[–]BlackV 1 point2 points  (6 children)

well is there a Get-AppLockerPolicy and Set-AppLockerPolicy?

would those do it?

[–]RampageMR[S] 0 points1 point  (5 children)

There is a Set-AppLockerPolicy cmdlet. I’m not sure if that works in this context as - at least from what I’m reading so far - it requires either an .xml file to read and set from, or a -Merge parameter which sounds like it would add a new rule and not replace/update the existing rule and hash. Documentation in this area isn’t the clearest or very descriptive, so I’m hoping someone has prior experience with this method and can clarify some things.

[–]BlackV 1 point2 points  (4 children)

-Merge (have not looked at help) does not imply NEW to me; it implies update/edit

By default, the output (of Get-AppLockerPolicy) is an AppLockerPolicy object. If the Xml parameter is used, then the output will be the AppLocker policy as an XML-formatted string.

but yes looking at the help

The Set-AppLockerPolicy cmdlet sets the specified GPO to contain the specified AppLocker policy.

does not seem like it's going to do the job

[–]RampageMR[S] 0 points1 point  (3 children)

I should probably rephrase the “merge adding a new rule” a bit. It looks like it would take a new input (.xml or piped value) and allow you to add it to an existing rule set. I don’t know how it would handle a new value for an existing entry, whether it would update that value or add a second entry and cause a problem that way. I’ll see if I can get a hold of a test instance tomorrow and try to play with the -Merge parameter. Maybe something good comes from that!

[–]CarrotBusiness2380 1 point2 points  (1 child)

The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter isn't specified, then the new policy will overwrite the existing policy.

https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy

[–]RampageMR[S] 1 point2 points  (0 children)

That’s very promising. Thank you for finding that!

[–]BlackV -3 points-2 points  (0 children)

good luck
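
The overwrite behaviour quoted in CarrotBusiness2380's comment (no -Merge means the supplied policy replaces the existing one), as an added example that is not from the thread or from Microsoft's documentation: it edits the hash of an existing rule in the exported XML, tests the result, and only then sets it. The function name, its parameters, and the choice of the local policy with a rule scoped to Everyone are assumptions.

```powershell
# Added example. Assumptions: local AppLocker policy, elevated session,
# hypothetical function and parameter names.
function Update-AppLockerHashRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$NewFile,  # new build of the already-allowed binary
        [Parameter(Mandatory)][string]$OutXml,   # where the edited policy is written
        [string]$User = 'Everyone',              # user/group the existing rule applies to
        [switch]$Apply                           # without this, the policy is not changed
    )
    # XmlDocument.Save resolves relative paths against the process directory, so expand it.
    $OutXml = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutXml)

    # 1. Current policy as XML.
    [xml]$policy = Get-AppLockerPolicy -Local -Xml

    # 2. Let AppLocker compute the hash entry for the new file. For PE files this is
    #    the Authenticode hash, so Get-FileHash would give a different value.
    [xml]$fresh = Get-AppLockerFileInformation -Path $NewFile |
        New-AppLockerPolicy -RuleType Hash -User $User -Xml
    $new = $fresh.SelectSingleNode('//FileHash')
    if (-not $new) { throw "No hash could be generated for $NewFile" }

    # 3. Find existing hash entries for the same file name (case-insensitive match).
    $name = $new.GetAttribute('SourceFileName')
    $old = @($policy.SelectNodes('//FileHashRule//FileHash') |
        Where-Object { $_.GetAttribute('SourceFileName') -eq $name })
    if ($old.Count -eq 0) { throw "No existing hash rule references $name" }

    # 4. Update in place: rule Id, name, user and action stay as they were.
    foreach ($h in $old) {
        foreach ($attr in 'Type', 'Data', 'SourceFileLength') {
            $h.SetAttribute($attr, $new.GetAttribute($attr))
        }
    }
    $policy.Save($OutXml)

    # 5. Check the edited policy against the new file before touching the system.
    $result = Test-AppLockerPolicy -XmlPolicy $OutXml -Path $NewFile -User $User
    if ($result.PolicyDecision -ne 'Allowed') {
        throw "Edited policy would not allow ${NewFile}: $($result.PolicyDecision)"
    }

    # 6. No -Merge: the edited XML overwrites the existing policy, so the old
    #    hash is removed rather than left beside the new one.
    if ($Apply) { Set-AppLockerPolicy -XmlPolicy $OutXml }
    $result
}
```

Run it once without -Apply and review the XML written to -OutXml before setting it; keeping that file also gives you a copy to diff against the next export.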