From f1b879826483d5b3e7d09fcf3dd3b7fe9e7766b7 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Mon, 22 Mar 2021 11:25:01 -0700
Subject: [PATCH] Move bypass execution policy check after AppLocker Deny check (#15035)
---
 .../security/SecurityManager.cs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/System.Management.Automation/security/SecurityManager.cs b/src/System.Management.Automation/security/SecurityManager.cs
index be0c8d83b..5d7295354 100644
--- a/src/System.Management.Automation/security/SecurityManager.cs
+++ b/src/System.Management.Automation/security/SecurityManager.cs
@@ -140,10 +140,6 @@ namespace Microsoft.PowerShell
 // Get the execution policy
 _executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
- // See if they want to bypass the authorization manager
- if (_executionPolicy == ExecutionPolicy.Bypass)
- return true;
-
 // Always check the SAFER APIs if code integrity isn't being handled system-wide through
 // WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
 // Otherwise, block.
@@ -184,6 +180,13 @@ namespace Microsoft.PowerShell
 }
 }
+ // WLDP and Applocker takes priority over powershell exeuction policy.
+ // See if they want to bypass the authorization manager
+ if (_executionPolicy == ExecutionPolicy.Bypass)
+ {
+ return true;
+ }
+
 if (_executionPolicy == ExecutionPolicy.Unrestricted)
 {
 // Product binaries are always trusted
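Review bot: The comment introduced at the top of the new block in the second hunk has typos and does not say why the placement matters: `// WLDP and Applocker takes priority over powershell exeuction policy.` should read `// WLDP and AppLocker take priority over the PowerShell execution policy, so this Bypass short-circuit must stay after the SAFER/AppLocker check above.` Without the rationale a later refactor could hoist the early return back above the SAFER check and silently reinstate the behaviour this commit removes. A regression test pairing `ExecutionPolicy.Bypass` with an AppLocker deny decision would pin the ordering; whether one already exists is not visible in this patch. The enclosing method starts and ends outside the hunk.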