Welcome
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
Application Control v2.0.0
Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
Administering Application Control v2.0.0
Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
Refreshing Thumbprint of Deployed Policies Signers on Endpoint
Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.

BigFix Documentation Homepage
BigFix 11 Lifecycle Documentation
Welcome to the BigFix Lifecycle documentation, where you can find information about how to install, maintain, and use BigFix Lifecycle.
BigFix Platform
BigFix Query
Lifecycle overview
BigFix Lifecycle is single-agent, single-console technology that provides near real-time visibility into the state of endpoints.
Lifecycle guides in PDF format
Following is a list of links to the BigFix Lifecycle guides in PDF format:
Software Distribution
Use the BigFix Software Distribution applications to deploy software to endpoints across your network from a single location. Maintain control and visibility into software delivery and installation. Device owners can use the Self Service Application to manage software and other BigFix actions that are deployed to them as offers.
OS Deployment
BigFix OS Deployment, which is part of the BigFix Lifecycle Management suite, provides a consolidated, comprehensive solution to quickly deploy new workstations and servers throughout a network from a single, centralized location. This solution saves time and money, enforces a standardized and approved image, and reduces risks associated with non-compliant or insecure configurations.
Remote Control
BigFix Remote Control application helps to communicate between different components, clients, and endpoints within BigFix environment.
Power Management
Use Power Management to control, monitor, and manage conservation policies in your deployment.
Application Control
BigFix Application Control provides a robust framework for managing application usage within an organization. It allows administrators to define policies that dictate which applications can or can not be run on endpoints, thereby enhancing security and compliance.
- Application Control v2.0.0
  Application Control v2.0.0 leverages Windows Defender Application Control (WDAC) for kernel-level policy enforcement to prevent unauthorized software execution.
  - Overview
    Set a secure environment by using Application Control.
  - What's new in this release
    A summary of new or changed features and enhancements included in BigFix Application Control v2.0.0
  - Features added in previous releases
    In this section, you can find the feature updates from the previous versions.
  - Application Control Persona’s
    This document outlines the various user persona's associated with the BigFix console, including the Security Administrator, IT Administrator, SOC Analyst, and End User.
  - System Architecture
    The system architecture of Application Control.
  - Migrating from Application Control v1.0.0 to v2.0.0
    Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
  - Administering Application Control v2.0.0
    Users with an administrator persona can perform the tasks mentioned in this chapter in Application Control v2.0.0.
    - Creating & Setting-up Self Signed Certificate on Endpoint
    - Deploying Default Microsoft Base Policy
      Use this task to deploy a signed Windows Defender Application Control (WDAC) Base Policy on the endpoint using a secure and controlled workflow. This policy is selected from a list of Microsoft-recommended baseline policies and are applied as the endpoint’s active base policy.
    - Deploying Custom Base Policy
      Use this task to deploy a Custom Windows Defender Application Control (WDAC) Base Policy on the endpoint. You must provide the raw XML configuration for the policy before taking action.
    - Deploying Supplemental Policy on Endpoint
      Use this task to create and deploy a signed Windows Defender Application Control (WDAC) supplemental policy on the endpoint using a controlled and secure approach. This supplemental policy is generated as a separate policy file and is linked to an existing base policy using the provided base policy GUID.
    - Refreshing Self-Signed Certificate & Updating Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Refreshing Thumbprint of Deployed Policies Signers on Endpoint
      Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.
    - Enforcing Secure ACL on BAC Folder on Endpoint
      Use this task to secure the BigFix Application Control (BAC) directory by enforcing strict access control and ownership settings.
    - Generating Blocked WDAC Event Logs on Endpoint
      Use this task to extract Windows Defender Application Control (WDAC) / App Control block events from the endpoint's event logs for both audit and enforced modes and generate a structured JSON report for analysis.
    - Removing (Base/Supplemental) Policy from Endpoint
      Use this task to manage Windows Defender Application Control (WDAC) policies on the endpoint by supporting both supplemental policy removal and full base policy reset using a controlled and safe approach.
    - Removing WDAC Components from Endpoint
      Use this task to remove all the associated files and folders related to Windows Defender Application Control (WDAC) from an endpoint.
    - Viewing Endpoint Details using BigFix® Web Reports
      As an administrator, you can utilize BigFix Web Reports to view a comprehensive, read-only overview of all enterprise endpoints with the application installed. This topic outlines the steps to access and navigate the various tabs that display managed devices, blocklisted applications, allowlisted applications, and exception access logs.
- Migrating from Application Control v1.0.0 to Application Control v2.0.0
  Learn how to migrate from Application Control v1.0.0 to Application Control v2.0.0.
- Application Control v1.0.0 (To be deprecated)
  BigFix Application Control v1.0.0 is a lightweight, native enforcement system for managing application execution across enterprise endpoints. It delivers policy-driven application control within BigFix, enabling IT administrators to enforce usage policies with real-time monitoring and streamlined exception management.
Server Automation
Server Automation provides powerful automation. You can use it to sequence automation actions in steps across multiple endpoints.
Virtual Endpoint Manager
HCL BigFix Virtual Endpoint Manager (VEM) enhances BigFix with centralized, unified endpoint management for hybrid cloud and data center environments, spanning virtual machines and physical endpoints. VEM delivers real-time endpoint visibility, policy-driven automation for configuration and compliance remediation, and consistent security controls to streamline IT operations, reduce risk, and strengthen regulatory compliance.
Profile Management
Profile Management is a WebUI-based feature of BigFix Lifecycle. It provides Security Administrators the capability to define and deploy security policies to Windows 10 and macOS devices.
BigFix Remediate
BigFix MCM

