PowerShell New-Object blocked on some Constrained hosts but not others

Kevin Grant 0 Reputation points
2023-05-24T00:01:19.9633333+00:00

Hi all,

I have a PowerShell script that is being distributed by Intune to a number of PCs. The script basically creates a shortcut using the commands:

$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$($env:APPDATA)\Microsoft\Windows\Start Menu\Programs\Startup\Word_Main_Template.lnk")
$Shortcut.TargetPath = "$($PSHOME)\powershell.exe"
$Shortcut.Arguments = "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$($scriptFolder)\$($copyScriptName)`""
$Shortcut.Save()

The script also dumps a log file using the Start-Transcript/Stop-Transcript command pair.

All PCs are configured to be in Constrained Language mode as per the transcript output:

Language mode: ConstrainedLanguage

On most PCs (>100) the script executes without issues but on some (<10) I get the following error when executing the New-Object command:

PS>TerminatingError(New-Object): "Cannot create type. Only core types are supported in this language mode."

I have verified that all PCs are running the same versions of Windows (Microsoft Windows NT 10.0.19044.0), PowerShell (5.1.19041.2673) etc by comparing the transcript output.

Can anyone suggest a reason why I would be seeing this error?

Thanks :)

Windows for business Windows Server User experience PowerShell
Microsoft Security Intune Other

2 answers

  1. Rich Matheisen 47,901 Reputation points
    2023-05-24T02:44:48.1266667+00:00

    If all of the machines are set to use "ConstrainedLanguage" then they all should be rejecting the creation of a COM object.

    Place function "Test-TypePermitted" into a PS script file: https://stackoverflow.com/questions/64805592/automatically-retrieve-allowed-types-for-constrained-language-mode

    At the bottom of the script, place this code:

    [__ComObject] | Test-TypePermitted -Mode Constrained
    
    
    

    You should see this when you run that script:

    TypeName           Permitted Message
    --------           --------- -------
    System.__ComObject     False Cannot create type. Only core types are supported in this language mode.
    

    This bit of code should tell you the current language mode for the machine:

    try {
        # Machine-wide environment variables are stored under this key
        $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
        $Property = "__PSLockdownPolicy"
        # -ErrorAction Stop makes a missing value a terminating error so the catch block runs
        $result = Get-ItemProperty -Path $Path -Name $Property -ErrorAction Stop
        $PolicyValue = $result.__PSLockdownPolicy

        # Map the policy value to a language mode
        $LockdownPolicy = switch ($PolicyValue) {
            0 { "Full Language Mode"; Break }
            1 { "Full Language Mode"; Break }
            2 { "Full Language Mode"; Break }
            3 { "Full Language Mode"; Break }
            8 { "Full Language Mode"; Break }
            4 { "Constrained Language Mode"; Break }
            5 { "Constrained Language Mode"; Break }
            6 { "Constrained Language Mode"; Break }
            7 { "Constrained Language Mode"; Break }
        }

        Write-Host "Lockdown Policy Value: $PolicyValue -  $LockdownPolicy" -ForegroundColor Yellow
    }
    catch {
        # Reached when the __PSLockdownPolicy value does not exist
        if ($null -eq $result) {
            Write-Host "No PSLockdownPolicy found. Should be operating in Full Language Mode" -ForegroundColor Yellow
        }
    }
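
A diagnostic for comparing a working PC with a failing one, as an added example that is not part of this answer or the original script: it records the effective language mode of the running session, the `__PSLockdownPolicy` value from the registry and from the process environment, and the outcome of the `New-Object -ComObject WScript.Shell` call from the question. The variable names and output layout are assumptions; only cmdlets and property access are used so the file itself runs under ConstrainedLanguage.

```powershell
# Added example (not from the thread): run the same file on a working and a failing PC
# and compare the output line by line.

# Language mode the engine is enforcing for this session.
$mode = $ExecutionContext.SessionState.LanguageMode

# Machine-wide __PSLockdownPolicy value, read from the same key as the code above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$reg = Get-ItemProperty -Path $key -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue
if ($reg) { $regPolicy = $reg.__PSLockdownPolicy } else { $regPolicy = '<not set>' }

# Value visible to this process; it can differ from the machine-wide registry value.
if (Test-Path Env:\__PSLockdownPolicy) {
    $envPolicy = $env:__PSLockdownPolicy
}
else {
    $envPolicy = '<not set>'
}

# Repeat the call from the question and capture the result instead of terminating.
try {
    $null = New-Object -ComObject WScript.Shell -ErrorAction Stop
    $comResult = 'created'
}
catch {
    $comResult = "blocked: $($_.Exception.Message)"
}

# Context that can differ between hosts even when OS and PowerShell versions match.
Write-Output "Computer            : $env:COMPUTERNAME"
Write-Output "User                : $env:USERNAME"
Write-Output "Script path         : $PSCommandPath"
Write-Output "PowerShell version  : $($PSVersionTable.PSVersion)"
Write-Output "Session LanguageMode: $mode"
Write-Output "Registry policy     : $regPolicy"
Write-Output "Process env policy  : $envPolicy"
Write-Output "WScript.Shell COM   : $comResult"
```

Running it between `Start-Transcript` and `Stop-Transcript`, as the original script already does, puts the result in the same log that was used to compare the hosts.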
    

  2. Limitless Technology 44,746 Reputation points
    2023-05-24T11:13:18.1933333+00:00

    Hello there,

    Check if that user has write permissions on the share with: "test" | Out-File $location

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

