Welcome
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
Application Control v2.0.0
Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
Administering Application Control v2.0.0
Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
Creating & Setting-up Self Signed Certificate on Endpoint

BigFix Documentation Homepage
BigFix 11 Lifecycle Documentation
Welcome to the BigFix Lifecycle documentation, where you can find information about how to install, maintain, and use BigFix Lifecycle.
BigFix Platform
BigFix Query
Lifecycle overview
BigFix Lifecycle is single-agent, single-console technology that provides near real-time visibility into the state of endpoints.
Lifecycle guides in PDF format
Following is a list of links to the BigFix Lifecycle guides in PDF format:
Software Distribution
Use the BigFix Software Distribution applications to deploy software to endpoints across your network from a single location. Maintain control and visibility into software delivery and installation. Device owners can use the Self Service Application to manage software and other BigFix actions that are deployed to them as offers.
OS Deployment
BigFix OS Deployment, which is part of the BigFix Lifecycle Management suite, provides a consolidated, comprehensive solution to quickly deploy new workstations and servers throughout a network from a single, centralized location. This solution saves time and money, enforces a standardized and approved image, and reduces risks associated with non-compliant or insecure configurations.
Remote Control
BigFix Remote Control application helps to communicate between different components, clients, and endpoints within BigFix environment.
Power Management
Use Power Management to control, monitor, and manage conservation policies in your deployment.
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
- Application Control v2.0.0
  Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
  - Overview
    Set a secure environment by using Application Control.
  - What's new in this release
    A summary of new or changed features and enhancements included in BigFix Application Control v2.0.0
  - Features added in previous releases
    In this section, you can find the feature updates from the previous versions.
  - Application Control Persona’s
    This document outlines the various user persona's associated with the BigFix console, including the Security Administrator, IT Administrator, SOC Analyst, and End User.
  - System Architecture
    The system architecture of Application Control.
  - Migrating from Application Control v1.0.0 to v2.0.0
    Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
  - Administering Application Control v2.0.0
    Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
    - Creating & Setting-up Self Signed Certificate on Endpoint
    - Deploying Default Microsoft Base Policy
      Use this task to deploy a signed Windows Defender Application Control (WDAC) Base Policy on the endpoint using a secure and controlled workflow. This policy is selected from a list of Microsoft-recommended baseline policies and are applied as the endpoint’s active base policy.
    - Deploying Custom Base Policy
      Use this task to deploy a Custom Windows Defender Application Control (WDAC) Base Policy on the endpoint. You must provide the raw XML configuration for the policy before taking action.
    - Deploying Supplemental Policy on Endpoint
      Use this task to create and deploy a signed Windows Defender Application Control (WDAC) supplemental policy on the endpoint using a controlled and secure approach. This supplemental policy is generated as a separate policy file and is linked to an existing base policy using the provided base policy GUID.
    - Refreshing Self-Signed Certificate & Updating Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Refreshing Thumbprint of Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Enforcing Secure ACL on BAC Folder on Endpoint
      Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.
    - Generating Blocked WDAC Event Logs on Endpoint
      Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.
    - Removing (Base/Supplemental) Policy from Endpoint
      Use this task to manage Windows Defender Application Control (WDAC) policies on the endpoint by supporting both supplemental policy removal and full base policy reset using a controlled and safe approach.
    - Removing WDAC Components from Endpoint
      Use this task to remove all the associated files and folders related to Windows Defender Application Control (WDAC) from an endpoint.
    - Viewing Endpoint Details using BigFix® Web Reports
      As an administrator, you can utilize BigFix Web Reports to view a comprehensive, read-only overview of all enterprise endpoints with the application installed. This topic outlines the steps to access and navigate the various tabs that display managed devices, blocklisted applications, allowlisted applications, and exception access logs.
- Migrating from Application Control v1.0.0 to Application Control v2.0.0
  Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
- Application Control v1.0.0 (To be deprecated)
  BigFix Application Control v1.0.0 is a lightweight, native enforcement system for managing application execution across enterprise endpoints. It delivers policy-driven application control within BigFix, enabling IT administrators to enforce usage policies with real-time monitoring and streamlined exception management.
Server Automation
Server Automation provides powerful automation. You can use it to sequence automation actions in steps across multiple endpoints.
Virtual Endpoint Manager
HCL BigFix Virtual Endpoint Manager (VEM) enhances BigFix with centralized, unified endpoint management for hybrid cloud and data center environments, spanning virtual machines and physical endpoints. VEM delivers real-time endpoint visibility, policy-driven automation for configuration and compliance remediation, and consistent security controls to streamline IT operations, reduce risk, and strengthen regulatory compliance.
Profile Management
Profile Management is a WebUI-based feature of BigFix Lifecycle. It provides Security Administrators the capability to define and deploy security policies to Windows 10 and macOS devices.
BigFix Remediate
BigFix MCM

Creating & Setting-up Self Signed Certificate on Endpoint

About this task

Use this task to generate and configure a self-signed code-signing certificate on the endpoint for use with Windows Defender Application Control (WDAC).

The task performs the following:

Creates the following required BAC directories if they do not exist:
- BAC\Certs
- BAC\Logs
Generates a self-signed code-signing certificate with:
- RSA 4096-bit key
- SHA256 hashing
- Digital Signature usage
- Validity based on user input
Stores the certificate at the Cert:\LocalMachine\My location.
Exports the public certificate to the BAC\Certs\WDAC_SigningCert.cer folder.
Logs errors (if any) to the BAC\Logs\Create_WDAC_SigningCert.log location.

Refer to the table below to know more about the task's exit code.

Table 1. Exit Codes Table
Exit Code	Meaning
0	Success
10	BAC directory creation failure
11	Certificate directory creation failure
12	Log directory creation failure
20	Certificate creation failure
30	Certificate export failure

Setup and Create Self-Signed Certificate on Endpoint v2.0 — Figure 1. Task: Setup and Create Self-Signed Certificate

Procedure

In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
From the Fixlets and Tasks pane, select Task: Setup and Create Self-Signed Certificate on Endpoint v2.0.

From the Task: Setup and Create Self-Signed Certificate on Endpoint v2.0 pane, under Configuration Options, enter the following information:

Table 2. Task: Setup and Create Self-Signed Certificate on Endpoint v2.0 Configuration Options
Field Name	Description
Certificate Validity (Years)	Number of years for which the newly generated certificate will be valid.

From the Task: Setup and Create Self-Signed Certificate on Endpoint v2.0 pane, click the Applicable Computers(n) tab and view the endpoints on which you want to run the task.
Select the Take Actions tab and select the endpoints on which you want to apply this installer task.
Click OK.

Results

A successful execution of this task results in the following outcomes:

A self-signed WDAC certificate is created on the endpoint.
The certificate is available in the LocalMachine store.
The public certificate is exported to the BAC folder.
A certificate is ready for WDAC policy signing and deployment.