Tags: powershell, group-policy, gpo, applocker

How to Create Deny rules for AppLocker using PowerShell


When using a command such as

ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User everyone -xml -optimize

I always see it emit "Allow" rules. How can I generate a "Deny" rule (i.e. Action="Deny") in the XML that gets generated? The MSDN documentation does not say anything about having a deny option. Is XML fiddling the only way?


Solution

  • You could modify the Policy rule objects that New-AppLockerPolicy returns before calling Set-AppLockerPolicy:

    # Build the policy object (no -Xml, so we get an AppLockerPolicy, not a string)
    $Policy = ls 'C:\Program Files\*.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize
    # Each RuleCollection (Exe, Dll, Script, ...) is enumerable; every rule has an Action property
    foreach($RuleCollection in $Policy.RuleCollections)
    {
        foreach($Rule in $RuleCollection)
        {
            # Flip the generated Allow rule to Deny; the string is converted to the RuleAction enum
            $Rule.Action = 'Deny'
        }
    }
    # Only now write the modified policy to the target GPO
    Set-AppLockerPolicy -PolicyObject $Policy -Ldap "<DN to target policy>"
    

    In PowerShell 4.0 and newer, you can use the ForEach({}) extension method as well:

    $Policy = ... | New-AppLockerPolicy
    $Policy.RuleCollections.ForEach({ $_.ForEach({ $_.Action = 'Deny' }) })
    Set-AppLockerPolicy -PolicyObject $Policy -Ldap ...
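As an added example (not part of the original answer), here is the surrounding workflow a practitioner would want around that one-line Action change: a Deny rule is an exception to an Allow baseline, so it is built as a separate policy, checked before it touches any GPO, and then merged on top rather than replacing the baseline. It also uses Publisher/Hash rules for the deny instead of Path, because a path-based Deny only blocks execution from that location and the same binary copied elsewhere would not be matched. The file C:\Program Files\Contoso\tool.exe and the LDAP path of the GPO are placeholders you need to replace; everything else is the AppLocker module's own cmdlets and the ToXml() method of the AppLockerPolicy object.

```powershell
# Added example, not from the original answer. Assumes an elevated session on
# Windows 8 / Server 2012 or later with the AppLocker module, that
# C:\Program Files\Contoso\tool.exe exists (placeholder name), and that $gpo
# below is replaced with the LDAP path of a real GPO.
Import-Module AppLocker

# 1. Baseline: Allow rules for everything under Program Files, by path.
#    Without an Allow baseline, a collection that contains only Deny rules
#    still blocks everything else once enforced, which is rarely intended.
$allowPolicy = Get-ChildItem 'C:\Program Files\*.exe' |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Path -User Everyone -Optimize

# 2. Build the rule to deny with the same cmdlet, then flip Action.
#    Publisher (with Hash as fallback for unsigned files) is used instead of
#    Path so the Deny follows the binary wherever it is copied.
$denyPolicy = Get-AppLockerFileInformation -Path 'C:\Program Files\Contoso\tool.exe' |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone

foreach ($collection in $denyPolicy.RuleCollections) {
    foreach ($rule in $collection) {
        $rule.Action = 'Deny'
    }
}

# 3. Sanity checks before touching any GPO: the serialized policy must contain
#    no Allow rules, and the policy engine must actually deny the file.
$xml = $denyPolicy.ToXml()
if ($xml -match 'Action="Allow"' -or $xml -notmatch 'Action="Deny"') {
    throw 'Deny policy still contains Allow rules'
}
$decision = Test-AppLockerPolicy -PolicyObject $denyPolicy `
    -Path 'C:\Program Files\Contoso\tool.exe' -User Everyone
if ($decision.PolicyDecision -ne 'Denied') {
    throw "Expected Denied, got $($decision.PolicyDecision)"
}

# 4. Keep a reviewable copy of the XML, then apply: the Allow baseline first,
#    and the Deny rules merged on top so they extend rather than replace it.
$xml | Out-File -FilePath "$env:TEMP\deny-tool.xml" -Encoding utf8
$gpo = '<LDAP path of the target GPO, e.g. LDAP://server/CN={GUID},CN=Policies,CN=System,DC=...>'
Set-AppLockerPolicy -PolicyObject $allowPolicy -Ldap $gpo
Set-AppLockerPolicy -PolicyObject $denyPolicy  -Ldap $gpo -Merge
```

Running Test-AppLockerPolicy against the in-memory object costs nothing and catches the common mistake of applying a policy whose rules were never flipped; run it again with -PolicyObject $allowPolicy (or against the effective policy with Get-AppLockerPolicy -Effective) on a few binaries you expect to keep working before enabling enforcement in the GPO.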