Create Software Restriction Policy with PowerShell

Hi all,

I've been reading up about the CryptoLocker malware, and came across an article that explained how you can prevent your PCs becoming infected. It involves setting up a Software Restriction Policy with the following parameters:

Path: %localAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData


Path: %localAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData

I know how to do this manually by editing the Local Security Policy on a machine; however, I have 120 machines (all Win7) to update in various locations.

So I was wondering whether anyone knew of a way to set up the above policy using a PowerShell script? If so, I could roll the script out to the PCs with Windows Intune, which would be a massive time saver.

Much appreciated,
Does your Win7 edition support AppLocker (the better SRPol)? AppLocker can be controlled by PowerShell. AppLocker is available with Ultimate and Enterprise.

adriaanvw (Author) commented:
Yes, we use Win7 Enterprise. However, I would prefer to use the method described if at all possible...

I would definitely advise you to use AppLocker. It is the same as software restriction policy, only better, and PowerShell can be used.

I realise this is an old thread, but AppLocker only works on Windows 7 Ent, not Pro.
Therefore SRP are the only option unless you have Ent Windows.
Is there any way of making SRP work via PowerShell or the command line?

Hi rampant.

Please open up a new thread. And when you do, please specify why you wouldn't use local or domain GPOs to manage SRPs.
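
The AppLocker route recommended earlier in this thread, as an added example that is not code from any of the posters: a PowerShell script that applies the question's AppData deny rule as a local AppLocker policy, starting in audit mode. The `%OSDRIVE%\Users\...` path, the three allow rules and the temp file name are assumptions of this example.

```powershell
# Added example (not from the thread). Run elevated on Windows 7 Enterprise/Ultimate.
Import-Module AppLocker

# Audit first: matches are logged but nothing is blocked.
$mode = 'AuditOnly'   # change to 'Enabled' once the audit events look right

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators
$rules = @(
    # Allow rules modelled on AppLocker's default Exe rules. Once an Exe rule
    # collection is enforced, anything not explicitly allowed is blocked.
    @{ Name = 'Allow Windows folder'; Sid = 'S-1-1-0'; Action = 'Allow'; Path = '%WINDIR%\*' },
    @{ Name = 'Allow Program Files'; Sid = 'S-1-1-0'; Action = 'Allow'; Path = '%PROGRAMFILES%\*' },
    @{ Name = 'Allow administrators'; Sid = 'S-1-5-32-544'; Action = 'Allow'; Path = '*' },
    # Deny rule standing in for the question's two SRP rules. AppLocker has no
    # %localAppData% variable, so the path is spelled out (assumes profiles in
    # \Users, and that * also spans subfolders; confirm both in audit mode).
    @{ Name = "Don't allow executables from AppData"; Sid = 'S-1-1-0'; Action = 'Deny'
       Path = '%OSDRIVE%\Users\*\AppData\Local\*.exe' }
)

$template = '<FilePathRule Id="{0}" Name="{1}" Description="{1}" UserOrGroupSid="{2}" ' +
            'Action="{3}"><Conditions><FilePathCondition Path="{4}" /></Conditions></FilePathRule>'
$ruleXml = foreach ($r in $rules) {
    $name = [System.Security.SecurityElement]::Escape($r.Name)   # XML-escape the apostrophe
    $template -f [guid]::NewGuid(), $name, $r.Sid, $r.Action, $r.Path
}

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$mode">
    $($ruleXml -join "`n    ")
  </RuleCollection>
</AppLockerPolicy>
"@

$file = Join-Path $env:TEMP 'applocker-appdata.xml'   # constructed file name
Set-Content -Path $file -Value $policy -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $file -Merge   # local policy; -Merge keeps existing rules

# AppLocker evaluates rules only while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

Get-AppLockerPolicy -Local -Xml   # show what is now configured

# Later: event 8003 = an EXE that would have been blocked under enforcement.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message
```

Deny rules take precedence over allow rules in AppLocker, so the AppData rule applies to administrators as well.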