There are 3 main actions in this menu when you edit the local AppLocker policy. You can Import, Export and Clear a policy.
Let’s see how one can clear a local AppLocker policy.
If you use Windows PowerShell, you can directly access the built-in AppLocker module.
In this case, you can use the following shortcut:
$null | New-AppLockerPolicy -User EveryOne -EA 0 | Set-AppLockerPolicy -Verbose
NB: EA is the Alias of ErrorAction and 0 means SilentlyContinue.
It’s required to avoid displaying a message saying:
New-AppLockerPolicy : Cannot validate argument on parameter ‘FileInformation’. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
Even though an error is thrown, a Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy object is still created and sent to the output stream.
Unfortunately, the same shortcut cannot be used within PowerShell 7.0.1 (current latest version).
You need the following 2 steps:
# step 1: write an empty policy to a file
$null | New-AppLockerPolicy -User EveryOne -EA 0 -Xml | Out-File ~/Documents/empty.xml
# step 2: import that file
Set-AppLockerPolicy ~/Documents/empty.xml
NB: Notice the addition of the -XML switch in the first step.
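A more careful variant of the two steps above, as an added example that is not code from the original post: it saves the current local policy before clearing it and then checks that no rule is left. The function name, the backup folder and the file names are assumptions made for this illustration. It only exchanges XML strings and files with the AppLocker cmdlets, like the two steps above.

```powershell
# Added example. Run from an elevated session. The function name, $BackupDir
# and the file names are assumptions made for this illustration.
function Clear-LocalAppLockerPolicyWithBackup {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Documents')
    )

    Import-Module AppLocker -ErrorAction Stop

    # Count the rule elements found in an AppLocker policy XML string.
    function Measure-Rule([string]$PolicyXml) {
        $doc = [xml]$PolicyXml
        $doc.SelectNodes('//FilePathRule | //FilePublisherRule | //FileHashRule').Count
    }

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "applocker-local-$stamp.xml"
    $empty  = Join-Path $BackupDir 'applocker-empty.xml'

    # 1. Save the current local policy first, so the change can be undone.
    $before = [string](Get-AppLockerPolicy -Local -Xml)
    $before | Out-File -FilePath $backup

    if (-not $PSCmdlet.ShouldProcess('local AppLocker policy', 'Clear all rules')) {
        return
    }

    # 2. Same two steps as above: write an empty policy, then import it.
    $null | New-AppLockerPolicy -User Everyone -EA 0 -Xml | Out-File -FilePath $empty
    Set-AppLockerPolicy -XmlPolicy $empty

    # 3. Re-read the local policy and report how many rules remain.
    $after = [string](Get-AppLockerPolicy -Local -Xml)
    [pscustomobject]@{
        BackupFile  = $backup
        RulesBefore = Measure-Rule $before
        RulesAfter  = Measure-Rule $after
    }
}

$result = Clear-LocalAppLockerPolicyWithBackup
if ($result -and $result.RulesAfter -ne 0) {
    Write-Warning "Local policy still contains $($result.RulesAfter) rule(s)."
}
# To roll back: Set-AppLockerPolicy -XmlPolicy $result.BackupFile
```

Calling the function with -WhatIf shows what would be cleared without changing the policy.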
Here’s another approach for Windows PowerShell. It resembles the example provided by Microsoft, named delete-an-applocker-rule, which actually tells you how to clear *all* the rules.
The following example doesn’t write a file to disk and directly clears the local AppLocker policy
NB: Notice the first call at line 11 to a built-in command from the AppLocker module. It’s used to avoid this error message: Unable to find type [Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy].
If that first call at line 11 is missing, when you do the following, you get:
Weird, isn’t it? If you have an explanation, please add a comment 🙂