AppLocker On Windows 10 Pro

deploy-applocker.ps1

# Requires system privileges!
# Thank you: https://github.com/sandytsang/MSIntune/blob/master/Intune-PowerShell/AppLocker/Delete-AppLockerEXE.ps1

$path = "<PATH TO APPLOCKER XML'S>"

$xmls = (ls -filter '*.xml' $path |% {$_.FullName})

$Appx, $Dll, $Exe, $Msi, $Script = $null

$xmls |% {
    $filename = $_
    [xml]$xml = (gc $filename)

    # Appx
    $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Appx' -and $_.EnforcementMode -match 'Enabled'} |% {
        $node = $_;
        if (-not $Appx) {
            $merge = New-Object XML
            $importnode = $merge.ImportNode($node, $true)
            $merge.AppendChild($importnode) | Out-Null

            $Appx = $merge
        } else {
            $node.ChildNodes |% {
                $child = $_
                $importnode = $Appx.ImportNode($child, $true)
                $Appx.DocumentElement.AppendChild($importnode) | Out-Null
            }
        }
    }

    # DLL
    $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Dll' -and $_.EnforcementMode -match 'Enabled'} |% {
        $node = $_;
        if (-not $Dll) {
            $merge = New-Object XML
            $importnode = $merge.ImportNode($node, $true)
            $merge.AppendChild($importnode) | Out-Null

            $Dll = $merge
        } else {
            $node.ChildNodes |% {
                $child = $_
                $importnode = $Dll.ImportNode($child, $true)
                $Dll.DocumentElement.AppendChild($importnode) | Out-Null
            }
        }
    }

    # Exe
    $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Exe' -and $_.EnforcementMode -match 'Enabled'} |% {
        $node = $_;
        if (-not $Exe) {
            $merge = New-Object XML
            $importnode = $merge.ImportNode($node, $true)
            $merge.AppendChild($importnode) | Out-Null

            $Exe = $merge
        } else {
            $node.ChildNodes |% {
                $child = $_
                $importnode = $Exe.ImportNode($child, $true)
                $Exe.DocumentElement.AppendChild($importnode) | Out-Null
            }
        }
    }

    # Msi
    $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Msi' -and $_.EnforcementMode -match 'Enabled'} |% {
        $node = $_;
        if (-not $Msi) {
            $merge = New-Object XML
            $importnode = $merge.ImportNode($node, $true)
            $merge.AppendChild($importnode) | Out-Null

            $Msi = $merge
        } else {
            $node.ChildNodes |% {
                $child = $_
                $importnode = $Msi.ImportNode($child, $true)
                $Msi.DocumentElement.AppendChild($importnode) | Out-Null
            }
        }
    }

    # Script
    $xml.AppLockerPolicy.RuleCollection |? {$_.Type -imatch 'Script' -and $_.EnforcementMode -match 'Enabled'} |% {
        $node = $_;
        if (-not $Script) {
            $merge = New-Object XML
            $importnode = $merge.ImportNode($node, $true)
            $merge.AppendChild($importnode) | Out-Null

            $Script = $merge
        } else {
            $node.ChildNodes |% {
                $child = $_
                $importnode = $Script.ImportNode($child, $true)
                $Script.DocumentElement.AppendChild($importnode) | Out-Null
            }
        }
    }
}

Add-Type -AssemblyName System.Web

$GroupName = "AppLocker001"
$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

# Appx
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03" #Do not change this
$obj = [System.Net.WebUtility]::HtmlEncode($Appx.InnerXml)

Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='STOREAPPS'" | Remove-CimInstance
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="STOREAPPS";Policy=$obj}

# Dll
$className = "MDM_AppLocker_DLL03" #Do not change this
$obj = [System.Net.WebUtility]::HtmlEncode($Dll.InnerXml)

Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}

# Exe
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
$obj = [System.Net.WebUtility]::HtmlEncode($Exe.InnerXml)

Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}

# Msi
$className = "MDM_AppLocker_MSI03" #Do not change this
$obj = [System.Net.WebUtility]::HtmlEncode($Msi.InnerXml)

Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}

# Script
$className = "MDM_AppLocker_Script03" #Do not change this
$obj = [System.Net.WebUtility]::HtmlEncode($Script.InnerXml)

Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='SCRIPT'" | Remove-CimInstance
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="SCRIPT";Policy=$obj}