PowerShell Security: How to enable the Constrained Mode

In this blog post I am going to show you how to enable the PowerShell Constrained Mode. What is the Constrained Mode? Microsoft explains this as follows:

The ConstrainedLanguage mode permits all cmdlets and all PowerShell language elements, but it limits permitted types.

ConstrainedLanguage mode is designed to support User Mode Code Integrity (UMCI) on Windows RT. It is the only supported language mode on Windows RT, but it is available on all supported systems.

UMCI protects ARM devices by allowing only Microsoft-signed and Microsoft-certified apps to be installed on Windows RT-based devices. ConstrainedLanguage mode prevents users from using PowerShell to circumvent or violate UMCI.


Follow the link to find out more about this very special PowerShell mode.

For now, I want to show you an example.

Let’s figure out the current mode, which is the default mode.


The default mode is FullLanguage. Let’s try to execute the following line.


It works. The use of .NET Classes is allowed.

Now I change it to ConstrainedLanguage.

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

And again we execute the command.

This time it leads to an error. With the ConstrainedLanguage Mode I am not allowed to work with .NET Classes.

Hope this was helpful.

Categories: PowerShell

Tagged as: ,

3 replies »

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.