Removing (Base/Supplemental) Policy from Endpoint

Use this task to manage Windows Defender Application Control (WDAC) policies on an endpoint. It supports two operations, removing a single supplemental policy and performing a full base policy reset, both carried out in a controlled and safe manner.

About this task

The task performs the following actions:
  • Mounts the EFI system partition to access the boot-level WDAC policies.
  • Supports the following two operational modes:
    • Supplemental Mode: Removes a specific WDAC supplemental policy identified by the provided Policy GUID.
    • Base Mode:
      • Removes all existing WDAC policies (base as well as supplemental) from the System and EFI locations.
      • Deploys a clean AllowAll policy to ensure that no application blocking remains in effect.
      • Ensures that only AllowAll.cip exists after the task completes.
  • Handles both WDAC storage locations:
    • C:\Windows\System32\CodeIntegrity
    • EFI\Microsoft\Boot
  • Removes legacy single-policy files (such as SiPolicy.p7b) if present.
  • Converts AllowAll.xml to its binary *.cip form and deploys it to the active policy locations.
  • Logs all operations (success, warning, failure) to the BAC\Logs\WDAC_Policy_Removal.log file.
Refer to the table below for the meaning of each exit code returned by the task.
Table 1. Exit Codes Table

  Exit Code   Meaning
  0           Success
  10          Invalid input parameters
  20          BAC path not found
  30          EFI mount failure
  40          Policy removal failure
  50          AllowAll.xml not found
  60          AllowAll deployment failure

Figure 1. Task: Remove (Base/Supplemental) Policy from Endpoint v2.0

Procedure

  1. In the BigFix Console, navigate to All Content > BigFix Application Control > Fixlets and Tasks.
  2. From the Fixlets and Tasks pane, select Task: Remove (Base/Supplemental) Policy from Endpoint v2.0.
  3. From the Task: Remove (Base/Supplemental) Policy from Endpoint v2.0 pane, under Configuration Options, enter the following information:

    Table 2. Task: Remove (Base/Supplemental) Policy from Endpoint v2.0 Configuration Options

    Field Name    Options        Description
    Policy Type   Base           Performs a full reset and deploys AllowAll (default).
                  Supplemental   Removes only a specific supplemental policy.
    PolicyId                     Required only when the policy type is Supplemental. Specifies the GUID of the policy to be removed.

  4. From the Task: Remove (Base/Supplemental) Policy from Endpoint v2.0 pane, click the Applicable Computers (n) tab and view the endpoints on which you want to run the task.
  5. Select the Take Actions tab and select the endpoints on which you want to apply this task.
  6. Click OK.

Results

A successful execution of this task results in the following outcomes:
  • In Supplemental mode, only the specified policy is removed.
  • In Base mode, all WDAC policies are removed and replaced with AllowAll.
  • The system remains stable with a valid WDAC configuration.
  • A system reboot is required for changes to take effect.
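The following verification script is an added example, not part of the BigFix task or product: run from an elevated PowerShell session on the endpoint after a Base-mode execution, it checks the outcomes listed above (only AllowAll.cip left in both storage locations, legacy SiPolicy.p7b gone) and surfaces failure entries from the task's log. It assumes drive letter S: is free for the EFI mount, that BAC is installed at %SystemDrive%\BAC (the page does not state the install path), and that failure entries in the log contain the word "fail"; adjust these for your environment.

```powershell
# Added verification example (not BigFix's own code). Run elevated.
# Assumptions: S: is free for the EFI mount; BAC lives at %SystemDrive%\BAC;
# log failure lines contain the word "fail".
param(
    [string]$BacPath  = "$env:SystemDrive\BAC",
    [string]$EfiDrive = 'S:'
)

$systemDir = "$env:SystemRoot\System32\CodeIntegrity"
$efiDir    = "$EfiDrive\EFI\Microsoft\Boot"

# Mount the EFI system partition so the boot-level policy location can be inspected.
& mountvol $EfiDrive /S | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not mount the EFI system partition on $EfiDrive (exit $LASTEXITCODE)" }

try {
    $findings = foreach ($dir in $systemDir, $efiDir) {
        # Legacy single-policy file must be gone after a Base-mode run.
        $legacy = Get-ChildItem -Path $dir -Filter 'SiPolicy.p7b' -File -ErrorAction SilentlyContinue
        # Binary policies (*.cip) anywhere under the location; only AllowAll.cip should remain.
        $cips = @(Get-ChildItem -Path $dir -Filter '*.cip' -File -Recurse -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Location     = $dir
            LegacyP7b    = [bool]$legacy
            CipFiles     = ($cips.Name -join ', ')
            OnlyAllowAll = ($cips.Count -eq 1 -and $cips[0].Name -eq 'AllowAll.cip')
        }
    }
    $findings | Format-Table -AutoSize

    # Surface any failure entries the task wrote to its log.
    $log = Join-Path $BacPath 'Logs\WDAC_Policy_Removal.log'
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'fail' -SimpleMatch | ForEach-Object { $_.Line }
    } else {
        Write-Warning "Log file not found: $log"
    }

    if ($findings.OnlyAllowAll -contains $false -or $findings.LegacyP7b -contains $true) {
        Write-Warning 'Endpoint is not in the expected post-task state; review the log before rebooting.'
    }
}
finally {
    & mountvol $EfiDrive /D | Out-Null   # always dismount the EFI partition
}
```

Because the task requires a reboot for its changes to take effect, run this check before the reboot to confirm the on-disk state, and again afterwards to confirm the policy actually loaded.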