
New-AppLockerPolicy

powershell

New-AppLockerPolicy is part of the AppLocker PowerShell module. For configuring AppLocker itself (enabling the Application Identity service, default rules, enforcement mode), see the AppLocker configuration guide linked from this page.

Synopsis

Creates a new AppLocker policy from a list of file information and other rule creation options.

Description

The New-AppLockerPolicy cmdlet uses a list of file information to automatically generate a list of rules for a given user or group. Rules can be generated based on publisher, hash, or path information.

Run the Get-AppLockerFileInformation cmdlet to create the list of file information.

By default, the output is an AppLockerPolicy object. If the Xml parameter is specified, the output will be the AppLocker policy as an XML-formatted string.
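The following is an added example, not code from the original page or from Microsoft. It walks the workflow the description outlines end to end: collect file information from a reference machine, generate publisher rules with hash rules as fallback, stage the result in audit mode, simulate it with Test-AppLockerPolicy, and merge it into the local policy. The directory list, the output folder and the rule name prefix are assumptions you would replace; an elevated shell and the AppLocker module are assumed to be available.

```powershell
# Added example, not code from the original page or from Microsoft: build an
# allow-list policy from a reference machine, stage it in audit mode, simulate
# it, then merge it into the local policy.
# Assumptions (illustrative, change to suit): elevated PowerShell, the AppLocker
# module present, $ReferenceDirs and $OutDir chosen by you.
Import-Module AppLocker

$ReferenceDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:windir\System32")
$OutDir        = 'C:\AppLockerStaging'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Collect publisher, hash and path information for EXE and DLL files.
#    Unsigned files have no publisher information; -Recurse walks subfolders.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll
    }
}

# 2. Generate rules: publisher rules for signed binaries, hash rules otherwise.
#    Path rules are avoided on purpose: a path rule over any location a standard
#    user can write to allows whatever that user drops there.
#    -IgnoreMissingFileInformation skips (and warns about) files that yield no
#    rule instead of failing the whole run; -Xml returns the policy as a string.
$policyXml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline -Optimize -IgnoreMissingFileInformation -Xml

# 3. The generated collections carry EnforcementMode="NotConfigured". Set every
#    collection to AuditOnly so the first deployment only logs what it would block.
[xml]$doc = $policyXml
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = Join-Path $OutDir 'baseline-audit.xml'
$doc.Save($policyPath)

# 4. Simulate before deploying. PolicyDecision "DeniedByDefault" means no rule
#    matched the file, which is exactly what should happen for unknown binaries.
$samples = @("$env:windir\System32\notepad.exe", "$env:windir\System32\cmd.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy; existing rules are retained. The Application
#    Identity service (AppIDSvc) must be running for AppLocker to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Generating the policy as XML (the -Xml switch) rather than as an AppLockerPolicy object is what makes the enforcement-mode edit in step 3 a plain attribute change; the same XML file is then used for both the simulation and the deployment, so what was tested is what gets applied. For a domain deployment, replace -Merge on the local policy with the GPO's -Ldap path.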

Parameters

-FileInformation <List<FileInformation>>
    Specifies the list of file information objects (as produced by Get-AppLockerFileInformation) that contain publisher, path, and hash information. Some information may be missing, such as publisher information for an unsigned file.

    Required?                    true
    Position?                    1
    Default value                none
    Accept pipeline input?       true (ByValue, ByPropertyName)
    Accept wildcard characters?  false

-IgnoreMissingFileInformation <SwitchParameter>
    Specifies that, if a rule cannot be created for a file because of missing file information, then evaluation of the remaining file information will continue and a warning log of the files skipped will be generated.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-InformationAction <System.Management.Automation.ActionPreference>
    Specifies how this cmdlet responds to an information event. The acceptable values for this parameter are:

    -- SilentlyContinue
    -- Stop
    -- Continue
    -- Inquire
    -- Ignore
    -- Suspend

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-InformationVariable <System.String>
    Specifies a variable in which to store an information event message.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Optimize <SwitchParameter>
    Specifies that similar rules will be grouped together.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-RuleNamePrefix <String>
    Specifies a name to add as the prefix for each rule that is created.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-RuleType <List<RuleType>>
    Specifies the type of rules to create from the file information. Publisher, path, or hash rules can be created from the file information. Multiple rule types may be specified, in order of preference, so that there are backup rule types if the file information needed for the preferred type is not available.

    For example, if Publisher, Hash is specified for this parameter, then the hash rules are applied when publisher information is not available.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-ServiceEnforcement <System.String>
    Specifies whether the AppLocker policy for EXE and DLL rule collections applies to non-interactive processes. The acceptable values for this parameter are:

    -- NotConfigured
    -- Enabled
    -- ServicesOnly

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-User <String>
    Specifies the user or group to which the rules are applied. The acceptable values for this parameter are:

     -- DNS user name (domain\username) 
     -- User Principal Name (username@domain.com) 
     -- SAM user name (username) 
     -- Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Xml <SwitchParameter>
    Specifies that the output of the AppLocker policy be as an XML-formatted string.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

Syntax

New-AppLockerPolicy [-FileInformation] <System.Collections.Generic.List`1[Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FileInformation]> [-RuleType <System.Collections.Generic.List`1[Microsoft.Security.ApplicationId.PolicyManagement.RuleType]>] [-RuleNamePrefix <String>] [-User <String>] [-Optimize] [-IgnoreMissingFileInformation] [-Xml] [-ServiceEnforcement <String>] [<CommonParameters>]

——————EXAMPLE 1——————
C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32

Version RuleCollections                         RuleCollectionTypes
------- ---------------                         -------------------
      1 {Microsoft.Security.ApplicationId.Po... {Exe}
This example creates an AppLocker policy that contains allow rules for all of the executable files in C:\Windows\System32. The policy contains publisher rules for those files with publisher information and hash rules for those that do not. The rules are prefixed with System32: and the rules apply to the Everyone group.

——————EXAMPLE 2——————
C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -Xml
This example creates an XML-formatted AppLocker policy for all of the executable files in C:\Windows\System32. The policy contains only path rules, the rules are applied to the Everyone group, and the Optimize parameter indicates that similar rules are grouped together where possible. Path rules are only as strong as the permissions on the paths they name: if a standard user can write anywhere under a path that an allow rule covers, that user can run whatever they place there, so prefer publisher or hash rules and reserve path rules for locations that only administrators can modify.
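As a further added example (not code from the original page or from Microsoft), the same cmdlet can consume file information read from AppLocker's own event log instead of from disk. This is how a policy deployed in audit mode gets refined: events of type Audited record what would have been blocked, and those records carry the path, publisher and hash needed to build rules. The log name used below is the EXE and DLL operational log, the trusted-publisher list is a placeholder for your own, and the output path is an assumption.

```powershell
# Added example, not code from the original page or from Microsoft: turn the
# "would have been blocked" events from an AppLocker audit-mode run into
# additional allow rules, review them, and merge them in.
# Assumptions (illustrative): a policy is already deployed in AuditOnly mode,
# the EXE and DLL operational log has collected events, and $TrustedPublishers
# is a placeholder for your own list.
Import-Module AppLocker

$DeltaPolicy       = 'C:\AppLockerStaging\audit-delta.xml'
$TrustedPublishers = @('O=MICROSOFT CORPORATION*', 'O=CONTOSO LTD*')   # placeholder

# 1. Pull file information straight from audit events (event type Audited).
#    Each object carries the path, publisher and hash recorded at execution
#    time, so the binary does not need to still be on disk.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited

# 2. Review what ran. Entries with no Publisher are unsigned and would become
#    hash rules; each deserves a deliberate decision rather than bulk approval.
$audited | Sort-Object { [string]$_.Path } -Unique |
    Format-Table Path, @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } }, Hash -AutoSize

# 3. Keep only binaries signed by publishers on the trusted list. -like is
#    case-insensitive; the subject string starts with the O= component.
$approved = $audited | Where-Object {
    $pub = $_.Publisher
    $pub -and ($TrustedPublishers | Where-Object { $pub.PublisherName -like $_ })
}
if (-not $approved) {
    Write-Warning 'No audited files matched the trusted publisher list; nothing to add.'
    return
}

# 4. Build publisher rules (hash as fallback) for the approved set and save them
#    as a separate delta so the change can be reviewed on its own.
$approved | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix AuditDelta -IgnoreMissingFileInformation -Xml |
    Set-Content -LiteralPath $DeltaPolicy -Encoding UTF8

# 5. Merge the delta into the local policy, then confirm the enforcement mode
#    of every collection is still what you intended (AuditOnly during tuning).
Set-AppLockerPolicy -XmlPolicy $DeltaPolicy -Merge
([xml](Get-AppLockerPolicy -Local -Xml)).AppLockerPolicy.RuleCollection |
    Format-Table Type, EnforcementMode -AutoSize
```

The publisher filter in step 3 is the control that matters: generating rules from everything the audit log saw would simply allow-list whatever users happened to run during the audit window, including anything malicious. Reviewing unsigned entries by hand and approving only known publishers keeps the audit loop from quietly widening the policy.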

You can check the Version, CommandType and Source of this cmdlet by running the command below.

Get-Command New-AppLockerPolicy


References are taken from Microsoft
