How to view an Applocker policy enforcement

When you edit an Applocker Group Policy, either a local one or one stored in Active Directory, you can view and configure which rule collections are active and what each of them should do.

Rule collections can be “not configured” or when they are “configured”, they can be set to “enforced” or “audit only”.

I’ve created a function to view the above settings.
Let’s see it in action first:

It can be used without parameters and will display the Effective policy

Get-AppLockerPolicyInfo | ft -AutoSize

You can also use the Local switch to view the local policy configuration:

Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize

It also accepts a policy object sent into the pipeline.
In other words, it can be combined with the built-in Applocker cmdlets:

Get-AppLockerPolicy -Local | 
Get-AppLockerPolicyInfo -Verbose | 
ft -AutoSize

It can be used to view the configuration in an Active Directory based Applocker policy.
In this case, I’ll use the cmdlets from the GroupPolicy module.

$gpo = Get-GPO -All | Out-GridView -OutputMode Single
Get-AppLockerPolicy -Ldap "LDAP://$(($gpo).path)" -Domain | 
Get-AppLockerPolicyInfo | ft -AutoSize

There’s another use for this function.
Using both the Effective and Local switches, it can help you diagnose how enforcement is configured if you have more than a local policy.
Here’s an example when there’s an overlap on Applocker policies:

In the above specific example, we can see the local policy is Enforced with a few rules (probably the default rules) and is stricter than the AD policy, which is set to Audit Only. If we want the local policy to keep applying, an explicit deny can be set so that the computer stops applying the Audit Only GPO.

Here’s the code of this function:

#Requires -Module Applocker
#Requires -PSEdition Desktop
Function Get-AppLockerPolicyInfo {
<#
.SYNOPSIS
    Display the rule collections info: type, enforcement mode, rules count...
.DESCRIPTION
    Get the extended info that applies to rule collections
.PARAMETER Effective
    Switch to get the effective Applocker policy
.PARAMETER Local
    Switch to get the local Applocker policy
.PARAMETER InputObject
    To be used with the pipeline, see examples
.EXAMPLE
    Get-AppLockerPolicyInfo | ft -AutoSize
    Without parameter, it displays rule collections info from the effective policy
.EXAMPLE
    Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize
    Use the 'local' switch to display rule collections info from the local policy
.EXAMPLE
    Get-AppLockerPolicy -Local | Get-AppLockerPolicyInfo -Verbose | ft -AutoSize
    Use the built-in Get-AppLockerPolicy with its local switch and pipe it to
    Get-AppLockerPolicyInfo to display rule collections info
.EXAMPLE
    Get-AppLockerPolicy -Ldap "LDAP://$((Get-GPO -Name 'myGPOName').path)" -Domain |
    Get-AppLockerPolicyInfo | ft -AutoSize
    Use the built-in Get-AppLockerPolicy and Get-GPO cmdlets to read an Applocker policy stored
    in Active Directory and pipe it to Get-AppLockerPolicyInfo to display rule collections info
#>
[CmdletBinding(DefaultParameterSetName='Effective')]
Param(
    [Parameter(ParameterSetName='Effective')]
    [Switch]$Effective,
    [Parameter(ParameterSetName='Local')]
    [switch]$Local,
    [Parameter(ParameterSetName='Piped',ValueFromPipeline)]
    [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]$InputObject
)
Begin {}
Process {
    try {
        # Stop on any read error so the catch block below reports it
        $HT = @{ ErrorAction = 'Stop'}
        Switch ($PSCmdlet.ParameterSetName) {
            Effective {
                $data = Get-AppLockerPolicy -Effective @HT
                Write-Verbose 'Successfully read effective Applocker policy'
            }
            Local {
                $data = Get-AppLockerPolicy -Local @HT
                Write-Verbose 'Successfully read local Applocker policy'
            }
            Piped {
                $data = $InputObject
                Write-Verbose 'Successfully read piped Applocker policy'
            }
            default {}
        }
        if ($data) {
            # One object per rule collection (Exe, Msi, Script, Dll, Appx) with all its properties
            $data.RuleCollections | Select-Object -Property *
        }
    } catch {
        Write-Warning -Message "Failed to get Applocker extended info because $($_.Exception.Message)"
    }
}
End {}
}
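To turn the Effective-versus-Local diagnosis described above into a single table, here is an added helper (my own example, not part of the original post) that lines up the enforcement mode and rule count of each rule collection in the local policy against the effective (merged) policy and flags the collections whose mode changes once domain policies are applied. It assumes the Applocker module is available; the function name Compare-AppLockerEnforcement and its parameters are my own.

```powershell
#Requires -Module Applocker
Function Compare-AppLockerEnforcement {
    [CmdletBinding()]
    Param(
        # Defaults read the live policies; pass policy objects to compare saved copies instead
        [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]
        $LocalPolicy = (Get-AppLockerPolicy -Local -ErrorAction Stop),
        [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]
        $EffectivePolicy = (Get-AppLockerPolicy -Effective -ErrorAction Stop)
    )
    # Index each policy's rule collections by type (Exe, Msi, Script, Dll, Appx)
    $local = @{}
    foreach ($c in $LocalPolicy.RuleCollections) { $local[[string]$c.RuleCollectionType] = $c }
    $effective = @{}
    foreach ($c in $EffectivePolicy.RuleCollections) { $effective[[string]$c.RuleCollectionType] = $c }

    # Union of the collection types present on either side
    $types = @($local.Keys) + @($effective.Keys) | Sort-Object -Unique
    foreach ($t in $types) {
        $l = $local[$t]
        $e = $effective[$t]
        # A collection absent from a policy behaves as "not configured"
        $localMode  = if ($l) { [string]$l.EnforcementMode } else { 'NotConfigured' }
        $effMode    = if ($e) { [string]$e.EnforcementMode } else { 'NotConfigured' }
        $localCount = if ($l) { $l.Count } else { 0 }
        $effCount   = if ($e) { $e.Count } else { 0 }
        [PSCustomObject]@{
            RuleCollectionType = $t
            LocalMode          = $localMode      # Enabled = "Enforced" in the GUI
            LocalRuleCount     = $localCount
            EffectiveMode      = $effMode
            EffectiveRuleCount = $effCount
            # True when merging the domain GPOs changed what this collection does
            ChangedByGPO       = ($localMode -ne $effMode)
        }
    }
}

# Usage: highlight only the collections where a GPO altered the local enforcement
Compare-AppLockerEnforcement | Where-Object ChangedByGPO | Format-Table -AutoSize
```

A row with LocalMode Enabled and EffectiveMode AuditOnly is exactly the overlap case discussed above, where the Audit Only GPO relaxes an enforced local collection.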
