Welcome
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
Application Control v2.0.0
Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
Administering Application Control v2.0.0
Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
Generating Blocked WDAC Event Logs on Endpoint
Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.

BigFix Documentation Homepage
BigFix 11 Lifecycle Documentation
Welcome to the BigFix Lifecycle documentation, where you can find information about how to install, maintain, and use BigFix Lifecycle.
BigFix Platform
BigFix Query
Lifecycle overview
BigFix Lifecycle is single-agent, single-console technology that provides near real-time visibility into the state of endpoints.
Lifecycle guides in PDF format
Following is a list of links to the BigFix Lifecycle guides in PDF format:
Software Distribution
Use the BigFix Software Distribution applications to deploy software to endpoints across your network from a single location. Maintain control and visibility into software delivery and installation. Device owners can use the Self Service Application to manage software and other BigFix actions that are deployed to them as offers.
OS Deployment
BigFix OS Deployment, which is part of the BigFix Lifecycle Management suite, provides a consolidated, comprehensive solution to quickly deploy new workstations and servers throughout a network from a single, centralized location. This solution saves time and money, enforces a standardized and approved image, and reduces risks associated with non-compliant or insecure configurations.
Remote Control
BigFix Remote Control application helps to communicate between different components, clients, and endpoints within BigFix environment.
Power Management
Use Power Management to control, monitor, and manage conservation policies in your deployment.
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
- Application Control v2.0.0
  Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
  - Overview
    Set a secure environment by using Application Control.
  - What's new in this release
    A summary of new or changed features and enhancements included in BigFix Application Control v2.0.0
  - Features added in previous releases
    In this section, you can find the feature updates from the previous versions.
  - Application Control Persona’s
    This document outlines the various user persona's associated with the BigFix console, including the Security Administrator, IT Administrator, SOC Analyst, and End User.
  - System Architecture
    The system architecture of Application Control.
  - Migrating from Application Control v1.0.0 to v2.0.0
    Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
  - Administering Application Control v2.0.0
    Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
    - Creating & Setting-up Self Signed Certificate on Endpoint
    - Deploying Default Microsoft Base Policy
      Use this task to deploy a signed Windows Defender Application Control (WDAC) Base Policy on the endpoint using a secure and controlled workflow. This policy is selected from a list of Microsoft-recommended baseline policies and are applied as the endpoint’s active base policy.
    - Deploying Custom Base Policy
      Use this task to deploy a Custom Windows Defender Application Control (WDAC) Base Policy on the endpoint. You must provide the raw XML configuration for the policy before taking action.
    - Deploying Supplemental Policy on Endpoint
      Use this task to create and deploy a signed Windows Defender Application Control (WDAC) supplemental policy on the endpoint using a controlled and secure approach. This supplemental policy is generated as a separate policy file and is linked to an existing base policy using the provided base policy GUID.
    - Refreshing Self-Signed Certificate & Updating Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Refreshing Thumbprint of Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Enforcing Secure ACL on BAC Folder on Endpoint
      Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.
    - Generating Blocked WDAC Event Logs on Endpoint
      Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.
    - Removing (Base/Supplemental) Policy from Endpoint
      Use this task to manage Windows Defender Application Control (WDAC) policies on the endpoint by supporting both supplemental policy removal and full base policy reset using a controlled and safe approach.
    - Removing WDAC Components from Endpoint
      Use this task to remove all the associated files and folders related to Windows Defender Application Control (WDAC) from an endpoint.
    - Viewing Endpoint Details using BigFix® Web Reports
      As an administrator, you can utilize BigFix Web Reports to view a comprehensive, read-only overview of all enterprise endpoints with the application installed. This topic outlines the steps to access and navigate the various tabs that display managed devices, blocklisted applications, allowlisted applications, and exception access logs.
- Migrating from Application Control v1.0.0 to Application Control v2.0.0
  Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
- Application Control v1.0.0 (To be deprecated)
  BigFix Application Control v1.0.0 is a lightweight, native enforcement system for managing application execution across enterprise endpoints. It delivers policy-driven application control within BigFix, enabling IT administrators to enforce usage policies with real-time monitoring and streamlined exception management.
Server Automation
Server Automation provides powerful automation. You can use it to sequence automation actions in steps across multiple endpoints.
Virtual Endpoint Manager
HCL BigFix Virtual Endpoint Manager (VEM) enhances BigFix with centralized, unified endpoint management for hybrid cloud and data center environments, spanning virtual machines and physical endpoints. VEM delivers real-time endpoint visibility, policy-driven automation for configuration and compliance remediation, and consistent security controls to streamline IT operations, reduce risk, and strengthen regulatory compliance.
Profile Management
Profile Management is a WebUI-based feature of BigFix Lifecycle. It provides Security Administrators the capability to define and deploy security policies to Windows 10 and macOS devices.
BigFix Remediate
BigFix MCM

Generating Blocked WDAC Event Logs on Endpoint

Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.

About this task

The task performs the following actions:

Collects events from:
- Microsoft-Windows-CodeIntegrity/Operational
- Microsoft-Windows-AppLocker/MSI and Script
Filters for block-related event IDs:
- Audit mode (would be blocked): 3076, 3034, 8028
- Enforced mode (blocked): 3077, 3033, 8029, 8040
Applies a configurable time frame of 1 to 14 days.
Extracts the following key event details:
- Timestamp
- Event ID
- Mode (Audit / Enforced)
- Log source
- Machine name
- User SID
- Event message
Outputs the results as a structured JSON file to BAC\WDAC_Reports\WDAC_Blocked_Events.json file.
Writes the execution logs to the BAC\Logs\WDAC_Blocked_Events.log file.

Refer to the table below to know more about the task's exit code.

Table 1. Exit Codes Table
Exit Code	Meaning
0	Success
10	Invalid time frame
20	BAC path not found
30	Event query failure
40	No events found
50	Report generation failure

Generate Blocked WDAC Event Logs on Endpoint v2.0 — Figure 1. Task: Generate Blocked WDAC Event Logs on Endpoint

Procedure

In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
From the Fixlets and Tasks pane, select Task: Generate Blocked WDAC Event Logs on Endpoint v2.0.

From the Task: Generate Blocked WDAC Event Logs on Endpoint v2.0 pane, under Configuration Options, enter the following information:

Table 2. Task: Generate Blocked WDAC Event Logs on Endpoint v2.0 Configuration Options
Field Name	Description
Timeframe (Days)	Number of days for which the event logs will be generated.

From the Task: Generate Blocked WDAC Event Logs on Endpoint v2.0 pane, click the Applicable Computers(n) tab and view the endpoints on which you want to run the task.
Select the Take Actions tab and select the endpoints on which you want to apply this installer task.
Click OK.

Results

A successful execution of this task results in the following outcomes:

WDAC block events, both audit and enforced are extracted.
Clean, structured JSON report is generated in the BAC folder.
Data ready for ingestion into dashboards, analysis, or for BigFix® reporting.