AppLocker policy "like"

    Question

  • Hey,

    I am setting AppLocker policies for Sysinternals.
    For the sake of clarity, it would be great if I did not have to define a special rule for every Sysinternals tool itself.
    I know I can specify the settings like Publisher, Product name, File name & File version to be like anything.
    But is it possible to say the Product name starts with "SYSINTERNALS" ?

    I already tried something like this - unfortunately without success:

    Thanks for help :)

    Thursday, November 12, 2015 2:42 PM

Answers

  • > But is it possible to say the Product name starts with "SYSINTERNALS" ?
     
    Unfortunately: No. The * in these fields is not a real wildcard, but
    basically a hint to "ignore this property".
     
    What you can do instead: Leverage Get-AppLockerFileInformation and
    New-AppLockerPolicy to create a set of cert rules for a given set of
    files all at once... Let's assume your source directory from where to
    create rules is C:\Sysinternals:
     
    Get-AppLockerFileInformation C:\Sysinternals\*.exe | New-AppLockerPolicy -RuleType Publisher -RuleNamePrefix "Sysinternals-" -User Everyone -IgnoreMissingFileInformation -Optimize | Set-AppLockerPolicy -LDAP "DN of the Destination GPO" -Merge
     
    (all one line...)
     
    Friday, November 13, 2015 11:29 AM
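
A review-before-deploy variant of the pipeline in the answer above, as an added example that is not part of the original thread: it writes the generated publisher rules to XML, lists the conditions that were created, and tests every tool against them before merging into the GPO. The XML output path, the variable names and the GPO placeholder are assumptions.

```powershell
# Added example. Paths and the GPO placeholder are assumptions; adjust them.
$SourceDir = 'C:\Sysinternals'
$PolicyXml = Join-Path $env:TEMP 'Sysinternals-AppLocker.xml'
$GpoLdap   = '<LDAP path of the destination GPO>'   # placeholder, not a real value

# 1. Collect publisher information for every executable in the folder.
$files = Get-AppLockerFileInformation -Directory $SourceDir -Recurse -FileType Exe

# 2. Build the same publisher rules as in the answer, but emit XML for review
#    instead of writing straight into a GPO. Files without publisher
#    information (unsigned binaries) are skipped with a warning.
$files |
    New-AppLockerPolicy -RuleType Publisher -RuleNamePrefix 'Sysinternals-' `
        -User Everyone -IgnoreMissingFileInformation -Optimize -Xml |
    Out-File -FilePath $PolicyXml

# 3. Show which publisher / product / binary conditions were generated.
#    A '*' in a field means "ignore this property", not "match a pattern".
[xml]$policy = Get-Content -Path $PolicyXml -Raw
$policy.AppLockerPolicy.RuleCollection.FilePublisherRule |
    ForEach-Object { $_.Conditions.FilePublisherCondition } |
    Select-Object PublisherName, ProductName, BinaryName |
    Format-Table -AutoSize

# 4. Evaluate every tool against the generated policy. Anything that got no
#    rule in step 2 is reported as DeniedByDefault.
$paths   = (Get-ChildItem -Path $SourceDir -Filter *.exe -Recurse).FullName
$results = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $paths -User Everyone
$notAllowed = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }

# 5. Merge into the GPO only when every tool is covered by a rule.
if ($notAllowed) {
    Write-Warning 'Not covered by the generated rules:'
    $notAllowed | Select-Object FilePath, PolicyDecision | Format-Table -AutoSize
}
else {
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdap -Merge
}
```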