PowerShell simplifies everything! When used to manage AppLocker, Administrators can quickly gather file information, create policies, and test their AppLocker configuration.

Imagine never having to clean another virus from a machine or effortlessly blocking applications based on versions, the publisher, or any other major attribute. AppLocker makes this management possible. PowerShell makes AppLocker easier.

The AppLocker module for PowerShell contains five cmdlets. Don’t let the small number of commands fool you! With the exception of a removal command, they are more than enough to handle the complete policy lifecycle. To start our PowerShell exploration, open PowerShell ISE and type Get-Command -Module AppLocker

Our five AppLocker cmdlets

Our five AppLocker cmdlets

Path, publisher, or hash

AppLocker can allow or block applications based on three types of criteria. Files can be grouped by their path, their publisher, or their hash. As the Windows AppLocker Guide points out, individual rules should be built in this order and for these reasons:

  • Publisher: Uses the least amount of administrative work and is the most flexible.
  • Hash: More secure than a path rule, inflexible when a program updates.
  • Path: Least desirable. Path locations should not allow standard users to have write access. 

By using Get-AppLockerFileInformation, we can scan files or directories to see what rule types will be supported. This command will recursively search a directory: Get-AppLockerFileInformation –Directory “\\SERVER\SHARE\FOLDER” -Recurse



Though part of the directory path has been removed, you can still see how useful this cmdlet is for planning. To make sorting easier, we can pipe any output to the Out-GridView cmdlet.

Filter with Out-GridView cmdlet

In the top right, note the ability to filter results!

Creating and testing an AppLocker policy

We can quickly create rules by using Get-AppLockerFileInformation and piping the output to New-AppLockerPolicy. Here is an example that searches the MDOP folder and creates a new AppLocker Policy. The results are then exported to the file MDOP.XML.

Get-AppLockerFileInformation -Directory \\SHARE\SERVER\Microsoft\MDOP\ -Recurse | New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -RuleNamePrefix MDOP -XML | Out-File .\MDOP.XML

Before applying our AppLocker rules to a machine (or to a GPO), we will want to test them first. Testing allows us to correct mistakes before we accidently block a needed file. Testing can be done by running Test-AppLockerPolicy against specific files. In the example below, I am testing MDOP.XML against a file on a share.

Test-AppLockerPolicy -XMLPath .\MDOP.xml -Path \\SERVER\SHARE\MDOP\UE-VX86.exe

Setting our AppLocker rules

Generating an XML file won’t apply our AppLocker rules. In order to apply this policy, we can either import the rules into the local AppLocker rule set or import the rules into a specific GPO. Both of these methods are handled with the Set-AppLockerPolicy cmdlet.

To apply the MDOP.XML rules locally, we can run:

Set-AppLockerPolicy –XMLPolicy .\MDOP.XML

We can verify that our policy was imported by running:

Get-AppLockerPolicy -Local -Xml | Out-GridView

The GridView output will list any local rules applicable to our system. Though you shouldn’t have many local AppLocker rules in a domain environment, you should at least see the MDOP rule that we applied above.

Filter with Out-GridView cmdlet

Filter with Out-GridView cmdlet

Importing rules into a GPO is slightly difficult because you need the GUID for the GPO. For me, getting the GUID is easier in PowerShell than the GPMC, just run Get-GPO –name GPONAME | Select-Object DisplayName,ID

With your GUID, you can now import your rules into a GPO by using the –LDAP parameter in Set-AppLockerPolicy. Here is an example:

Set-AppLockerPolicy –XMLPolicy .\MDOP.XML -LDAP "LDAP://DC-01.TEST.local/CN={GUID},CN=Policies,CN=System,DC=TEST,DC=local"

If you have existing rules within this policy, be sure to use the –Merge switch. I made that mistake the first time. Overall though, it is wonderful that technologies this complex can be so easily managed with AppLocker! For those wanting to see a GUI companion to this article, check out this excellent four part series.

  1. James 7 years ago

    Good afternoon Joseph,

    Thanks for publishing your excellent article, it has been extremely helpful in my daily AppLocker management tasks.

    I’ve recently encountered an error that I can’t seem to solve, I’m hoping you can help in resolving the problem.

    The error, “Value does not fall within the expected range”, doesn’t seem to have much information when googling it, same with fully qualified error-id.

    I’ve tested a group of ten different computers in an enterprise environment, group policy appears to be functional and current on all computers, I used c:\windows\notepad.exe and c:\windows\explorer.exe as test files.

    The following command returned failures on 40% of the machines, see error below:

    Test-ApplockerPolicy -path c:\windows\notepad.exe (Get-ApplockerPolicy -effective)


    Value does not fall within the expected range.    + CategoryInfo          : NotSpecified: (:) [Test-AppLockerPolicy],ArgumentException    + FullyQualifiedErrorId :TestAppLockerPolicyCmdletFailedProcessingFile,Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.TestAppLockerPolicyCmdlet    + PSComputerName        : CON-001

    Thanks in advance for your assistance.

  2. Author

    I’m not too sure about that one, James. Open a question here: https://4sysops.com/forums/forum/it-administration/ and possibly on the Windows Server Technet forums.

    Let me know what you find out though!

  3. Mayur 7 years ago

    I had created a custom csp for applocker to block twitter app on windows 10, now how can i revoke the custom policy? do i need to create a custom csp with a delete tag? if yes how do i do so, or are there any other was to do that.

    Thanks in advance

  4. John 6 years ago

    Hello. How do you do if  if you want to only block on publisher level, as you can do with the slider in gpo settings?

  5. Author

    If you weren’t opposed to using the GUI, you could create the rule there and export it. You could then use PowerShell to import it.

    • John 6 years ago

      The problem is i want to automate setting applocker policys, but only blocking on publisher, not on Guid or Hash.

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account