0 Votes
EnterpriseArchitect asked, LimitlessTechnology-2700 answered

Procedures to enforce Windows PowerShell to run in Constrained Language Mode using Windows Defender Application Control?

Hi All,


I need some help and guidance in deploying the Windows Defender Application Control (WDAC) policy to enforce Windows PowerShell to run in Constrained Language Mode for my production servers.


Can someone here, please share the steps?

Because from the link: Deploy Windows Defender Application Control (WDAC) policies using the https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script it does not show the settings to enable the PowerShell constrained language mode.


From: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.2#constrained-language-constrained-language


Thanks in advance.

Tags: windows-server-powershell, windows-active-directory, windows-10-security, windows-group-policy, windows-server-security

1 Answer

1 Vote
LimitlessTechnology-2700 answered

Hello @EnterpriseArchitect

The policy rule option you are looking for is:

Option 11 Disabled:Script Enforcement
Default value: Enabled (meaning it will DISABLE script enforcement; to allow it, you should set it to Disabled)

This option is only supported in Windows 1903 build 18362.145 or later. The Microsoft documentation on this option is incomplete and inconsistent.

Script enforcement has two main functions:

It blocks MSIs. Why MSIs? Application Control refers primarily to Portable Executables (PEs), which are files encoded in the PE format, including EXE, DLL and SYS files, but not MSIs. So really, I think, "script" here means "non-PE".
It does not block scripts, but it puts PowerShell into Constrained Language mode, which blocks specific elements that expose vulnerabilities (calls to Win32 APIs). Note: a policy will only put PowerShell into Constrained Language mode if it is in Enforced mode. In Audit mode, PowerShell remains in Full Language mode.

Reference to apply the changes: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--
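The answer above names the rule option but not the procedure. The following is an added example, not code from the question or the answer, showing the end-to-end steps on the server itself: copy one of the example policies that ship with Windows, remove "Disabled:Script Enforcement" (option 11) so script enforcement is on, remove "Enabled:Audit Mode" (option 3) so the policy is enforced, compile it, stage it, and then verify that a new PowerShell session reports ConstrainedLanguage. It assumes Windows 10 1903 / Windows Server 2019 or later, an elevated session with the ConfigCI module, and the directory C:\WDAC and policy name "Server CLM baseline" are hypothetical. The ConvertFrom-CIPolicy, Set-CIPolicyIdInfo, Set-RuleOption and PS_UpdateAndCompareCIPolicy calls are the ones documented in the deployment article the question links.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): build and stage a WDAC policy that
# puts Windows PowerShell into ConstrainedLanguage by enabling script enforcement
# in an ENFORCED (not audit) policy. Run on a test server first: an enforced policy
# built from DefaultWindows_Enforced blocks any binary it does not allow.
# C:\WDAC and the policy name below are hypothetical.

$PolicyDir = 'C:\WDAC'
$PolicyXml = Join-Path $PolicyDir 'ServerClm.xml'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Start from the enforced example policy shipped with Windows.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" `
          -Destination $PolicyXml -Force

# 2. Fresh policy ID in multiple-policy format. The cmdlet prints "PolicyID: {GUID}";
#    the GUID (with braces) becomes the .cip file name, as in Microsoft's own examples.
$PolicyId = (Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID).Substring(11)
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Server CLM baseline'

# 3. Rule options. Deleting option 11 turns script enforcement ON; deleting option 3
#    takes the policy out of audit mode (audit mode leaves PowerShell in FullLanguage).
#    Option 16 lets later policy updates apply without a reboot.
Set-RuleOption -FilePath $PolicyXml -Option 11 -Delete   # Disabled:Script Enforcement
Set-RuleOption -FilePath $PolicyXml -Option 3  -Delete   # Enabled:Audit Mode
Set-RuleOption -FilePath $PolicyXml -Option 16           # Enabled:Update Policy No Reboot

# Read the option strings back out of the XML so the build fails loudly if step 3 did not take.
function Get-WdacRuleOption {
    param([Parameter(Mandatory)][string]$Path)
    ([xml](Get-Content -Path $Path -Raw)).SiPolicy.Rules.Rule.Option
}
$Options = Get-WdacRuleOption -Path $PolicyXml
if ($Options -contains 'Disabled:Script Enforcement') { throw 'Script enforcement is still disabled.' }
if ($Options -contains 'Enabled:Audit Mode') { throw 'Policy is still in audit mode; CLM will not apply.' }

# 4. Compile to binary, copy it to the Active policy folder and refresh code integrity.
$PolicyBin   = Join-Path $PolicyDir "$PolicyId.cip"
$ActiveDir   = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
$Destination = Join-Path $ActiveDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
Copy-Item -Path $PolicyBin -Destination $Destination -Force
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy `
                 -MethodName Update -Arguments @{ FilePath = $Destination }

# 5. Verify from a NEW PowerShell session; the session that deployed the policy keeps
#    the language mode it started with. CodeIntegrityPolicyEnforcementStatus:
#    0 = off, 1 = audit, 2 = enforced. Add-Type is refused in ConstrainedLanguage,
#    which is a cheap probe that the restriction is real and not just reported.
function Test-ClmEnforcement {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        CiEnforcement  = $dg.CodeIntegrityPolicyEnforcementStatus
        LanguageMode   = $ExecutionContext.SessionState.LanguageMode
        AddTypeBlocked = $(try { Add-Type -TypeDefinition 'public class Probe {}' -ErrorAction Stop; $false }
                           catch { $true })
    }
}
Test-ClmEnforcement
```

Two caveats a practitioner will hit: scripts and modules that the policy itself allows (for example, signed by a publisher the policy trusts) still run in FullLanguage, so CLM only applies to code the policy does not explicitly allow; and an enforced policy built from the DefaultWindows template will block third-party agents and management tools unless you add rules for them (New-CIPolicy against a reference machine or supplemental policies), so run with option 3 in place on a pilot box and review the CodeIntegrity event log before removing it.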
