#Requires -RunAsAdministrator
#Requires -Version 3.0
#Requires -PSEdition Desktop
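Function Remove-LocalApplockerPolicyRule {
<#
.SYNOPSIS
    Removes one rule, selected by collection type and rule name, from the local AppLocker policy.
.DESCRIPTION
    The local policy is read as XML while the dynamic -Rule parameter is being built, so
    validation and tab completion of -Rule reflect the rules present in the selected
    collection at bind time. The matching rule node is removed from that XML document and
    the whole document is written back with Set-AppLockerPolicy (no -Merge: the edited
    document replaces the current local policy). The write is guarded by ShouldProcess
    with ConfirmImpact 'High', so -WhatIf / -Confirm apply.
.PARAMETER Type
    Rule collection to search: Exe, Script, Msi, Appx or Dll.
.PARAMETER Rule
    Dynamic parameter. Name of the rule to remove. Its ValidateSet is populated from the
    names found in the selected collection when the command was bound.
.EXAMPLE
    Remove-LocalApplockerPolicyRule -Type Exe -Rule '(Default Rule) All files' -WhatIf
.NOTES
    Needs an elevated session (#Requires -RunAsAdministrator). A Group Policy refresh is
    still required before the removed rule stops being enforced. AppLocker rule names are
    not unique (the rule Id is), so when several rules in the collection share the
    requested name the function refuses to remove any of them rather than guessing.
    The XML captured at bind time is what gets written back; any change made to the local
    policy between binding and the Process block would be overwritten.
#>
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
Param(
    [ValidateSet('Exe','Script','Msi','Appx','Dll')]
    [Parameter(Mandatory)]
    [String]$Type
)
DynamicParam {
    $Dictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary

    #region helper function
    # Builds the attribute collection a RuntimeDefinedParameter needs: one ParameterAttribute
    # configured from the switches, plus an optional Validate<Type>Attribute constructed
    # from -ValidationContent when both -ValidateType and -ValidationContent are supplied.
    Function New-ParameterAttributCollection {
    [CmdletBinding()]
    Param(
        [Switch]$Mandatory,
        [Switch]$ValueFromPipeline,
        [Switch]$ValueFromPipelineByPropertyName,
        [String]$ParameterSetName,
        [Parameter()]
        [ValidateSet(
            'Arguments','Count','Drive','EnumeratedArguments','Length','NotNull',
            'NotNullOrEmpty','Pattern','Range','Script','Set','UserDrive'
        )][string]$ValidateType,
        [Parameter()]
        $ValidationContent
    )
    Process {
        $c = New-Object System.Collections.ObjectModel.Collection[System.Attribute]
        $a = New-Object System.Management.Automation.ParameterAttribute
        if ($Mandatory) {
            $a.Mandatory = $true
        }
        if ($ValueFromPipeline) {
            $a.ValueFromPipeline = $true
        }
        if ($ValueFromPipelineByPropertyName) {
            $a.ValueFromPipelineByPropertyName = $true
        }
        if ($ParameterSetName) {
            $a.ParameterSetName = $ParameterSetName
        }
        $c.Add($a)
        # An empty/null -ValidationContent (no rules in the collection) yields no validation
        # attribute at all; the caller is expected to handle an unconstrained value later.
        if ($ValidateType -and $ValidationContent) {
            # A bad content shape makes the Validate*Attribute constructor throw; that error
            # is left to surface unchanged.
            $c.Add((New-Object "System.Management.Automation.Validate$($ValidateType)Attribute"(
                $ValidationContent
            )))
        }
        $c
    }
    }
    #endregion

    try {
        $LocalApplockerPolicyXml = [xml](Get-AppLockerPolicy -Local -Xml -ErrorAction Stop)
    } catch {
        Throw 'Failed to read the local Applocker policy into XML'
    }

    #region param Rule
    # -Type is restricted by its ValidateSet before it reaches this XPath, which is what keeps
    # the string-built query safe; revisit this if that set is ever widened. At completion
    # time -Type may not be bound yet, in which case no collection matches and the list is empty.
    $RuleNames = @(
        $LocalApplockerPolicyXml.SelectNodes("/AppLockerPolicy/RuleCollection[@Type='$($PSBoundParameters['Type'])']").ChildNodes |
        ForEach-Object { $_.Name }
    )
    $Dictionary.Add(
        'Rule',
        (New-Object System.Management.Automation.RuntimeDefinedParameter(
            'Rule',
            [string],
            (New-ParameterAttributCollection -Mandatory -ValidateType Set -ValidationContent $RuleNames)
        ))
    )
    #endregion
    $Dictionary
}
Process {
    # -Rule is dynamic, so it is only reachable through $PSBoundParameters.
    $RuleName = $PSBoundParameters['Rule']
    Write-Verbose -Message "Dealing with Rule Collection type: $Type"
    Write-Verbose -Message "Dealing with Rule Name: $RuleName"

    # SelectSingleNode gives the RuleCollection element itself, so RemoveChild below is
    # called on an XmlNode rather than through member enumeration over an XmlNodeList.
    $Collection = $LocalApplockerPolicyXml.SelectSingleNode("/AppLockerPolicy/RuleCollection[@Type='$Type']")
    if ($null -eq $Collection) {
        Throw "No '$Type' rule collection exists in the local Applocker policy"
    }

    # The name is compared with -eq here, never spliced into XPath. Names are not unique in
    # AppLocker, so 0, 1 or several nodes may match; only exactly one is acceptable.
    $Candidates = @($Collection.ChildNodes | Where-Object { $_.Name -eq $RuleName })
    if ($Candidates.Count -eq 0) {
        Throw "No rule named '$RuleName' was found in the '$Type' rule collection"
    }
    if ($Candidates.Count -gt 1) {
        Throw "$($Candidates.Count) rules named '$RuleName' exist in the '$Type' rule collection; refusing to pick one by name"
    }
    $n = $Candidates[0]

    if ($PSCmdlet.ShouldProcess("$($n.OuterXml)", 'Remove rule')) {
        try {
            # Remove rule from xml
            $null = $Collection.RemoveChild($n)
            # Re-apply/import all rules except the removed rule. Deliberately no -Merge: the
            # edited document replaces the current local policy wholesale.
            [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]::FromXml($LocalApplockerPolicyXml.OuterXml) |
            Set-AppLockerPolicy -ErrorAction Stop
            Write-Verbose -Message 'Successfully removed rule, a group policies refresh is required to see the impact of the removed rule'
        } catch {
            Throw "Something went wrong while trying to remove the applocker rule: $($_.Exception.Message)"
        }
    }
}
} # endof Remove-LocalApplockerPolicyRule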
# Expose only the public command; this file is intended to be loaded as a module.
Export-ModuleMember -Function Remove-LocalApplockerPolicyRule