PowerShell Community Call - April 20 2023
- 7.4 Preview 3
- WDAC Audit work @PaulHigin
- OpenSSH updates - @maertendMSFT @tgauth
- PSGet Updates, compat module merge - @anamnavi @alerickson
- Native piping work @SeeminglyScience
- Docs Update @sdwheeler
Community Demos
- AnyPackage - @ThomasNieto
- ShowDemo - @StartAutomating
- VSCode Binary modules - Justin Grote
- 7.4 Preview 3 will be coming out today if everything goes well, we are basically finishing the
release build.
- Check out the changelog for changes since the previous 7.4 preview 2.
- WDAC audit work
- It's not in the preview yet, probably will be in the next preview, but I just want to let people
know that this is coming.
- It's not going to affect a lot of people that use PowerShell because it's a Windows feature only
- It's a Windows feature called WDAC or Windows Defender Application Control, and it's basically
an application control that's applied to an entire system. A high value system that you want to
protect and basically the way it works is that only ohm applications binaries that are known and
proved by policy are allowed to run on the machine, and that also includes script and script
files.
- Basically just some more logging that was added as an experimental feature called Pwac audit
logging and the idea is that when the policy you can put the policy in enforcement mode or an
audit mode when the policy is an audit mode of no restrictions apply but but when you run
PowerShell you'll get a little notice basically saying that.
- logging information is going to be in the PowerShell core analytic channel and it's a new log
event ID 16387 and the kind of message you're going to get is say OK, it's a DAC audit message.
- There'll be a title about what the restriction would be applied and would be a message that
basically tells you what restriction would be replied applied if you were running in enforcement
mode.
- And in this case it's a very simple issue when you're running an enforcement mode, PowerShell
does not allow you to access.net API or does it just a very small subset of .net APIs
- This is basically saying that the net system console, right line, as a static method is is being
called and and enforcement mode is untrusted script and so wouldn't be allowed if you had the
policy and enforcement mode. It also includes information about where in the script the problem
is. So you get the script name, the script line and character and also a fragment of the script
line where the issue is and this is the issue is where we're calling it a net API. That's not allowed in untrusted script.
- OpenSSH updates
- Quick update on open SSH 9.3 was released upstream last month, so we've received a few inquiries
on GitHub about when we will be releasing 9.3 for Windows. I just wanted to talk about why we're
not prioritizing or release for this, mainly the delta between 9.2 and 9.3 upstream is a few
security fixes that are not applicable to Windows
- The upstream SSH agent security fix is regarding per hop destination constraints, and that's a
feature that we have not implemented on Windows yet, so neither the vulnerability or the fix is
applicable, but it is still in our backlog to get the Windows SSH agent on parity with that
upstream behavior, and then the second memory safety problem is also not applicable to Windows
open SSH because we do not support that method. And then the other new features and bug fixes in
9.3, we figured they were pretty minor and did not really meet the minimum criteria for us to
sort of justify the overhead of pulling in the upstream changes and doing a release at this
time.
- We did however, release 9.2.2 this week with some patches to the 9.2.0 release. This new release
contains a security fix for Libra SSL, so that has libre SSL 3.7.2 up from Libressl 3.6.1.
- One of the other fixes was related to the SSH agent adding UTF and Fido keys from non Windows
agents like Fedora, Fedora, so that should be working now and then there was a console output
page fix where the SSH client binaries were not respecting the existing console output page
settings. So now the client binaries will remember those settings and then change them back once
the client command has been run, and then the last thing was just fully removing the mark of the
web from SCP and SFTP downloads which we have talked about during the past few community calls.
- PSGet updates
- So we had a release of PowerShell get a couple weeks ago about three weeks ago and that was the
accumulation of about like 3 months worth of work where we were moving off of the Nuget client
APIs. We decided to move off of that because we were really limited by their API's and it
prevented us from making some really important perf improvements, including adding parallelism.
So the last release, the vast majority of the repository, was refactored off of those API beta
21 will be in a couple of weeks and that's going to finish that refactoring. we'll be completely
off of those API and then we are also going to be integrating a compact PowerShell get which is
right now a completely separate module. So we've added that as a dependency to PowerShell get so
that, Users can just use a find module and all of the the commandlets with PowerShell get V3, so
hopefully that'll make that transition process a little bit easier.
- With beta 21, we are also going to address other bug fixes, so if there's any other issues that
you guys encounter, please open up an issue on GitHub.
- Native piping work - On screen Demo (Please watch)
- Docs Update
- We had a new article from Mikey Lombardi about creating class based DSC resources for Azure
machine configuration.
- We added a new article describing PS read line key handlers and how to set that up, especially
adding information about configuring your Mac OS terminal applications to support Alt key
keyboard chords.
- AnyPackage - @ThomasNieto - On screen Demo (Please watch)
- ShowDemo - @StartAutomating - On screen Demo (Please watch)
- VSCode Binary modules - Justin Grote - On screen Demo (Please watch)