Breakpoints doesn't work when Applocker (so ConstrainedLanguage mode) is enforced

[pgardy]

Prerequisites

• I have written a descriptive issue title.
• I have searched all open and closed issues to ensure it has not already been reported.
• I have read the troubleshooting guide.
• I am sure this issue is with the extension itself and does not reproduce in a standalone PowerShell instance.
• I have verified that I am using the latest version of Visual Studio Code and the PowerShell extension.
• If this is a security issue, I have read the security issue reporting guidance.

Summary

I have applocker deployed on my machine. When I want to debug a script , debugger doesn't stop for breakpoint. It just runs the script.

PowerShell Version

$PSVersionTable; $Host

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Name             : Visual Studio Code Host
Version          : 2024.2.2
InstanceId       : 1d7f7e62-162e-4a00-92f1-1454b2a0910e
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : en-GB
CurrentUICulture : en-GB
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

Visual Studio Code Version

1.93.1
38c31bc77e0dd6ae88a4e9cc93428cc27a56ba40
x64

I've also tried Insiders build :
1.96.0-insider 
Commit: 3551cb01fa6f3a838e2d160df704cc3debfb9896

Extension Version

ms-vscode.powershell@2024.2.2

I've also done a build and packaging of latest source code and outcome was the same (at least dot-sourcing is fixed there)

Steps to Reproduce

1. Deploy default applocker rules for MI & Script and enforce them
2. prepare a new powershell script with at least two lines and save it (like write-host twice)
3. start visual studio , not elevated, as user without admin rights
4. put a breakpoint on line 1 or line 2
5. run the script . It should stop on breakpoint , but it is not

Visuals

No response

Logs

No response

[JustinGrote]

Thanks for your submission!

Does it work in the normal pwsh cli? If your constrained runtime doesn't include set-breakpoint, I would imagine it wouldn't work here, because that's basically all we do.

[pgardy]

When I run VSCode as admin or on machine without applocker, I can set breakpoint in VSCode (by pressing F9) and it works. In the non-working case, breakpoint is set, but debugging ignores it.
I don't know how can I set breakpoint in pwsh.exe/powershell.exe directly.

[JustinGrote]

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_debuggers?view=powershell-7.4#debugger-cmdlets

If you can reproduce it stopping OK in the console but not in vscode, we can investigate, otherwise this is behavior that is outside the extension and this issue would need to be transferred to Powershell/Powershell

[pgardy]

Thank you very much.
When I try to Set-PSBreakpoint -script <path_to_my_script> -Line 1 says:
Specified method is not supported.
(on both PWSH and powershell.exe ).. So , indeed, this is outside this extension.

[JustinGrote]

@pgardy as part of the breakpoint sync we will likely surface better when breakpoints can't be set.

@SeeminglyScience FYI

[pgardy]

Sounds good. Thank you,