Policy: File Access Deny Policy for PowerShell File

This example shows a File Access policy that targets a specific application (a PowerShell-related file/process identifier) and denies the matching activity on targeted endpoints. It’s useful for demonstrating how to block a known risky tool or technique while keeping the policy narrowly scoped to a single application rather than affecting everything on the machine.

What This Policy Does

• Applies a File Access rule in enforce mode.

• Targets:

  • Any user (*)

  • A specific application (one App ID, representing the PowerShell file/process being controlled)

  • One specific endpoint (one Machine ID)

• On a match, it applies a DENY control.

• Requires the user to acknowledge the notification (NotificationRequiresAcknowledge: true).

Why It Behaves This Way

• Application-Scoped Blocking: Because the application targeting is a single App ID (not *), only that specific PowerShell-related executable/file identity is affected.

• Broad User Scope: The wildcard user targeting means any user on the targeted endpoint will be blocked when they trigger the matching behavior.

• Enforced Deny: The policy is set to enforce and the success control is DENY, so matching file access activity is actively blocked.

• Standard Checks With No Extra Constraints: Date/Time/Day/Certificate restrictions are empty, so the behavior mainly depends on whether the user, machine, and application match.

• Message/Behavior Mismatch: The notification text references “monitor mode” and talks about MFA/justification/request for elevation, but this policy is a File Access policy that denies activity. The message should be updated to reflect the actual outcome (blocked)

What The User Experiences

• When a user triggers the covered PowerShell-related activity on an in-scope endpoint, the action is blocked.

• Because acknowledgement is required, the user will also see a notification prompt that they must dismiss—so the block is both enforced and explicitly communicated.

Important Notes And Common Adjustments

• Fix The Notification Message: Update the text so it clearly explains the action is being denied (and why), instead of referencing monitor mode or elevation controls.

• Reduce User Disruption: If the acknowledgement prompt is too disruptive, set acknowledgement to false and rely on logging/alerts for visibility.

• Tighten Or Broaden Scope Carefully:

  • Tighten by limiting to specific users/groups if only certain users should be blocked.

  • Broaden by adding more App IDs if you need to cover additional PowerShell variants/paths used in your environment.

• Consider Certificate Constraints: If supported, add signer/publisher/certificate restrictions to avoid blocking trusted, signed components unintentionally (or to block only untrusted builds).

Example JSON