I built a PowerShell script to automate the setting of a GPO for AppLocker so it can be deployed on multiple domains. Unfortunately I receive a weird error once the GPO has been set: in the PowerShell console everything seems to work, but when I open
the GPO itself in GPEdit I receive the following error: "HRESULT E_FAIL has been returned from a call to a COM component", and I need to remove the GPO manually and add it again manually, which defeats the point of the script. I also replaced all
the GUIDs with new ones and that also didn't work.
Some piece of the script itself:
New-GPO -Name "$GPOApplockerN"
New-GPLink -Name "$GPOApplockerN" -Target "$domainroot" | Out-Null
$guidgpo = Get-GPO -Name "$GPOApplockerN" | Select-Object -ExpandProperty ID
# Note: this configures the Application Identity service on the machine running the script only, not on the GPO's targets
sc.exe config appidsvc start= auto
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\appx" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\msi" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\scripts" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" -ValueName AdminInfoURL -Type String -Value $url
# Create rules in AppLocker: each rule is one REG_SZ named "Value" under a subkey named after the rule's Id GUID,
# and the string must be well-formed XML or the AppLocker snap-in cannot load the policy
# exe
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\13f89ee5-b386-4373-972a-e3a46c224ae3" -ValueName Value -Type String -Value '<FilePublisherRule Id="13f89ee5-b386-4373-972a-e3a46c224ae3" Name="Allow all Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>'
# Fixed: the original had "<FilePathConditionPath=" (missing space before the Path attribute), which is not valid XML
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20" -ValueName Value -Type String -Value '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51" -ValueName Value -Type String -Value '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
# Fixed: the original was missing the closing single quote on this line.
# "S-1-5-21domain-512" is a placeholder: the real domain SID (S-1-5-21-<domain identifier>-512) must be inserted here
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2" -ValueName Value -Type String -Value '<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the domain Administrators group to run all applications." UserOrGroupSid="S-1-5-21domain-512" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>'
Why can't I get this to work? I tried everything mentioned above. I even ran the script line by line and couldn't find anything.
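A pre-flight check that a practitioner would want in a script like this, added here as an example and not part of the poster's script: every AppLocker rule string is parsed as XML and its Id attribute compared against the registry subkey name before anything is written to the GPO, so a malformed rule (such as a missing space before an attribute, which the AppLocker snap-in then fails to load) stops the run instead of producing a GPO that has to be deleted by hand. The GPO name, the base key and the two sample rules below are constructed for the example; the second sample deliberately reproduces the missing-space defect so that the check has something to reject.

```powershell
# Added example, not the original script. Assumed GPO name and constructed sample rules.
$GPOApplockerN = 'AppLocker-Baseline'                                    # assumption: GPO name
$base = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2'

# Constructed sample rules keyed by "<collection>\<rule GUID>"; the second one is
# intentionally malformed ("FilePathConditionPath" with no space before Path).
$rules = @{
    'Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51' = '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
    'Exe\921cc481-6e17-4653-8f75-050b80acca20' = '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathConditionPath="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
}

function Test-AppLockerRuleXml {
    # Returns $null when the rule is acceptable, otherwise a string describing the problem.
    param([string]$SubKey, [string]$RuleXml)
    try {
        $doc = [xml]$RuleXml        # the cast throws on any malformed XML
    } catch {
        return "INVALID XML in $SubKey : $($_.Exception.Message)"
    }
    $root = $doc.DocumentElement
    $guid = ($SubKey -split '\\')[-1]
    if ($root.GetAttribute('Id') -ne $guid) {
        return "Id mismatch in $SubKey : rule Id is '$($root.GetAttribute('Id'))'"
    }
    if ($root.GetAttribute('Action') -notin @('Allow', 'Deny')) {
        return "Unexpected Action in $SubKey : '$($root.GetAttribute('Action'))'"
    }
    if ($root.SelectNodes('Conditions/*').Count -eq 0) {
        return "No condition element in $SubKey"
    }
    return $null
}

# Validate everything first; refuse to touch the GPO if a single rule is bad.
$problems = foreach ($k in $rules.Keys) { Test-AppLockerRuleXml -SubKey $k -RuleXml $rules[$k] }
$problems = @($problems | Where-Object { $_ })
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Refusing to write $($problems.Count) malformed AppLocker rule(s) to GPO '$GPOApplockerN'."
}

# Only reached when every rule parsed cleanly.
foreach ($k in $rules.Keys) {
    Set-GPRegistryValue -Name $GPOApplockerN -Key "$base\$k" -ValueName Value -Type String -Value $rules[$k] | Out-Null
}

# Afterwards, an XML report of the GPO shows whether the AppLocker policy was read back without error:
# Get-GPOReport -Name $GPOApplockerN -ReportType Xml
```

Run against the sample data above, the script warns about the Program Files rule and throws before calling `Set-GPRegistryValue`; once the space is restored in that rule, both rules pass and are written. Keeping the rule strings in one table also makes it harder for a subkey GUID and the `Id` attribute inside the XML to drift apart when the GUIDs are regenerated.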