Hello Sean!  To clarify, when you mention "powershell set to disabled", do you 
mean if powershell.exe was denied to run via AppLocker that login scripts would 
still work?  Or was your reference to constrained language mode?

It would make sense if login scripts were exempt from this, but unfortunately 
that doesn't appear to be occurring, at least from what I've observed.

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On 
Behalf Of Sean Chapman
Sent: Monday, October 30, 2017 5:46 AM
To: [email protected]
Subject: [NTSysADM] RE: Application Whitelisting and PowerShell Constrained 
Language Mode - Problems With Trusted Login Scripts

It was my understanding that even if you have PowerShell set to disabled, 
running a script via GPO like a login script would execute no matter what.  I 
tried to find some documentation really quickly to verify that but could not, 
so I could be wrong.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Friday, October 27, 2017 5:09 PM
To: [email protected]<mailto:[email protected]>
Subject: [NTSysADM] Application Whitelisting and PowerShell Constrained 
Language Mode - Problems With Trusted Login Scripts

Hello!  I was hoping to see if anyone else in the community has encountered 
this problem:

Windows 10 includes PowerShell v5, which includes a new security feature called 
Constrained Language Mode.  This feature is automatically activated when 
application whitelisting is enabled and prevents PowerShell from running 
"riskier" code.

As I understand it based on everything I have read, as long as AppLocker has a 
whitelist rule for it, those whitelisted scripts should be exempt from 
Constrained Language.  However, this does not appear to be working on our 
Windows 10 computers.  One of my login scripts that is in a whitelisted folder 
path fails to run and gives the error "Cannot dot-source this command because 
it was defined in a different language mode" which I understand to mean it is 
being blocked by Constrained Language mode.  I have other scripts in this 
whitelisted folder path that are working, but they don't appear to be 
triggering Constrained Language.

I have confirmed that the script is not being blocked by AppLocker since the 
logs confirm that the script was allowed to run by AppLocker.

To rule out AppLocker path rules being the problem, I also signed the 
PowerShell script, whitelisted the cert and tried to run it and encountered the 
same problem.

Has anyone else encountered this problem?  If so, have you found any workarounds 
for this?  My goal is to avoid disabling Constrained Language mode entirely, 
since I am looking to only allow trusted/whitelisted scripts to be exempt from 
Constrained Language mode.

Thanks!

-Aakash Shah
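
A diagnostic for the situation described in this thread, added here as an example and not written by any poster: it records the session's language mode, then checks the login script and each script it dot-sources by literal path against the effective AppLocker policy and Authenticode status, so a file that is evaluated differently from its caller stands out. The share path is a placeholder, and the regular expression for finding dot-sourced files is an assumption about how the script is written.

```powershell
# Added diagnostic example; not code from the thread.
param(
    # Placeholder path (assumption): point this at the failing login script.
    [string]$ScriptPath = '\\example.local\NETLOGON\Trusted\login.ps1'
)

# 1. Language mode of the session running this check
#    (FullLanguage or ConstrainedLanguage).
$mode = $ExecutionContext.SessionState.LanguageMode

# 2. Scripts the login script dot-sources by literal path, e.g. ". .\helpers.ps1".
#    Paths built from variables or containing spaces are skipped, not guessed.
$baseDir = Split-Path -Path $ScriptPath -Parent
$dotSourced = @(
    Select-String -Path $ScriptPath -Pattern '^\s*\.\s+["'']?([^"''\s]+\.ps1)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } |
        Where-Object { $_ -notmatch '\$' } |
        ForEach-Object {
            if (Split-Path -Path $_ -IsAbsolute) { $_ } else { Join-Path $baseDir $_ }
        }
)

# 3. Evaluate every file against the effective AppLocker policy for this user
#    and record its Authenticode status next to the decision.
$policy = Get-AppLockerPolicy -Effective
$user   = "$env:USERDOMAIN\$env:USERNAME"
$files  = @($ScriptPath) + $dotSourced
$report = Test-AppLockerPolicy -PolicyObject $policy -Path $files -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule, @{
        Name       = 'Signature'
        Expression = { (Get-AuthenticodeSignature -FilePath $_.FilePath).Status }
    }

# 4. Most recent AppLocker script events: 8005 allowed, 8006 audit-only, 8007 blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8005, 8006, 8007
} -MaxEvents 20 -ErrorAction SilentlyContinue

"Session language mode: $mode"
$report | Format-Table -AutoSize -Wrap
$events | Select-Object TimeCreated, Id, Message | Format-List
```

Run it as the affected user on an affected Windows 10 machine; a dot-sourced file whose PolicyDecision or MatchingRule differs from the main script's is the first thing to look at.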






