When using a command such as

ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User everyone -xml -optimize

I always see it emit an "Allow" rule. How can I generate a "Deny" rule (i.e. Action="Deny") in the XML that gets generated? The MSDN documentation does not say anything about having a deny option. Is XML fiddling the only way?

Antony Thomas
1 Answer

You could modify the Policy rule objects that New-AppLockerPolicy returns before calling Set-AppLockerPolicy:

$Policy = ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize
foreach($RuleCollection in $Policy.RuleCollections)
{
    foreach($Rule in $RuleCollection)
    {
        $Rule.Action = 'Deny'
    }
}
Set-AppLockerPolicy -PolicyObject $Policy -Ldap "<DN to target policy>"

In PowerShell 4.0 and newer, you can use the ForEach({}) extension method as well:

$Policy = ... | New-AppLockerPolicy
$Policy.RuleCollections.ForEach({ $_.ForEach({ $_.Action = 'Deny' }) })
Set-AppLockerPolicy -PolicyObject $Policy -Ldap ...
Mathias R. Jessen
  • I tried this earlier but I don't think the Action property is settable. In your script try `$policy.RuleCollections[0].Action="Deny"` and then print `$policy.RuleCollections[0]` – Antony Thomas Feb 03 '16 at 23:32
  • My bad. You are right!! I did not see it was a double collection (RuleCollections & RuleCollection) and hence I was wrong. – Antony Thomas Feb 03 '16 at 23:35
  • BTW, you may want to remove the -xml from your script. – Antony Thomas Feb 03 '16 at 23:35
  • @AntonyThomas You're doing it wrong - `RuleCollections` contains collections each containing rules - it's a nested array - `$policy.RuleCollections[0][0].Action` is what you want to be probing at – Mathias R. Jessen Feb 03 '16 at 23:36
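The nested-collection rewrite from the answer, wrapped in a function and followed by a check that the result really denies before anything is written to a GPO. This is an added example, not code from the answer or the comments; it assumes the AppLocker module on a Windows host, that 'C:\Program Files\*.exe' matches at least one file, and it uses $TargetGpoDn as a placeholder for the GPO distinguished name.

```powershell
# Added example (not the answer's code). Assumes the AppLocker module on Windows;
# $TargetGpoDn is a placeholder for the distinguished name of the target GPO.
Import-Module AppLocker

function New-DenyPathPolicy {
    param(
        [Parameter(Mandatory)][string]$PathPattern,
        [string]$User = 'Everyone'
    )
    $Policy = Get-ChildItem $PathPattern |
        Get-AppLockerFileInformation |
        New-AppLockerPolicy -RuleType Path -User $User -Optimize

    # RuleCollections is a collection of collections (Exe, Dll, Script, ...),
    # so Action lives two levels down, on each individual rule.
    foreach ($RuleCollection in $Policy.RuleCollections) {
        foreach ($Rule in $RuleCollection) {
            $Rule.Action = 'Deny'
        }
    }
    return $Policy
}

$Policy = New-DenyPathPolicy -PathPattern 'C:\Program Files\*.exe'

# Check the serialized XML before touching any GPO: no Allow rule should remain.
$Xml = $Policy.ToXml()
if ($Xml -match 'Action="Allow"') { throw 'An Allow rule survived the rewrite' }

# Dry-run the in-memory policy against one of the files; expect PolicyDecision = Denied.
$Sample = Get-ChildItem 'C:\Program Files\*.exe' | Select-Object -First 1
$Decision = Test-AppLockerPolicy -PolicyObject $Policy -Path $Sample.FullName -User 'Everyone'
$Decision | Format-Table FilePath, PolicyDecision

# Only then deploy; -Merge keeps the rules already present in the GPO instead of replacing them.
# Set-AppLockerPolicy -PolicyObject $Policy -Ldap $TargetGpoDn -Merge
```

Test-AppLockerPolicy evaluates the policy object without applying it, so the Denied result can be confirmed before the Set-AppLockerPolicy line is uncommented.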