group policy - How to Create Deny rules for Applocker using Powershell -

when using command such

ls 'c:\program files\*.exe' | get-applockerfileinformation | new-applockerpolicy -ruletype path -user -xml -optimize 

i see emit "allow" rule. how can generate "deny" rule (i.e action="deny") in xml gets generated. msdn documentation not having deny option. xml fiddling way?

you modify policy rule objects new-applockerpolicy returns before calling set-applockerpolicy:

$policy = ls 'c:\program files\*.exe' | get-applockerfileinformation | new-applockerpolicy -ruletype path -user -optimize foreach($rulecollection in $policy.rulecollections) {     foreach($rule in $rulecollection)     {         $rule.action = 'deny'     } } set-applockerpolicy -policyobject $policy -ldap "<dn target policy>" 

in powershell 4.0 , newer, can use foreach({}) extension method well:

$policy = ... | new-applockerpolicy $policy.rulecollections.foreach({ $_.foreach({ $_.action = 'deny' }) }) set-applockerpolicy -policyobject $policy -ldap ...