AppLocker
AppLocker is a security feature in Microsoft Windows operating systems that enables administrators to define rules allowing or denying the execution of specific applications, scripts, and files based on attributes such as publisher, file path, hash, or version, thereby helping organizations enforce software restrictions and mitigate risks from unauthorized or malicious code.[1] Introduced with Windows 7 and Windows Server 2008 R2, AppLocker builds on earlier application control mechanisms like Software Restriction Policies, providing a more granular and user-friendly approach to whitelisting approved software while blocking others.[2] It supports enforcement of rules for executable files (.exe, .com), scripts (such as .bat, .cmd, .ps1, .vbs, .js), Windows Installer packages (.msi, .msp, .mst), dynamic-link libraries (DLLs, .dll, .ocx), and packaged apps, allowing policies to be applied to individual users, security groups, or the entire system via Group Policy or Local Security Policy.[1] Key benefits include preventing malware execution, ensuring compliance with licensing and organizational standards, and standardizing the software environment across endpoints, with features like audit-only mode for testing rules before full enforcement and PowerShell cmdlets for automated management.[2] AppLocker integrates with broader Windows security tools, such as App Control for Business (formerly Windows Defender Application Control), to provide scalable deployment in enterprise settings, though it requires the Application Identity service to be running and is not supported on Server Core installations.[1]Overview
Definition and Purpose
AppLocker is a Group Policy-based application control feature in Microsoft Windows that allows system administrators to define and enforce rules for allowing or denying the execution of applications, scripts, and installers based on attributes such as file publishers, paths, or hashes.[2][1] This capability enables precise management of software execution at the enterprise level, supporting both whitelisting (explicitly allowing approved files) and blacklisting (explicitly denying specific files) approaches.[3] The core purpose of AppLocker is to prevent unauthorized or malicious software from running on Windows devices, thereby reducing the risk of malware infections and enhancing overall system security in organizational environments.[4] By enforcing application control policies, it helps organizations maintain compliance with security standards and regulatory requirements, limiting the potential for unauthorized applications to compromise data or resources.[2] In practice, AppLocker promotes a default-deny posture where only vetted applications are permitted, significantly mitigating the attack surface compared to unrestricted execution.[5] AppLocker evolved from the earlier Software Restriction Policies (SRP) introduced in Windows XP, providing more flexible and granular rule conditions without fully supplanting SRP, which remains available for backward compatibility on older systems.[6][7] This progression allows for easier auditing of software usage patterns and supports the principle of least privilege by restricting users and processes to only necessary applications.[8] As a result, it lowers administrative overhead in managing endpoints and contributes to cost savings by decreasing the incidence of security incidents related to rogue software.[9]Key Features
AppLocker provides granular control over application execution through rules based on multiple criteria, enabling administrators to allow or deny files such as executables (.exe, .com), scripts (.bat, .cmd, .js, .ps1, .vbs), Windows Installer packages (.msi, .msp, .mst), dynamic-link libraries (.dll, .ocx), and packaged apps.[3] These rules can be defined using publisher information derived from digital signatures (including company name, product name, file name, and version), file paths (with support for environment variables like %WINDIR% or %PROGRAMFILES%), or file hashes for unique identification.[1][2] This flexibility allows for precise targeting, such as permitting all applications from a trusted publisher except those below a certain version, and supports exceptions within rules to refine permissions without creating multiple overlapping policies.[1] To ensure system stability and prevent administrative lockouts, AppLocker includes default allow rules that automatically permit execution of core Windows components, such as files in the Windows and Program Files directories, for all users, as well as full access for members of the Administrators group.[3] These built-in rules provide a safety net, allowing essential operations to proceed even when custom policies are enforced.[3] An audit-only mode enables policy testing by logging potential rule violations without blocking application launches, which helps administrators assess the impact of rules on user workflows before full enforcement.[1][10] This mode generates detailed event logs for analysis, supporting iterative refinement of policies.[1] For enterprise environments, AppLocker integrates with Group Policy Objects (GPOs) via the Group Policy Management Console, facilitating centralized deployment and management of rules across multiple computers in a domain.[1][10] Policies can be created on a staging server, exported using PowerShell, and imported for production use, ensuring consistent application control without manual configuration on each device.[1] Comprehensive reporting is available through Windows Event Viewer, where AppLocker logs track both allowed and denied executions, capturing details such as the user account, application path, and rule that triggered the event.[10] These logs, generated in audit or enforcement modes, allow for monitoring compliance and troubleshooting, with PowerShell cmdlets providing options for programmatic data extraction and analysis.[1]History and Development
Origins and Initial Release
