Session Configuration

I am testing customized endpoints for security and want to bypass the Constrained Language mode that is in place due to a Block App Data GPO policy. I want to bypass this for future projects where I may need to use .NET type of objects…for instance I may need to gather remote deskop profile paths within Active Directory.

ON a Windows 2016 test server, I created a custom endpoint with Full Language mode enabled.

@{

# Version number of the schema used for this document
SchemaVersion = '2.0.0.0'

# ID used to uniquely identify this document
GUID = 'bdd8a1fc-9f40-4e14-b1e3-5ddf1c43e2c9'

# Author of this document
Author = 'administrator'

# Description of the functionality provided by these settings
# Description = ''

# Session type defaults to apply for this session configuration. Can be 'RestrictedRemoteServer' (recommended), 'Empty', or 'Default'
SessionType = 'Default'

LanguageMode = 'FullLanguage'

# Directory to place session transcripts for this session configuration
# TranscriptDirectory = 'C:\Transcripts\'

# Whether to run this session configuration as the machine's (virtual) administrator account
# RunAsVirtualAccount = $true

# Scripts to run when applied to a session
# ScriptsToProcess = 'C:\ConfigData\InitScript1.ps1', 'C:\ConfigData\InitScript2.ps1'

# User roles (security groups), and the role capabilities that should be applied to them when applied to a session
# RoleDefinitions = @{ 'CONTOSO\SqlAdmins' = @{ RoleCapabilities = 'SqlAdministration' }; 'CONTOSO\ServerMonitors' = @{ VisibleCmdlets = 'Get-Process' } } 

}

I then register the session file BCTEST.pssc and for testing give domain admin full access to the session using the –ShowSecurityDescriptorUI.

  PS C:\Windows\system32> Get-PSSessionConfiguration


Name          : BCTEST
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, XXXX\administrator
                AccessAllowed

Name          : microsoft.powershell
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : microsoft.powershell.workflow
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : BUILTIN\Administrators AccessAllowed, BUILTIN\Remote Management Users AccessAllowed

Name          : microsoft.powershell32
PSVersion     : 5.1
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed, BUILTIN\Remote
                Management Users AccessAllowed

Name          : microsoft.windows.servermanagerworkflows
PSVersion     : 3.0
StartupScript :
RunAsUser     :
Permission    : NT AUTHORITY\INTERACTIVE AccessAllowed, BUILTIN\Administrators AccessAllowed

I set this session on server w16-tpbc, however when I create a remote session, and see what language mode I am in, I am still in Constrained language mode. Shouldn’t I be in ‘Full Language Mode’ from within this session?

PS C:\Windows\system32> Enter-PSSession -ComputerName w16-tpbc -ConfigurationName BCTEST
[w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[w16-tpbc]: PS C:\Users\administrator.TECHPRO\Documents>

If I’m following you correctly, what you’re encountering is by design. You’re not meant to bypass GPO-assigned security settings. If you could, then any bad actor good, which would defeat the purpose.