Update delete-an-applocker-rule.md

jsuther1974 2023-03-10 14:59:01 -08:00
parent e5a3668868
commit c0b7abffb8


@ -13,7 +13,7 @@ author: vinaypamnani-msft
manager: aaroncz manager: aaroncz
audience: ITPro audience: ITPro
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/09/2020 ms.date: 03/10/2023
ms.technology: itpro-security ms.technology: itpro-security
--- ---
@ -28,65 +28,59 @@ ms.technology: itpro-security
>[!NOTE] >[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article for IT professionals describes the steps to delete an AppLocker rule. This article for IT professionals describes the steps to delete an AppLocker rule.
As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings. These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools.
## To delete a rule in an AppLocker policy ## To delete a rule in an AppLocker policy
1. Open the AppLocker console. 1. Open the AppLocker console.
2. Click the appropriate rule collection for which you want to delete the rule. 2. Select the appropriate rule collection for which you want to delete the rule.
3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. 3. In the details pane, right-click the rule to delete, select **Delete**, and then select **Yes**.
> [!Note] > [!NOTE]
>
> - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices. > - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices.
> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`. > - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`.
When the following procedure is performed on the local device, the AppLocker policy takes effect immediately. When the following procedure is performed on the local device, the AppLocker policy takes effect immediately.
## To clear AppLocker policies on a single system or remote systems ## To clear AppLocker policies on a single system or remote systems
Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents:
```xml First import the AppLocker modules for PowerShell:
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
```
To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules:
```powershell ```powershell
PS C:\Users\Administrator> import-module AppLocker PS C:\Users\Administrator> import-module AppLocker
``` ```
We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command: Create a file called clear.xml with the following XML content and save it to your desktop.
```powershell ```xml
C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml <AppLockerPolicy Version="1" />
``` ```
This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. Then run the following command from an elevated PowerShell session to remove all local AppLocker policies from the device:
The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy. ```powershell
C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy $env:USERPROFILE\Desktop\clear.xml
```
Run the following PowerShell commands to stop the AppLocker services and change their startup configuration.
```powershell ```powershell
appidtel.exe stop [-mionly] appidtel.exe stop [-mionly]
sc.exe config appid start=demand sc.exe config appid start=demand
sc.exe config appidsvc start=demand sc.exe config appidsvc start=demand
sc.exe config applockerfltr start=demand sc.exe config applockerfltr start=demand
sc stop applockerfltr sc.exe stop applockerfltr
sc stop appidsvc sc.exe stop appidsvc
sc stop appid sc.exe stop appid
``` ```
All of these steps can be run on a single machine or deployed as a script to multiple devices.
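Review bot: the `appidtel.exe stop [-mionly]` line keeps square-bracket optional-argument notation inside a fenced block that readers will paste verbatim, so `[-mionly]` is handed to the tool literally; drop the brackets from the block and explain the optional `-mionly` switch in the sentence above it ("Run the following PowerShell commands to stop the AppLocker services..."). Two smaller points in the same hunk: the prompt on the `Set-AppLockerPolicy -XMLPolicy $env:USERPROFILE\Desktop\clear.xml` line lacks the `PS ` prefix used on the `import-module AppLocker` line, and the unchanged note sentence "If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`" is still hard to parse (which apps are "disabled", and deleting what exactly) and deserves a rewrite while this file is being touched. The change from `sc stop` to `sc.exe stop` is the right fix, since `sc` resolves to the Set-Content alias in a PowerShell session. Also, `clear.xml` is reduced to `<AppLockerPolicy Version="1" />` with no RuleCollection elements; please confirm that Set-AppLockerPolicy without -Merge treats every absent collection, ManagedInstaller included, as NotConfigured, because the removed per-collection `EnforcementMode="NotConfigured"` version made that explicit.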