New-AppLockerPolicy

Creates a new AppLocker policy from a list of file information and other rule-creation options.
New-AppLockerPolicy [-FileInformation*] <FileInformation[]> [-RuleType <RuleType[]>] [-RuleNamePrefix <String>][-User <String>] [-Optimize <Boolean>] [-IgnoreMissingFileInformation <Boolean>] [-XML <Boolean>][<CommonParameters>]

The New-AppLockerPolicy cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use Get-AppLockerFileInformation to create the list of file information.

Parameters
-FileInformation <FileInformation[]>

  • This value is required
  • Accepts pipeline input ByValue

A file can contain publisher, path, and hash information. Some information may be missing, such as publisher information for an unsigned file.

-RuleType <RuleType[]>

  • Default value is Publisher

Specifies the type of rules to create from the file information. Publisher, path, or hash rules can be created from the file information. Multiple rule types may be specified so that there are backup rule types if the necessary file information is not available. For example, you can specify -RuleType Publisher, Hash so that hash rules are applied when publisher information is not available. Publisher, Hash is the default value.

-RuleNamePrefix <String>

Specifies a name to add as a prefix to each rule that is created.

-User <String>

  • Default value is Everyone

Defines the user or group that the rules are applied to. You must provide the value in one of the following formats: DNS user name (domainusername) User Principal Name (username@domain.com) SAM user name (username) Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

-Optimize <Boolean>

Instructs similar rules to be grouped together.

-IgnoreMissingFileInformation <Boolean>

Instructs the cmdlet to continue to execute if a rule cannot be created for a file because file information is missing. A warning log of the files skipped is generated.

-XML <Boolean>

Specifies the output of the new AppLocker policy as an XML-formatted string.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,ErrorAction, ErrorVariable, WarningAction, WarningVariable,OutBuffer, PipelineVariable, and OutVariable.

Outputs

By default, New-AppLockerPolicy returns an AppLockerPolicy object. If you use the XML parameter, it will return

the AppLocker policy as an XML string.

Examples
  1.  
    C:PS> Get-ChildItem C:WindowsSystem32*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
    
       Creates an AppLocker policy containing allow rules for all of the executable files in C:WindowsSystem32. The 
       policy contains publisher rules for those files with publisher information and hash rules for those that do not.  
       The rules are prefixed with "System32:" and the rules apply to the Everyone group.
  2.  
    C:PS> Get-ChildItem C:WindowsSystem32*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -XML
    
       Creates an XML-formatted AppLocker policy for all of the executable files in C:WindowsSystem32. The policy 
       contains only path rules, the rules are applied to the Everyone group, and the Optimize parameter indicates that 
       similar rules are grouped together where possible.
  3.  
    C:PS> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domainFinanceGroup -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Sy
    stem,DC=WingTipToys,DC=com"
    
       Creates a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event 
       log. All of the rules will be applied to the domainFinanceGroup group. Publisher rules are created when the 
       publisher information is available, and hash rules are created if the publisher information is not available. If 
       only path information is available for a file, the file is skipped because the IgnoreMissingFileInformation 
       parameter is specified, and the file is included in the warning log. If the IgnoreMissingFileInformation parameter 
       is not specified, when file information is missing, the cmdlet exits because it cannot create the specified rule 
       type. After the new AppLocker policy is created, the AppLocker policy of the specified Group Policy Object (GPO) 
       is set. The existing AppLocker policy in the specified GPO will be overwritten.
Additional Notes
 
Related Links

Get-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy
Get-AppLockerFileInformation