new-applockerpolicy for single exe

Question

Hi

I am trying to create a new Applocker policy for particular executables using Powershell commands. I want to create a Path rule for a particular group. I am following this link: https://learn.microsoft.com/en-us/powershell/module/applocker/new-applockerpolicy?view=win10-ps. Using this link, I am trying to create a Powershell script to create a Deny AppLocker rule for attrib.exe file for all users in "Domain Users".

$Policy = Get-ChildItem C:\Windows\System32\attrib.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User "Domain Users" -Optimize -RuleNamePrefix "Block attrib1"
foreach($RuleCollection in $Policy.RuleCollections)
{
foreach($Rule in $RuleCollection)
{
$Rule.Action = 'Deny'
}
}
$GPO_ID = (Get-GPO -Name "SampleGPO").Id
Set-AppLockerPolicy -PolicyObject $Policy -Ldap "LDAP://cn={$GPO_ID},cn=policies,cn=system,DC=addc,DC=altairone,DC=com"

But when I see the path in the properties of this rule, I see the rule is being created for all the files under %SYSTEM32% as shown in the picture.

Can someone guide to create rule just for single file?

Answer 1

Hi,

You can specify the path by setting the PathConditions property like this

$Rule.PathConditions.Path.Path="C:\Windows\System32\notepad.exe"  

Best Regards，
Ian Xue

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.