From 588434a35925c5a1115ab668cd59e29428223e52 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Fri, 23 Jan 2026 14:19:02 -0600 Subject: [PATCH 1/2] Update guidance about lockdown mode --- .../About/about_Language_Modes.md | 25 ++++++++++++------- .../About/about_Language_Modes.md | 25 ++++++++++++------- .../About/about_Language_Modes.md | 25 ++++++++++++------- .../remoting/jea/security-considerations.md | 4 ++- .../security/securing-restricted-sessions.md | 4 ++- 5 files changed, 54 insertions(+), 29 deletions(-) diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md index 8085f5e6dd18..4576953e0e59 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md @@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/18/2026 +ms.date: 01/23/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -60,7 +60,7 @@ ConstrainedLanguage ``` However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you -can't use the [member-access operator][02] (`.`) to get property values. +can't use the [member-access operator][03] (`.`) to get property values. Instead, the error message reveals the language mode. When you access `$ExecutionContext.SessionState.LanguageMode` in a @@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file system, or other system resources. For more information, see [JEA Session configurations][01] and -[New-PSSessionConfigurationFile][05]. +[New-PSSessionConfigurationFile][06]. ## Language mode features and limitations 
@@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows: - Users can get all properties of allowed types. Users can set the values of properties only on allowed types. +> [!IMPORTANT] +> You must use `ConstrainedLanguage` mode in System Lockdown mode with App +> Control for Business to ensure that `ConstrainedLanguage` mode can't be +> bypassed. For more information about how PowerShell supports AppLocker and +> App Control, see [Use App Control to secure PowerShell][02]. + The following .NET types are permitted in `ConstrainedLanguage` mode. Users can get properties, invoke methods, and convert objects to these types. @@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in ## See also -- [about_Session_Configuration_Files][03] -- [about_Session_Configurations][04] +- [about_Session_Configuration_Files][04] +- [about_Session_Configurations][05] [01]: /powershell/scripting/learn/remoting/jea/session-configurations -[02]: about_Member-Access_Enumeration.md -[03]: about_Session_Configuration_Files.md -[04]: about_Session_Configurations.md -[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile +[02]: /powershell/scripting/security/app-control/application-control +[03]: about_Member-Access_Enumeration.md +[04]: about_Session_Configuration_Files.md +[05]: about_Session_Configurations.md +[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md index ce5b980638f7..1e2ba3f31d3f 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md 
@@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/18/2026 +ms.date: 01/23/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -60,7 +60,7 @@ ConstrainedLanguage ``` However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you -can't use the [member-access operator][02] (`.`) to get property values. +can't use the [member-access operator][03] (`.`) to get property values. Instead, the error message reveals the language mode. When you access `$ExecutionContext.SessionState.LanguageMode` in a @@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file system, or other system resources. For more information, see [JEA Session configurations][01] and -[New-PSSessionConfigurationFile][05]. +[New-PSSessionConfigurationFile][06]. ## Language mode features and limitations @@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows: - Users can get all properties of allowed types. Users can set the values of properties only on allowed types. +> [!IMPORTANT] +> You must use `ConstrainedLanguage` mode in System Lockdown mode with App +> Control for Business to ensure that `ConstrainedLanguage` mode can't be +> bypassed. For more information about how PowerShell supports AppLocker and +> App Control, see [Use App Control to secure PowerShell][02]. + The following .NET types are permitted in `ConstrainedLanguage` mode. Users can get properties, invoke methods, and convert objects to these types. 
@@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in ## See also -- [about_Session_Configuration_Files][03] -- [about_Session_Configurations][04] +- [about_Session_Configuration_Files][04] +- [about_Session_Configurations][05] [01]: /powershell/scripting/learn/remoting/jea/session-configurations -[02]: about_Member-Access_Enumeration.md -[03]: about_Session_Configuration_Files.md -[04]: about_Session_Configurations.md -[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile +[02]: /powershell/scripting/security/app-control/application-control +[03]: about_Member-Access_Enumeration.md +[04]: about_Session_Configuration_Files.md +[05]: about_Session_Configurations.md +[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md index c270c2d8520a..e5fc404bfdb1 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md @@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/18/2026 +ms.date: 01/23/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 @@ -60,7 +60,7 @@ ConstrainedLanguage ``` However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you -can't use the [member-access operator][02] (`.`) to get property values. +can't use the [member-access operator][03] (`.`) to get property values. Instead, the error message reveals the language mode. When you access `$ExecutionContext.SessionState.LanguageMode` in a 
@@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file system, or other system resources. For more information, see [JEA Session configurations][01] and -[New-PSSessionConfigurationFile][05]. +[New-PSSessionConfigurationFile][06]. ## Language mode features and limitations @@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows: - Users can get all properties of allowed types. Users can set the values of properties only on allowed types. +> [!IMPORTANT] +> You must use `ConstrainedLanguage` mode in System Lockdown mode with App +> Control for Business to ensure that `ConstrainedLanguage` mode can't be +> bypassed. For more information about how PowerShell supports AppLocker and +> App Control, see [Use App Control to secure PowerShell][02]. + The following .NET types are permitted in `ConstrainedLanguage` mode. Users can get properties, invoke methods, and convert objects to these types. @@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in ## See also -- [about_Session_Configuration_Files][03] -- [about_Session_Configurations][04] +- [about_Session_Configuration_Files][04] +- [about_Session_Configurations][05] [01]: /powershell/scripting/learn/remoting/jea/session-configurations -[02]: about_Member-Access_Enumeration.md -[03]: about_Session_Configuration_Files.md -[04]: about_Session_Configurations.md -[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile +[02]: /powershell/scripting/security/app-control/application-control +[03]: about_Member-Access_Enumeration.md +[04]: about_Session_Configuration_Files.md +[05]: about_Session_Configurations.md +[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile diff --git a/reference/docs-conceptual/security/remoting/jea/security-considerations.md b/reference/docs-conceptual/security/remoting/jea/security-considerations.md index ceb2149f7335..6a38c9d8f489 100644 
--- a/reference/docs-conceptual/security/remoting/jea/security-considerations.md +++ b/reference/docs-conceptual/security/remoting/jea/security-considerations.md @@ -187,7 +187,9 @@ configured session. ### Don't allow commands that can create new runspaces. > [!WARNING] -> The `*-Job` cmdlets can create new runspaces without the restrictions. +> The Windows Compatibility feature in PowerShell 7 creates a new runspace to host Windows +> PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The +> `*-Job` cmdlets can create new runspaces without the restrictions. ### Don't allow the `Trace-Command` cmdlet. diff --git a/reference/docs-conceptual/security/securing-restricted-sessions.md b/reference/docs-conceptual/security/securing-restricted-sessions.md index eaa9b042cee8..b904880985aa 100644 --- a/reference/docs-conceptual/security/securing-restricted-sessions.md +++ b/reference/docs-conceptual/security/securing-restricted-sessions.md @@ -39,7 +39,9 @@ restricted session implementation. ### Don't allow commands that can create new runspaces > [!WARNING] -> The `*-Job` cmdlets can create new runspaces without the restrictions. +> The Windows Compatibility feature in PowerShell 7 creates a new runspace to host Windows +> PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The +> `*-Job` cmdlets can create new runspaces without the restrictions. ### Don't allow the `Trace-Command` cmdlet. From 0ad67c7089c10b8e075c8933d1e02d12fb66eff3 Mon Sep 17 00:00:00 2001 
From: Sean Wheeler Date: Mon, 26 Jan 2026 09:45:21 -0600 Subject: [PATCH 2/2] Feedback edits --- .../About/about_Language_Modes.md | 2 +- .../About/about_Language_Modes.md | 2 +- .../About/about_Language_Modes.md | 2 +- .../security/app-control/application-control.md | 14 ++++++++------ .../remoting/jea/security-considerations.md | 14 +++++++++++--- .../security/securing-restricted-sessions.md | 2 +- 6 files changed, 23 insertions(+), 13 deletions(-) diff --git a/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md index 4576953e0e59..d21828076e3b 100644 --- a/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md @@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/23/2026 +ms.date: 01/26/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 diff --git a/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md index 1e2ba3f31d3f..9318a185f276 100644 --- a/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md @@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/23/2026 +ms.date: 01/26/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.5&WT.mc_id=ps-gethelp schema: 2.0.0
diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md index e5fc404bfdb1..df4ce5f8228f 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md @@ -1,7 +1,7 @@ --- description: Explains language modes and their effect on PowerShell sessions. Locale: en-US -ms.date: 01/23/2026 +ms.date: 01/26/2026 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage] online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 diff --git a/reference/docs-conceptual/security/app-control/application-control.md b/reference/docs-conceptual/security/app-control/application-control.md index d0b7e39dffae..3b5beffd4fcc 100644 --- a/reference/docs-conceptual/security/app-control/application-control.md +++ b/reference/docs-conceptual/security/app-control/application-control.md @@ -1,6 +1,6 @@ --- description: This article explains the features of Application Control that can be used to secure your PowerShell environment. -ms.date: 12/09/2025 +ms.date: 01/26/2026 title: Use App Control to secure PowerShell --- # Use App Control to secure PowerShell 
@@ -26,11 +26,13 @@ following name format: - `$Env:TEMP/__PSScriptPolicyTest_.ps1` - `$Env:TEMP/__PSScriptPolicyTest_.psm1` -App Control for Business is the preferred application control system for Windows. App Control -provides APIs that allow you to discover the policy configuration. App Control is designed as a -security feature under the servicing criteria defined by the Microsoft Security Response Center -(MSRC). For more information, see [Application Controls for Windows][04] and -[App Control and AppLocker feature availability][02]. +App Control for Business is the preferred application control system for Windows. App Control puts +the system into System Lockdown mode. System Lockdown mode is the feature that detects the policies +and determines if a context needs to be initialized or changed to a specific language mode. + +App Control is designed as a security feature under the servicing criteria defined by the Microsoft +Security Response Center (MSRC). For more information, see [Application Controls for Windows][04] +and [App Control and AppLocker feature availability][02]. > [!NOTE] > When [choosing between App Control or AppLocker][03], we recommend that you implement application diff --git a/reference/docs-conceptual/security/remoting/jea/security-considerations.md b/reference/docs-conceptual/security/remoting/jea/security-considerations.md index 6a38c9d8f489..2f7e16ae39dc 100644 --- a/reference/docs-conceptual/security/remoting/jea/security-considerations.md +++ b/reference/docs-conceptual/security/remoting/jea/security-considerations.md @@ -2,7 +2,7 @@ description: >- Since JEA allows these users to run administrative commands without having full administrator access, you can then remove those users from highly privileged security groups. -ms.date: 10/10/2023 +ms.date: 01/26/2026 title: JEA Security Considerations --- # JEA Security Considerations 
@@ -102,8 +102,16 @@ access to all mapped users. For example, a JEA session configured using the foll grants full access to `CONTOSO\JEA_Lev1` and `CONTOSO\JEA_Lev2`. ```powershell -$roles = @{ 'CONTOSO\JEA_Lev1' = 'Lev1Role'; 'CONTOSO\JEA_Lev2' = 'Lev2Role' } -New-PSSessionConfigurationFile -Path '.\jea.pssc' -SessionType RestrictedRemoteServer -RoleDefinitions $roles -RunAsVirtualAccount +$newPSSessionConfigurationFileSplat = @{ + Path = '.\jea.pssc' + SessionType = 'RestrictedRemoteServer' + RoleDefinitions = @{ + 'CONTOSO\JEA_Lev1' = 'Lev1Role' + 'CONTOSO\JEA_Lev2' = 'Lev2Role' + } + RunAsVirtualAccount = $true +} +New-PSSessionConfigurationFile @newPSSessionConfigurationFileSplat Register-PSSessionConfiguration -Path '.\jea.pssc' -Name 'MyJEAEndpoint' ``` diff --git a/reference/docs-conceptual/security/securing-restricted-sessions.md b/reference/docs-conceptual/security/securing-restricted-sessions.md index b904880985aa..7c4a60d231ed 100644 --- a/reference/docs-conceptual/security/securing-restricted-sessions.md +++ b/reference/docs-conceptual/security/securing-restricted-sessions.md @@ -1,6 +1,6 @@ --- description: This article explains how to secure a restricted PowerShell session that is used for secure remote access. -ms.date: 10/10/2023 +ms.date: 01/26/2026 title: Securing a restricted PowerShell remoting session --- # Securing a restricted PowerShell remoting session
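Review bot: In the IMPORTANT note added at `@@ -223,6 +223,12 @@` of about_Language_Modes.md (applied identically to the 7.4, 7.5 and 7.6 editions in patch 1), the opening sentence "You must use `ConstrainedLanguage` mode in System Lockdown mode with App Control for Business" reads as though the reader picks the mode; the security point runs the other way: `ConstrainedLanguage` mode is only an enforced boundary when System Lockdown mode, driven by an App Control for Business policy, is what puts the session into it, and a session placed in the mode by any other means carries no guarantee against bypass. Suggest: "`ConstrainedLanguage` mode is only enforced as a security boundary when the system is in System Lockdown mode under an App Control for Business policy. Setting the mode by any other means doesn't prevent it from being bypassed." The second sentence then links a page about "AppLocker and App Control", so say explicitly whether an AppLocker policy gives the same guarantee, otherwise readers will assume the two are equivalent. If the repo also carries a 5.1 edition of about_Language_Modes.md, it needs the same note.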
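Review bot: The link-reference renumbering in about_Language_Modes.md (hunks at `@@ -60`, `@@ -150` and `@@ -346`) inserts the App Control page as the new `[02]` and shifts the existing `[02]`..`[05]` up by one. The three hunks update one use of each old key, but any other `[02]`..`[05]` reference in the file outside the shown context would now silently resolve to the wrong target (an old `[02]` meant for member-access enumeration would link to the App Control page). Please grep the three files for `][0` and confirm every numbered reference was updated, or add the new page as `[06]` and leave the existing numbers alone if the repo's link-ordering convention allows it.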
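Review bot: In the WARNING rewritten at `@@ -187,7 +187,9 @@` of security-considerations.md (and the identical hunk at `@@ -39,7 +39,9 @@` of securing-restricted-sessions.md), "Don't allow any commands that would run via the Windows Compatibility feature" isn't actionable for someone writing a role capability, because a command name alone doesn't tell them whether it will be proxied to Windows PowerShell. Name the trigger instead, which is importing a module that only exists in Windows PowerShell (implicitly, or with `Import-Module -UseWindowsPowerShell`), and state the rule positively: expose only commands from modules that load natively in PowerShell 7, and don't expose `Import-Module`. It would also help to point to the `DisableImplicitWinCompat` setting in powershell.config.json and link about_Windows_PowerShell_Compatibility, so the endpoint can be hardened rather than relying on the allow list alone. Minor: "without the restrictions" in the last sentence should say whose restrictions, for example "without the session's restrictions", and the heading above it ends with a period in security-considerations.md but not in securing-restricted-sessions.md.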
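Review bot: In the hunk at `@@ -26,11 +26,13 @@` of application-control.md, the rewrite drops the sentence "App Control provides APIs that allow you to discover the policy configuration" without replacing it; if that's intentional, say so in the commit message, otherwise keep it. The new second sentence is vague where it matters: "detects the policies" should say which policies (App Control for Business, and whether AppLocker policies also trigger it, since the NOTE below contrasts the two), "a context" should say "a runspace" or "a session" to match the rest of the page, and "a specific language mode" should name `ConstrainedLanguage`, the mode the about_Language_Modes note in patch 1 ties to System Lockdown mode. Suggest: "System Lockdown mode detects an App Control for Business policy and decides whether a new runspace must start in, or an existing one must switch to, `ConstrainedLanguage` mode."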
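Review bot: The splatting change at `@@ -102,8 +102,16 @@` of security-considerations.md is a readability fix unrelated to the lockdown-mode subject of this PR, so call it out in the commit message rather than leaving it under the generic patch 2 subject. The conversion itself is correct, including `RunAsVirtualAccount = $true` for the switch parameter. Style: `$newPSSessionConfigurationFileSplat` is long for a variable used once; `$configParams` would read better.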