Move bypass execution policy check after AppLocker Deny check (#15035)
parent
b001003670
commit
f1b8798264
|
@ -140,10 +140,6 @@ namespace Microsoft.PowerShell
|
||||||
// Get the execution policy
|
// Get the execution policy
|
||||||
_executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
|
_executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
|
||||||
|
|
||||||
// See if they want to bypass the authorization manager
|
|
||||||
if (_executionPolicy == ExecutionPolicy.Bypass)
|
|
||||||
return true;
|
|
||||||
|
|
||||||
// Always check the SAFER APIs if code integrity isn't being handled system-wide through
|
// Always check the SAFER APIs if code integrity isn't being handled system-wide through
|
||||||
// WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
|
// WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
|
||||||
// Otherwise, block.
|
// Otherwise, block.
|
||||||
|
@ -184,6 +180,13 @@ namespace Microsoft.PowerShell
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// WLDP and Applocker takes priority over powershell exeuction policy.
|
||||||
|
// See if they want to bypass the authorization manager
|
||||||
|
if (_executionPolicy == ExecutionPolicy.Bypass)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
if (_executionPolicy == ExecutionPolicy.Unrestricted)
|
if (_executionPolicy == ExecutionPolicy.Unrestricted)
|
||||||
{
|
{
|
||||||
// Product binaries are always trusted
|
// Product binaries are always trusted
|
||||||
|
|
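Review bot: The relocated `ExecutionPolicy.Bypass` check in the second hunk is only safe if every WLDP/AppLocker deny path between the two hunks returns or throws before control reaches it. That code is not visible here, so a regression test would pin the ordering: run a script covered by an AppLocker Deny rule with the execution policy set to Bypass and expect it to be blocked. The new comment should also say why the order matters and fix its typos (`exeuction`, `Applocker takes`), for example `// WLDP and AppLocker take priority over the PowerShell execution policy, so Bypass is honored only after the system lockdown checks above have run.` The enclosing method starts and ends outside both hunks.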