| Field | Value |
|---|---|
| description | PowerShell has several features designed to improve the security of your scripting environment. |
| ms.date | 09/23/2021 |
| title | PowerShell security features |
PowerShell has several features designed to improve the security of your scripting environment.
PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts. You can use a Group Policy setting to set execution policies for computers and users. Execution policies only apply to the Windows platform.
For more information, see about_Execution_Policies.
Module Logging allows you to enable logging for selected PowerShell modules. This setting is effective in all sessions on the computer. Pipeline execution events for the specified modules are recorded in the Windows PowerShell log in Event Viewer.
Script Block Logging enables logging for the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. This information is logged to the Microsoft-Windows-PowerShell/Operational event log.
For more information, see the following articles:
ConstrainedLanguage mode protects your system by limiting the cmdlets and .NET types that can be used in a PowerShell session. For a full description, see about_Language_Modes.
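An added example, not part of this article, that audits the three host-side features described above (execution policy, module and script block logging, and language mode) on the local Windows machine. It reads the registry values that the Group Policy settings for the two logging features write, queries the Microsoft-Windows-PowerShell/Operational log named above, and reports the result as one object; the function name `Get-PSSecurityFeatureState` is my own.

```powershell
# Added example (not from the article): report the state of PowerShell's
# execution policy, module logging, script block logging and language mode.
# Assumes Windows with Windows PowerShell 5.1 or PowerShell 7; the registry
# paths are the ones the corresponding Group Policy settings write.
function Get-PSSecurityFeatureState {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read a policy DWORD, returning $null when the key or value is absent.
    function Get-PolicyValue ([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) `
                                 -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $item.$Name } else { $null }
    }

    # Execution policy per scope, plus the effective value. Remember that the
    # article classifies execution policy as defense in depth, not a boundary.
    $byScope   = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy

    # Script block logging writes event ID 4104 to the Operational log.
    $sbl = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging'
    $recent4104 = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        } -MaxEvents 5 -ErrorAction SilentlyContinue).Count

    # Module logging is scoped to the module names listed under ModuleNames.
    $ml = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging'
    $moduleNames = @()
    $namesKey = Join-Path $policyRoot 'ModuleLogging\ModuleNames'
    if (Test-Path $namesKey) { $moduleNames = (Get-Item $namesKey).GetValueNames() }

    # ConstrainedLanguage here means a lockdown policy is in effect for this session.
    $languageMode = $ExecutionContext.SessionState.LanguageMode

    [pscustomobject]@{
        EffectiveExecutionPolicy = $effective
        ExecutionPolicyByScope   = ($byScope | ForEach-Object {
                                       "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        ScriptBlockLogging       = ($sbl -eq 1)
        RecentScriptBlockEvents  = $recent4104
        ModuleLogging            = ($ml -eq 1)
        ModuleLoggingNames       = ($moduleNames -join ', ')
        LanguageMode             = $languageMode
    }
}

Get-PSSecurityFeatureState | Format-List
```

A host where ScriptBlockLogging is true but RecentScriptBlockEvents is 0 has the policy set but no evidence of it producing events yet, which is worth checking before relying on the log for detection.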
Windows 10 includes two technologies, Windows Defender Application Control (WDAC) and AppLocker, that can be used for application control. They let you create a lockdown experience that meets your organization's specific scenarios and requirements.
Note
When choosing between WDAC and AppLocker, it is generally recommended that customers implement application control using WDAC rather than AppLocker. WDAC is undergoing continual improvements and will gain added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements.
WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows 10 devices. WDAC is designed as a security feature under the servicing criteria defined by the Microsoft Security Response Center (MSRC).
AppLocker builds on the application control features of Software Restriction Policies. AppLocker contains new capabilities and extensions that let you create rules that allow or deny apps based on the unique identities of their files, and specify which users or groups can run those apps.
PowerShell follows the Microsoft Security Servicing Criteria for Windows. The table below outlines the features that meet the servicing criteria and those that do not.
| Feature | Type |
|---|---|
| System Lockdown - with WDAC | Security Feature |
| Constrained language mode - with WDAC | Security Feature |
| System Lockdown - with AppLocker | Defense in Depth |
| Constrained language mode - with AppLocker | Defense in Depth |
| Execution Policy | Defense in Depth |
Note
There is a corner-case scenario in AppLocker: when you have only Deny rules and constrained language mode is not used to enforce the policy, the execution policy can be bypassed. Beginning in PowerShell 7.2, a change was made to ensure AppLocker rules take precedence over a `Set-ExecutionPolicy -ExecutionPolicy Bypass` command.
For more information about AppLocker and Windows Defender Application Control (WDAC), see Application Controls for Windows and WDAC and AppLocker feature availability.