Set-AppLockerPolicy

Applies To: Windows 7, Windows Server 2008 R2

This topic for the IT professional describes how to use Windows PowerShell to set an AppLocker policy within a Group Policy object (GPO) in Windows Server 2008 R2 and Windows 7.

The Set-AppLockerPolicy cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) path is specified, the local GPO is the default. If the Merge parameter is not specified, the existing AppLocker policy in the target GPO will be overwritten by the new policy.

Syntax

Set-AppLockerPolicy [-XMLPolicy] <String> [-LDAP <String>] [-Merge <Boolean>] [-Confirm] [-WhatIf] [<CommonParameters>]

Set-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-LDAP <String>] [-Merge <Boolean>] [-Confirm] [-WhatIf] [<CommonParameters>]

Parameters

Parameter Description

XMLPolicy <String>

Specifies the path where the AppLocker policy XML file is saved.

PolicyObject <AppLockerPolicy>

Specifies the GPO that contains the AppLocker policy. It can be obtained from the Get-AppLockerPolicy or New-AppLockerPolicy cmdlet.

LDAP <String>

Specifies the LDAP path of the GPO. It must specify a unique GPO. If this parameter is not specified, the local policy is set.

Merge <Boolean>

When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.

Confirm <CommonParameters>

Prompts you for confirmation before running the command.

WhatIf <CommonParameters>

Describes what would happen if you ran the command.

Examples

Sets the local AppLocker policy to the policy specified in C:\Policy.xml.

C:\PS>Set-AppLockerPolicy -XMLPolicy C:\Policy.xml

Sets the GPO specified in the LDAP path to contain the AppLocker policy that is specified in C:\Policy.xml.

C:\PS>Set-AppLockerPolicy -XMLPolicy C:\Policy.xml -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"

Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. See the Merge parameter description for more details about how the two policies are merged.

C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge
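
Because omitting Merge overwrites the policy in the target GPO, a change is safer when the current policy is saved first and the merge is previewed. The following script is an added example, not part of the original topic: it reuses the GPO path and C:\Policy.xml from the examples above, and the backup path C:\Policy-backup.xml and the helper name Get-PolicyRuleId are assumptions.

```powershell
Import-Module AppLocker

# GPO path and policy file from the examples above; $backup is an assumed path.
$gpo    = 'LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com'
$newXml = 'C:\Policy.xml'
$backup = 'C:\Policy-backup.xml'

# 1. Save the policy currently in the target GPO so it can be restored.
$currentXml = Get-AppLockerPolicy -Domain -LDAP $gpo -Xml
$currentXml | Out-File -FilePath $backup

# Helper (hypothetical name): list the Id attribute of every rule in a policy document.
function Get-PolicyRuleId([xml]$Policy) {
    $Policy.SelectNodes('/AppLockerPolicy/RuleCollection/*') |
        ForEach-Object { $_.GetAttribute('Id') }
}

$current  = [xml]$currentXml
$incoming = [xml](Get-Content -Path $newXml)

# 2. Rule IDs present in both policies: the merge removes these duplicates.
$currentIds = @(Get-PolicyRuleId $current)
$duplicates = @(Get-PolicyRuleId $incoming | Where-Object { $currentIds -contains $_ })
"Rules with duplicate IDs: $($duplicates.Count)"
$duplicates

# 3. Enforcement settings already in the target GPO. A merge preserves these,
#    so the enforcement settings in C:\Policy.xml do not take effect.
$current.SelectNodes('/AppLockerPolicy/RuleCollection') |
    Select-Object Type, EnforcementMode | Format-Table -AutoSize

# 4. Dry run first, then apply with a confirmation prompt.
Set-AppLockerPolicy -XMLPolicy $newXml -LDAP $gpo -Merge -WhatIf
Set-AppLockerPolicy -XMLPolicy $newXml -LDAP $gpo -Merge -Confirm

# Rollback: without -Merge the backup overwrites whatever the GPO now holds.
# Set-AppLockerPolicy -XMLPolicy $backup -LDAP $gpo
```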