Microsoft announced this past week that Windows 11 24H2 is now ready to roll out to everyone and that it can be downloaded by all. This is despite the several flaws the latest feature update has: major upgrade-related bugs, widespread performance complaints, and potential data loss worries.
On top of that, as pointed out by Neowin reader dustojnikhummer, there are also problems that have seemingly remained undocumented for months, and AppLocker/WDAC (Windows Defender Application Control) enforcement for scripts appears to be one of them.
Back in 2023, Microsoft made AppLocker deployment easier, but it looks like the company did not test it all that well for 2024-2025.
For those wondering what it is, AppLocker application control policies help the enterprise manage the applications and files that users can run on their systems. These include EXE files, scripts, Windows Installer files, DLL files, packaged apps, and packaged app installers.
The issue appears to have been first noticed by a user, CFou, on the Stack Exchange forum. They noticed that ConstrainedLanguage mode enforcement would not work, as the PowerShell session would end up using FullLanguage instead. Another user commented later on the thread suggesting that the issue was related to Windows 11 24H2, as they could reproduce it on the latest version of Windows.
The issue was later picked up by Reddit user hornetfig on the sysadmin subreddit. Others on the thread said that they could reproduce the issue too on Windows 11 24H2. This is a huge security concern as it allows every script, including malicious ones, to run unrestricted.
Microsoft MVP Roody Ooms investigated the issue to understand what 24H2 does differently to change this behaviour. He discovered that the problem was seemingly caused by an imperfect implementation of a new WldpCanExecuteFile API that was added with PowerShell 7.3. Previous PowerShell releases instead used the legacy WldpGetLockdownPolicy API to detect system lockdown.
Microsoft seems to be aware of this issue and is finally making changes. PowerShell 7.6-preview.4 contains the following fix as part of the Engine Improvements:
Fallback to AppLocker after WldpCanExecuteFile (#24912)
You can find more technical details about the bug on Roody Ooms' blog post here.
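As an added check (not code from the article or from Roody Ooms' blog), the following PowerShell snippet, pasted into an interactive session on the machine under test, reports whether AppLocker script rules are enforced and whether the session is actually running in ConstrainedLanguage mode. The `[System.Net.WebClient]` probe is my assumption for an independent test, since that type literal is blocked in constrained mode regardless of what the session reports.

```powershell
# Added check (not from the article): does AppLocker script enforcement actually
# constrain this PowerShell session? Paste into an interactive session as a normal
# user; a saved .ps1 in an AppLocker-allowed path would run in FullLanguage anyway.

$mode  = $ExecutionContext.SessionState.LanguageMode
$build = [System.Environment]::OSVersion.Version.Build
$psver = $PSVersionTable.PSVersion

# Is an AppLocker "Script" rule collection enforced on this host?
# Get-AppLockerPolicy -Effective -Xml is the standard AppLocker module cmdlet.
$scriptEnforced = $false
try {
    [xml]$pol = Get-AppLockerPolicy -Effective -Xml
    $rc = $pol.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
    $scriptEnforced = ($rc.EnforcementMode -eq 'Enabled')
} catch {
    Write-Warning "Could not read effective AppLocker policy: $_"
}

# Independent probe (assumption): in ConstrainedLanguage mode, using an arbitrary
# .NET type literal such as [System.Net.WebClient] throws; in FullLanguage it succeeds.
$netBlocked = $false
try { $null = [System.Net.WebClient]::new() } catch { $netBlocked = $true }

[pscustomobject]@{
    WindowsBuild         = $build
    PowerShellVersion    = "$psver"
    AppLockerScriptRules = $scriptEnforced
    ReportedLanguageMode = $mode
    DotNetCallBlocked    = $netBlocked
}

# Enforcement is on but the session is unconstrained: the symptom described above.
if ($scriptEnforced -and ($mode -ne 'ConstrainedLanguage' -or -not $netBlocked)) {
    Write-Warning "AppLocker script rules are enforced but this session is NOT constrained; check PowerShell version and the WldpCanExecuteFile fallback fix."
}
```

Run it once in Windows PowerShell 5.1 and once in PowerShell 7.x on the same 24H2 host: the article's description implies only the 7.3+ session should come back unconstrained.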