diff --git a/.gitignore b/.gitignore
index e221a63e0a..278ae8ad0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 tools/genpolicy.cache/*
+tools/genpolicy-msft.json
+data/*
 !tools/genpolicy.cache/.gitkeep
 *.bin
 edgcoco
diff --git a/cli/generate.go b/cli/generate.go
index 351a5091d7..84459ceb59 100644
--- a/cli/generate.go
+++ b/cli/generate.go
@@ -52,6 +52,9 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if err := createDefaultFileIfNotExist(filepath.Join(flags.policyPath, flags.settingsPath), manifest.DefaultGenpolicyMSFT); err != nil {
+		return fmt.Errorf("failed to create default policy file: %w", err)
+	}
 	if err := generatePolicies(cmd.Context(), flags.policyPath, flags.settingsPath, paths, logger); err != nil {
 		return fmt.Errorf("failed to generate policies: %w", err)
 	}
@@ -65,7 +68,7 @@ func runGenerate(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to create policy map: %w", err)
 	}
 
-	manifestData, err := os.ReadFile(flags.manifestPath)
+	manifestData, err := readOrCreateDefault(flags.manifestPath, manifest.DefaultManifestJSON)
 	if err != nil {
 		return fmt.Errorf("failed to read manifest file: %w", err)
 	}
@@ -202,3 +205,30 @@ func parseGenerateFlags(cmd *cobra.Command) (*generateFlags, error) {
 		manifestPath: manifestPath,
 	}, nil
 }
+
+// readOrCreateDefault reads the file at path,
+// or creates it with the default value if it doesn't exist.
+func readOrCreateDefault(path string, deflt []byte) ([]byte, error) {
+	data, err := os.ReadFile(path)
+	if err == nil {
+		return data, nil
+	}
+	if !os.IsNotExist(err) {
+		return nil, err
+	}
+	if err := os.WriteFile(path, deflt, 0o644); err != nil {
+		return nil, err
+	}
+	return deflt, nil
+}
+
+func createDefaultFileIfNotExist(path string, deflt []byte) error {
+	_, err := os.Stat(path)
+	if err == nil {
+		return nil
+	}
+	if !os.IsNotExist(err) {
+		return err
+	}
+	return os.WriteFile(path, deflt, 0o644)
+}
diff --git a/data/.gitkeep b/data/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/internal/manifest/constants.go b/internal/manifest/constants.go
new file mode 100644
index 0000000000..019d9f9591
--- /dev/null
+++ b/internal/manifest/constants.go
@@ -0,0 +1,11 @@
+package manifest
+
+import (
+	_ "embed"
+)
+
+//go:embed genpolicy-msft.json
+var DefaultGenpolicyMSFT []byte
+
+//go:embed manifest.json
+var DefaultManifestJSON []byte
diff --git a/tools/genpolicy-msft.json b/internal/manifest/genpolicy-msft.json
similarity index 100%
rename from tools/genpolicy-msft.json
rename to internal/manifest/genpolicy-msft.json
diff --git a/data/manifest.json b/internal/manifest/manifest.json
similarity index 100%
rename from data/manifest.json
rename to internal/manifest/manifest.json
diff --git a/justfile b/justfile
index 3e38c10642..22ee067001 100644
--- a/justfile
+++ b/justfile
@@ -24,7 +24,6 @@ generate target=default_deploy_target:
     mkdir -p ./{{worspace_dir}}
     rm -rf ./{{worspace_dir}}/deployment
     cp -R ./deployments/{{target}} ./{{worspace_dir}}/deployment
-    cp ./data/manifest.json ./{{worspace_dir}}/manifest.json
     nix run .#yq-go -- -i ". \
         | with(select(.spec.template.spec.containers[].image | contains(\"nunki/coordinator\")); \
         .spec.template.spec.containers[0].image = \"${container_registry}/nunki/coordinator:latest\")" \
diff --git a/packages/default.nix b/packages/default.nix
index 8b5f0dac2b..1b602137d2 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -12,6 +12,7 @@ let
     fileset = lib.fileset.unions [
       ../go.mod
       ../go.sum
+      (lib.fileset.fileFilter (file: lib.hasSuffix ".json" file.name) ../internal/manifest) # go embed
       (lib.fileset.fileFilter (file: lib.hasSuffix ".go" file.name) ../.)
     ];
   };