On this occasion, I'll take up a topic that came to my attention at the beginning of May 2025. Administrators noticed that PowerShell script enforcement via AppLocker/WDAC had been broken for months. Although this should now be fixed with PowerShell 7.6, it shows that you cannot check often enough whether your protections actually hold when it matters.
AppLocker and WDAC
AppLocker is an application control feature in Windows that is used to control which applications and files users can run. It allows the creation of rules to allow or deny the execution of apps based on various factors, such as file size, hash value or certificate.
Windows Defender Application Control (WDAC) is intended to help minimize many conceivable security threats. This is done by restricting the applications that users are allowed to run and the code that is executed in the system kernel. Application Control Policies can also block unsigned scripts and MSI files and restrict Windows PowerShell to run in ConstrainedLanguage mode.
PowerShell Script Enforcement with App-Control
App Control Script Enforcement by AppLocker/WDAC is a security layer in which script execution is negotiated between the script host (PowerShell) and App Control via a handshake. The script host then decides whether the configured rules for executing or blocking the script are applied. Some script hosts, such as the Microsoft HTML Application Host (mshta.exe), block all code execution if an App Control UMCI policy is active. Most script hosts first ask App Control whether the execution of a script should be allowed based on the currently active App Control policy. The script host then blocks or allows the script execution, or modifies it to best protect the user and the device. Microsoft describes this here.
There was a problem in Windows 11 24H2
I didn't notice it at the time, but already in early April 2025 there was the post Application Control blocking WDAC policy deployment in the Spiceworks community, where someone pointed out that there were issues enforcing WDAC policies in Windows 11 24H2.
On reddit.com there is the thread Heads up!! Windows 11 24H2: AppLocker script enforcement broken!!, which warns that there are problems with AppLocker script enforcement when migrating to Windows 11 24H2. The thread refers to the article Windows 11 24H2: AppLocker script enforcement broken, published on April 27, 2025 at Patch My PC.
According to the article, there is (was) a critical security problem with the migration to Windows 11 24H2. Under Windows 11 24H2, Constrained Language Mode is no longer correctly enforced when AppLocker script rules are used.
PowerShell scripts that should be severely restricted now run in FullLanguage mode without any restrictions. This creates a major gap in security enforcement that administrators need to understand and address before upgrading to Windows 11 24H2.
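A quick way to verify this on your own machines is to run an unsigned probe script from a folder that no AppLocker script rule allows and see which language mode each PowerShell host assigns to it. The following check is an added example, not code from the article or from Patch My PC; it assumes AppLocker script rules are enforced for the current user, that you run it as a standard user (the default "Administrators" allow rule would legitimately grant FullLanguage), and that %TEMP% is not covered by an allow rule.

```powershell
# Added check (not from the article): does AppLocker script enforcement still place a
# script from a non-allow-listed, user-writable folder into ConstrainedLanguage mode?
# Assumptions: run as a standard user, AppLocker script rules enforced, %TEMP% not allowed.
Import-Module AppLocker

# 1. Is a Script rule collection actually enforced? Otherwise FullLanguage is expected.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$scriptCollection = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Script' }
if (-not $scriptCollection -or $scriptCollection.EnforcementMode -ne 'Enabled') {
    Write-Warning 'No enforced AppLocker Script rule collection: FullLanguage is expected here.'
}

# 2. Write an unsigned probe that reports the language mode its host assigned to it.
#    String interpolation is used instead of .ToString() so the probe also works in CLM.
$probe = Join-Path $env:TEMP 'clm-probe.ps1'
Set-Content -Path $probe -Value @(
    '"$($ExecutionContext.SessionState.LanguageMode)"',
    '"$($PSVersionTable.PSVersion)"'
)

# 3. Run the probe under each installed PowerShell host and compare with the expectation.
#    With working AppLocker enforcement a script the policy does not allow is not blocked
#    but runs in ConstrainedLanguage; FullLanguage here is the broken behaviour.
$results = foreach ($exe in 'powershell.exe', 'pwsh.exe') {
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if (-not $cmd) { continue }
    $out = & $cmd.Source -NoProfile -ExecutionPolicy Bypass -File $probe 2>$null
    $mode, $version = $out
    $verdict = switch ("$mode") {
        'ConstrainedLanguage' { 'OK: non-allowed script was constrained' }
        'FullLanguage'        { 'BROKEN: non-allowed script ran unrestricted' }
        default               { 'Script was blocked or the host failed to start' }
    }
    [pscustomobject]@{
        Host    = $exe
        Version = "$version"
        Mode    = "$mode"
        Verdict = $verdict
    }
}
Remove-Item $probe -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize
```

Compare the Windows PowerShell 5.1 row with the pwsh row: after the fix referenced for PowerShell 7.6, the pwsh host should report ConstrainedLanguage again for the probe.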
I first came across the topic at the beginning of May 2025 in the neowin.net article Admins find Windows 11 24H2 PowerShell AppLocker/WDAC script enforcement broken for months. Prompted by this German comment from today, I decided to pick up the topic here. In the meantime, Microsoft has fixed the behavior with PowerShell 7.6 (see Fallback to AppLocker after WldpCanExecuteFile (#24912)). But the blog readership is probably aware of this already.