new-applockerpolicy for single exe

Saksham Garg 1 Reputation point
2021-01-21T15:13:17.977+00:00

Hi

I am trying to create a new Applocker policy for particular executables using Powershell commands. I want to create a Path rule for a particular group. I am following this link: https://learn.microsoft.com/en-us/powershell/module/applocker/new-applockerpolicy?view=win10-ps. Using this link, I am trying to create a Powershell script to create a Deny AppLocker rule for attrib.exe file for all users in "Domain Users".

$Policy = Get-ChildItem C:\Windows\System32\attrib.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User "Domain Users" -Optimize -RuleNamePrefix "Block attrib1"
foreach($RuleCollection in $Policy.RuleCollections)
{
foreach($Rule in $RuleCollection)
{
$Rule.Action = 'Deny'
}
}
$GPO_ID = (Get-GPO -Name "SampleGPO").Id
Set-AppLockerPolicy -PolicyObject $Policy -Ldap "LDAP://cn={$GPO_ID},cn=policies,cn=system,DC=addc,DC=altairone,DC=com"

But when I see the path in the properties of this rule, I see the rule is being created for all the files under %SYSTEM32% as shown in the picture.

59186-deny-rule.png

Can someone guide to create rule just for single file?

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,845 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,400 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,994 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 31,166 Reputation points Microsoft Vendor
    2021-01-22T07:06:08.06+00:00

    Hi,

    You can specify the path by setting the PathConditions property like this

    $Rule.PathConditions.Path.Path="C:\Windows\System32\notepad.exe"  
    

    Best Regards,
    Ian Xue

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.