New-AppLockerPolicy
Applies To: Windows 7, Windows Server 2008 R2
This topic for the IT professional describes how to use Windows PowerShell to create an AppLocker policy in Windows Server 2008 R2 and Windows 7.
The New-AppLockerPolicy cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use the Get-AppLockerFileInformation cmdlet to create the list of file information.
Syntax
New-AppLockerPolicy [-FileInformation <FileInformation[]>] [-RuleType <RuleType[]>] [-RuleNamePrefix <String>] [-User <String>] [-Optimize <Boolean>]
[-IgnoreMissingFileInformation <Boolean>] [-XML <Boolean>] [<CommonParameters>]
Parameters
| Parameter | Description |
|---|---|
FileInformation <FileInformation[]> |
A file can contain publisher, path, and hash information. Some information may be missing, such as publisher information for an unsigned file. |
RuleType <RuleType[]> |
Specifies the type of rules to create from the file information. Publisher, path, or hash rules can be created from the file information. Multiple rule types may be specified so that there are backup rule types if the necessary file information is not available. For example, you can specify |
RuleNamePrefix <String> |
Specifies a name to add as a prefix to each rule that is created. |
User <String> |
Defines the user or group that the rules are applied to. You must provide one of the following property values:
|
Optimize <Boolean> |
Instructs similar rules to be grouped together. |
IgnoreMissingFileInformation <Boolean> |
Instructs a cmdlet to continue to run if a rule cannot be created for a file because file information is missing. A warning log of the files skipped is generated. |
XML <Boolean> |
Specifies the output of the new AppLocker policy as an XML-formatted string. |
Examples
Creates an AppLocker policy containing allow rules for all executable files in C:\Windows\System32. The policy contains publisher rules for those files with publisher information and hash rules for those without publisher information. The rules are prefixed with "System32:" and the rules apply to the Everyone group.
C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
Creates an XML-formatted AppLocker policy for all executable files in C:\Windows\System32. The policy contains only path rules. The Optimize parameter indicates that similar rules are grouped together where possible.
C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -Optimize -XML
Creates a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log. All rules will be applied to the domain\FinanceGroup group. Publisher rules are created when the publisher information is available, and hash rules are created if the publisher information is not available. If only path information is available for a file, the file is skipped because the IgnoreMissingFileInformation parameter is specified, and the file is included in the warning log. If the IgnoreMissingFileInformation parameter is not specified, when file information is missing, the cmdlet exits because it cannot create the specified rule type. After the new AppLocker policy is created, the AppLocker policy of the specified Group Policy object (GPO) is set. The existing AppLocker policy in the specified GPO will be overwritten.
C:\PS>Get-AppLockerFileInformation -EventLog –LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash –User domain\FinanceGroup
-IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=TailspinToys,DC=com"