diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index 3203610df6..3f07cd2b87 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -45,6 +45,9 @@ To create effective WDAC deny policies, it's crucial to understand how WDAC pars
 
 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly.
 
+> [!NOTE]
+> If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. More details can be found [here](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph?source=docs#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work).
+
 ## Interaction with Existing Policies
 
 ### Adding Allow Rules