Welcome
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
Application Control v2.0.0
Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
Administering Application Control v2.0.0
Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
Enforcing Secure ACL on BAC Folder on Endpoint
Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.

BigFix Documentation Homepage
BigFix 11 Lifecycle Documentation
Welcome to the BigFix Lifecycle documentation, where you can find information about how to install, maintain, and use BigFix Lifecycle.
BigFix Platform
BigFix Query
Lifecycle overview
BigFix Lifecycle is single-agent, single-console technology that provides near real-time visibility into the state of endpoints.
Lifecycle guides in PDF format
Following is a list of links to the BigFix Lifecycle guides in PDF format:
Software Distribution
Use the BigFix Software Distribution applications to deploy software to endpoints across your network from a single location. Maintain control and visibility into software delivery and installation. Device owners can use the Self Service Application to manage software and other BigFix actions that are deployed to them as offers.
OS Deployment
BigFix OS Deployment, which is part of the BigFix Lifecycle Management suite, provides a consolidated, comprehensive solution to quickly deploy new workstations and servers throughout a network from a single, centralized location. This solution saves time and money, enforces a standardized and approved image, and reduces risks associated with non-compliant or insecure configurations.
Remote Control
BigFix Remote Control application helps to communicate between different components, clients, and endpoints within BigFix environment.
Power Management
Use Power Management to control, monitor, and manage conservation policies in your deployment.
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
- Application Control v2.0.0
  Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
  - Overview
    Set a secure environment by using Application Control.
  - What's new in this release
    A summary of new or changed features and enhancements included in BigFix Application Control v2.0.0
  - Features added in previous releases
    In this section, you can find the feature updates from the previous versions.
  - Application Control Persona’s
    This document outlines the various user persona's associated with the BigFix console, including the Security Administrator, IT Administrator, SOC Analyst, and End User.
  - System Architecture
    The system architecture of Application Control.
  - Migrating from Application Control v1.0.0 to v2.0.0
    Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
  - Administering Application Control v2.0.0
    Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
    - Creating & Setting-up Self Signed Certificate on Endpoint
    - Deploying Default Microsoft Base Policy
      Use this task to deploy a signed Windows Defender Application Control (WDAC) Base Policy on the endpoint using a secure and controlled workflow. This policy is selected from a list of Microsoft-recommended baseline policies and are applied as the endpoint’s active base policy.
    - Deploying Custom Base Policy
      Use this task to deploy a Custom Windows Defender Application Control (WDAC) Base Policy on the endpoint. You must provide the raw XML configuration for the policy before taking action.
    - Deploying Supplemental Policy on Endpoint
      Use this task to create and deploy a signed Windows Defender Application Control (WDAC) supplemental policy on the endpoint using a controlled and secure approach. This supplemental policy is generated as a separate policy file and is linked to an existing base policy using the provided base policy GUID.
    - Refreshing Self-Signed Certificate & Updating Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Refreshing Thumbprint of Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Enforcing Secure ACL on BAC Folder on Endpoint
      Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.
    - Generating Blocked WDAC Event Logs on Endpoint
      Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.
    - Removing (Base/Supplemental) Policy from Endpoint
      Use this task to manage Windows Defender Application Control (WDAC) policies on the endpoint by supporting both supplemental policy removal and full base policy reset using a controlled and safe approach.
    - Removing WDAC Components from Endpoint
      Use this task to remove all the associated files and folders related to Windows Defender Application Control (WDAC) from an endpoint.
    - Viewing Endpoint Details using BigFix® Web Reports
      As an administrator, you can utilize BigFix Web Reports to view a comprehensive, read-only overview of all enterprise endpoints with the application installed. This topic outlines the steps to access and navigate the various tabs that display managed devices, blocklisted applications, allowlisted applications, and exception access logs.
- Migrating from Application Control v1.0.0 to Application Control v2.0.0
  Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
- Application Control v1.0.0 (To be deprecated)
  BigFix Application Control v1.0.0 is a lightweight, native enforcement system for managing application execution across enterprise endpoints. It delivers policy-driven application control within BigFix, enabling IT administrators to enforce usage policies with real-time monitoring and streamlined exception management.
Server Automation
Server Automation provides powerful automation. You can use it to sequence automation actions in steps across multiple endpoints.
Virtual Endpoint Manager
HCL BigFix Virtual Endpoint Manager (VEM) enhances BigFix with centralized, unified endpoint management for hybrid cloud and data center environments, spanning virtual machines and physical endpoints. VEM delivers real-time endpoint visibility, policy-driven automation for configuration and compliance remediation, and consistent security controls to streamline IT operations, reduce risk, and strengthen regulatory compliance.
Profile Management
Profile Management is a WebUI-based feature of BigFix Lifecycle. It provides Security Administrators the capability to define and deploy security policies to Windows 10 and macOS devices.
BigFix Remediate
BigFix MCM

Enforcing Secure ACL on BAC Folder on Endpoint

Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.

About this task

The task performs the following actions:

Validates the existence of the BAC directory at the \Program Files (x86)\BigFix Enterprise\BES Client\BAC location. If the directory is missing, the task exits with a failure code.
Ensures the logging directory exists and writes execution logs to the BAC\Logs\Secure_BAC_Permissions.log location.
Updates Access Control Lists (ACLs):
- Disables inheritance on the BAC directory.
- Removes any existing inherited permissions.
- Grants full control explicitly to NT AUTHORITY\SYSTEM.
Applies the updated ACL to the BAC directory.
Sets ownership of the BAC directory and all child objects recursively to NT AUTHORITY\SYSTEM.
Logs all actions (success/failure) with timestamps for audit and troubleshooting.

Refer to the table below to know more about the task's exit code.

Table 1. Exit Codes Table
Exit Code	Meaning
0	Success
10	BAC directory not found
20	Failed to apply ACL permissions
30	Failed to set ownership

Enforce Secure ACL on BAC Folder on Endpoint v2.0 — Figure 1. Task: Enforce Secure ACL on BAC Folder on Endpoint

Procedure

In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
From the Fixlets and Tasks pane, select Task: Enforce Secure ACL on BAC Folder on Endpoint v2.0.
From the Task: Enforce Secure ACL on BAC Folder on Endpoint v2.0 pane, click the Applicable Computers(n) tab and view the endpoints on which you want to run the task.
Select the Take Actions tab and select the endpoints on which you want to apply this installer task.
Click OK.

Note: Once this task is triggered, it remains as an open action and runs on the system whenever the system becomes relevant. Only an administrator can stop this task.

Results

A successful execution of this task results in the following outcomes:

The BAC directory is fully secured.
Only the SYSTEM account has full control.
Ownership is standardized across all files and sub folders.
Unauthorized or inherited permissions are removed.