Deploying Custom Base Policy

Use this task to deploy a Custom Windows Defender Application Control (WDAC) Base Policy on the endpoint. You must provide the raw XML configuration for the policy before taking action.

About this task

This deployment ensures that the custom policy is trusted, enforced, and persists at the firmware level by placing it in the EFI partition. The script also automatically handles version increments and injects necessary rules to ensure the BigFix client and deployment tools remain operational.
The task performs the following actions:
  • Reads the user-provided Custom XML configuration.
  • Dynamically bumps the policy version (if an older version already exists).
  • Injects mandatory publisher rules (BigFix Client, Refresh Tool, SignTool).
  • Configures rule options (adds 16, 17, 18 and removes 6).
  • Converts the policy from XML format to binary *.cip format.
  • Signs the policy using a trusted code-signing certificate.
  • Validates the signed output to ensure integrity.
  • Mounts the EFI system partition.
  • Deploys the signed policy to EFI\Microsoft\Boot\CiPolicies\Active loaction.
  • Triggers a policy refresh and safely dismounts the EFI partition.
  • Logs all execution details (success/failure) to the BAC\Logs\Deploy_WDAC_CustomBase.log location.
Refer to the table below to know more about the task's exit code.
Table 1. Exit Codes Table
Exit Code Meaning Description
0 Success The WDAC base policy was successfully processed, signed, and deployed.
10 Working directory creation failed The BAC working directory could not be created or accessed.
11 Log directory creation failed The logging directory could not be created, preventing execution tracking.
12 Policy directory creation failed The policy storage directory could not be initialized.
30 Policy processing failure Error occurred during policy preparation, version bumping, or rule injection.
40 Binary conversion failure Failed to convert the WDAC policy from XML format to binary (.cip).
50 Signing failure The policy signing process failed or generated an invalid signature.
60 Deployment failure Failed to mount the EFI partition or copy the policy to the target location.
70 Policy refresh failure The policy refresh process or EFI dismount failed.
Figure 1. Task: Deploy Custom Base Policy

Deploy Custom Base Policy v2.0

Procedure

  1. In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
  2. From the Fixlets and Tasks pane, select Task: Deploy Custom Base Policy v2.0.
  3. From the Task: Deploy Custom Base Policy v2.0 pane, under Configuration Options, paste the raw XML configuration for your base policy into the provided text area.


  4. From the Task: Deploy Custom Base Policy v2.0 pane, click the Applicable Computers(n) tab and view the endpoints on which you want to run the task.
  5. Select the Take Actions tab and select the endpoints on which you want to apply this installer task.
  6. Click OK.

Results

A successful execution of this task results in the following outcomes:
  • The custom WDAC base policy is successfully deployed to the system.
  • The system enforces or audits applications based on the provided XML logic.
  • The policy persists across reboots via EFI deployment
  • Execution logs become available for audit and troubleshooting.