Deploying Supplemental Policy on Endpoint

Use this task to create and deploy a signed Windows Defender Application Control (WDAC) supplemental policy on the endpoint using a controlled and secure approach. This supplemental policy is generated as a separate policy file and is linked to an existing base policy using the provided base policy GUID.

About this task

The task performs the following actions:
  • Accepts the rule input in either Single-Level or Multi-Level (CSV) format.
  • Generates WDAC rules based on file attributes: hash, publisher, file path or file name.
  • Creates a new supplemental policy in the multiple policy format.
  • Links the newly created supplemental policy to the specified base policy GUID.
  • Supports enforced and audit execution modes.
  • Converts the policy from XML to the binary (*.cip) format.
  • Signs the policy using a trusted code-signing certificate.
  • Mounts the EFI system partition to deploy the policy.
  • Copies the signed policy to the EFI\Microsoft\Boot\CiPolicies\Active location.
  • Creates a new supplemental policy with a unique policy ID on each execution, without modifying existing policies.
  • Logs execution details (success/failure) to the BAC\Logs\Deploy_WDAC_SuppPolicy.log location.
Refer to the table below for the task's exit codes.
Table 1. Exit Codes Table

  Exit Code   Meaning
  0           Success
  20          Missing base policy GUID
  30          No valid rules generated
  40          Signing failure or invalid signed output
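The following PowerShell script is an added example that walks through the same pipeline the task performs (rule generation, supplemental policy creation in the multiple policy format, audit/enforced mode, XML-to-binary conversion, signing, and deployment to the EFI system partition) and returns the exit codes from Table 1. It is not the BigFix task's own script. It assumes the ConfigCI module cmdlets are available, that signtool.exe is on the PATH, that a code-signing certificate with the subject given in $SignerName is installed, and it uses an assumed work directory, log path and the S: drive letter for the mounted EFI partition. The Single-Level case is handled as the degenerate form of the Multi-Level CSV input.

```powershell
#Requires -RunAsAdministrator
# Added example, not the BigFix task's own script. Assumes the ConfigCI module
# (New-CIPolicyRule, New-CIPolicy, Set-CIPolicyIdInfo, Set-RuleOption,
# ConvertFrom-CIPolicy) is available, signtool.exe is on PATH, and a
# code-signing certificate with subject $SignerName is installed. Exit codes
# 20/30/40 follow the task's exit code table; the work directory, signer name
# and the S: drive letter used for the EFI partition are assumptions.
param(
    [string]$BasePolicyGuid   = '',                       # Base Policy GUID (required)
    [ValidateSet('Enforced', 'Audit')]
    [string]$ExecutionMode    = 'Audit',                  # Execution Mode
    [string]$ApplicationPaths = '',                       # Single-Level: paths, newline or comma separated
    [ValidateSet('Hash', 'Publisher', 'FilePath', 'FileName')]
    [string]$RuleLevel        = 'Publisher',              # Single-Level: level applied to every path
    [string]$CsvRules         = '',                       # Multi-Level: one "Path, Rule Level" per line
    [string]$SignerName       = 'Contoso WDAC Policy Signing',   # assumed certificate subject
    [string]$WorkDir          = "$env:ProgramData\BAC\WDAC"      # assumed work directory
)
$ErrorActionPreference = 'Stop'
$validLevels = @('Hash', 'Publisher', 'FilePath', 'FileName')
New-Item -ItemType Directory -Force -Path "$WorkDir\Logs" | Out-Null
$log = "$WorkDir\Logs\Deploy_WDAC_SuppPolicy.log"

function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -LiteralPath $log -Value $line
    Write-Host $line
}
function Fail([int]$Code, [string]$Message) { Write-Log "FAILED ($Code): $Message"; exit $Code }

# 1. The base policy GUID is mandatory (exit 20).
$baseId = [guid]::Empty
if (-not [guid]::TryParse($BasePolicyGuid, [ref]$baseId)) { Fail 20 'Missing or malformed base policy GUID' }

# 2. Normalise both input formats to "path,level" lines; Single-Level just
#    repeats one level for every path.
if ($CsvRules.Trim()) { $lines = $CsvRules -split "`r?`n" }
else { $lines = ($ApplicationPaths -split "[\r\n,]+") | ForEach-Object { "$_,$RuleLevel" } }

# 3. One WDAC rule set per file. A file that cannot yield a rule at the requested
#    level (for example an unsigned binary at Publisher level) falls back to Hash.
$rules = @()
foreach ($entry in $lines) {
    $parts = @(($entry -split ',', 2) | ForEach-Object { $_.Trim() })
    if ($parts.Count -ne 2 -or -not $parts[0]) { continue }
    $path, $level = $parts
    if ($level -notin $validLevels) { Write-Log "Skipping unknown level '$level' for $path"; continue }
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { Write-Log "Skipping missing file $path"; continue }
    $rules += New-CIPolicyRule -DriverFilePath $path -Level $level -Fallback Hash
}
if ($rules.Count -eq 0) { Fail 30 'No valid rules generated' }

# 4. New policy in the multiple policy format, converted to a supplemental policy of
#    the given base. -ResetPolicyID mints a fresh PolicyID on every run, so earlier
#    supplemental policies on the endpoint are left untouched.
$xml = "$WorkDir\SupplementalPolicy.xml"
New-CIPolicy -Rules $rules -FilePath $xml -MultiplePolicyFormat -UserPEs
Set-CIPolicyIdInfo -FilePath $xml -SupplementsBasePolicyID $baseId -ResetPolicyID `
    -PolicyName "BAC supplemental $(Get-Date -Format yyyyMMddHHmmss)" | Out-Null
$policyId = ([xml](Get-Content -LiteralPath $xml -Raw)).SiPolicy.PolicyID   # "{GUID}"

# 5. Execution mode: rule option 3 is "Enabled:Audit Mode".
if ($ExecutionMode -eq 'Audit') { Set-RuleOption -FilePath $xml -Option 3 }
else                            { Set-RuleOption -FilePath $xml -Option 3 -Delete }

# 6. Binary conversion and signing. The deployed file must be named <PolicyID>.cip;
#    signtool /p7 writes a PKCS#7 named <file>.p7 into the given directory (exit 40 on failure).
$cip = "$WorkDir\$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $cip | Out-Null
& signtool.exe sign /v /n $SignerName /p7 $WorkDir /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $cip
$signed = "$cip.p7"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $signed) -or (Get-Item -LiteralPath $signed).Length -eq 0) {
    Fail 40 'Signing failure or invalid signed output'
}

# 7. Mount the EFI system partition and copy the signed policy into the Active folder.
& mountvol S: /S
if ($LASTEXITCODE -ne 0) { throw 'Could not mount the EFI system partition on S:' }
try {
    $active = 'S:\EFI\Microsoft\Boot\CiPolicies\Active'
    New-Item -ItemType Directory -Force -Path $active | Out-Null
    Copy-Item -LiteralPath $signed -Destination "$active\$policyId.cip" -Force
    Write-Log "Deployed supplemental policy $policyId (base $baseId, $ExecutionMode) to $active"
} finally {
    & mountvol S: /D
}
exit 0
```

Two checks a practitioner should make before running anything like this against a production base policy: the base policy must carry rule option 17 (Enabled:Allow Supplemental Policies), or the supplemental policy is ignored, and when the base policy is signed, the certificate used here must be listed among the base policy's supplemental policy signers (Add-SignerRule -Supplemental on the base policy XML before it was signed), or the supplemental policy is rejected at load. Deploy in Audit mode first and review the Code Integrity operational log before switching to Enforced.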
Figure 1. Task: Deploy Supplemental Policy on Endpoint v2.0

Procedure

  1. In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
  2. From the Fixlets and Tasks pane, select Task: Deploy Supplemental Policy on Endpoint v2.0.
  3. From the Task: Deploy Supplemental Policy on Endpoint v2.0 pane, under Configuration Options, set the rule definition type, execution mode, rule level or CSV rules, and the base policy GUID as described in Table 2.


    Table 2. Task: Deploy Supplemental Policy on Endpoint v2.0 Configuration Options

    Field Name            Options        Description
    Rule Definition Type  Single-Level   Same rule level applied to all paths
                          Multi-Level    Rules defined via CSV (path, level)
    Execution Mode        Enforced       Policy is enforced
                          Audit          Policy is applied in audit mode
    Rule Level            Hash           Applicable only in Single-Level mode; the selected level
                          Publisher      (Hash, Publisher, FilePath or FileName) is applied to
                          FilePath       every entry in Application Paths
                          FileName
    Application Paths     N/A            Text box. List of file paths (newline or comma separated). Single-Level mode only.
    CSV Rules             N/A            Text box. CSV input for Multi-Level mode, one rule per line in the format: Path, Rule Level
    Base Policy GUID      N/A            Text field. Required. GUID of the base policy to be supplemented.
  4. From the Task: Deploy Supplemental Policy on Endpoint v2.0 pane, click the Applicable Computers (n) tab to review the endpoints on which the task can run.
  5. Select the Take Actions tab and select the endpoints on which you want to run this task.
  6. Click OK.

Results

A successful execution of this task results in the following outcomes:
  • A new WDAC supplemental policy is created and deployed.
  • The policy is linked to the specified base policy.
  • Existing policies remain unchanged.
  • The endpoint enforces or audits rules based on the selected mode.