Configuring PowerShell to always use Constrained Language Mode and script block logging, and transcription functionality

Question

Configuring PowerShell to always use Constrained Language Mode and script block logging, and transcription functionality

EnterpriseArchitect 6,041

Hi All,

I need some guidance to configure my PowerShell environment to enable the following:

Constrained Language Mode every script startup
Module logging, script block logging, and transcription functionality.

What are the steps or the script to do that?

Thanks.

Accepted answer

1 additional answer

Your answer

Answer 1

Pierre Audonnet - MSFT 10,191 Microsoft Employee

For the first point you can use AppLocker or DeviceGuard to enforce it: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/ (doc for DeviceGuard/Windows Defender Application Control: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions)

For the second point, you can use a group policy (Computer configuration/Administrative Templates/Windows Components/Windows PowerShell):

EnterpriseArchitect 6,041 Reputation points

2021-11-10T04:43:54.567+00:00

@Pierre Audonnet - MSFT Do I need to install Windows Defender and then enable something to make sure the Powershell is always running Constrained Language Mode every script startup?
Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-11-10T19:39:16.27+00:00

It's already installed, it is a part of Windows. You need to configure a policy, you can use a wizard to help you with that: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard
And pick a deployment type: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide

Answer 2

Hi there,

You can place a PowerShell session into Constrained Language mode simply by setting a property:

PS C:\> $ExecutionContext.SessionState.LanguageMode
FullLanguage
PS C:\> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage

PS C:\> [System.Console]::WriteLine("Hello")
Cannot invoke method. Method invocation is supported only on core types in this language mode.
At line:1 char:1

[System.Console]::WriteLine("Hello")
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidOperation: (:) [], RuntimeException
FullyQualifiedErrorId : MethodInvocationNotSupportedInConstrainedLanguage

You can get more info from here
https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

--If the reply is helpful, please Upvote and Accept it as an answer--

Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee

2021-11-12T13:41:13.59+00:00

This does not always enable Constrained Language mode on a system. This only turns it on for the current session.

Share via

Configuring PowerShell to always use Constrained Language Mode and script block logging, and transcription functionality

1 additional answer

Your answer