AppLocker – Making sure that local rules are removed

This is just a quick blogpost about a thing I forgot to write about a long time ago.
One issue with AppLocker is that when someone gets admin access on a box, they can create local AppLocker rules that are merged with the Group Policy AppLocker rules. This is explained in this tweet here:

In order to make sure that any locally added rules are removed every time a computer boots, you can do the following:


  1. Create an XML file on your SYSVOL, or on any other share that no one has write access to, and add the following lines to the file:
    <AppLockerPolicy Version="1">
      <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
    </AppLockerPolicy>
  2. Add the following lines to a script and use it as a computer startup script:
    Import-Module AppLocker
    # Without -Merge, Set-AppLockerPolicy replaces the local policy with the one in the file
    Set-AppLockerPolicy -XmlPolicy \\\netlogon\ClearApplockerPolicy.xml


The next time a computer that receives this Group Policy boots, any local rules that have been created will be removed.
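As an added example (not code from the original post), here is a fuller version of the step 2 startup script that also records any local rules it finds before clearing them, so that tampering shows up in the Application event log rather than silently disappearing. The share path, the event source name and the event IDs are assumptions; it is assumed to run as SYSTEM from a computer startup script.

```powershell
# Added example, not from the original post: a startup script that records any local
# AppLocker rules it finds (evidence that someone with local admin added rules) before
# replacing the local policy with the empty "NotConfigured" policy from step 1.
# Assumptions: $ClearPolicyPath points at that XML on a share users cannot write to, and the
# script runs as SYSTEM from a computer startup script (so it can write to the event log).
Import-Module AppLocker

$ClearPolicyPath = '\\<domain>\netlogon\ClearApplockerPolicy.xml'  # placeholder: your domain
$LogSource       = 'AppLockerLocalRuleCleanup'                      # hypothetical event source

# Register the event source once so findings land in the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

# -Local returns only the machine's local policy, not the rules delivered by Group Policy,
# so any rule found here was created on this computer.
$localRules = foreach ($collection in (Get-AppLockerPolicy -Local).RuleCollections) {
    foreach ($rule in $collection) {
        [pscustomobject]@{
            Collection = $collection.RuleCollectionType
            Name       = $rule.Name
            Action     = $rule.Action
            Sid        = $rule.UserOrGroupSid
        }
    }
}

if ($localRules) {
    $msg = "Local AppLocker rules found at startup and removed:`n" +
           ($localRules | Format-Table -AutoSize | Out-String)
    Write-EventLog -LogName Application -Source $LogSource -EventId 1001 `
                   -EntryType Warning -Message $msg
}

# Without -Merge, Set-AppLockerPolicy replaces the local policy outright.
Set-AppLockerPolicy -XmlPolicy $ClearPolicyPath

# Verify: after the reset the local policy should contain no rules at all.
$remaining = 0
foreach ($collection in (Get-AppLockerPolicy -Local).RuleCollections) {
    foreach ($rule in $collection) { $remaining++ }
}
if ($remaining -ne 0) {
    Write-EventLog -LogName Application -Source $LogSource -EventId 1002 `
                   -EntryType Error -Message "$remaining local AppLocker rule(s) still present after reset."
}
```

Forwarding event IDs 1001 and 1002 from the Application log to your SIEM turns the cleanup into a detection: a 1001 means someone added local rules since the last boot.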