Refreshing Thumbprint of Deployed Policies Signers on Endpoint

Use this task to automate the end-to-end renewal, signing, and deployment of Windows Defender Application Control (WDAC) policies to ensure policies remain active and securely signed.

About this task

The task follows the below listed workflow:

Setup: Initializes the logging and ensures that the required BAC directories exist.
XML Processing: Scans for the XML policies, automatically increments their version numbers, and updates the signer rules to trust the current certificate.
Conversion & Signing: Converts the XML to a binary (*.cip) file and cryptographically signs it using signtool.exe.
EFI Deployment: Temporarily mounts the system's hidden EFI partition and deploys the signed policy directly to the boot manager's Active CiPolicies directory.
Refresh: Invokes the local refresh utility to apply the policy immediately without a reboot.

Refer to the table below to know more about the task's exit code.

Table 1. Exit Codes Table
Exit Code	Meaning
0	Success
10	Directory setup failure
20	Certificate creation or export failure
30	XML processing or version bumping failure
40	Binary conversion failure
50	Signtool signing failure
60	EFI mount or deployment failure
70	Policy refresh tool failure
80	Thumbprint rotation failure

Refresh Thumbprint of Deployed Policies Signers on Endpoint v2.0 — Figure 1. Task: Refresh Thumbprint of Deployed Policies Signers on Endpoint

Procedure

In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
From the Fixlets and Tasks pane, select Task: Refresh Thumbprint of Deployed Policies Signers on Endpoint v2.0.
From the Task: Refresh Thumbprint of Deployed Policies Signers on Endpoint v2.0 pane, click the Applicable Computers(n) tab and view the endpoints on which you want to run the task.
Select the Take Actions tab and select the endpoints on which you want to apply this installer task.
Click OK.

Note: Once this task is triggered, it remains as an open action and runs on the system whenever the system becomes relevant. Only an administrator can stop this task.

Results

A successful execution of this task results in the following outcomes:

Local XML policies are updated with incremented version numbers and new signer rules.
Cryptographically signed binary (*.cip) policies are successfully deployed to the EFI partition.
System application control policies are immediately refreshed and enforced.