group policy - How to create Deny rules for AppLocker using PowerShell
When using a command such as

    ls 'c:\program files\*.exe' | get-applockerfileinformation | new-applockerpolicy -ruletype path -user -xml -optimize

I see it emit an "allow" rule. How can I generate a "deny" rule (i.e. `action="deny"`) in the XML that gets generated? The MSDN documentation does not have a deny option. Is XML fiddling the way?
You can modify the policy rule objects `New-AppLockerPolicy` returns before calling `Set-AppLockerPolicy`:

    # Build the policy as an object (no -Xml), so the rules can be edited in place.
    # -User takes a user or group name; Everyone is the cmdlet's default.
    $policy = Get-ChildItem 'C:\Program Files\*.exe' |
        Get-AppLockerFileInformation |
        New-AppLockerPolicy -RuleType Path -User Everyone -Optimize

    # Each rule collection (Exe, Dll, Script, ...) enumerates its individual rules.
    foreach ($ruleCollection in $policy.RuleCollections) {
        foreach ($rule in $ruleCollection) {
            $rule.Action = 'Deny'
        }
    }

    Set-AppLockerPolicy -PolicyObject $policy -Ldap "<dn target policy>"

In PowerShell 4.0 and newer, you can use the `ForEach({})` extension method as well:

    $policy = ... | New-AppLockerPolicy
    $policy.RuleCollections.ForEach({ $_.ForEach({ $_.Action = 'Deny' }) })
    Set-AppLockerPolicy -PolicyObject $policy -Ldap ...
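The question also asks whether editing the generated XML is a viable route. As an added example that is not part of the original answer, the script below takes the allow policy produced by `New-AppLockerPolicy -Xml`, rewrites every rule element's `Action` attribute to `Deny` with plain XML manipulation, and then checks the result with `Test-AppLockerPolicy` before anything is deployed. The file paths and the `Everyone` user are placeholders chosen for the example.

```powershell
# Added example (not from the original post): convert an AppLocker policy XML
# file into deny rules by editing the XML directly, then verify the outcome.
# File paths below are placeholders for this example.

function ConvertTo-AppLockerDenyPolicy {
    param(
        [Parameter(Mandatory)] [string] $InputXmlPath,   # output of New-AppLockerPolicy -Xml
        [Parameter(Mandatory)] [string] $OutputXmlPath
    )

    [xml] $doc = Get-Content -Path $InputXmlPath -Raw

    # AppLocker rule elements are FilePathRule, FilePublisherRule and FileHashRule;
    # each carries an Action attribute of "Allow" or "Deny". The document has no
    # default XML namespace, so a plain XPath union selects all of them.
    $rules = $doc.SelectNodes('//FilePathRule | //FilePublisherRule | //FileHashRule')
    foreach ($rule in $rules) {
        $rule.SetAttribute('Action', 'Deny')
    }

    $doc.Save($OutputXmlPath)
    return $rules.Count
}

$allowXml = 'C:\Temp\allow-policy.xml'   # placeholder path
$denyXml  = 'C:\Temp\deny-policy.xml'    # placeholder path

# Same pipeline as the question, written to a file.
$files = Get-ChildItem 'C:\Program Files\*.exe' | Select-Object -ExpandProperty FullName
Get-AppLockerFileInformation -Path $files |
    New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -Xml |
    Set-Content -Path $allowXml

$count = ConvertTo-AppLockerDenyPolicy -InputXmlPath $allowXml -OutputXmlPath $denyXml
"Rewrote $count rule(s) as Deny"

# Evaluate the edited policy against the same files; anything that is not
# reported as Denied indicates a rule that did not convert as expected.
Test-AppLockerPolicy -XmlPolicy $denyXml -Path $files -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Denied' }
```

Deploy the result with `Set-AppLockerPolicy -XmlPolicy $denyXml -Merge` (or the `-Ldap` form from the answer) only after the `Test-AppLockerPolicy` step returns nothing. Keep in mind that AppLocker is an allow-list mechanism: an explicit deny rule overrides allow rules for the paths it matches, but it does not by itself permit anything, so the policy still needs its allow or default rules for everything else.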