Creating AppLocker Rules using Powershell (Appx)


Another bug we needed to work around is creating an AppLocker rule for a built-in Windows 10 1709 app (whether to whitelist or blacklist). Currently, if you try to use the AppLocker GUI it crashes with an error in SRPUxSnapin.dll.

Luckily there are PowerShell cmdlets we can use to create a new ruleset by inserting a new rule into the policy that is already in use.

First, locate the app you want to allow/block from this list:

You can see which apps are on your device using the command in the article:

Get-AppxPackage | Select-Object Name, PackageFamilyName

The code below is an example of how to allow the 'input app' (touchscreen keyboard) and merge it with the currently effective policy.

#Get the app we want to allow
$AppXPackage = Get-AppxPackage -Name inputapp

#Use this app to get the AppLocker file information needed to make the rule (publisher details come from the package signature)
$FileInfo = Get-AppLockerFileInformation -Packages $AppXPackage

#Create a new publisher allow rule for Everyone
$rule = New-AppLockerPolicy -RuleType Publisher -FileInformation $FileInfo -User Everyone

#Import the currently active rules
$existingRules = Get-AppLockerPolicy -Effective

#Merge them with the new rule (Merge modifies $existingRules in place and returns nothing)
$existingRules.Merge($rule)

Note – I wasn't able to assign the result of $existingRules.Merge to a variable, so I have to overwrite the existing variable.

At this point, you can apply this ruleset with the Set-AppLockerPolicy cmdlet. However, I prefer to export it as an XML file to import into the Group Policy Object:

$existingRules.ToXml() > C:\Temp\AppLockerRules.xml

Once imported, you can use the GUI to tweak the rule, such as adding a description or changing it to a specific file version or every version above (recommended).
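The same build-merge-export flow wrapped in a reusable function, as an added example that is not part of the original post. It accepts several package names, checks the merged policy with Test-AppLockerPolicy before exporting, and assumes an elevated Windows PowerShell session where the AppLocker module loads; the function name and the output path are my own choices.

```powershell
# Added example, not from the original post. Builds a publisher allow rule for one or
# more Appx packages, merges it into the effective policy, verifies and exports it.
# Assumes an elevated Windows PowerShell session with the AppLocker module available.
function New-MergedAppxAllowPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $PackageName,      # e.g. 'Microsoft.WindowsCalculator'
        [string] $OutFile = 'C:\Temp\AppLockerRules.xml'      # assumed output path
    )

    # Resolve each name to an installed package; fail early rather than build an empty rule set
    $packages = foreach ($name in $PackageName) {
        $pkg = Get-AppxPackage -Name $name
        if (-not $pkg) { throw "Package '$name' is not installed for the current user" }
        $pkg
    }

    # Publisher rules need the signer and product details that this cmdlet extracts
    $fileInfo = Get-AppLockerFileInformation -Packages $packages

    # One publisher allow rule per package, scoped to Everyone
    $newRules = New-AppLockerPolicy -RuleType Publisher -FileInformation $fileInfo -User Everyone

    # Merge() returns nothing and mutates the object in place, so merge into the effective policy
    $merged = Get-AppLockerPolicy -Effective
    $merged.Merge($newRules)

    # Check before deploying: every package should now be Allowed by the merged policy
    $results = Test-AppLockerPolicy -PolicyObject $merged -Packages $packages -User Everyone
    $notAllowed = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
    if ($notAllowed) {
        Write-Warning ("Still not allowed: " + (($notAllowed | ForEach-Object { $_.FilePath }) -join ', '))
    }

    # Export for import into the GPO; Out-File avoids the UTF-16 default of '>' in Windows PowerShell
    $merged.ToXml() | Out-File -FilePath $OutFile -Encoding utf8
    return $results
}

# Usage: build a merged policy that allows the calculator, then review the test results
New-MergedAppxAllowPolicy -PackageName 'Microsoft.WindowsCalculator' | Format-Table FilePath, PolicyDecision
```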


Update – Adding directly from an event in the AppLocker event log

For troublesome Appx apps that are being blocked from the Store, where you do not have access to the source, you can generate the file information directly from the AppLocker event log on a machine. The example below pulls all blocked Appx apps:

Get-AppLockerFileInformation -EventLog -LogPath "C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" -EventType Denied

Where more than one result is returned, assign the output to an array variable and pick the one you want. The example below uses element 2 of the array:

$FileInfo = Get-AppLockerFileInformation -EventLog -LogPath "C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" -EventType Denied

$rule = New-AppLockerPolicy -RuleType Publisher -FileInformation $FileInfo[2] -User Everyone
