How to Change Constrained Language Mode to Full Language Mode for Users

January 28, 2025, 10:45am 1

Hello everyone,

I’m facing an issue where PowerShell is running in ConstrainedLanguage mode for a specific user, even though there are no policies configured to enforce this.

Here’s what I’ve checked so far:

  1. Registry Keys:
    • HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell
    • HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
      I also verified the __PSLockDownPolicy environment variable, but it isn’t set.
  2. AppLocker and Software Restriction Policies:
    • I reviewed both AppLocker and SRP configurations, and there are no rules or restrictions applied that would enforce ConstrainedLanguage mode.
  3. Attempted Fixes:
    • Tried modifying the __PSLockDownPolicy value to allow full access, but it had no effect.
    • Allowed access to the script in AppLocker and SRP.

Has anyone encountered a similar issue? Any suggestions on how to resolve this?

Thanks in advance!

Evan7191 (Evan7191) January 28, 2025, 2:15pm 2

Have you tried setting the $ExecutionContext variable?

Kenneth_12 (Kenneth_12) January 28, 2025, 3:35pm 3

Check for AppLocker, SRP, or WDAC policies causing the issue. Remove __PSLockDownPolicy with:

Remove-Item Env:__PSLockDownPolicy

Reset execution policy:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

Troubleshoot further by exploring resources similar to the freecine app for managing scripts and settings.

How? If you’re referring to this method:

$ExecutionContext.SessionState.LanguageMode = "FullLanguage"

I can run it only as an admin. As a user, it requires elevated permissions.

Before: (some users in PSLockDownPolicy are set to 4, others to 0)

image_2025-01-29_10-35-01

After:

image_2025-01-29_10-35-07

However, I still can’t run my script, and the Language Mode remains “ConstrainedLanguage.”

I will check other users and get back to you.

Still the same, no changes. I decided to temporarily grant users Local Administrator permissions to resolve the issue.

I was facing the same issue, and it was because of Controlled Folder Access (CFA). I resolved the issue by adding PowerShell to the allowed application list of CFA:

Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

You can see the CFA logs in Microsoft-Windows-Windows Defender/Operational and search for event 1123. This script exports the CFA logs to a .CSV file:

Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
Where-Object { $_.Id -eq 1124 -or $_.Id -eq 1123 -or $_.Id -eq 5007 } |
Select-Object TimeCreated, Id, Message |
Export-Csv -Path "$env:USERPROFILE\Desktop\CFA_Logs.csv" -NoTypeInformation

I hope this works for you!

Regards!
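
A read-only check of each mechanism named in this thread (the `__PSLockDownPolicy` variable, AppLocker, WDAC and Controlled Folder Access), meant to be run as the affected user. It is an added example, not code from any poster; the function name `Get-LanguageModeReport`, the helper `Row` and the `HKCU:\Environment` lookup are assumptions that do not appear in the thread.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.
# Only cmdlets and property access are used, so it also runs in ConstrainedLanguage.
function Get-LanguageModeReport {
    function Row($Check, $Value) {
        if ("$Value" -eq '') { $Value = '(not set)' }
        [pscustomobject]@{ Check = $Check; Value = "$Value" }
    }

    Row 'Session language mode' $ExecutionContext.SessionState.LanguageMode

    # __PSLockDownPolicy: the process value, then the persisted machine and user values.
    # Assumption: HKCU:\Environment holds the per-user copy (not named in the thread).
    Row '__PSLockDownPolicy (process)' $env:__PSLockDownPolicy
    foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
                     'HKCU:\Environment') {
        $p = Get-ItemProperty -Path $key -Name '__PSLockDownPolicy' -ErrorAction SilentlyContinue
        Row "__PSLockDownPolicy ($key)" $p.__PSLockDownPolicy
    }

    # AppLocker: enforcement mode and rule count per collection in the effective policy.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        Row 'AppLocker rule collections' (@($policy.RuleCollections).Count)
        foreach ($c in $policy.RuleCollections) {
            Row "AppLocker $($c.RuleCollectionType)" "$($c.EnforcementMode), $($c.Count) rule(s)"
        }
    } catch { Row 'AppLocker' "unreadable: $($_.Exception.Message)" }

    # WDAC / code integrity status: 0 = off, 1 = audit, 2 = enforced.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        Row 'WDAC kernel-mode status' $dg.CodeIntegrityPolicyEnforcementStatus
        Row 'WDAC user-mode status' $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    } catch { Row 'WDAC' "unreadable: $($_.Exception.Message)" }

    # Controlled Folder Access: 0 = disabled, 1 = enabled, 2 = audit.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        Row 'CFA mode' $mp.EnableControlledFolderAccess
        Row 'CFA allowed applications' ($mp.ControlledFolderAccessAllowedApplications -join '; ')
        $ev = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123
        } -MaxEvents 20 -ErrorAction SilentlyContinue)
        Row 'CFA block events (1123), newest 20' $ev.Count
    } catch { Row 'Defender / CFA' "unreadable: $($_.Exception.Message)" }
}

Get-LanguageModeReport | Format-Table -AutoSize -Wrap
```

Some of these queries may return "unreadable" without elevation; comparing the output from an affected and an unaffected account shows which setting differs.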