PowerShell is configured to use Constrained Language Mode
Limit PowerShell's capabilities to reduce security risks.
Plain language
Configuring PowerShell to use Constrained Language Mode limits what PowerShell can do on a computer. This is important because it helps prevent malicious scripts from running that could steal your information or damage your system. Imagine PowerShell as a versatile tool that can perform many tasks, and putting it in Constrained Language Mode means it's only allowed to perform essential, safe tasks.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
PowerShell is configured to use Constrained Language Mode.
Why it matters
Without Constrained Language Mode, attackers can abuse PowerShell to run advanced scripts and .NET methods, leading to privilege escalation, data theft and system compromise.
Operational notes
Periodically confirm Constrained Language Mode is enforced (e.g., $ExecutionContext.SessionState.LanguageMode) and that policy/AppLocker/WDAC settings still apply after updates.
Implementation tips
- IT team should assess existing PowerShell scripts to identify those that absolutely need to run using Full Language Mode. This helps in deciding where Constrained Language Mode can be enforced.
- System administrator should configure PowerShell to enable Constrained Language Mode. This can be done by setting system environment variables appropriately or by using group policy settings.
- Security officer needs to communicate to staff that legitimate technical tasks requiring PowerShell will not be hindered on regular business systems because essential commands remain operational.
- IT team should regularly review and update script policies to make sure that any exceptions to Constrained Language Mode are still justified and that security is not being compromised.
Audit / evidence tips
- AskHave you configured PowerShell to operate in Constrained Language Mode across the organisation's computers?
- GoodThe settings should clearly indicate that PowerShell is running in Constrained Language Mode, visible through group policy management or confirmed by a system report
- AskHas there been any approval process for exceptions to the Constrained Language Mode?
- GoodThere should be documented approvals signed by a security officer with a clear justification for any exceptions
Cross-framework mappings
How E8-AH-ML3.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| Annex A 8.8 | E8-AH-ML3.3 mandates constraining PowerShell via Constrained Language Mode to reduce attack surface from scripting | |
| Annex A 8.9 | E8-AH-ML3.3 requires a specific security configuration: setting PowerShell to Constrained Language Mode to reduce exploitation of scripti... | |
| sync_alt Partially overlaps (1) expand_less | ||
| Annex A 8.18 | Annex A 8.18 requires restricting and tightly controlling utility programs that can override system and application controls to prevent u... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| ISM-0380 | E8-AH-ML3.3 requires PowerShell to be configured to use Constrained Language Mode, restricting available functionality to reduce attack t... | |
| ISM-1409 | E8-AH-ML3.3 requires PowerShell to be configured to use Constrained Language Mode to reduce the risk of malicious script execution | |
| sync_alt Partially overlaps (1) expand_less | ||
| ISM-1246 | ISM-1246 ensures server applications are hardened using ASD/vendor guidance, following the most restrictive precedence | |
| handshake Supports (1) expand_less | ||
| ISM-1621 | ISM-1621 requires organisations to disable or remove Windows PowerShell 2.0 so PowerShell cannot fall back to a legacy engine with reduce... | |
| link Related (3) expand_less | ||
| ISM-1622 | ISM-1622 requires PowerShell to be configured to use Constrained Language Mode to limit script capability and reduce abuse | |
| ISM-1798 | ISM-1798 requires secure configuration guidance to be produced and shared with software consumers | |
| ISM-1858 | ISM-1858 requires hardening of IT equipment using ASD and vendor guidance, adopting the most restrictive configuration when guidance differs | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.