Procedures to enforce Windows PowerShell to run in Constrained Language Mode using Windows Defender Application Control?

EnterpriseArchitect 4,741 Reputation points
2021-12-01T06:19:24.757+00:00

Hi All,

I need some help and guidance in deploying the Windows Defender Application Control (WDAC) policy to enforce Windows PowerShell to run in Constrained Language Mode for my production servers.

Can someone here, please share the steps?

Because the link Deploy Windows Defender Application Control (WDAC) policies using the https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script does not show the settings to enable the PowerShell constrained language mode.

From: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.2#constrained-language-constrained-language

Thanks in advance.


1 answer

  1. Limitless Technology 39,351 Reputation points
    2021-12-01T19:42:48.067+00:00

    Hello @EnterpriseArchitect

    The Policy you are looking for is:

    Option 11 Disabled:Script Enforcement
    Default value: Enabled (meaning it will DISABLE the Script Enforcement; to allow it, you should set it to Disabled)

    This option is only supported in Windows 1903 build 18362.145 or later. The Microsoft documentation on this option is incomplete and inconsistent.

    Script enforcement has two main functions:

    It blocks MSIs. Why MSIs? Application Control refers primarily to Portable Executables (PEs), which are files encoded in a PE format including EXE, DLL and SYS files, but not MSIs. So really, I think, “script” here means “non-PE”.
    It does not block scripts, but it puts PowerShell into Constrained Language mode, which blocks specific elements that expose vulnerabilities (calls to Win32 API’s). Note: a policy will only put PowerShell into Constrained Language mode if it is in Enforced mode. In Audit mode, PowerShell remains in Full Language mode.

    Reference to apply the changes: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create

    Hope this helps with your query,

    --------
    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
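As an added example (not from the answer above or from Microsoft's documentation), the ConfigCI commands below take an existing WDAC policy XML, remove option 11 (Disabled:Script Enforcement) and option 3 (Enabled:Audit Mode) so that the enforced policy puts PowerShell into Constrained Language Mode, and compile it to binary; the file paths are assumptions.

```powershell
# Added example, not part of the original post. Paths are hypothetical placeholders.
$PolicyXml = 'C:\WDAC\ServerPolicy.xml'   # assumed path to your existing policy XML
$PolicyBin = 'C:\WDAC\ServerPolicy.bin'   # assumed output path for the compiled policy

# List the rule options currently in the policy. ConfigCI stores them as
# <Rules><Rule><Option>Name</Option></Rule></Rules> under the <SiPolicy> root.
function Get-WdacRuleOption {
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    $xml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
}

Write-Host 'Rule options before:'
Get-WdacRuleOption -Path $PolicyXml

# Option 11 is "Disabled:Script Enforcement". Its PRESENCE switches script
# enforcement off, so the fix is to remove it with -Delete, not to add it.
Set-RuleOption -FilePath $PolicyXml -Option 11 -Delete

# Option 3 is "Enabled:Audit Mode". CLM is only applied by an enforced policy;
# in audit mode PowerShell stays in FullLanguage, so remove audit mode as well.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

Write-Host 'Rule options after:'
$remaining = Get-WdacRuleOption -Path $PolicyXml
$remaining

# Sanity check before compiling: neither option may survive in the XML.
if ($remaining -contains 'Disabled:Script Enforcement') { throw 'Option 11 is still present' }
if ($remaining -contains 'Enabled:Audit Mode')          { throw 'Policy is still in audit mode' }

# Compile the XML into the binary form consumed by the deployment script.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# After the binary policy is deployed and active, verify from a NEW PowerShell
# session on the server; the expected value is ConstrainedLanguage.
function Test-ConstrainedLanguageMode {
    $ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage'
}
```

Run the verification function on the target server only after the policy has been deployed and is active, since the session that built the policy reflects the old policy state.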