Nerdio Managed Installer

I’d like to request a feature enhancement around application deployment in Nerdio, specifically to support Windows Defender Application Control Managed Installer scenarios.

When deploying applications to AVD hosts using the Nerdio Shell Apps feature, installations are executed through PowerShell.exe, which then launches installers such as MSI or EXE packages. This aligns with Nerdio’s documentation, where Shell Apps rely on native PowerShell scripts for installation logic.

However, in WDAC environments, PowerShell.exe cannot safely be designated as a Managed Installer. Microsoft’s Managed Installer model only works when the installation is performed by a stable, dedicated, trusted executable, which is then referenced in an AppLocker ManagedInstaller rule.

By comparison:

  • Intune uses the Intune Management Extension (IME.exe) as its installer engine.
  • ConfigMgr/SCCM uses CCMExec.exe and its deployment handler processes.

These executables can be safely designated as Managed Installer binaries, which allows WDAC to automatically trust applications deployed through Intune or SCCM without requiring separate allow rules.

In AVD environments not managed by Intune or SCCM, Nerdio currently does not provide an equivalent dedicated deployment engine executable. This means WDAC cannot automatically trust applications deployed via Nerdio Shell Apps, leading to WDAC blocks unless we manually create supplemental allow rules for every application.

Feature Request:
It would be extremely valuable if Nerdio provided a dedicated, signed Nerdio deployment engine executable that Shell Apps could use to perform installations. This would allow administrators to designate that executable as a Managed Installer in WDAC, enabling applications deployed via Nerdio to be automatically trusted similar to Intune and SCCM without requiring ongoing manual WDAC rule maintenance.

This enhancement would greatly streamline secure application delivery for AVD environments using Nerdio as their primary management platform.

Thank you for considering this request.
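An added example, not part of the original post and not Nerdio's or Microsoft's code: a PowerShell check that reads an AppLocker policy XML and flags ManagedInstaller rules that name a general-purpose script host instead of a dedicated deployment binary, which is the situation the post describes for PowerShell.exe. The sample policy, its rule IDs, the `EXAMPLEDEPLOYAGENT.EXE` binary and `EXAMPLE VENDOR` publisher, the function name and the script-host list are all constructed assumptions.

```powershell
# Constructed sample policy: publisher, binary names and rule IDs are placeholders.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Dedicated agent (placeholder)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR" ProductName="*" BinaryName="EXAMPLEDEPLOYAGENT.EXE">
          <BinaryVersionRange LowSection="1.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Script host as installer" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="POWERSHELL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Assumed list of general-purpose hosts that run arbitrary caller-supplied code.
$scriptHosts = 'POWERSHELL.EXE', 'PWSH.EXE', 'CMD.EXE', 'WSCRIPT.EXE', 'CSCRIPT.EXE', 'MSHTA.EXE'

function Get-ManagedInstallerFinding {
    param([Parameter(Mandatory)][xml]$Policy)
    # Only Allow rules in the ManagedInstaller collection grant installer trust.
    $xpath = "//RuleCollection[@Type='ManagedInstaller']/FilePublisherRule[@Action='Allow']"
    foreach ($rule in $Policy.SelectNodes($xpath)) {
        foreach ($cond in $rule.SelectNodes('Conditions/FilePublisherCondition')) {
            $binary = $cond.GetAttribute('BinaryName').ToUpperInvariant()
            $finding = if ($binary -eq '*') {
                'Wildcard binary: every signed file from this publisher acts as an installer'
            } elseif ($scriptHosts -contains $binary) {
                'Script host: files written by any script it runs are tagged as trusted'
            } else { 'Dedicated binary' }
            [pscustomobject]@{
                Rule    = $rule.GetAttribute('Name')
                Binary  = $binary
                Finding = $finding
            }
        }
    }
}

Get-ManagedInstallerFinding -Policy $policyXml | Format-Table -AutoSize
```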
