Last active
November 9, 2023 13:05
-
-
Save FrankSpierings/ab67d28e858c5003fca4d259cb8a5c2d to your computer and use it in GitHub Desktop.
AppLocker On Windows 10 Pro
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Requires system privileges! | |
| # Thank you: https://github.com/sandytsang/MSIntune/blob/master/Intune-PowerShell/AppLocker/Delete-AppLockerEXE.ps1 | |
| $path = "<PATH TO APPLOCKER XML'S>" | |
| $xmls = (ls -filter '*.xml' $path |% {$_.FullName}) | |
| $Appx, $Dll, $Exe, $Msi, $Script = $null | |
| $xmls |% { | |
| $filename = $_ | |
| [xml]$xml = (gc $filename) | |
| # Appx | |
| $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Appx' -and $_.EnforcementMode -match 'Enabled'} |% { | |
| $node = $_; | |
| if (-not $Appx) { | |
| $merge = New-Object XML | |
| $importnode = $merge.ImportNode($node, $true) | |
| $merge.AppendChild($importnode) | Out-Null | |
| $Appx = $merge | |
| } else { | |
| $node.ChildNodes |% { | |
| $child = $_ | |
| $importnode = $Appx.ImportNode($child, $true) | |
| $Appx.DocumentElement.AppendChild($importnode) | Out-Null | |
| } | |
| } | |
| } | |
| # DLL | |
| $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Dll' -and $_.EnforcementMode -match 'Enabled'} |% { | |
| $node = $_; | |
| if (-not $Dll) { | |
| $merge = New-Object XML | |
| $importnode = $merge.ImportNode($node, $true) | |
| $merge.AppendChild($importnode) | Out-Null | |
| $Dll = $merge | |
| } else { | |
| $node.ChildNodes |% { | |
| $child = $_ | |
| $importnode = $Dll.ImportNode($child, $true) | |
| $Dll.DocumentElement.AppendChild($importnode) | Out-Null | |
| } | |
| } | |
| } | |
| # Exe | |
| $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Exe' -and $_.EnforcementMode -match 'Enabled'} |% { | |
| $node = $_; | |
| if (-not $Exe) { | |
| $merge = New-Object XML | |
| $importnode = $merge.ImportNode($node, $true) | |
| $merge.AppendChild($importnode) | Out-Null | |
| $Exe = $merge | |
| } else { | |
| $node.ChildNodes |% { | |
| $child = $_ | |
| $importnode = $Exe.ImportNode($child, $true) | |
| $Exe.DocumentElement.AppendChild($importnode) | Out-Null | |
| } | |
| } | |
| } | |
| # Msi | |
| $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Msi' -and $_.EnforcementMode -match 'Enabled'} |% { | |
| $node = $_; | |
| if (-not $Msi) { | |
| $merge = New-Object XML | |
| $importnode = $merge.ImportNode($node, $true) | |
| $merge.AppendChild($importnode) | Out-Null | |
| $Msi = $merge | |
| } else { | |
| $node.ChildNodes |% { | |
| $child = $_ | |
| $importnode = $Msi.ImportNode($child, $true) | |
| $Msi.DocumentElement.AppendChild($importnode) | Out-Null | |
| } | |
| } | |
| } | |
| # Script | |
| $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Script' -and $_.EnforcementMode -match 'Enabled'} |% { | |
| $node = $_; | |
| if (-not $Script) { | |
| $merge = New-Object XML | |
| $importnode = $merge.ImportNode($node, $true) | |
| $merge.AppendChild($importnode) | Out-Null | |
| $Script = $merge | |
| } else { | |
| $node.ChildNodes |% { | |
| $child = $_ | |
| $importnode = $Script.ImportNode($child, $true) | |
| $Script.DocumentElement.AppendChild($importnode) | Out-Null | |
| } | |
| } | |
| } | |
| } | |
| Add-Type -AssemblyName System.Web | |
| $GroupName = "AppLocker001" | |
| $namespaceName = "root\cimv2\mdm\dmmap" #Do not change this | |
| $parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName" | |
| # Appx | |
| $className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03" #Do not change this | |
| $obj = [System.Net.WebUtility]::HtmlEncode($Appx.InnerXml) | |
| Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='STOREAPPS'" | Remove-CimInstance | |
| New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="STOREAPPS";Policy=$obj} | |
| # Dll | |
| $className = "MDM_AppLocker_DLL03" #Do not change this | |
| $obj = [System.Net.WebUtility]::HtmlEncode($Dll.InnerXml) | |
| Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance | |
| New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj} | |
| # Exe | |
| $className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this | |
| $obj = [System.Net.WebUtility]::HtmlEncode($Exe.InnerXml) | |
| Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance | |
| New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj} | |
| # Msi | |
| $className = "MDM_AppLocker_MSI03" #Do not change this | |
| $obj = [System.Net.WebUtility]::HtmlEncode($Msi.InnerXml) | |
| Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance | |
| New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj} | |
| # Script | |
| $className = "MDM_AppLocker_Script03" #Do not change this | |
| $obj = [System.Net.WebUtility]::HtmlEncode($Script.InnerXml) | |
| Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='SCRIPT'" | Remove-CimInstance | |
| New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="SCRIPT";Policy=$obj} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment