Security Focus: Set ConstrainedLanguage Mode on My Machine

Whilst doing some research, for a presentation on Security and PowerShell, I came across this cheeky one-liner:

[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')


After running it, look what happens when I try and start PowerShell. Damn, my profile script won’t run… but, what’s this? I can’t do other stuff, too? Damn!



If you’ve never come across ConstrainedLanguage mode, it does exactly that… it constrains the PowerShell language. Very useful if you want to harden a system.

In WMF 5 on Windows 10 you can use this in conjunction with Applocker to enforce the restriction of PowerShell activity.




Comments (0)

Skip to main content