Hello @EnterpriseArchitect
The policy you are looking for is:
Option 11 Disabled:Script Enforcement
Default value: Enabled (meaning it will DISABLE Script Enforcement; to allow it, you should set it to Disabled)
This option is only supported in Windows 1903 build 18362.145 or later. The Microsoft documentation on this option is incomplete and inconsistent.
Script enforcement has two main functions:
1. It blocks MSIs. Why MSIs? Application Control refers primarily to Portable Executables (PEs), which are files encoded in the PE format, including EXE, DLL and SYS files, but not MSIs. So really, I think, "script" here means "non-PE".
2. It does not block scripts, but it puts PowerShell into Constrained Language mode, which blocks specific elements that expose vulnerabilities (calls to Win32 APIs). Note: a policy will only put PowerShell into Constrained Language mode if it is in Enforced mode. In Audit mode, PowerShell remains in Full Language mode.
Reference to apply the changes: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
Hope this helps with your query,
--------
--If the reply is helpful, please Upvote and Accept as answer--
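As an added example (not part of the answer above, and not Microsoft's own code), the following PowerShell shows how a defender can verify the two points the answer makes: whether the user-mode WDAC policy is actually in Enforced mode (the only mode in which PowerShell drops to Constrained Language), and how option 11 is toggled in a policy XML with the ConfigCI cmdlet Set-RuleOption. The Win32_DeviceGuard CIM class, its UsermodeCodeIntegrityPolicyEnforcementStatus property (0 = Off, 1 = Audit, 2 = Enforced) and Set-RuleOption are real Windows APIs; the policy path C:\WDAC\MyPolicy.xml is a placeholder you must replace.

```powershell
# Added example, not from the original answer. Assumes Windows 10 1903 (build
# 18362.145) or later with the ConfigCI module available, and a WDAC policy
# XML at C:\WDAC\MyPolicy.xml (placeholder path, replace with your own).

# Report the enforcement status of the user-mode code integrity policy and the
# language mode of the current session. ScriptEnforcementActive is true only
# when the policy is Enforced AND the session is in ConstrainedLanguage mode,
# which matches the behaviour described in the answer above.
function Get-WdacScriptEnforcementState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        throw 'Win32_DeviceGuard not available; this OS may not support WDAC.'
    }

    # 0 = Off, 1 = Audit, 2 = Enforced
    $umci = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    $umciText = switch ($umci) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { "Unknown($umci)" }
    }
    $mode = $ExecutionContext.SessionState.LanguageMode

    [pscustomobject]@{
        UmciPolicyStatus        = $umciText
        LanguageMode            = $mode
        ScriptEnforcementActive = ($umci -eq 2 -and $mode -eq 'ConstrainedLanguage')
    }
}

# Enable or disable script enforcement in a policy XML. Adding rule option 11
# ("Disabled:Script Enforcement") turns enforcement OFF; deleting the option
# turns it back ON. The policy must then be recompiled with
# ConvertFrom-CIPolicy and redeployed before the change takes effect.
function Set-WdacScriptEnforcement {
    param(
        [Parameter(Mandatory)][string]$PolicyPath,
        [Parameter(Mandatory)][bool]$Enabled
    )
    if ($Enabled) {
        Set-RuleOption -FilePath $PolicyPath -Option 11 -Delete
    } else {
        Set-RuleOption -FilePath $PolicyPath -Option 11
    }
    # Return the rule options now present in the XML so the change can be verified
    ([xml](Get-Content -Path $PolicyPath -Raw)).SiPolicy.Rules.Rule.Option
}

# Usage:
Get-WdacScriptEnforcementState
# Set-WdacScriptEnforcement -PolicyPath 'C:\WDAC\MyPolicy.xml' -Enabled $true
# ConvertFrom-CIPolicy -XmlFilePath 'C:\WDAC\MyPolicy.xml' -BinaryFilePath 'C:\WDAC\MyPolicy.cip'
```

Run Get-WdacScriptEnforcementState in both a policy-enforced and an audit-mode session to see the difference the answer describes: in Audit mode the UMCI status reports 1 and LanguageMode stays FullLanguage, so ScriptEnforcementActive is false even though the policy is deployed.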