System lockdown / WDAC: Use of new audit-only mode prevents use of [pscustomobject]
literals, behaves as if ConstrainedLanguage
mode were in effect
#20768
Labels
In-PR
Indicates that a PR is out for the issue
Issue-Bug
Issue has been identified as a bug in the product
WG-NeedsReview
Needs a review by the labeled Working Group
WG-Security
security related areas such as JEA
Prerequisites
Steps to reproduce
If I understand correctly, the new audit-only mode - despite technically reporting
ConstrainedLanguage
via$ExecutionContext.SessionState.LanguageMode
- is meant to be a what-if constrained mode:FullLanguageMode
, but log operations that would be prevented ifConstrainedLanguage
mode were actually enforced.However, with respect to
[pscustomobject]
literals that isn't the case: Their use fails quietly:The workaround is to simply execute
$ExecutionContext.SessionState.LanguageMode = 'FullLanguage'
in a session that was started in audit mode. (Is the ability to do so by design?)However, even that doesn't work in other use cases: see
As an aside:
[pscustomobject]
literals should also work in trueConstrainedLanguage
mode, but currently do not - seeConstrainedLanguage
mode:[pscustomobject]
literals cannot be used, even though the type is white-listed, and an equivalentNew-Object
call succeeds #20767Expected behavior
A
[pscustomobject]
instance should be constructed and output.Actual behavior
No output, i.e. the expression fails quietly (but may be logged - haven't verified that).
Error details
No response
Environment data
Visuals
No response
The text was updated successfully, but these errors were encountered: