4 Comments

  1. I tried the script running as follows:
    .\Get-ApplockerBlocks -computerName PCName -logType ExeandDll -Mode ‘Audit Only’ and it runs and returns nothing, including any error messages. I can look into the event log on the computer and there are warning events about several programs. So do you know what might be happening? This would be so sweet a program if I could get it to work correctly. Thanks.

    • Hi, This script works fine on 2000 PC’s where I used to work. I no longer work there and we’re not currently using applocker at my new place but I have had another look at the code and I can’t see any issues. You could try changing the filter so it’s not filtering on ExeAndDll – are you sure there are entries in the exe and dll event log? Also try changing audit mode to Both.

      • Ok, I tried it like you suggested: .\Get-ApplockerBlocks -computerName PCName -Mode โ€˜Bothโ€™ and got the same result. I looked over the script and it looks like it should work. I can retrieve events if I run the Command you have in your script manually:
        Get-WinEvent -LogName “Microsoft-Windows-AppLocker/MSI and Script” -ComputerName PCName | where {$_.leveldisplayname -eq ‘Warning’} | group-object -property message | select name

        So it seems that the script should work.

  2. I have just configured auditing mode for applocker at my new work place and I’m pleased to say the powershell code works just fine..happy days! ๐Ÿ™‚

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.