[release/v7.4] Fallback to AppLocker after `WldpCanExecuteFile` #25229

TravisEz13 · 2025-03-24T21:25:05Z

Backport #24912

This pull request includes several changes to the src/System.Management.Automation/security/wldpNativeMethods.cs file to improve the handling of system lockdown policies and file policy enforcement. The changes primarily focus on refining the logic for determining enforcement modes and handling exceptions more effectively.

Key changes include:

Improvements to system lockdown policy handling:

Modified the GetSystemLockdownPolicy method to use an out parameter for GetDebugLockdownPolicy.
Added a new method ConvertToModernFileEnforcement to convert legacy enforcement modes to modern file enforcement modes.

Enhancements to file policy enforcement:

Updated the GetFilePolicyEnforcement method to use the new ConvertToModernFileEnforcement method and added logic to handle different enforcement scenarios more accurately.
Introduced the TryGetWldpCanExecuteFileResult method to handle the result of WldpCanExecuteFile and fallback to legacy APIs if necessary.

Exception handling improvements:

Refined the exception handling in GetFilePolicyEnforcement to catch both DllNotFoundException and EntryPointNotFoundException and log the appropriate events.

Additional minor changes:

Added System.Diagnostics using directive for better debugging support.
Adjusted the GetDebugLockdownPolicy method to use an out parameter for modern enforcement. [1] [2] [3]

These changes collectively enhance the robustness and accuracy of the system's lockdown policy and file enforcement mechanisms.

Co-authored-by: Travis Plunk <travis.plunk@microsoft.com>

TravisEz13 · 2025-03-24T21:26:58Z

/azp run PowerShell-CI-linux-packaging, PowerShell-Windows-Packaging-CI

azure-pipelines · 2025-03-24T21:27:06Z

Azure Pipelines could not run because the pipeline triggers exclude this branch/path.

SeeminglyScience

LGTM!

microsoft-github-policy-service · 2025-04-04T22:12:14Z

📣 Hey @@TravisEz13, how did we do? We would love to hear your feedback with the link below! 🗣️

🔗 https://aka.ms/PSRepoFeedback

Microsoft Forms

Fallback to AppLocker after WldpCanExecuteFile (PowerShell#24912)

ad8d32d

Co-authored-by: Travis Plunk <travis.plunk@microsoft.com>

TravisEz13 requested a review from SeeminglyScience as a code owner March 24, 2025 21:25

TravisEz13 self-assigned this Mar 24, 2025

TravisEz13 added the CL-Engine Indicates that a PR should be marked as an engine change in the Change Log label Mar 24, 2025

SeeminglyScience approved these changes Mar 24, 2025

View reviewed changes

microsoft-github-policy-service bot added the Review - Needed The PR is being reviewed label Apr 1, 2025

TravisEz13 merged commit 3e5477f into PowerShell:release/v7.4 Apr 4, 2025
34 of 35 checks passed

TravisEz13 deleted the backport-24912-749 branch April 4, 2025 22:11

microsoft-github-policy-service bot removed the Review - Needed The PR is being reviewed label Apr 4, 2025

jshigetomi mentioned this pull request May 6, 2025

Add 7.4.10 Changelog #25520

Merged

12 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[release/v7.4] Fallback to AppLocker after `WldpCanExecuteFile` #25229

[release/v7.4] Fallback to AppLocker after `WldpCanExecuteFile` #25229

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Improvements to system lockdown policy handling:

Enhancements to file policy enforcement:

Exception handling improvements:

Additional minor changes:

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Development

Uh oh!