Problems setting up an AppLocker policy GPO through PowerShell

Time: 2018-10-02 07:14:12

Tags: powershell gpo applocker

I built a PowerShell script to set up a GPO for AppLocker automatically, so that it can be deployed in multiple domains. Unfortunately, once the GPO has been set up I get a strange error. In the PowerShell console everything seems fine, but when I open the GPO itself in GPEdit I get the following error: "Error HRESULT E_FAIL has been returned from a call to a COM component". I have to delete the GPO manually and then add it again by hand, which defeats the point of the script.

Part of the script:

# The GroupPolicy module (RSAT) provides New-GPO, New-GPLink, Set-GPPermissions and Set-GPRegistryValue
Import-Module GroupPolicy

# $GPOApplockerN, $domainroot, $securitygroup and $url are set earlier in the script (not shown here)
New-GPO -Name "$GPOApplockerN" | Out-Null
New-GPLink -Name "$GPOApplockerN" -Target "$domainroot" | Out-Null
$guidgpo = Get-GPO -Name "$GPOApplockerN" | Select-Object -ExpandProperty Id
# Only $securitygroup applies the GPO; Authenticated Users are lowered from the default Read+Apply to Read so clients can still read it
Set-GPPermissions -Guid "$guidgpo" -PermissionLevel GpoApply -TargetName "$securitygroup" -TargetType Group | Out-Null
Set-GPPermissions -Guid "$guidgpo" -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group | Out-Null

#Configure GPO APPLOCKER

# Note: this configures the Application Identity service on the machine running the script only; it is not written into the GPO
sc.exe config appidsvc start= auto
# EnforcementMode for each AppLocker rule collection (Exe, Appx, Msi, Script)
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\appx" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\msi" -ValueName EnforcementMode -Type DWord -Value 0
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\scripts" -ValueName EnforcementMode -Type DWord -Value 0
# Support URL shown to users in the AppLocker block message
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer" -ValueName AdminInfoURL -Type String -Value $url

#Create Rules in applocker
#exe
# Each rule is one REG_SZ value named "Value" under SrpV2\Exe\<rule GUID>, holding that rule's XML
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\13f89ee5-b386-4373-972a-e3a46c224ae3" -ValueName Value -Type String -Value '<FilePublisherRule Id="13f89ee5-b386-4373-972a-e3a46c224ae3" Name="Allow all Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*"/></FilePublisherCondition></Conditions></FilePublisherRule>'
# The original post had "<FilePathConditionPath=" with no space between element name and attribute, which is not well-formed XML; corrected here
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20" -ValueName Value -Type String -Value '<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>'
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51" -ValueName Value -Type String -Value '<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>'
# "S-1-5-21domain-512" is a placeholder, not a valid SID; the Domain Admins SID is S-1-5-21-<domain identifier>-512 and must be substituted per domain
Set-GPRegistryValue -Name "$GPOApplockerN" -Key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2" -ValueName Value -Type String -Value '<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the domain Administrators group to run all applications." UserOrGroupSid="S-1-5-21domain-512" Action="Allow"><Conditions><FilePathCondition Path="*"/></Conditions></FilePathRule>'

Microsoft support doesn't support this script, so I'm at a loss.

0 answers:

No answers
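The following is an added example; it is not code from the original question, and the page itself carries no answer. It takes a different route to the same result: the question's rules are kept as one AppLocker policy document, checked for well-formed XML before anything touches Active Directory, and written into the existing GPO with Set-AppLockerPolicy -Ldap rather than as individual SrpV2 registry values. The GPO name "AppLocker-Baseline", the temp file path, the AuditOnly enforcement mode and the use of Get-ADDomain to build the LDAP path and the Domain Admins SID are assumptions; the rule names, conditions and GUIDs are the ones from the question.

```powershell
# Added example, not code from the original post. Assumed: the GroupPolicy, ActiveDirectory and
# AppLocker RSAT modules are installed, the GPO already exists, and the name below stands in for
# the question's $GPOApplockerN.
Import-Module GroupPolicy
Import-Module ActiveDirectory
Import-Module AppLocker

$GPOApplockerN = 'AppLocker-Baseline'                    # assumed GPO name
$domain        = Get-ADDomain
$domainAdmins  = '{0}-512' -f $domain.DomainSID.Value    # real Domain Admins SID: S-1-5-21-<domain>-512
$everyone      = 'S-1-1-0'

# AuditOnly is a deliberately safe starting mode: matches are logged, nothing is blocked yet.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="13f89ee5-b386-4373-972a-e3a46c224ae3" Name="Allow all Microsoft signed" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="" UserOrGroupSid="$domainAdmins" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly"/>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly"/>
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly"/>
</AppLockerPolicy>
"@

function Test-WellFormedXml {
    # Returns $true when the text parses as XML; the [xml] cast throws on broken markup
    param([Parameter(Mandatory)][string]$Text)
    try { $null = [xml]$Text; return $true } catch { return $false }
}

# Catches markup such as "<FilePathConditionPath=" (element name fused to its attribute) before it reaches the GPO
if (-not (Test-WellFormedXml $policyXml)) {
    throw 'AppLocker rule XML is not well-formed; fix it before writing it into the GPO'
}

# Set-AppLockerPolicy reads the policy from a file (assumed temp path)
$xmlPath = Join-Path $env:TEMP 'applocker-policy.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# LDAP path of the GPO's container in AD, addressed via the PDC emulator so the write and read-back hit the same DC
$gpo     = Get-GPO -Name $GPOApplockerN
$ldapGpo = 'LDAP://{0}/CN={{{1}}},CN=Policies,CN=System,{2}' -f $domain.PDCEmulator, $gpo.Id, $domain.DistinguishedName

Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldapGpo

# Read the stored policy back from the GPO and list rule count per collection
$stored = [xml](Get-AppLockerPolicy -Domain -Ldap $ldapGpo -Xml)
foreach ($rc in $stored.AppLockerPolicy.RuleCollection) {
    $count = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    '{0,-7} {1,-14} {2} rule(s)' -f $rc.Type, $rc.EnforcementMode, $count
}
```

Two caveats a practitioner would want before switching the collections to Enabled: leave the policy in AuditOnly long enough to review the "Microsoft-Windows-AppLocker/EXE and DLL" event log on a few pilot machines, and remember that a publisher rule allowing everything signed by Microsoft also allows signed Microsoft tools that will run arbitrary code on request (MSBuild.exe, InstallUtil.exe and regsvr32.exe are the usual examples), so those are normally covered by explicit deny rules.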