0

I need to remove AppLocker rules filtered by name. First of all i want to understand how i can delete rules.

I can get current AppLocker rules and i can see, that RuleCollections has method "Delete"

$local:Policy = Get-AppLockerPolicy -Local
$Policy.RuleCollections | gm

I can delete rules from categories where only one rule

$Policy.RuleCollections | Where {$_.Count -eq 1} | foreach {$_.Delete($_.Id)}

How can i delete rules from categories where more than one rule?

Vovsla
  • 1
  • Just curious. Why are you scoping the variable as local? Why are you not just using the ```Remove-AppLockerPolicy``` AppLocker cmdlet to do this vs this delete method? – postanote Dec 20 '22 at 04:30
  • local - becouse i do it on a local machine. My system hasn't Remove-AppLockerPolicy cmdlet. Windows 11 22H2 Enterprise – Vovsla Dec 20 '22 at 07:35

2 Answers2

0

As per my comment.

# Remove all applocker policies for the specified rule type.
Get-AppLockerPolicy -Effective | 
Remove-AppLockerPolicy -RuleType Executable
postanote
  • 15,138
  • 2
  • 14
  • 25
  • Result of run this commant is "Remove-AppLockerPolicy : The term 'Remove-AppLockerPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.' – Vovsla Dec 20 '22 at 07:27
0
$LocalAppLockerPolicy = Get-AppLockerPolicy -Local
$RuleCollection = $LocalAppLockerPolicy.GetRuleCollection('exe')
$AppLockerRule = $RuleCollection | ? {$_.PathConditions.Path.Path -eq $PathName}
$RuleCollection.Delete($AppLockerRule.Id)
Set-AppLockerPolicy -PolicyObject $LocalAppLockerPolicy
Nicklas
  • 1