Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings
| Property | Value |
|---|---|
| ISM Control | ISM-1622 |
| Revision | 0 |
| Updated | Oct-20 |
| Guideline | Not provided |
| Section | Operating system hardening |
| Topic | PowerShell |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |
PowerShell runs in Constrained Language Mode to restrict language elements and reduce the risk of misuse by untrusted scripts.[1] This outcome is achieved by enforcing App Control for Business (formerly WDAC) policies, deployed through Intune for cloud-managed devices and via Group Policy for hybrid-managed environments.[2][3]

Constrained Language Mode (CLM) restricts access to .NET types, COM objects, reflection APIs, Add-Type, DSC configuration keywords, and XAML workflows. Basic cmdlets and language constructs (loops, conditionals, string expansion) remain available for trusted operations. CLM is enforced automatically by the PowerShell engine whenever a WDAC policy with UMCI enabled and script enforcement active (policy rule option 11, Disabled:Script Enforcement, is not set) is in enforcement or audit mode.[3][4]
| Feature | FullLanguage (default) | ConstrainedLanguage (CLM) |
|---|---|---|
| All native cmdlets | ✅ Available | ✅ Available |
| Arbitrary .NET types (New-Object, Add-Type) | ✅ Allowed | ❌ Blocked (only allow-listed types) |
| COM object creation | ✅ Allowed | ❌ Blocked |
| Reflection / Assembly.Load | ✅ Allowed | ❌ Blocked |
| DSC Configuration keyword | ✅ Allowed | ❌ Blocked |
| XAML workflows | ✅ Allowed | ❌ Blocked |
| Class definitions | ✅ Allowed | ❌ Blocked |
| Unsigned scripts from the internet | ✅ Run freely | ⚠️ Constrained or blocked |
> [!IMPORTANT]
> CLM does not protect against PowerShell 2.0. The legacy v2 engine is not subject to WDAC script enforcement and always runs in Full Language mode, providing an easy bypass. You must also implement ISM-1621 (disable PowerShell 2.0) for CLM to be effective.
Not provided in source documentation.
> [!NOTE]
> The Windows Defender Application Control policy will be deployed via Intune configuration profiles to enforce the Constrained Language Mode setting for PowerShell.

1. Deploy the WDAC policy via Intune in audit mode to observe PowerShell activity and identify requirements.[1]
2. Enable the WDAC setting Script Enforcement to enforce Constrained Language Mode for Windows PowerShell.[1]
3. Deploy the WDAC policy to cloud-managed devices using Intune (Group Policy for hybrid devices).[1]
4. Configure the policy to allow updates without a reboot using the Update Policy No Reboot setting.[1]
5. After validation in audit mode, switch the WDAC policy from audit to enforcement mode to enable Constrained Language Mode for PowerShell.[1]
6. Understand that under App Control enforcement, untrusted commands are either blocked outright or run in Constrained Language Mode; refer to the App Control documentation for specifics.[3]
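The following script is an added example, not code from the ISM/PSPF page or from Microsoft. It builds the App Control (WDAC) policy that the steps above describe: UMCI on, script enforcement left enabled, no-reboot updates, audit mode first and enforcement after validation. It assumes Windows PowerShell 5.1 run as administrator with the built-in ConfigCI module, and a base policy XML; the Windows example-policy path used as the default for `$BasePolicy` is an assumption, so point it at your organisation's own base policy. The output file names are also assumed.

```powershell
<#
  Added example (not from the page or from Microsoft). Produces the audit-mode policy binary by
  default; re-run with -Enforce after validation to produce the enforcement-mode binary.
#>
[CmdletBinding()]
param(
    # Assumed default: a Windows example policy. Use your own base policy in practice.
    [string]$BasePolicy = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml",
    [string]$WorkDir    = (Join-Path $env:TEMP 'ism1622'),
    [switch]$Enforce    # omit during the audit phase; add it for the enforcement phase
)

$ErrorActionPreference = 'Stop'
Import-Module ConfigCI

$null = New-Item -ItemType Directory -Path $WorkDir -Force
$PolicyXml = Join-Path $WorkDir 'ISM1622-PowerShellCLM.xml'   # assumed file name
$PolicyBin = Join-Path $WorkDir 'ISM1622-PowerShellCLM.cip'   # assumed file name
Copy-Item -LiteralPath $BasePolicy -Destination $PolicyXml -Force

# WDAC policy rule options (the numbers are WDAC's own option indices). Together these decide
# whether the PowerShell engine drops into ConstrainedLanguage:
#   0  Enabled:UMCI                     scripts are only evaluated when user-mode CI is on
#   11 Disabled:Script Enforcement      must be ABSENT; when set, PowerShell stays in FullLanguage
#   16 Enabled:Update Policy No Reboot  later policy updates apply without a restart
#   3  Enabled:Audit Mode               log instead of block; removed for the enforcement phase
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 16
Set-RuleOption -FilePath $PolicyXml -Option 11 -Delete
if ($Enforce) {
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
} else {
    Set-RuleOption -FilePath $PolicyXml -Option 3
}

# Read the <Option> elements back from the XML and fail loudly if the result would not give CLM.
# A regex over the file is used (rather than [xml]) so this also runs under CLM itself.
$Options = @(Select-String -LiteralPath $PolicyXml -Pattern '<Option>([^<]+)</Option>' -AllMatches |
             ForEach-Object { $_.Matches } |
             ForEach-Object { $_.Groups[1].Value })
if ($Options -notcontains 'Enabled:UMCI') {
    throw 'UMCI is not enabled; PowerShell scripts would not be evaluated by this policy.'
}
if ($Options -contains 'Disabled:Script Enforcement') {
    throw 'Script enforcement is disabled; PowerShell would stay in FullLanguage.'
}

# Compile to the binary that the Intune profile (or Group Policy) delivers to devices.
$null = ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

[pscustomobject]@{
    Phase     = if ($Enforce) { 'Enforced' } else { 'Audit' }
    PolicyXml = $PolicyXml
    PolicyBin = $PolicyBin
    Options   = ($Options -join ', ')
}
```

Run it once without `-Enforce` for step 1, deploy the resulting `.cip`, review the audit events, then run it again with `-Enforce` for step 5. Because option 16 is set in both phases, the enforcement-mode binary can replace the audit-mode one on devices without a restart.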
Verify that CLM is active on a managed device by running the following in a PowerShell session on that device:

```powershell
$ExecutionContext.SessionState.LanguageMode
```

The output should be `ConstrainedLanguage`. If it returns `FullLanguage`, the WDAC policy has not applied correctly.

Two event logs provide supporting evidence:

- `Microsoft-Windows-AppLocker/MSI and Script`: indicates that the script handshake occurred.
- `Microsoft-Windows-CodeIntegrity/Operational`: confirms that WDAC evaluated the script.
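The following function is an added example, not code from the ISM/PSPF page or from Microsoft. It turns the manual verification above into a per-device check that also covers the ISM-1621 companion requirement and summarises the two event logs named on this page. It assumes Windows PowerShell 5.1 run as administrator (needed for the optional-feature query and the event logs), the built-in DISM and CimCmdlets modules, and that `Win32_DeviceGuard` reports user-mode CI status as 0 (off), 1 (audit) or 2 (enforced); the function and parameter names are the author's own. It is written so that it runs under CLM itself, which is the state it is meant to confirm.

```powershell
# Added example (not from the page or from Microsoft): ISM-1622 effectiveness check for one device.
function Test-Ism1622Compliance {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24   # how far back to summarise the two evidence logs
    )

    # 1. Language mode of this very session. On a compliant device this is ConstrainedLanguage.
    $LanguageMode = [string]$ExecutionContext.SessionState.LanguageMode

    # 2. Is a UMCI policy actually loaded, and is it in audit (1) or enforced (2) mode?
    $DG = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $UmciStatus = switch ([int]$DG.UsermodeCodeIntegrityPolicyEnforcementStatus) {
        0       { 'Off' }
        1       { 'Audit' }
        2       { 'Enforced' }
        default { "Unknown($_)" }
    }

    # 3. ISM-1621 companion check: the v2 engine ignores WDAC script enforcement entirely,
    #    so CLM is only meaningful when the optional feature is Disabled or absent.
    $V2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root `
              -ErrorAction SilentlyContinue
    $V2State = if ($V2) { [string]$V2.State } else { 'NotPresent' }

    # 4. Evidence from the two logs the control points at. Get-WinEvent reports "no events"
    #    as an error, so it is silenced and an empty result is treated as zero events.
    $Since = (Get-Date).AddHours(-$LookbackHours)
    $ScriptEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
            StartTime = $Since
        } -ErrorAction SilentlyContinue)
    $CiEvents = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
            StartTime = $Since
        } -ErrorAction SilentlyContinue)

    # Per-event-ID counts, e.g. "8028=12, 8029=3", so a reviewer sees audit versus block activity
    # without having to open Event Viewer.
    $ScriptSummary = ($ScriptEvents | Group-Object -Property Id |
                      ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    $CiSummary     = ($CiEvents | Group-Object -Property Id |
                      ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    # The control is met only when the engine is in CLM and the v2 bypass is closed.
    # UmciStatus is reported separately: Audit is acceptable during rollout, Enforced is the goal.
    $Compliant = ($LanguageMode -eq 'ConstrainedLanguage') -and ($V2State -ne 'Enabled')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LanguageMode    = $LanguageMode
        UmciStatus      = $UmciStatus
        PowerShellV2    = $V2State
        ScriptLogEvents = $ScriptSummary
        CiLogEvents     = $CiSummary
        Compliant       = $Compliant
    }
}

Test-Ism1622Compliance | Format-List
```

On a device where the policy has not applied, `LanguageMode` reads `FullLanguage` and `UmciStatus` reads `Off`; on a device still in the audit phase, `LanguageMode` may already read `ConstrainedLanguage` while `UmciStatus` reads `Audit` and the script log shows audit-mode events rather than blocks.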