Procedures to enforce Windows PowerShell to run in Constrained Language Mode using Windows Defender Application Control?

EnterpriseArchitect 6,041 Reputation points
2021-12-01T06:19:24.757+00:00

Hi All,

I need some help and guidance in deploying the Windows Defender Application Control (WDAC) policy to enforce Windows PowerShell to run in Constrained Language Mode for my production servers.

Can someone here, please share the steps?

Because the link, Deploy Windows Defender Application Control (WDAC) policies using the https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script, does not show the settings to enable PowerShell Constrained Language Mode.

From: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.2#constrained-language-constrained-language

Thanks in advance.


1 answer

  1. Limitless Technology 39,926 Reputation points
    2021-12-01T19:42:48.067+00:00

    Hello @EnterpriseArchitect

    The Policy you are looking for is :

    Option 11: Disabled:Script Enforcement
    Default value: Enabled (meaning it will DISABLE Script Enforcement; to allow it, you should set it to Disabled)

    This option is only supported in Windows 1903 build 18362.145 or later. The Microsoft documentation on this option is incomplete and inconsistent.

    Script enforcement has two main functions:

    It blocks MSIs. Why MSIs? Application Control refers primarily to Portable Executables (PEs), which are files encoded in the PE format, including EXE, DLL and SYS files, but not MSIs. So really, I think, "script" here means "non-PE".
    It does not block scripts, but it puts PowerShell into Constrained Language mode, which blocks specific elements that expose vulnerabilities (calls to Win32 APIs). Note: a policy will only put PowerShell into Constrained Language mode if it is in Enforced mode. In Audit mode, PowerShell remains in Full Language mode.

    Reference to apply the changes: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create

    Hope this helps with your query,

    --------
    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
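As an added worked example (not part of the question or of the answer above), the following ConfigCI cmdlet sequence builds a WDAC policy in which script enforcement is left on, so that PowerShell is placed in Constrained Language Mode once the policy is deployed in enforced mode, and then verifies the result on a server after deployment. The file paths under C:\WDAC, and starting from the DefaultWindows_Enforced.xml example policy that ships with Windows, are assumptions for illustration; copying the resulting binary to the target and rebooting is done exactly as in the "deploy with script" article linked in the question and is not repeated here.

```powershell
# Added example: WDAC policy that keeps script enforcement enabled so that
# PowerShell runs in ConstrainedLanguage mode. Paths are assumed for illustration.
# Requires the ConfigCI module (built into Windows 10 / Windows Server 2016 and later).

$PolicyXml = 'C:\WDAC\ServerPolicy.xml'   # assumed working copy of the policy
$PolicyBin = 'C:\WDAC\SIPolicy.p7b'       # assumed output, single-policy binary format
$Template  = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml'

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
Copy-Item -Path $Template -Destination $PolicyXml -Force

# The three rule options that decide whether PowerShell ends up in CLM:
#   0  Enabled:UMCI                  must be present  (script enforcement is user-mode only)
#   11 Disabled:Script Enforcement   must be absent   (its presence turns CLM off)
#   3  Enabled:Audit Mode            must be absent   (audit mode leaves PowerShell in FullLanguage)
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 11 -Delete
Set-RuleOption -FilePath $PolicyXml -Option 3  -Delete

# Sanity check the <Rules> block before converting: option 11 and
# "Enabled:Audit Mode" must not be listed, "Enabled:UMCI" must be.
[xml]$doc = Get-Content -Path $PolicyXml
$options = @($doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
if ($options -contains 'Disabled:Script Enforcement') { throw 'Script enforcement is still disabled in the policy' }
if ($options -contains 'Enabled:Audit Mode')          { throw 'Policy is still in audit mode; CLM will not be applied' }
if ($options -notcontains 'Enabled:UMCI')             { throw 'UMCI is not enabled; script enforcement needs user-mode CI' }
"Rule options: $($options -join ', ')"

# Convert to the binary form that the Code Integrity engine loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# ---- Run the part below on the server after the policy is deployed and it has rebooted ----

# User-mode enforcement status: 0 = off, 1 = audit, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
"UMCI enforcement status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# Language mode is evaluated per session, so check it from a fresh PowerShell process.
$mode = powershell.exe -NoProfile -Command '$ExecutionContext.SessionState.LanguageMode'
"Language mode in a new session: $mode"

# Optional spot check of what CLM actually blocks: compiling arbitrary .NET with Add-Type
# is one of the capabilities that is refused in ConstrainedLanguage mode.
$probe = powershell.exe -NoProfile -Command {
    try { Add-Type -TypeDefinition 'public class ClmProbe {}'; 'Add-Type succeeded (FullLanguage)' }
    catch { "Add-Type refused: $($_.Exception.Message)" }
}
$probe
```

Two practical points follow from the answer: an audit-mode policy (option 3) is worth deploying first to collect block events, but it will not move PowerShell into Constrained Language Mode, so the language-mode check above only becomes meaningful once option 3 has been removed; and because the language mode is fixed when a session starts, a console that was already open when the policy took effect will still report FullLanguage until it is restarted.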
