PowerShell Remove Constrained Language Mode Windows 11 (original) (raw)

November 6, 2023, 12:31pm 1

We have a GPO to set _PSLockdownPolicy to 4 to force constrained language mode in PowerShell. When I started testing Windows 11 I forgot to initially exclude my new laptop from that policy. I have since excluded my laptop from that policy and removed the environment variable. Despite multiple reboots, PowerShell is still running in Constrained Language mode when run normally. When I run as admin it runs in Full Language mode. Is there something I am missing to get the language mode changed for a non admin PowerShell session?

superbart (SuperBart) November 6, 2023, 12:51pm 2

have you tried manually setting the language mode and then see if the GPO is setting it back?

$ExecutionContext.SessionState.LanguageMode = "FullLanguage"

or

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "ExecutionPolicy" -Value "FullLanguage"

It could be that it is just stuck and needs a “_hammer test_”.

codemark (Codemark)

November 6, 2023, 2:21pm 3

Hi, if I understand you correctly, then ticking the following box should help you:

4794f632-6dbd-4497-8e4f-0ffe6779ab6f-CLM_GPO.png

@codemark ​ I checked the GPO and it did not have that box checked but I had manually removed the environment variable. I did try updating the GPO to include that checkbox and no luck. I also tried changing that value to 8 locally and no luck with that.

@superbart ​ I get an error any time I try to change the Language Mode with the command listed. If I run PowerShell as an admin it shows that it is in Full Language mode and will let me run the second command but it does not make any changes to running PowerShell normally.

ecab4ae1-85c9-4d7b-9f30-3ed1847d4de8-PowerShell.png

superbart (SuperBart) November 6, 2023, 4:08pm 5

what about the second command I shared?

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "ExecutionPolicy" -Value "FullLanguage"

ich-ni-san (ich.ni.san) November 6, 2023, 4:16pm 6

I don’t know much about PowerShell, but this definitely sounds similar to a situation I experienced with certain GPO’s (preferences I think).

Some registry keys created by policies are not removed/reversed/disabled when the policy is disabled or removed. The registry keys have to be dealt with specifically. If you haven’t already, I would definitely try SuperBart’s second command.

No luck with the other command. The PowerShell key did not exist and even after creating it and adding the value specified the behavior did not change.

With any other OS (Win 10 and Server OS) we have not had any issues removing this setting by blocking GPO from applying, updating GPOs on the computer, removing the environment variable, and rebooting the device.

codemark (Codemark) November 7, 2023, 1:04pm 8

This may be a useless question, but after you excluded your Windows 11 Client, does the GPO still show up as applied in “gpresult /r” ?
Greetings :slight_smile:

The GPO shows up on the list as not applied, same as it does on my Win 10 laptop.

I was facing the same issue and it was because Controlled Folder Access CFA. I’ve resolve the issue adding powershell to the allowed application list of CFA:

Add-MpPreference -ControlledFolderAccessAllowedApplications “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

You are able to see CFA logs in Microsoft-Windows-Windows Defender/Operational and search for 1123 event. This script export the CFA logs to an .CSV file:

Get-WinEvent -LogName “Microsoft-Windows-Windows Defender/Operational” |
Where-Object { .Id−eq1124−or.Id -eq 1124 -or .Ideq1124or.Id -eq 1123 -or $_.Id -eq 5007
} | Select-Object TimeCreated, Id, Message |
Export-Csv -Path “$env:USERPROFILE\Desktop\CFA_Logs.csv” -NoTypeInformation

I hope this work for you!

Regards!