Having problems with setting Applocker policies GPO through Powershell

  • General discussion


  • I built a powershell script to automate the setting of a GPO for Applocker so it can be deployed on multiple domains. Unfortunately I receive a weird error when the GPO has been set, in the console of powershell everything seems to work but when I open the GPO itself in GPedit. I receive the following error: "HRESULT E_FAIL has been returned from a call to a COM component" and I need to remove the gpo manually and add it again manually which removes the point of the script. I also replaced all the GUID with new ones and that also didn't work.

    Some piece of the script itself:

    # Create the GPO and link it to the domain root
    New-GPO -Name "$GPOApplockerN"
    New-GPLink -Name "$GPOApplockerN" -Target "$domainroot" | Out-Null
    $guidgpo = Get-GPO -Name "$GPOApplockerN" | Select-Object -ExpandProperty ID

    # Note: this configures the Application Identity service on the local machine only, not through the GPO
    sc.exe config appidsvc start= auto

    # Enforcement mode per rule collection (0 = Audit only)
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe" -ValueName EnforcementMode -Type DWord -Value 0
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\appx" -ValueName EnforcementMode -Type DWord -Value 0
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\msi" -ValueName EnforcementMode -Type DWord -Value 0
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\scripts" -ValueName EnforcementMode -Type DWord -Value 0
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" -ValueName AdminInfoURL -Type String -Value $url

    # Create rules in AppLocker; each rule lives in a subkey named after its GUID, with the rule XML in "Value"
    # exe
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\13f89ee5-b386-4373-972a-e3a46c224ae3" -ValueName Value -Type String -Value '<FilePublisherRule Id="13f89ee5-b386-4373-972a-e3a46c224ae3" Name="Allow all Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>'
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20" -ValueName Value -Type String -Value '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51" -ValueName Value -Type String -Value '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
    Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2" -ValueName Value -Type String -Value '<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the domain Administrators group to run all applications." UserOrGroupSid="S-1-5-21domain-512" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>'

    Why can't I get this to work? I tried everything mentioned above. I even ran the script line by line and couldn't find anything.
    • Edited by -Karsten- Tuesday, October 9, 2018 7:15 AM
    • Changed type Bill_Stewart Thursday, December 20, 2018 9:54 PM
    • Moved by Bill_Stewart Thursday, December 20, 2018 9:55 PM Cannot reproduce environment-specific problem
    Monday, October 8, 2018 6:42 AM
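One check worth running before each Set-GPRegistryValue call, as an added example that is not the poster's code: validate every rule fragment as well-formed XML whose Id matches its subkey GUID, and write nothing until all of them pass. It assumes the GroupPolicy module (RSAT) is installed and the GPO name is in $GPOApplockerN, as in the post; the sample rules are constructed.

```powershell
# Added example, not the original poster's code. Validates each AppLocker rule
# fragment before it is written into the GPO, so a malformed rule (such as the
# "<FilePathConditionPath=" typo in the post) is reported in the console instead
# of surfacing later when the Group Policy editor parses the GPO.
# Assumes the GroupPolicy module (RSAT) and a GPO name in $GPOApplockerN as in the post.
Import-Module GroupPolicy

$SrpBase = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2'

function Test-AppLockerRuleXml {
    param([string]$RuleXml, [string]$ExpectedId)
    try { $doc = [xml]$RuleXml }                       # the cast throws on malformed XML
    catch { return "not well-formed XML: $($_.Exception.Message)" }
    $root = $doc.DocumentElement
    if ($root.LocalName -notin 'FilePublisherRule','FilePathRule','FileHashRule') {
        return "unexpected root element '$($root.LocalName)'"
    }
    if ($root.Id -ne $ExpectedId) {                    # subkey GUID must equal the rule Id
        return "rule Id '$($root.Id)' does not match subkey '$ExpectedId'"
    }
    if (-not $root.Conditions) { return 'rule has no <Conditions> element' }
    return $null                                       # $null means the rule is acceptable
}

# Constructed sample set: one sound rule and one carrying the missing space from the post.
$Rules = @(
    @{ Collection = 'Exe'; Id = 'a61c8b2c-a319-4cd0-9690-d2177cad7b51'
       Xml = '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>' },
    @{ Collection = 'Exe'; Id = '921cc481-6e17-4653-8f75-050b80acca20'
       Xml = '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathConditionPath="%PROGRAMFILES%\*"/></Conditions></FilePathRule>' }
)

$Problems = foreach ($r in $Rules) {
    $msg = Test-AppLockerRuleXml -RuleXml $r.Xml -ExpectedId $r.Id
    if ($msg) { "$($r.Collection)\$($r.Id): $msg" }
}
if ($Problems) {
    $Problems | ForEach-Object { Write-Warning $_ }
    throw 'Aborting: no rules are written to the GPO until every fragment validates.'
}
foreach ($r in $Rules) {                               # reached only when all rules are sound
    Set-GPRegistryValue -Name $GPOApplockerN -Key "$SrpBase\$($r.Collection)\$($r.Id)" `
        -ValueName 'Value' -Type String -Value $r.Xml | Out-Null
}
```

With the sample set as given, the second rule fails the XML parse and the script stops before touching the GPO; remove or correct that entry and both rules are written.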

All replies

  • Don't forget to ask your question.

    -- Bill Stewart [Bill_Stewart]

    Monday, October 8, 2018 1:16 PM
  • You have undefined variables. $securitygroup


    \_(ツ)_/

    Monday, October 8, 2018 2:40 PM
  • I indeed had, I forgot to copy that one from my source code. I did remove it from this post as it is irrelevant to the core problem ;(
    Tuesday, October 9, 2018 12:43 PM
  • I don't think that's a script problem (unless there is more relevant code). I just ran this through all my lab environments and it worked fine.

    Monday, October 15, 2018 9:35 PM
  • Did you also check if it works in Group Policy Management? I tried it on different machines but I still get the error in Group Policy Management.
    Monday, October 22, 2018 8:00 AM
  • Yeah I understand that the error is shown when reopening the created GPO in the management console. It was fine each time, no errors or problems.
    Monday, October 22, 2018 8:41 PM