How to Configure Intune Management Extension as a Managed Installer for Windows Defender Application Control (WDAC)


Easily Getting Started with Intune Management Extension as a Managed Installer

The Intune Management Extension (IME) is a component of Microsoft Intune that extends management beyond what the built-in MDM (Mobile Device Management) channel can do. It is what lets admins deploy Win32 apps, run PowerShell scripts, and carry out custom configuration tasks on Windows devices.

When the IME is configured as a Managed Installer, it works together with Windows Defender Application Control (WDAC, now called App Control for Business) so that applications installed by Intune are trusted automatically, without an explicit allow rule for every binary.

This guide explains what the Intune Management Extension does, how to configure it as a managed installer, how to verify that it worked, and why that matters for securing enterprise devices.


What Is the Intune Management Extension (IME)?

The Intune Management Extension is a Windows service (service name IntuneManagementExtension, running Microsoft.Management.Services.IntuneWindowsAgent.exe from the "Microsoft Intune Management Extension" folder under Program Files) that Intune installs automatically on managed devices.

It enhances MDM by:

  • Deploying Win32 apps (.intunewin packages)
  • Running PowerShell scripts during policy enforcement
  • Checking in regularly with the Intune service for new assignments
  • Handling custom compliance or remediation tasks

It is installed automatically on Windows 10 and Windows 11 devices when:

  • A Win32 app is targeted to the device or user.
  • A PowerShell script is assigned.
  • Remote Help or Endpoint Privilege Management is in use.

What Is a Managed Installer in Intune?

A Managed Installer (MI) is a process that Windows treats as a trusted source of new files. It is defined through AppLocker (a ManagedInstaller rule collection that names the installer executable), and WDAC consumes it: every file written by the managed installer process or its child processes is tagged with an NTFS extended attribute, and a WDAC policy that has the "Enabled:Managed Installer" option turned on allows tagged files to run.

When the Intune Management Extension is nominated as a Managed Installer, the files it writes while installing Win32 apps carry that tag, so WDAC permits them without a per-app rule.

This means:

  • Apps deployed through Intune are not blocked by WDAC, as long as the WDAC policy has managed installer trust enabled.
  • You do not have to write an allow rule (hash, path, or publisher) for every app or update.
  • You keep a default-deny application control posture while IT operations can still ship software through the normal Intune pipeline.

Two limits are worth knowing up front: files that were already on the device before the managed installer was enabled are not tagged, and files written later by some other process (for example an application's own updater) are not tagged either. Those still need explicit rules in the WDAC policy.

How It Works

Here is a simplified breakdown:

  1. Intune deploys an AppLocker policy whose ManagedInstaller rule collection names the Intune Management Extension, and a WDAC policy that has the "Enabled:Managed Installer" option set.
  2. When IME (or a child process it starts, such as the app's installer) writes a file to disk, Windows tags that file with a managed-installer extended attribute.
  3. When the file is later launched, WDAC sees the tag and, because the policy trusts managed installers, allows it.
  4. The app runs normally without an explicit allow rule for its binaries.

So instead of signing or manually approving every application, you rely on IME as the trusted deployment engine, and the WDAC policy only needs explicit rules for software that does not arrive through it.
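Intune creates both halves of this for you, but seeing them spelled out makes the mechanism concrete. The following is an added example, not from the original post or from Microsoft's own tooling, of how the two pieces are expressed when built by hand with the built-in AppLocker and ConfigCI cmdlets. The base policy path, the output folder, and the use of a path rule (Intune deploys its own rule for IME) are assumptions for illustration; run it on a test device, not in production.

```powershell
# Added example: hand-built equivalent of "Intune Management Extension as a managed installer".
# Run in an elevated PowerShell window on Windows 10/11 (ConfigCI and AppLocker modules are built in).
# Assumption: a WDAC policy XML already exists at $BasePolicy, e.g. a copy of
#   C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml
# in multiple-policy format (it carries a <PolicyID> element).
$BasePolicy  = 'C:\WDAC\BasePolicy.xml'        # assumption
$AppLockerMi = 'C:\WDAC\ManagedInstaller.xml'  # assumption

# Part 1: the AppLocker "ManagedInstaller" rule collection that nominates the IME binary.
# WDAC never names the installer itself; that is done here. %PROGRAMFILES% in AppLocker covers
# both "Program Files" and "Program Files (x86)", where IME lives on 64-bit Windows.
# A path rule is used for readability; a publisher rule is more robust in production.
$miXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Intune Management Extension" Description="Added example: IME as managed installer" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $AppLockerMi -Value $miXml -Encoding UTF8

# Merge the collection into the local AppLocker policy (the ManagedInstaller collection is not
# shown in the AppLocker GUI but is honored by the Application Identity service), then tell
# AppIdSvc to start processing the managed installer rules, as Microsoft documents for manual deployment.
Set-AppLockerPolicy -XmlPolicy $AppLockerMi -Merge
appidtel.exe start -mionly

# Part 2: the WDAC side. Option 13 = "Enabled:Managed Installer"; without it WDAC ignores the
# tag the managed installer writes. Option 3 = "Enabled:Audit Mode"; keep it on for the first rollout
# so that 3076 events in the CodeIntegrity log show what would be blocked instead of blocking it.
Set-RuleOption -FilePath $BasePolicy -Option 13
Set-RuleOption -FilePath $BasePolicy -Option 3

# Compile to the binary format Windows loads. Multiple-policy-format binaries are named {PolicyID}.cip
# and deployed to C:\Windows\System32\CodeIntegrity\CiPolicies\Active (Intune does this step via MDM).
$policyId = ([xml](Get-Content -Path $BasePolicy)).SiPolicy.PolicyID
ConvertFrom-CIPolicy -XmlFilePath $BasePolicy -BinaryFilePath "C:\WDAC\$policyId.cip"
```

The point of the two-part layout is that either half alone does nothing useful: the AppLocker rule without option 13 tags files that WDAC then ignores, and option 13 without the AppLocker rule trusts a tag that nothing ever writes. When Intune is used, Step 2 below provides the first half tenant-wide and the "Trust apps from managed installers" setting in the policy provides the second.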


How to Enable Intune Management Extension as a Managed Installer

Step 1. Create an App Control for Business (WDAC) policy

You can create a WDAC policy using Intune:

  1. Open the Intune admin center.
  2. Go to Endpoint security → App Control for Business (preview) and open the App control policies tab.
  3. Click Create Policy and choose Windows 10 and later.
  4. Under Configuration settings, use the built-in controls: enable the policy to trust Windows components and Store apps, pick Audit only for the first rollout (switch to Enforce once the audit log is clean), and select Trust apps from managed installers. This last option is what sets "Enabled:Managed Installer" in the generated policy; without it, Step 2 has no effect.
  5. Under Assignments, select your target device group.

Once enforced, this WDAC policy ensures only code the policy trusts (Windows components, Store apps, anything you add explicit rules for, and files written by a managed installer) runs on the endpoints.


Step 2. Add the Intune Management Extension as a Managed Installer

  1. In Endpoint security → App Control for Business (preview), open the Managed installer tab.
  2. Click Add and confirm that you want to add the Intune Management Extension as a managed installer.
     ✅ This is a tenant-wide setting, not part of an individual policy: Intune deploys an AppLocker policy containing a ManagedInstaller rule collection for IME to all enrolled Windows devices, not only the group targeted in Step 1, and it can take a while to reach every device.
  3. On a client device, open an elevated PowerShell window (not a Command Prompt; these are cmdlets) and run: Get-AppLockerPolicy -Effective -Xml
     The output should contain a RuleCollection with Type="ManagedInstaller" whose rule points at the IME binary (Microsoft.Management.Services.IntuneWindowsAgent.exe or its publisher).
  4. That confirms the device has registered the Intune Management Extension as a Managed Installer. The WDAC side is confirmed by the Trust apps from managed installers option selected in Step 1.

Step 3. Verify IME Deployment Behavior

To confirm everything is working:

  • Deploy a test Win32 app (e.g., Notepad++) through Intune and wait for it to install.
  • In an elevated PowerShell window, run fsutil file queryEA against one of the installed binaries. A file written by a managed installer carries an extended attribute named $KERNEL.SMARTLOCKER.ORIGINCLAIM; if it is missing, the file was not written by IME and managed installer trust will not apply to it.
  • Launch the app, then check Event Viewer → Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational.
  • WDAC does not log an "allowed by managed installer" event. What you are looking for is the absence of events for the app's binaries: Event ID 3076 (audit mode, would have been blocked) or 3077 (enforced mode, blocked) for those files means managed installer trust did not apply.

If the extended attribute is present and no 3076/3077 events appear for the app, your setup is correct.


Benefits of Using IME as a Managed Installer

Benefit | Description
Seamless trust for Intune apps | WDAC automatically allows software that Intune deploys
Less administrative overhead | No need to write an allow rule or sign each installer
Better security posture | Reduces the attack surface by blocking unapproved executables
Fewer helpdesk tickets | Users do not see blocked or untrusted app prompts for Intune-deployed software
Supports a Zero Trust strategy | Maintains default-deny application control while keeping deployment flexible

Troubleshooting Tips

If apps still get blocked:

  • Confirm the WDAC policy actually trusts managed installers (the Trust apps from managed installers option in Intune, which corresponds to the "Enabled:Managed Installer" rule option in the policy XML). Without it the tag is ignored and every Intune-deployed file needs its own rule.
  • Confirm the device has received the managed installer AppLocker policy: Get-AppLockerPolicy -Effective -Xml must show a ManagedInstaller rule collection naming IME, and the Application Identity service (AppIDSvc) must be running.
  • Check that the Intune Management Extension service (IntuneManagementExtension) is running and that the blocked app was installed by it. Files that were on the device before the managed installer was enabled, or that were written later by another process such as the app's own updater, are not tagged and need an explicit allow rule.
  • Run fsutil file queryEA on the blocked file: no $KERNEL.SMARTLOCKER.ORIGINCLAIM attribute means the managed installer never wrote it.
  • Review the CodeIntegrity Operational log. Event ID 3077 is an enforced block and 3076 is an audit-mode "would have blocked"; both name the file and the policy that made the decision. Keep the policy in Audit mode until 3076 events stop appearing for the apps you expect to be trusted, then switch to Enforce.
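The checks in Steps 2 and 3 and in the troubleshooting list above can be run in one pass. The script below is an added example, not from the original post or from Intune, and only reads state; the $TestFile path is an assumption that you should point at a binary an Intune-deployed Win32 app wrote to disk.

```powershell
# Added example: read-only checks for managed installer trust on a managed client.
# Run in an elevated PowerShell window. Nothing here changes the device.
$TestFile = 'C:\Program Files\Notepad++\notepad++.exe'   # assumption: a file written by an Intune-deployed Win32 app

# 1. The two services the mechanism depends on: IME writes the files, Application Identity drives AppLocker.
foreach ($svcName in 'IntuneManagementExtension', 'AppIDSvc') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc)                      { Write-Warning "Service $svcName is not installed" }
    elseif ($svc.Status -ne 'Running')  { Write-Warning "Service $svcName is $($svc.Status)" }
    else                                { "Service $svcName is running" }
}

# 2. Has the device received the AppLocker policy that nominates IME as a managed installer?
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$miRules = @($effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'ManagedInstaller' })
if ($miRules.Count -eq 0) {
    Write-Warning 'No ManagedInstaller rule collection in the effective AppLocker policy: IME is not a managed installer on this device yet.'
} else {
    'ManagedInstaller rule collection(s) found; confirm one of them names the IME binary or its publisher:'
    $miRules | ForEach-Object { $_.OuterXml }
}

# 3. Was the test file written by a managed installer? The tag is an NTFS extended attribute that
#    fsutil can display; a tagged file shows an EA named $KERNEL.SMARTLOCKER.ORIGINCLAIM.
if (Test-Path -Path $TestFile) {
    fsutil file queryEA $TestFile
} else {
    Write-Warning "$TestFile not found; point `$TestFile at a file the Intune-deployed app installed"
}

# 4. WDAC decisions about the test file in the last 24 hours.
#    3077 = blocked by an enforced policy, 3076 = would have been blocked by an audit policy.
#    WDAC logs no "allowed" event, so an empty result here is the good outcome.
$leaf = [regex]::Escape((Split-Path -Path $TestFile -Leaf))
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $leaf } |
    Select-Object TimeCreated, Id,
        @{ n = 'Outcome'; e = { if ($_.Id -eq 3077) { 'Blocked (enforced)' } else { 'Would block (audit)' } } },
        Message
```

Reading the results together tells you which half failed: a ManagedInstaller collection present but no extended attribute on the file means the file was not written by IME (pre-existing, or written by another process) and needs an explicit rule; an extended attribute present but a 3077 event for the same file means the WDAC policy on the device does not have managed installer trust enabled.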

Conclusion

The Intune Management Extension is more than an app deployment engine. It is the bridge between modern management and enterprise-grade application control.

When configured as a Managed Installer, and when the WDAC policy is set to trust managed installers, it allows Intune-deployed applications to run within a WDAC-protected environment without per-app rules, reducing risk and simplifying management.

By combining Intune, WDAC, and Managed Installers, organizations can enforce default-deny application control with minimal friction, using only Microsoft's endpoint management stack.

