
PowerShell Security: How to enable the Constrained Mode

In this blog post I am going to show you how to enable the PowerShell Constrained Mode. What is the Constrained Mode? Microsoft explains this as follows:

The ConstrainedLanguage mode permits all cmdlets and all PowerShell language elements, but it limits permitted types.

ConstrainedLanguage mode is designed to support User Mode Code Integrity (UMCI) on Windows RT. It is the only supported language mode on Windows RT, but it is available on all supported systems.

UMCI protects ARM devices by allowing only Microsoft-signed and Microsoft-certified apps to be installed on Windows RT-based devices. ConstrainedLanguage mode prevents users from using PowerShell to circumvent or violate UMCI.

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.2

Follow the link to find out more about this very special PowerShell mode.

For now, I want to show you an example.

Let’s figure out the current mode, which is the default mode.

$ExecutionContext.SessionState.LanguageMode

The default mode is FullLanguage. Let’s try to execute the following line.

[System.Console]::WriteLine("Hello")

It works. The use of .NET Classes is allowed.

Now I change it to ConstrainedLanguage.

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

And again we execute the command.

This time it leads to an error. With the ConstrainedLanguage mode I am not allowed to call .NET classes such as System.Console that are outside the permitted types.
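The comparison above can be repeated without changing the language mode of the session you are working in. The following is an added example, not code from the original post: it runs the post's System.Console call in disposable runspaces, once per language mode, and reports whether each probe was blocked. The function name Test-LanguageModeProbe and the second probe on [string] are assumptions made for illustration.

```powershell
# Added example: probes run in disposable runspaces, so the calling session
# keeps its own language mode. Run it from a FullLanguage session.
function Test-LanguageModeProbe {   # hypothetical helper name
    param(
        [System.Management.Automation.PSLanguageMode[]]$Mode = @('FullLanguage', 'ConstrainedLanguage')
    )

    # Probe scripts: the post's System.Console call and, as an assumption for
    # comparison, a call on [string], a type on the permitted list.
    $probes = [ordered]@{
        'System.Console (from the post)' = '[System.Console]::WriteLine("Hello")'
        'System.String (permitted type)' = '[string]::Join(",", @("a", "b"))'
    }

    foreach ($m in $Mode) {
        # Each mode gets its own runspace whose initial state fixes the language mode.
        $iss = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
        $iss.LanguageMode = $m
        $rs = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspace($iss)
        $rs.Open()
        try {
            foreach ($name in $probes.Keys) {
                $ps = [powershell]::Create()
                $ps.Runspace = $rs
                $blocked = $false
                $detail = ''
                try {
                    $null = $ps.AddScript($probes[$name]).Invoke()
                    if ($ps.HadErrors) {
                        # Non-terminating error reported on the error stream.
                        $blocked = $true
                        $detail = [string]($ps.Streams.Error | Select-Object -First 1)
                    }
                } catch {
                    # Terminating error surfaced by Invoke().
                    $blocked = $true
                    $detail = $_.Exception.Message
                } finally { $ps.Dispose() }
                [pscustomobject]@{ LanguageMode = $m; Probe = $name; Blocked = $blocked; Detail = $detail }
            }
        } finally { $rs.Dispose() }
    }
}

Test-LanguageModeProbe | Format-Table -AutoSize -Wrap
```

Both the assignment shown in the post and the runspace setting used here apply to one session only; a newly started PowerShell session begins in its default mode again.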

Hope this was helpful.
