Welcome
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
Application Control v2.0.0
Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
System Architecture
The system architecture of Application Control.

BigFix Documentation Homepage
BigFix 11 Lifecycle Documentation
Welcome to the BigFix Lifecycle documentation, where you can find information about how to install, maintain, and use BigFix Lifecycle.
BigFix Platform
BigFix Query
Lifecycle overview
BigFix Lifecycle is single-agent, single-console technology that provides near real-time visibility into the state of endpoints.
Lifecycle guides in PDF format
Following is a list of links to the BigFix Lifecycle guides in PDF format:
Software Distribution
Use the BigFix Software Distribution applications to deploy software to endpoints across your network from a single location. Maintain control and visibility into software delivery and installation. Device owners can use the Self Service Application to manage software and other BigFix actions that are deployed to them as offers.
OS Deployment
BigFix OS Deployment, which is part of the BigFix Lifecycle Management suite, provides a consolidated, comprehensive solution to quickly deploy new workstations and servers throughout a network from a single, centralized location. This solution saves time and money, enforces a standardized and approved image, and reduces risks associated with non-compliant or insecure configurations.
Remote Control
BigFix Remote Control application helps to communicate between different components, clients, and endpoints within BigFix environment.
Power Management
Use Power Management to control, monitor, and manage conservation policies in your deployment.
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
- Application Control v2.0.0
  Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
  - Overview
    Set a secure environment by using Application Control.
  - What's new in this release
    A summary of new or changed features and enhancements included in BigFix Application Control v2.0.0
  - Features added in previous releases
    In this section, you can find the feature updates from the previous versions.
  - Application Control Persona’s
    This document outlines the various user persona's associated with the BigFix console, including the Security Administrator, IT Administrator, SOC Analyst, and End User.
  - System Architecture
    The system architecture of Application Control.
  - Migrating from Application Control v1.0.0 to v2.0.0
    Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
  - Administering Application Control v2.0.0
    Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
- Migrating from Application Control v1.0.0 to Application Control v2.0.0
  Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
- Application Control v1.0.0 (To be deprecated)
  BigFix Application Control v1.0.0 is a lightweight, native enforcement system for managing application execution across enterprise endpoints. It delivers policy-driven application control within BigFix, enabling IT administrators to enforce usage policies with real-time monitoring and streamlined exception management.
Server Automation
Server Automation provides powerful automation. You can use it to sequence automation actions in steps across multiple endpoints.
Virtual Endpoint Manager
HCL BigFix Virtual Endpoint Manager (VEM) enhances BigFix with centralized, unified endpoint management for hybrid cloud and data center environments, spanning virtual machines and physical endpoints. VEM delivers real-time endpoint visibility, policy-driven automation for configuration and compliance remediation, and consistent security controls to streamline IT operations, reduce risk, and strengthen regulatory compliance.
Profile Management
Profile Management is a WebUI-based feature of BigFix Lifecycle. It provides Security Administrators the capability to define and deploy security policies to Windows 10 and macOS devices.
BigFix Remediate
BigFix MCM

System Architecture

The system architecture of Application Control.

For a better understanding of BigFix Application Control refer to its system architecture diagram below:

Figure 1. BigFix Application Control Architecture

The above diagram shows how the BigFix Server components interact with BigFix endpoints and other components.

The system architecture diagram illustrates the interaction between BigFix Server components and BigFix endpoints. This visual representation aids in understanding the structure and functionality of the BigFix Application Control system.

For Application Control to work properly, we need the following three components:

BigFix Server Components
Application Control mainly utilizes the following three BigFix® Server Components:
- BigFix® Core Server
  
  This is the central processing component for this solution. It manages all communications with the BigFix clients (agents), distributes content (like Fixlets, tasks, and analysis), and enforces policies.
- BigFix® Console
  
  The console is the primary administrative interface for BigFix Application Control. It is a key part of the server-side infrastructure used to manage all aspects of the environment, including creating content and deploying actions. All BigFix Console integrations will be in the External Site.
- BigFix® Web Reports
  
  It provides a web-based interface for reporting and data visualization. The BigFix Agent on the endpoint runs an analysis and sends the result to the BigFix server. Below administrative report(s) that are shown for Application Control:
  
  Effective Policy on Endpoint
Endpoints

On the endpoints the BigFix agent is installed which communicates with Application Control Layer to enforce allowlisting or blocklisting of applications using kernel-based WDAC.

WDAC Enforcement Model: The Application Control policy is authored in XML, then compiled to binary, and then is digitally signed. The digitally signed certificate is then deployed to <EFI System Partition>\EFI\Microsoft\Boot\CiPolicies\Active\. The OS kernel validates the policy and only the allowlisted applications are allowed to execute.