policy. If the supplemental policy is not correctly linked, its allow rules will not apply and the base policy’s more restrictive behavior will continue to block apps like Visual Studio, Docker Desktop, and SSMS.
Confirm policy type and deployment
- If the App Control for Business policy is configured with Enter xml data and the XML is incomplete or overly restrictive (for example, only allowing a narrow set of publishers or paths), then Microsoft‑signed desktop apps can be blocked even though they are legitimate.
- Verify that the correct policy (base plus any supplementals) is actually assigned to the device groups in Intune and that devices have received and applied the latest version. WDAC policies apply at the device scope.
Temporarily removing blocks while investigating
If it is necessary to ensure nothing is blocked while identifying the exact cause:
- Deploy an updated WDAC/App Control for Business policy that effectively allows everything (for example, modeled on the AllowAll.xml example at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml with rules that Allow /*).
- After this updated policy is deployed and applied, delete the policy from the Intune portal. As documented, policies deleted from Intune remain in effect until the next reboot; after the reboot, with an allow‑all policy removed, no WDAC blocks remain.

By checking these specific settings—especially Enable trust of Windows components and store apps, Trust apps from managed installers, and the linkage and content of any supplemental policies—it is possible to identify why Microsoft‑signed, Intune‑deployed apps are still being blocked and adjust the configuration so they are allowed.

References:

Share via

Problems with WDAC and apps blocked

2 answers

Your answer