Migrating from Application Control v1.0.0 to Application Control v2.0.0

Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.

About this task

Because BigFix Application Control v2.0.0 is the only currently supported version of Application Control, it is strongly recommended that you migrate to it. This migration replaces the custom BAC rule engine of Application Control v1.0.0 with the WDAC-based enforcement of Application Control v2.0.0. Existing allow rules are recreated as Supplemental Policies. The migration is a one-time process per endpoint and cannot be reversed without redeployment.

Attention: BigFix Application Control v2.0.0 is the only currently supported version of Application Control. See its documentation here.
CAUTION: As BigFix Application Control v2.0.0 is the only supported version of Application Control, the installation of BigFix Application Control v1.0.0 is disabled.
Tip: To continue using Application Control, we strongly recommend that BigFix Application Control v1.0.0 users migrate to BigFix Application Control v2.0.0.
Warning: BigFix Application Control v1.0.0 is planned to be deprecated in a future release.

Procedure

  1. First, export the existing Application Control v1.0.0 rules by using Web Reports. This captures the currently configured rules for reference. Of the captured rules, only the allowlist rules will be recreated as Supplemental Policies in Application Control v2.0.0.
  2. Next, remove Application Control v1.0.0 from the endpoints. To do so, run the Remove BAC Components from Endpoint task. This removes the BESBAC service, bes_bac.pol, the v1 rule engine, and the BAC binaries and folders. After the task completes successfully, the endpoint is ready for WDAC deployment. Refer to the Remove BigFix Application Control from an Endpoint topic for more details.
  3. Create and set up a self-signed certificate on the endpoint. Refer to the Creating & Setting-up Self Signed Certificate on Endpoint topic for more details.
  4. Deploy the Application Control v2.0.0 Base Policy. You can deploy only one base policy, either the Default Microsoft Base Policy or the Custom Base Policy. This enables the WDAC enforcement model on the endpoint. Refer to the Deploying Default Microsoft Base Policy or Deploying Custom Base Policy topics for more details.
    Note:
    • Base policy is fixed once deployed.
    • No switching or mode change is allowed once the base policy is set.
  5. Recreate the rules exported in step 1 as Supplemental Policies, using the exported rules as reference. Supplemental Policies only extend the allowlist. No block rules are required, because WDAC enforces a default-deny policy. Refer to the Deploying Supplemental Policy on Endpoint topic for more details.
  6. Lastly, monitor the policy activation by using the Web Reports/Analyses, which show the policy and rule inventory and the blocked events. Verify that the required applications are allowed and the policies are activated, and ensure that there are no unexpected blocks. Refer to the Viewing Endpoint Details using BigFix Web Reports topic for more details.
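
An endpoint-side cross-check for step 6, as an added example that is not part of the BigFix product or its documentation: it reads the Windows Code Integrity operational log for policy activations (event 3099) and for blocked or would-be-blocked files (events 3077 and 3076), so the result can be compared with what Web Reports shows. The EventData field names used for the file, process and policy are assumptions about the event schema, and the look-back window is an arbitrary sample value.

```powershell
# Added example: local cross-check of WDAC policy activation and blocks.
# Run in an elevated PowerShell session on a migrated endpoint.
$HoursBack = 24   # sample look-back window; set it to cover your deployment
$logName   = 'Microsoft-Windows-CodeIntegrity/Operational'
# 3099 = policy loaded, 3076 = would block (audit), 3077 = blocked (enforced)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 3099, 3076, 3077
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No Code Integrity events 3099/3076/3077 in the last $HoursBack hours."
} else {
    # Policy activations: print the rendered message, which names the policy.
    "Policy activations (3099):"
    $events | Where-Object Id -eq 3099 | Sort-Object TimeCreated |
        Format-List TimeCreated, Message

    # Blocks: flatten each event's named EventData fields into a lookup table.
    $rows = foreach ($e in ($events | Where-Object Id -in 3076, 3077)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d -is [System.Xml.XmlElement]) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
        }
        [pscustomobject]@{
            Id      = $e.Id
            # Field names are assumptions; the value is empty if the field is absent.
            File    = $data['File Name']
            Process = $data['Process Name']
            Policy  = $data['PolicyName']
        }
    }

    # Most frequently blocked files first: these are the candidates to compare
    # against the allow rules exported in step 1.
    "Blocked (3077) or would-be-blocked (3076) files:"
    $rows | Group-Object Id, File, Process, Policy |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize -Wrap
}
```

A file that appears here and also has an allow rule in the step 1 export indicates a Supplemental Policy that is missing or not yet active on that endpoint.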