Move bypass execution policy check after AppLocker Deny check (#15035)
parent
b001003670
commit
f1b8798264
|
@ -140,10 +140,6 @@ namespace Microsoft.PowerShell
|
|||
// Get the execution policy
|
||||
_executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
|
||||
|
||||
// See if they want to bypass the authorization manager
|
||||
if (_executionPolicy == ExecutionPolicy.Bypass)
|
||||
return true;
|
||||
|
||||
// Always check the SAFER APIs if code integrity isn't being handled system-wide through
|
||||
// WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
|
||||
// Otherwise, block.
|
||||
|
@ -184,6 +180,13 @@ namespace Microsoft.PowerShell
|
|||
}
|
||||
}
|
||||
|
||||
// WLDP and Applocker takes priority over powershell exeuction policy.
|
||||
// See if they want to bypass the authorization manager
|
||||
if (_executionPolicy == ExecutionPolicy.Bypass)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
if (_executionPolicy == ExecutionPolicy.Unrestricted)
|
||||
{
|
||||
// Product binaries are always trusted
|
||||
|
|
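Review bot: The comment added above the relocated `ExecutionPolicy.Bypass` check is misspelled and does not state the ordering it protects, so a later refactor could move the early return back above the lockdown check. I would replace the two comment lines with `// System-wide lockdown (WLDP / AppLocker) takes priority over the PowerShell execution policy.` followed by `// Bypass only skips the execution-policy checks below; it must stay after the Deny check above.` The enclosing method starts and ends outside this hunk, and the code between the two hunks is not shown, so it is worth confirming that every Deny outcome returns or throws before this point. A regression test asserting that a script stays blocked when the policy is Bypass and the system policy denies it would pin the behaviour, if one is not already part of the change.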