How to Create Deny rules for Applocker using Powershell

3.2k Views Asked by Antony Thomas At 04 April 2025 at 14:02

When using a command such as

ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User everyone -xml -optimize

I always see it emit "Allow" rule. How can I generate a "Deny" rule (i.e Action="Deny") in the xml that gets generated. MSDN documentation does not say anything about having a deny option. Is XML fiddling the only way?

Original Q&A

There are 1 best solutions below

Mathias R. Jessen On 03 February 2016 at 07:46 BEST ANSWER

You could modify the Policy rule objects that New-AppLockerPolicy returns before calling Set-AppLockerPolicy:

$Policy = ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize
foreach($RuleCollection in $Policy.RuleCollections)
{
    foreach($Rule in $RuleCollection)
    {
        $Rule.Action = 'Deny'
    }
}
Set-AppLockerPolicy -PolicyObject $Policy -Ldap "<DN to target policy>"

In PowerShell 4.0 and newer, you can use the ForEach({}) extension method as well:

$Policy = ... | New-AppLockerPolicy
$Policy.RuleCollections.ForEach({ $_.ForEach({ $_.Action = 'Deny' }) })
Set-AppLockerPolicy -PolicyObject $Policy -Ldap ...

How to Create Deny rules for Applocker using Powershell

There are 1 best solutions below

Related Questions in POWERSHELL

Related Questions in GROUP-POLICY

Related Questions in GPO

Related Questions in APPLOCKER

Trending Questions

Popular # Hahtags

Popular Questions