I built a PowerShell script to automate the setting of a GPO for AppLocker so it can be deployed on multiple domains. Unfortunately I receive a weird error when the GPO has been set: in the PowerShell console everything seems to work, but when I open the GPO itself in GPedit, I receive the following error: "HRESULT E_FAIL has been returned from a call to a COM component". I then need to remove the GPO manually and add it again manually, which removes the point of the script.
Some piece of the script itself:
New-GPO -Name "$GPOApplockerN"
New-GPLink -Name "$GPOApplockerN" -Target "$domainroot" | Out-Null
$guidgpo = Get-GPO -name "$GPOApplockerN" | select-object -expandproperty ID
Set-GPPermissions -Guid "$guidgpo" -PermissionLevel Gpoapply -TargetName "$securitygroup" -TargetType group | Out-Null
Set-GPPermissions -Guid "$guidgpo" -PermissionLevel GPOread -TargetName 'Authenticated Users' -TargetType group | Out-Null
#Configure GPO APPLOCKER
sc.exe config appidsvc start= auto
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe" -ValueName EnforcementMode -Type DWord -value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\appx" -ValueName EnforcementMode -Type DWord -value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\msi" -ValueName EnforcementMode -Type DWord -value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\scripts" -ValueName EnforcementMode -Type DWord -value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" -ValueName AdminInfoURL -Type String -value $url
#Create Rules in applocker
#exe
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\13f89ee5-b386-4373-972a-e3a46c224ae3" -ValueName Value -Type String -value '<FilePublisherRule Id="13f89ee5-b386-4373-972a-e3a46c224ae3" Name="Allow all Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>'
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20" -ValueName Value -Type String -value '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathConditionPath="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51" -ValueName Value -Type String -value '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
Set-GPRegistryValue -Name "$GPOApplockerN" -key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2" -ValueName Value -Type String -value '<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the domain Administrators group to run all applications." UserOrGroupSid="S-1-5-21domain-512" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>'
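
A pre-flight check for hand-built rule strings like the ones in the script above, as an added example that is not part of the original post. `Test-AppLockerRuleValue` is a hypothetical helper name, the sample rules are constructed (abridged from the post, with two attribute spellings kept as they appear there), and the checks cover only well-formedness, the Id/key match, the SID and the Action.

```powershell
# Added example. Test-AppLockerRuleValue is a hypothetical helper, not a built-in cmdlet.
function Test-AppLockerRuleValue {
    param(
        [Parameter(Mandatory)][string]$Key,     # registry key whose last segment is the rule GUID
        [Parameter(Mandatory)][string]$RuleXml  # string that would go into the "Value" entry
    )
    $problems = @()
    $keyId = ($Key -split '\\')[-1]

    # 1. The string has to parse as XML at all.
    try { $rule = ([xml]$RuleXml).DocumentElement }
    catch { return ,@("not well-formed XML: $($_.Exception.Message)") }

    # 2. Id must be a GUID and equal the key's last segment (as in every rule in the post).
    $id = $rule.GetAttribute('Id')
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($id, [ref]$guid)) { $problems += "Id '$id' is not a GUID" }
    elseif ($id -ne $keyId) { $problems += "Id '$id' does not match key segment '$keyId'" }

    # 3. UserOrGroupSid must be a parseable SID string.
    $sid = $rule.GetAttribute('UserOrGroupSid')
    try { [void][System.Security.Principal.SecurityIdentifier]::new($sid) }
    catch { $problems += "UserOrGroupSid '$sid' is not a valid SID" }

    # 4. Action must be Allow or Deny.
    $action = $rule.GetAttribute('Action')
    if ($action -notin 'Allow', 'Deny') { $problems += "Action '$action' is not Allow or Deny" }

    return ,$problems
}

# Constructed samples, abridged from the rules in the post (Name shortened, Description dropped).
$base = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe'
$samples = [ordered]@{
    # Well-formed rule with the Everyone SID.
    "$base\a61c8b2c-a319-4cd0-9690-d2177cad7b51" = '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
    # Element name and attribute fused, as the string appears in the post.
    "$base\921cc481-6e17-4653-8f75-050b80acca20" = '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathConditionPath="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
    # SID text as it appears in the post (the domain part may be a redaction there).
    "$base\fd686d83-a829-4351-8ff4-27c7de5755d2" = '<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="All files" UserOrGroupSid="S-1-5-21domain-512" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>'
}
foreach ($key in $samples.Keys) {
    $found = Test-AppLockerRuleValue -Key $key -RuleXml $samples[$key]
    if ($found.Count) { "FAIL $key"; $found | ForEach-Object { "  $_" } }
    else { "OK   $key" }
    # Only a rule that passed would then be written with Set-GPRegistryValue, as in the script.
}
```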