This morning, I tried to edit a script I've written, but I can't run anything because PowerShell is stuck in constrained language mode. I've looked up solutions online, but nothing seems to work. I checked the environment variable, and it doesn't exist. Also, I found no registry key in `HKLM\System\CurrentControlSet\Control\Session Manager\Environment` for `__PSLockDownPolicy`. The `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell` key does include FullLanguage, but there are no AppLocker or Device Guard group policies either. Running PowerShell as an admin makes no difference, and I have domain admin access. Does anyone know how I can troubleshoot why PowerShell is in constrained language mode? Just to note, I'm using the current version of Windows 11, and testing with both a local admin on the domain and a local admin not on the domain yields the same constrained mode.
2 Answers
Don't overlook the possibility of WDAC (Windows Defender Application Control). Even if AppLocker policies look clear, there might be other GPOs or settings affecting your configuration. It can really be tricky to pinpoint the issue without digging through all the policies.
You can start by checking the LanguageMode in PowerShell with `$ExecutionContext.SessionState.LanguageMode`. If it's set to ConstrainedLanguage, you'll face limitations in modifying it. It could be that some security settings are overriding your attempts. Sometimes, Defender for Endpoint can enforce ASR rules that maintain the constrained mode. It's worth investigating that further.
When I checked, `$ExecutionContext.SessionState.LanguageMode` showed it's ConstrainedLanguage, and I couldn't change it either. Running into "Cannot set property" errors. Since we're not subscribed to Defender 365, I'm starting to think it might be a default restriction, but I have no idea where to search for that.
I ran GPResult checks and found no AppLocker policies in the Computer Configuration settings or in Device Guard. I've spent hours troubleshooting this and still feel stuck.
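The checks discussed in this thread, gathered into one read-only PowerShell function. This is an added example, not code from any poster. The function name is hypothetical, and the Code Integrity policy file locations and the `Win32_DeviceGuard` status values (0 = off, 1 = audit, 2 = enforced) come from Windows itself rather than from the thread.

```powershell
# Added example: read-only checks for the settings named in this thread.
# Cmdlets and property reads only, so it is meant to work in a constrained session.
function Get-LanguageModeEvidence {   # hypothetical helper name
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $ciDir  = Join-Path $env:windir 'System32\CodeIntegrity'

    # Machine-wide __PSLockDownPolicy; a value of 4 requests ConstrainedLanguage.
    $envProps = Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue
    $lockdown = $envProps.'__PSLockDownPolicy'

    # Effective AppLocker policy (merges local and GPO rules); read the Script
    # rule collection's enforcement mode out of the XML form.
    $alXml  = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    $alMode = 'none'
    if ("$alXml" -match 'Type="Script"[^>]*EnforcementMode="(\w+)"') { $alMode = $Matches[1] }

    # WDAC / Code Integrity state as the OS reports it, regardless of how the
    # policy was delivered (GPO, MDM, or a file dropped on disk).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Policy files on disk: multiple-policy format (*.cip) and single-policy format.
    $cip = @(Get-ChildItem -Path (Join-Path $ciDir 'CiPolicies\Active') `
            -Filter '*.cip' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LanguageMode        = $ExecutionContext.SessionState.LanguageMode
        PSLockDownPolicy    = $lockdown
        AppLockerScriptMode = $alMode
        CodeIntegrityStatus = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCIStatus    = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        SiPolicyPresent     = Test-Path (Join-Path $ciDir 'SiPolicy.p7b')
        ActiveCipPolicies   = $cip.Name -join ', '
    }
}

Get-LanguageModeEvidence | Format-List
```

A `UserModeCIStatus` of 2 alongside an `AppLockerScriptMode` of `NotConfigured` or `none` points at a WDAC policy rather than AppLocker. The presence of `.cip` files alone is not conclusive, so read it together with the status values.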