Ensure PowerShell Uses Constrained Language Mode
PowerShell should be set up to limit script execution and mitigate potential risks.
Plain language
This control is about making sure that PowerShell, a tool used to manage and automate tasks on your computer network, is set up to reduce risk. It's important because if PowerShell isn't limited, a hacker could use it to access sensitive information or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2020
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
PowerShell is configured to use Constrained Language Mode.
Why it matters
Without Constrained Language Mode, PowerShell can be exploited for code execution, risking data breaches and operational disruptions.
Operational notes
Regularly check that $ExecutionContext.SessionState.LanguageMode reports ConstrainedLanguage on every endpoint, and confirm that WDAC or AppLocker policies are what enforce it, so the setting cannot drift or be switched off by a user.
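The check above, worked through as an added example (this script is not part of the ISM or the Control Stack page): it queries the language mode on a list of endpoints over PowerShell remoting, flags any host that is not in ConstrainedLanguage mode, and writes a dated CSV that can serve as audit evidence. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has the rights to use it; the hostnames in $Endpoints are constructed sample values.

```powershell
# Added example, not part of the ISM control text.
# Assumes PowerShell remoting is enabled and the caller may invoke commands on the targets.
$Endpoints = @('WS-001', 'WS-002', 'SRV-FILE-01')   # constructed sample hostnames

function Get-LanguageModeReport {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($c in $ComputerName) {
        try {
            Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    Computer     = $env:COMPUTERNAME
                    LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()
                    PSVersion    = $PSVersionTable.PSVersion.ToString()
                    # __PSLockdownPolicy is a testing aid, not a security boundary. If it is set,
                    # constrained mode may be coming from this variable rather than WDAC/AppLocker.
                    LockdownEnvVarSet = [bool]$env:__PSLockdownPolicy
                    Checked      = (Get-Date).ToString('s')
                }
            } | Select-Object Computer, LanguageMode, PSVersion, LockdownEnvVarSet, Checked
        } catch {
            # Unreachable hosts are reported too, so they are not silently treated as compliant.
            [pscustomobject]@{
                Computer          = $c
                LanguageMode      = 'UNREACHABLE'
                PSVersion         = $null
                LockdownEnvVarSet = $null
                Checked           = (Get-Date).ToString('s')
            }
        }
    }
}

function Get-LanguageModeDrift {
    param([Parameter(Mandatory)][object[]]$Report)
    # Anything other than ConstrainedLanguage is drift, including hosts we could not reach.
    $Report | Where-Object { $_.LanguageMode -ne 'ConstrainedLanguage' }
}

$report = Get-LanguageModeReport -ComputerName $Endpoints
$drift  = Get-LanguageModeDrift -Report $report

# Evidence file for the audit trail (the date in the name matches what auditors ask for).
$evidence = Join-Path $env:TEMP ("PSLanguageMode-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$report | Export-Csv -Path $evidence -NoTypeInformation

$report | Format-Table -AutoSize
if ($drift) {
    Write-Warning ("{0} endpoint(s) are not in ConstrainedLanguage mode:" -f $drift.Count)
    $drift | Format-Table Computer, LanguageMode -AutoSize
}
$report | Where-Object { $_.LanguageMode -eq 'ConstrainedLanguage' -and $_.LockdownEnvVarSet } |
    ForEach-Object { Write-Warning "$($_.Computer): constrained mode may rely on __PSLockdownPolicy, verify the WDAC/AppLocker policy" }
```

A host that reports FullLanguage, or one where constrained mode is present only because the __PSLockdownPolicy variable is set, should be treated as a finding: the control is met when an enforced WDAC or AppLocker policy puts PowerShell into Constrained Language Mode, not when a local setting happens to.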
Implementation tips
- The IT team should configure all computers to use PowerShell in Constrained Language Mode. This means adjusting the settings on each computer so that PowerShell can only perform safe, simple tasks and cannot use powerful, risky ones.
- Business managers should ask their IT team to include this configuration in regular security checks. This ensures the settings remain effective and consistent across the organisation.
- System administrators should update documentation to reflect this change. Clearly indicate that PowerShell is limited in its capabilities, providing guidance for users on what that means for daily operations.
- The IT manager should establish a process to routinely verify that Constrained Language Mode is enabled. This could involve setting reminders for periodic checks or using software that automatically reports the setting status.
- Executives should support these changes by explaining to staff why they are necessary. Sharing how these efforts help protect the business can motivate cooperation and compliance.
Audit / evidence tips
- Ask: for configuration reports from the IT team. Request documentation or system logs showing the current PowerShell settings across your computers.
  Good: includes a recently dated report that clearly indicates PowerShell is set to the limited mode on all devices.
- Ask: the IT department for policy documents.
  Good: includes a comprehensive policy that mentions Constrained Language Mode as a requirement.
- Ask: to see staff communications or training records.
- Good: will show consistent settings across sampled devices, ideally with automated monitoring proof.
- Good: includes logs confirming that any detected deviations were corrected promptly.
Cross-framework mappings
How ISM-1622 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | ISM-1622 requires a specific hardening configuration: PowerShell must use Constrained Language Mode |
| Partially meets | Annex A 8.9 | ISM-1622 mandates a particular security configuration for a specific technology (PowerShell Constrained Language Mode) |
E8

| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-AC-ML1.3 | ISM-1622 requires PowerShell to run in Constrained Language Mode to limit what PowerShell scripts and commands can do |
| Partially overlaps | E8-AH-ML2.11 | ISM-1622 requires PowerShell to be configured to use Constrained Language Mode to restrict what scripts can do |
| Supports | E8-AH-ML3.2 | ISM-1622 requires PowerShell to use Constrained Language Mode to reduce the capability available to scripts and interactive sessions |
| Related | E8-AH-ML3.3 | ISM-1622 requires PowerShell to be configured to use Constrained Language Mode to limit script capability and reduce abuse |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.