PowerShell simplifies everything! When used to manage AppLocker, Administrators can quickly gather file information, create policies, and test their AppLocker configuration.

Imagine unapproved executables simply never running on your machines, or effortlessly blocking applications based on their version, their publisher, or any other major attribute. AppLocker's application allow-listing makes this possible (it complements antivirus rather than replacing it: a file that is not allowed by a rule does not run, whether or not anyone has a signature for it). PowerShell makes AppLocker easier.

The AppLocker module for PowerShell contains five cmdlets: Get-AppLockerFileInformation, Get-AppLockerPolicy, New-AppLockerPolicy, Set-AppLockerPolicy, and Test-AppLockerPolicy. Don't let the small number of commands fool you! With the exception of a removal command, they are more than enough to handle the complete policy lifecycle. To start our PowerShell exploration, open PowerShell ISE and type Get-Command -Module AppLocker

Our five AppLocker cmdlets

Path, publisher, or hash

AppLocker can allow or block applications based on three types of criteria. Files can be matched by their path, their publisher (the signing certificate plus product, binary name, and version), or their hash. As the Windows AppLocker Guide points out, rule types should be preferred in this order and for these reasons:

  • Publisher: Uses the least amount of administrative work and is the most flexible. One rule can cover every version of a signed product, so updates keep working. Requires the file to be digitally signed.
  • Hash: More secure than a path rule because the rule matches exactly one file, but inflexible: every update to the program produces a new hash and needs a new rule.
  • Path: Least desirable, because the rule trusts a location rather than a file. If a standard user can write to an allowed path, they can drop any executable there and it will run, so allowed path locations must never be writable by standard users.

By using Get-AppLockerFileInformation, we can scan files or directories to see what rule types each file will support: files that return publisher information can get a publisher rule, while unsigned files can only get a hash (or path) rule. This command will recursively search a directory: Get-AppLockerFileInformation -Directory "\\SERVER\SHARE\FOLDER" -Recurse

Get-AppLockerFileInformation

Though part of the directory path has been removed, you can still see how useful this cmdlet is for planning. To make sorting easier, we can pipe any output to the Out-GridView cmdlet.

Filter with Out-GridView cmdlet

In the top right, note the ability to filter results!
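The scan above is mostly useful once you know which files are signed. The following script is an added example and is not from the original article: it wraps Get-AppLockerFileInformation in a function that tags every file with the strongest rule type it can support, summarizes the split, and lists the unsigned files for review. It assumes the AppLocker module is available and that the output objects expose the documented Path and Publisher properties (with PublisherName and ProductName on the publisher); the share path is a placeholder.

```powershell
# Added example (not from the original article): classify the files under a
# directory by the strongest AppLocker rule type they can support.
# Assumes the AppLocker module and that Get-AppLockerFileInformation output
# exposes Path and Publisher (PublisherName, ProductName) as documented.
Import-Module AppLocker

function Get-AppLockerRuleCandidate {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        # Exe and Dll cover most cases; add Script/WindowsInstaller/Appx as needed.
        [string[]] $FileType = @('Exe', 'Dll', 'Script', 'WindowsInstaller')
    )

    # One object per file. Publisher is $null for unsigned files, which can
    # therefore only get a hash rule (or a path rule, which we avoid).
    Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType $FileType |
        ForEach-Object {
            $signed = [bool]$_.Publisher
            [pscustomobject]@{
                Path          = $_.Path
                Signed        = $signed
                Publisher     = if ($signed) { $_.Publisher.PublisherName } else { $null }
                Product       = if ($signed) { $_.Publisher.ProductName } else { $null }
                SuggestedRule = if ($signed) { 'Publisher' } else { 'Hash' }
            }
        }
}

# Placeholder share; replace with the folder you are planning rules for.
$candidates = Get-AppLockerRuleCandidate -Directory '\\SERVER\SHARE\FOLDER'

# How many files can get a publisher rule versus hash only.
$candidates | Group-Object SuggestedRule | Select-Object Name, Count

# Unsigned binaries deserve a second look before they get a hash rule,
# because every update to them will need a new rule.
$candidates | Where-Object { -not $_.Signed } |
    Out-GridView -Title 'Unsigned files (hash rules only)'
```

A large "Hash" bucket is an early warning that the policy will need frequent maintenance; ask the vendor for signed builds or plan to regenerate rules on every update.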

Creating and testing an AppLocker policy

We can quickly create rules by using Get-AppLockerFileInformation and piping the output to New-AppLockerPolicy. The -RuleType order matters: with Publisher,Hash, signed files get a publisher rule and unsigned files fall back to a hash rule. Here is an example that searches the MDOP folder and creates a new AppLocker policy. The results are then exported to the file MDOP.XML.

Get-AppLockerFileInformation -Directory \\SERVER\SHARE\Microsoft\MDOP\ -Recurse | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix MDOP -Xml | Out-File .\MDOP.XML

Before applying our AppLocker rules to a machine (or to a GPO), we will want to test them first. Testing allows us to correct mistakes before we accidentally block a needed file. Testing can be done by running Test-AppLockerPolicy against specific files; for each file it reports whether the policy would return Allowed, Denied, or DeniedByDefault (no rule matched) and which rule made the decision. In the example below, I am testing MDOP.XML against a file on a share.

Test-AppLockerPolicy -XmlPolicy .\MDOP.xml -Path \\SERVER\SHARE\MDOP\UE-VX86.exe
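The two commands above are the whole create-and-test loop; the script below, an added example that is not from the original article, joins them into one procedure and adds the step a cautious deployment needs: it rewrites the EnforcementMode attribute that New-AppLockerPolicy emits as NotConfigured to AuditOnly, so the first rollout only logs what would have been blocked. It assumes the AppLocker module, the documented FilePath/PolicyDecision/MatchingRule properties on Test-AppLockerPolicy output, and the AppLockerPolicy/RuleCollection XML layout of an exported policy; the share path, output file, and test files are placeholders.

```powershell
# Added example (not from the original article): build an AppLocker policy
# from a directory scan, force it into audit mode, and test it against files.
# Assumes the AppLocker module; all paths below are placeholders.
Import-Module AppLocker

function New-AuditAppLockerPolicyFile {
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [Parameter(Mandatory)] [string] $OutFile,
        [string] $RuleNamePrefix = 'MDOP'
    )

    # Publisher rules where a file is signed, hash rules as the fallback;
    # -Optimize folds files that share publisher and product into one rule.
    [xml]$policy = Get-AppLockerFileInformation -Directory $Directory -Recurse |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
            -RuleNamePrefix $RuleNamePrefix -Optimize -Xml

    # New-AppLockerPolicy writes EnforcementMode="NotConfigured" on each rule
    # collection. AuditOnly makes a first deployment log "would have been
    # blocked" events (AppLocker event ID 8003) instead of denying execution.
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }

    # XmlDocument.Save resolves relative paths against the process directory,
    # not the PowerShell location, so convert to a provider path first.
    $fullPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    $policy.Save($fullPath)
    return $fullPath
}

function Test-AppLockerPolicyFile {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $User = 'Everyone'
    )
    # One decision per file: FilePath, PolicyDecision (Allowed, Denied or
    # DeniedByDefault) and MatchingRule. DeniedByDefault means no rule
    # matched, which is what an allow list does to everything it does not name.
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

$policyFile = New-AuditAppLockerPolicyFile -Directory '\\SERVER\SHARE\Microsoft\MDOP' -OutFile '.\MDOP.XML'

# Test one file the policy should allow and one it does not know about.
$results = Test-AppLockerPolicyFile -XmlPath $policyFile -Path @(
    '\\SERVER\SHARE\MDOP\UE-VX86.exe',
    'C:\Windows\System32\cmd.exe'
)
$results | Format-Table -AutoSize

# Anything not Allowed is worth a look before enforcement is switched on.
$results | Where-Object PolicyDecision -ne 'Allowed'
```

Expect cmd.exe to come back DeniedByDefault from a policy that only contains MDOP rules; that is the reminder that this file is a fragment to merge into a policy with the default rules, not a complete policy on its own.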

Setting our AppLocker rules

Generating an XML file won't apply our AppLocker rules. In order to apply this policy, we can either import the rules into the local AppLocker rule set or import the rules into a specific GPO. Both of these methods are handled with the Set-AppLockerPolicy cmdlet. Two things to keep in mind: without -Merge, Set-AppLockerPolicy replaces whatever policy is already there, and AppLocker is an allow list, so once a rule collection contains rules and is enforced (the Application Identity service must be running for that), anything the rules do not cover is denied. A file that only contains MDOP rules should therefore be merged into a policy that already has the default rules, or kept in audit mode, rather than pushed to a production machine on its own.

To apply the MDOP.XML rules locally, we can run:

Set-AppLockerPolicy -XmlPolicy .\MDOP.XML

We can verify that our policy was imported by running:

Get-AppLockerPolicy -Local -Xml | Out-GridView

The GridView output will list any local rules applicable to our system. Though you shouldn’t have many local AppLocker rules in a domain environment, you should at least see the MDOP rule that we applied above.

Filter with Out-GridView cmdlet

Importing rules into a GPO is slightly more involved because you need the GUID of the GPO. For me, getting the GUID is easier in PowerShell than in the GPMC; with the GroupPolicy module (part of RSAT) loaded, just run Get-GPO -Name GPONAME | Select-Object DisplayName,ID

With your GUID, you can now import your rules into a GPO by using the -Ldap parameter in Set-AppLockerPolicy. The value is the LDAP path of the GPO's container in the domain's Policies container, addressed through a domain controller. Here is an example:

Set-AppLockerPolicy -XmlPolicy .\MDOP.XML -Ldap "LDAP://DC-01.TEST.local/CN={GUID},CN=Policies,CN=System,DC=TEST,DC=local"

If you have existing rules within this policy, be sure to use the -Merge switch; without it the import overwrites them. I made that mistake the first time. Overall though, it is wonderful that technologies this complex can be so easily managed with AppLocker! For those wanting to see a GUI companion to this article, check out this excellent four-part series.
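The verification and GPO steps above can be made less error-prone with two small functions. This is an added example, not code from the original article: the first parses the XML that Get-AppLockerPolicy -Xml returns into one row per rule (collection, enforcement mode, rule type, action, and principal), which is easier to read in Out-GridView than the raw XML string; the second looks the GPO up by name, builds the LDAP path from the GPO's GUID and domain name instead of pasting the GUID by hand, merges the file into it, and reads the result back. It assumes the AppLocker and GroupPolicy (RSAT) modules on a domain-joined admin host and the AppLockerPolicy/RuleCollection/File*Rule layout of the policy XML; the GPO name, domain controller, and file names are placeholders.

```powershell
# Added example (not from the original article): list the rules in a policy
# and merge a policy file into a GPO located by name.
# Assumes the AppLocker and GroupPolicy (RSAT) modules; names are placeholders.
Import-Module AppLocker
Import-Module GroupPolicy

function Get-AppLockerRuleSummary {
    param(
        # XML text as returned by Get-AppLockerPolicy -Xml (-Local, -Effective or -Domain).
        [Parameter(Mandatory, ValueFromPipeline)] [string] $PolicyXml
    )
    process {
        [xml]$policy = $PolicyXml
        foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
            # Child elements are FilePublisherRule, FileHashRule or FilePathRule.
            # GetAttribute avoids the clash between the "Name" attribute and
            # the XmlNode.Name property.
            foreach ($rule in $collection.ChildNodes) {
                [pscustomobject]@{
                    Collection  = $collection.GetAttribute('Type')
                    Enforcement = $collection.GetAttribute('EnforcementMode')
                    RuleType    = $rule.LocalName -replace '^File|Rule$', ''
                    Name        = $rule.GetAttribute('Name')
                    Action      = $rule.GetAttribute('Action')
                    Principal   = $rule.GetAttribute('UserOrGroupSid')
                }
            }
        }
    }
}

function Import-AppLockerPolicyToGpo {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $DomainController
    )
    $gpo = Get-GPO -Name $GpoName          # throws if the GPO does not exist

    # Build the GPO container DN from its GUID and domain name, e.g.
    # CN={GUID},CN=Policies,CN=System,DC=TEST,DC=local
    $domainDn = ($gpo.DomainName -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    $ldap = "LDAP://$DomainController/CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"

    # -Merge keeps the rules already in the GPO; without it the import replaces them.
    Set-AppLockerPolicy -XmlPolicy (Resolve-Path $XmlPath).Path -Ldap $ldap -Merge

    # Read back what the GPO now holds.
    Get-AppLockerPolicy -Domain -Ldap $ldap -Xml | Get-AppLockerRuleSummary
}

# Verify the local policy after a local Set-AppLockerPolicy.
Get-AppLockerPolicy -Local -Xml | Get-AppLockerRuleSummary |
    Out-GridView -Title 'Local AppLocker rules'

# Merge MDOP.XML into a GPO and show the merged rule set.
Import-AppLockerPolicyToGpo -XmlPath '.\MDOP.XML' -GpoName 'AppLocker - Workstations' `
    -DomainController 'DC-01.TEST.local' | Format-Table -AutoSize
```

The Enforcement column is the one to check after a merge: a collection that went from AuditOnly to Enabled, or that has rules while still NotConfigured, changes what users can run.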

6 Comments
  1. James 7 years ago

    Good afternoon Joseph,

    Thanks for publishing your excellent article, it has been extremely helpful in my daily AppLocker management tasks.

    I’ve recently encountered an error that I can’t seem to solve, I’m hoping you can help in resolving the problem.

    The error, “Value does not fall within the expected range”, doesn’t seem to have much information when googling it, same with fully qualified error-id.

    I’ve tested a group of ten different computers in an enterprise environment, group policy appears to be functional and current on all computers, I used c:\windows\notepad.exe and c:\windows\explorer.exe as test files.

    The following command returned failures on 40% of the machines, see error below:

    Test-ApplockerPolicy -path c:\windows\notepad.exe (Get-ApplockerPolicy -effective)

    ERROR RESULTS:

    Value does not fall within the expected range.
        + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy], ArgumentException
        + FullyQualifiedErrorId : TestAppLockerPolicyCmdletFailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet
        + PSComputerName        : CON-001

    Thanks in advance for your assistance.

  2. Author

    I’m not too sure about that one, James. Open a question here: https://4sysops.com/forums/forum/it-administration/ and possibly on the Windows Server Technet forums.

    Let me know what you find out though!

  3. Mayur 7 years ago

    I had created a custom CSP for AppLocker to block the Twitter app on Windows 10. Now how can I revoke the custom policy? Do I need to create a custom CSP with a delete tag? If yes, how do I do so, or are there any other ways to do that?

    Thanks in advance

  4. John 6 years ago

    Hello. What do you do if you want to only block on publisher level, as you can do with the slider in the GPO settings?

  5. Author

    If you weren’t opposed to using the GUI, you could create the rule there and export it. You could then use PowerShell to import it.

    • John 6 years ago

      The problem is I want to automate setting AppLocker policies, but only blocking on publisher, not on GUID or hash.

© 4sysops 2006 - 2023