powershellscripts.com

PowerShell Cmdlet Help for New-AppLockerPolicy



NAME
New-AppLockerPolicy

SYNOPSIS
Creates a new AppLocker policy from a list of file information and other rule-creation options.

SYNTAX
New-AppLockerPolicy [-FileInformation] [-RuleType ] [-RuleNamePrefix ] [-User ] [-Optimize ] [-IgnoreMissingFileInformation ] [-XML ] []


DESCRIPTION
The New-AppLockerPolicy cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use Get-AppLockerFileInformation to create the list of file information.


PARAMETERS
-FileInformation
A file can contain publisher, path, and hash information. Some information may be missing, such as publisher information for an unsigned file.

Required? true
Position? 0
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

-RuleType
Specifies the type of rules to create from the file information. Publisher, path, or hash rules can be created from the file information. Multiple rule types may be specified so that there are backup rule types if the necessary file information is not available. For example, you can specify -RuleType Publisher, Hash so that hash rules are applied when publisher information is not available. Publisher, Hash is the default value.

Required? false
Position? named
Default value Publisher, Hash
Accept pipeline input? false
Accept wildcard characters? false

-RuleNamePrefix
Specifies a name to add as a prefix to each rule that is created.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-User
Defines the user or group that the rules are applied to. You must provide the value in one of the following formats:
DNS user name (domain\username)
User Principal Name (username@domain.com)
SAM user name (username)
Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

Required? false
Position? named
Default value Everyone
Accept pipeline input? false
Accept wildcard characters? false

-Optimize
Instructs similar rules to be grouped together.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-IgnoreMissingFileInformation
Instructs the cmdlet to continue to execute if a rule cannot be created for a file because file information is missing. A warning log of the files skipped is generated.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-XML
Specifies the output of the new AppLocker policy as an XML-formatted string.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS



OUTPUTS
By default, New-AppLockerPolicy returns an AppLockerPolicy object. If you use the XML parameter, it will return the
AppLocker policy as an XML string.


NOTES





-------------------------- EXAMPLE 1 --------------------------

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32


Creates an AppLocker policy containing allow rules for all of the executable files in C:\Windows\System32. The policy contains publisher rules for those files with publisher information and hash rules for those that do not. The rules are prefixed with "System32:" and the rules apply to the Everyone group.





-------------------------- EXAMPLE 2 --------------------------

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -XML


Creates an XML-formatted AppLocker policy for all of the executable files in C:\Windows\System32. The policy contains only path rules, the rules are applied to the Everyone group, and the Optimize parameter indicates that similar rules are grouped together where possible.





-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\FinanceGroup -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=WingTipToys,DC=com"


Creates a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log. All of the rules will be applied to the domain\FinanceGroup group. Publisher rules are created when the publisher information is available, and hash rules are created if the publisher information is not available. If only path information is available for a file, the file is skipped because the IgnoreMissingFileInformation parameter is specified, and the file is included in the warning log. If the IgnoreMissingFileInformation parameter is not specified, when file information is missing, the cmdlet exits because it cannot create the specified rule type. After the new AppLocker policy is created, the AppLocker policy of the specified Group Policy Object (GPO) is set. The existing AppLocker policy in the specified GPO will be overwritten.
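
Example 3 writes the generated rules straight into a GPO and overwrites the policy already there. The following added example (not part of the original help text) stages the same policy as an XML file, counts the rule types produced, tests it with Test-AppLockerPolicy, and only then merges it; $OutFile, $Group, $GpoLdap and $MustRun hold placeholder values, and the use of -WarningVariable assumes skipped files are reported on the warning stream.

```powershell
# Placeholder values (assumptions, replace for your environment).
$OutFile = Join-Path $env:TEMP 'FinanceGroup-AppLocker.xml'
$Group   = 'domain\FinanceGroup'
$GpoLdap = 'LDAP://<domain-controller>/CN={<GPO-GUID>},CN=Policies,CN=System,DC=<domain>,DC=com'
$MustRun = @(                         # files the group must still be able to run
    'C:\Windows\System32\notepad.exe',
    'C:\Windows\System32\cmd.exe'
)

# 1. Read the audited events once so the same input is reviewed and converted.
$files = @(Get-AppLockerFileInformation -EventLog `
            -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited)
"Audited files collected: $($files.Count)"

# 2. Build the policy as XML and save it to disk instead of piping it into a GPO.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User $Group `
        -RuleNamePrefix 'Audit' -IgnoreMissingFileInformation `
        -WarningVariable skipped -Xml
Set-Content -Path $OutFile -Value $xml

# 3. Review what was generated: rules per type, and files that got no rule.
$doc = [xml]$xml
foreach ($type in 'FilePublisherRule', 'FileHashRule', 'FilePathRule') {
    '{0,-18} {1}' -f $type, $doc.SelectNodes("//$type").Count
}
if ($skipped) {
    "Skipped (no publisher or hash information): $($skipped.Count)"
    $skipped | ForEach-Object { "  $_" }
}

# 4. Check the staged policy against files that must keep working.
$blocked = @($MustRun | Test-AppLockerPolicy -XmlPolicy $OutFile -User $Group `
            -Filter Denied, DeniedByDefault)
if ($blocked.Count -gt 0) {
    'Staged policy would block:'
    $blocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    return
}

# 5. Apply only after review. -Merge adds the new rules to the GPO's existing
#    AppLocker policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $OutFile -Ldap $GpoLdap -Merge
```

Without -Merge, step 5 behaves like Example 3 and replaces the GPO's existing AppLocker policy.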






RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=144112
Get-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy
Get-AppLockerFileInformation