FurkanAykut-8542 asked

Remove specific AppLocker rule by name with PowerShell

Hello,
I am trying to remove the default AppLocker rules from the local policy with PowerShell.
When support teams create an AppLocker rule locally, they select Yes for adding the default rules.
Is there any way to delete these policy rules with PowerShell? I only want to delete these rules, not clear all AppLocker rules.


In the AppLocker XML file they are shown as below.

    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%PROGRAMFILES%*" />
  </Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%WINDIR%*" />
  </Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

Tags: windows-server-powershell, windows-10-security

Reza-Ameri answered

Take a look at:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule
You may configure the XML to remove the policy (or set it as Not Configured) for the one you are looking for.


FurkanAykut-8542 answered

Thank you for the quick answer, Reza. I have already read the documents. But I have more than 10000+ clients in my domain, and some of them have local AppLocker rules. These AppLocker rules must stay. I just want to delete the ones that come from the default rules when making a new AppLocker rule.

I couldn't filter these default AppLocker rules. If I don't have a choice, I will try to compare the XML files that are on my clients' computers with one that has these default rules. But I don't think it is best practice.

To help you understand me better, I am sharing an example of the local default policies.

[Image: capture.png]
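
An added example, not part of the original thread or of Microsoft's documentation: one way to drop only the rules whose name starts with "(Default Rule)" while leaving every other local rule in place, using the Get-AppLockerPolicy and Set-AppLockerPolicy cmdlets. The function name Remove-DefaultAppLockerRule, the sample policy and the C:\Temp paths are assumptions made for illustration.

```powershell
# Added example (not from the thread). Removes rules whose Name starts with
# "(Default Rule)" from an AppLocker policy XML and reports what was removed.
function Remove-DefaultAppLockerRule {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $PolicyXml,
        [string] $NamePrefix = '(Default Rule)'   # prefix seen in the question's XML
    )
    $doc = [xml]$PolicyXml
    $removed = foreach ($collection in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        # Materialise the matches first so the node list is not modified while enumerating.
        $hits = @($collection.SelectNodes('*') | Where-Object {
            $_.GetAttribute('Name').StartsWith($NamePrefix, [System.StringComparison]::Ordinal)
        })
        foreach ($rule in $hits) {
            [void]$collection.RemoveChild($rule)
            [pscustomobject]@{
                Collection = $collection.GetAttribute('Type')
                Id         = $rule.GetAttribute('Id')
                Name       = $rule.GetAttribute('Name')
            }
        }
    }
    [pscustomobject]@{ Xml = $doc.OuterXml; Removed = @($removed) }
}

# Constructed sample policy: one default rule (Id as in the question) and one custom rule.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Helpdesk tools (constructed)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\Tools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$result = Remove-DefaultAppLockerRule -PolicyXml $sample
$result.Removed | Format-Table -AutoSize   # report of the rules that were dropped

# On a client, from an elevated session (back up first; without -Merge the
# file passed to Set-AppLockerPolicy replaces the local policy):
#   Get-AppLockerPolicy -Local -Xml | Set-Content C:\Temp\applocker-backup.xml -Encoding UTF8
#   $new = Remove-DefaultAppLockerRule -PolicyXml (Get-AppLockerPolicy -Local -Xml)
#   $new.Xml | Set-Content C:\Temp\applocker-new.xml -Encoding UTF8
#   Set-AppLockerPolicy -XmlPolicy C:\Temp\applocker-new.xml
```

In an enforced rule collection that still contains other rules, removing the default allow rules means files under the Windows and Program Files folders are no longer allowed unless another rule covers them, so review the Removed report per collection before applying the new policy.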