
New-AppLockerPolicy



This is the built-in help made by Microsoft for the command 'New-AppLockerPolicy', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a new AppLocker policy from a list of file information and other rule creation options.

SYNTAX


New-AppLockerPolicy [-FileInformation] <List<FileInformation>> [-IgnoreMissingFileInformation] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-Optimize] [-RuleNamePrefix [<String>]] [-RuleType [<List<RuleType>>]] [-ServiceEnforcement [<System.String>]] [-User [<String>]] [-Xml] [<CommonParameters>]




DESCRIPTION


The New-AppLockerPolicy cmdlet uses a list of file information to automatically generate a list of rules for a given user or group. Rules can be generated based on
publisher, hash, or path information.


Run the Get-AppLockerFileInformation cmdlet to create the list of file information.


By default, the output is an AppLockerPolicy object. If the Xml parameter is specified, the output will be the AppLocker policy as an XML-formatted string.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?linkid=287250
Get-AppLockerFileInformation
Get-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy

REMARKS


Examples


EXAMPLE 1

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
1 {Microsoft.Security.ApplicationId.Po... {Exe}



This example creates an AppLocker policy that contains allow rules for all of the executable files in C:\Windows\System32. The policy contains publisher rules for those
files with publisher information and hash rules for those that do not. The rules are prefixed with System32: and the rules apply to the Everyone group.






EXAMPLE 2

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -XML
<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="NotConfigured"><FilePathRule Id="31B2F340-016D-11D2-945F-00C04FB984F9" Name="%SYSTEM32%\*" Description="" UserOrGroupSid="S-1-5-21-3165297888-301567370-576410423-13" Action="Allow"><Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>



This example creates an XML-formatted AppLocker policy for all of the executable files in C:\Windows\System32. The policy contains only path rules, the rules are applied to
the Everyone group, and the Optimize parameter indicates that similar rules are grouped together where possible.






EXAMPLE 3

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\FinanceGroup -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=WingTipToys,DC=com"



This example creates a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log. All of the rules will be applied to the
domain\FinanceGroup group. Publisher rules are created when the publisher information is available, and hash rules are created if the publisher information is not available.
If only path information is available for a file, then the file is skipped because the IgnoreMissingFileInformation parameter is specified, and the file is included in the
warning log. If the IgnoreMissingFileInformation parameter is not specified when file information is missing, then the cmdlet exits because it cannot create the specified
rule type. After the new AppLocker policy is created, the AppLocker policy of the specified Group Policy Object (GPO) is set. The existing AppLocker policy in the specified
GPO will be overwritten.
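
A review-before-apply workflow using this cmdlet together with Test-AppLockerPolicy and Set-AppLockerPolicy from RELATED LINKS. This is an added example, not part of the Microsoft help text; the application directory, group and output file path are placeholder assumptions.

```powershell
# Added example, not part of the Microsoft help text.
# Assumed placeholders: $appDir, $group and $policyFile.
$appDir     = 'C:\Program Files\ContosoApp'   # hypothetical application directory
$group      = 'Everyone'
$policyFile = Join-Path $env:TEMP 'ContosoApp-policy.xml'

# 1. Generate the policy as XML. With -IgnoreMissingFileInformation, files that
#    lack publisher and hash data are skipped and reported as warnings, which
#    -WarningVariable captures in $skipped for review.
$xml = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $group `
        -RuleNamePrefix 'ContosoApp' -IgnoreMissingFileInformation -Optimize `
        -Xml -WarningVariable skipped
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# 2. Summarise the generated rules per collection by XML element name
#    (FilePublisherRule, FileHashRule, FilePathRule). LocalName is used because
#    each rule element also carries a Name attribute.
$doc = [xml]$xml
$summary = $doc.AppLockerPolicy.RuleCollection | ForEach-Object {
    $type = $_.Type
    $_.ChildNodes | Group-Object LocalName | ForEach-Object {
        [pscustomobject]@{ Collection = $type; RuleKind = $_.Name; Count = $_.Count }
    }
}

# 3. Test the saved policy against the same files for the target group.
#    Skipped files match no rule and are reported as DeniedByDefault.
$notAllowed = Get-ChildItem $appDir -Filter *.exe -Recurse | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User $group -Filter Denied, DeniedByDefault

$summary | Format-Table -AutoSize
$notAllowed | Format-Table FilePath, PolicyDecision -AutoSize
"Skipped with warnings: $($skipped.Count); not allowed: $(@($notAllowed).Count)"

# 4. Apply to the local policy only when nothing is left blocked. -Merge adds
#    the rules to the existing policy; without it the existing policy is
#    overwritten, as described for the GPO in EXAMPLE 3.
if (@($notAllowed).Count -eq 0) {
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
}
```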