When you edit an AppLocker Group Policy, either a local one or one stored in Active Directory, you can view and configure which rule collections are configured and how they are enforced.
A rule collection can be "not configured" or, when it is "configured", it can be set to "enforced" or "audit only".
I’ve created a function to view the above settings.
Let’s see it in action first:
It can be used without parameters and will display the effective policy:
Get-AppLockerPolicyInfo | ft -AutoSize
You can also use the Local switch to view the local policy configuration:
Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize
It also accepts a policy object from the pipeline, so it can be combined with the built-in AppLocker cmdlets:
Get-AppLockerPolicy -Local | Get-AppLockerPolicyInfo -Verbose | ft -AutoSize
It can also be used to view the configuration of an Active Directory-based AppLocker policy.
In this case, I'll use the cmdlets from the GroupPolicy module:
$gpo = Get-GPO -All | Out-GridView -OutputMode Single
Get-AppLockerPolicy -Ldap "LDAP://$(($gpo).path)" -Domain | Get-AppLockerPolicyInfo | ft -AutoSize
There's another use for this function.
By running it once with the Effective switch and once with the Local switch, you can diagnose how enforcement ends up configured when more than the local policy applies.
Here's an example where AppLocker policies overlap:
In this specific example, we can see that the local policy is Enforced with a few rules (probably the default rules) and is stricter than the AD policy, which is set to Audit Only. If we want the local policy to keep applying, an explicit deny can be set so that the computer stops applying the Audit Only GPO.
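The comparison described above, as an added example that is not part of the original post: it reads the local and the effective policy with the built-in Get-AppLockerPolicy cmdlet and reports, per rule collection, where a GPO changed the enforcement mode or the rule count. The function name Compare-AppLockerEnforcement is chosen here; the RuleCollectionType, EnforcementMode and Count members used are assumed from the AppLocker policy object model.

```powershell
#Requires -Module AppLocker
Function Compare-AppLockerEnforcement {
    # Added example: compare local vs effective AppLocker enforcement per rule collection.
    # Assumes the AppLocker module and its policy object model (RuleCollections with
    # RuleCollectionType, EnforcementMode and Count).
    [CmdletBinding()]
    Param()
    $localPolicy     = Get-AppLockerPolicy -Local -ErrorAction Stop
    $effectivePolicy = Get-AppLockerPolicy -Effective -ErrorAction Stop

    # Index each policy's collections by type (Exe, Msi, Script, Dll, Appx)
    $localByType = @{}
    foreach ($c in $localPolicy.RuleCollections) { $localByType[[string]$c.RuleCollectionType] = $c }
    $effByType = @{}
    foreach ($c in $effectivePolicy.RuleCollections) { $effByType[[string]$c.RuleCollectionType] = $c }

    $types = @($localByType.Keys) + @($effByType.Keys) | Sort-Object -Unique
    foreach ($t in $types) {
        $l = $localByType[$t]
        $e = $effByType[$t]
        # A collection absent from a policy is "not configured" with zero rules
        $lMode  = if ($l) { [string]$l.EnforcementMode } else { 'NotConfigured' }
        $eMode  = if ($e) { [string]$e.EnforcementMode } else { 'NotConfigured' }
        $lCount = if ($l) { [int]$l.Count } else { 0 }
        $eCount = if ($e) { [int]$e.Count } else { 0 }
        [PSCustomObject]@{
            RuleCollectionType = $t
            LocalMode          = $lMode
            LocalRules         = $lCount
            EffectiveMode      = $eMode
            EffectiveRules     = $eCount
            # True when a domain policy merged into or overrode the local collection
            DiffersFromLocal   = ($lMode -ne $eMode) -or ($lCount -ne $eCount)
        }
    }
}
Compare-AppLockerEnforcement | Format-Table -AutoSize
```

Rows with DiffersFromLocal set to True are the collections to look at when, as in the example above, an Audit Only GPO is weakening a local Enforced collection.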
Here’s the code of this function:
#Requires -Module Applocker
#Requires -PSEdition Desktop
Function Get-AppLockerPolicyInfo {
<#
.SYNOPSIS
    Display the rule collections info: type, enforcement mode, rules count...
.DESCRIPTION
    Get the extended info that applies to rule collections
.PARAMETER Effective
    Switch to get the effective Applocker policy
.PARAMETER Local
    Switch to get the local Applocker policy
.PARAMETER InputObject
    To be used with the pipeline, see examples
.EXAMPLE
    Get-AppLockerPolicyInfo | ft -AutoSize
    Without parameter, it displays rule collections info from the effective policy
.EXAMPLE
    Get-AppLockerPolicyInfo -Local | Format-Table -AutoSize
    Use the 'local' switch to display rule collections info from the local policy
.EXAMPLE
    Get-AppLockerPolicy -Local | Get-AppLockerPolicyInfo -Verbose | ft -AutoSize
    Use the built-in Get-AppLockerPolicy with its local switch and pipe it to
    Get-AppLockerPolicyInfo to display rule collections info
.EXAMPLE
    Get-AppLockerPolicy -Ldap "LDAP://$((Get-GPO -Name 'myGPOName').path)" -Domain |
    Get-AppLockerPolicyInfo | ft -AutoSize
    Use the built-in Get-AppLockerPolicy and Get-GPO cmdlets to read an Applocker policy stored
    in Active Directory and pipe it to Get-AppLockerPolicyInfo to display rule collections info
#>
[CmdletBinding(DefaultParameterSetName='Effective')]
Param(
    [Parameter(ParameterSetName='Effective')]
    [Switch]$Effective,
    [Parameter(ParameterSetName='Local')]
    [switch]$Local,
    [Parameter(ParameterSetName='Piped',ValueFromPipeline)]
    [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy]$InputObject
)
Begin {}
Process {
    try {
        # Stop on any error so the catch block below reports it
        $HT = @{ ErrorAction = 'Stop'}
        # The parameter set tells us where the policy comes from
        Switch ($PSCmdlet.ParameterSetName) {
            Effective {
                $data = Get-AppLockerPolicy -Effective @HT
                Write-Verbose 'Successfully read effective Applocker policy'
            }
            Local {
                $data = Get-AppLockerPolicy -Local @HT
                Write-Verbose 'Successfully read local Applocker policy'
            }
            Piped {
                $data = $InputObject
                Write-Verbose 'Successfully read piped Applocker policy'
            }
            default {}
        }
        if ($data) {
            # Expand every property of each rule collection (type, enforcement mode, rule count...)
            $data.RuleCollections | Select-Object -Property *
        }
    } catch {
        Write-Warning -Message "Failed to get Applocker extended info because $($_.Exception.Message)"
    }
}
End {}
}