AppLocker was developed by Microsoft as an advanced application control mechanism to succeed Software Restriction Policies (SRP), which had been introduced in Windows XP Service Pack 2 in 2004 to restrict unauthorized software execution but suffered from limitations in rule flexibility and administrative manageability, particularly in large-scale enterprise deployments.[9] This evolution addressed the need for more intuitive policy creation based on file attributes like publisher, path, or hash, enabling finer-grained control over executables, scripts, and installers without relying solely on path-based restrictions.[9] The primary motivations for AppLocker's creation stemmed from the escalating malware threats during the mid-2000s, as cyber attacks increasingly targeted endpoints through unauthorized applications, prompting a shift toward proactive whitelisting strategies over reactive blacklisting.[1] Additionally, it responded to demands for compliance with industry security standards, where robust controls are required to prevent unapproved software from compromising sensitive data and ensuring audit-ready application governance.[11] These security enhancements were conceptualized as part of broader Windows improvements during the development of Windows 7, aiming to simplify endpoint protection for IT administrators managing diverse user environments.[9] AppLocker made its initial release on October 22, 2009, alongside Windows 7 and Windows Server 2008 R2, integrated as a built-in Group Policy feature available in the Ultimate and Enterprise editions of Windows 7, as well as all editions of Windows Server 2008 R2.[12] This debut marked a significant step in enterprise security, providing domain-based enforcement to limit application execution and mitigate risks from malicious or unauthorized code.[1] Early adoption focused on organizational IT administrators leveraging Active Directory to enforce policies across endpoints, particularly in corporate networks where controlling software proliferation was essential for maintaining security posture and operational efficiency.[1] Over subsequent Windows versions, AppLocker expanded in scope and accessibility, but its foundational role in application whitelisting remained tied to these initial enterprise-oriented implementations.[4]Evolution Across Windows Versions
Following its initial release in Windows 7 Enterprise and Ultimate editions and Windows Server 2008 R2 in 2009, AppLocker underwent significant enhancements starting with Windows 8 and Windows Server 2012 in 2012, primarily to address the growing ecosystem of modern applications. A key addition was support for packaged apps, including those distributed through the Microsoft Store, enabling administrators to create rules for both packaged app installers and the apps themselves using publisher-based conditions. This extension allowed for more granular control over Metro-style (now Universal Windows Platform) applications, which were not covered by traditional executable, script, or installer rules in prior versions. Additionally, scripting rule enforcement was refined to better integrate with emerging application types, though core script support remained consistent from earlier iterations. In Windows 8.1 and Windows Server 2012 R2, released in 2013, AppLocker received optimizations to its rule mechanisms. These updates built on the packaged app capabilities, ensuring compatibility with evolving app deployment models while maintaining backward compatibility with Windows 8 policies. AppLocker remained available only in Enterprise editions for Windows 8.1 clients. The introduction of Windows 10 and Windows Server 2016 in 2015 marked a pivotal shift toward integrated security ecosystems, with AppLocker gaining supplemental functionality through Windows Defender Application Control (WDAC), a more advanced code integrity solution. WDAC provided extensible policy options that complemented AppLocker's allow/deny model, such as enhanced kernel-level enforcement and supplemental driver blocking, while AppLocker itself saw improved auditing for script rules. Compatibility with mobile device management (MDM) protocols was also bolstered, enabling remote policy deployment via tools like Microsoft Intune, which facilitated management in enterprise mobile scenarios. By the Windows 10 era, Software Restriction Policies (SRP), the predecessor to AppLocker, were effectively phased out in favor of AppLocker and WDAC for modern deployments.[4][13] Windows 11 and Windows Server 2022, launched in 2021 and 2022 respectively, emphasized cloud-native administration, with AppLocker policies now seamlessly deployable through Microsoft Endpoint Manager (formerly Intune) for hybrid environments. This allowed centralized, cloud-based rule updates and auditing, reducing on-premises management burdens. Logging capabilities were enhanced for compliance, providing detailed event data in Event Viewer for better integration with security information and event management (SIEM) systems, including timestamps and rule violation contexts.[1] As of 2025, AppLocker in Windows 11 updates, including version 24H2 and support in Windows Server 2025, features minor refinements such as policy controls for AI-driven features like Microsoft 365 Copilot Chat, enabling restrictions on AI application executions without major architectural overhauls. These changes support hybrid work by strengthening MDM integrations and threat logging, aligning with broader Windows security postures like Zero Trust, while maintaining core compatibility with prior versions. No significant deprecations have occurred, but Microsoft continues to recommend transitioning to WDAC for advanced scenarios.[14][15]Functionality
Rule Types and Policies
AppLocker rules are categorized into five primary collections that define the types of files subject to control, enabling administrators to restrict application execution based on specific file formats and behaviors. Executable rules apply to portable executable files with .exe and .com extensions, preventing unauthorized programs from running on the system.[16] DLL rules apply to dynamic-link libraries with .dll and .ocx extensions, controlling the loading of libraries to enhance security against unauthorized or malicious DLLs; this collection is not enabled by default due to potential performance impacts and application compatibility issues.[16][17] Windows Installer rules govern installation packages, targeting .msi, .msp, and .mst files to control software deployment and updates.[16] Script rules manage scripting languages commonly used for automation, including .bat, .cmd, .js, .ps1, and .vbs files, to mitigate risks from malicious scripts.[16] Packaged app rules focus on modern application formats, such as AppX and MSIX packages for Universal Windows Platform (UWP) and desktop apps, ensuring only approved store or sideloaded applications can execute.[16][18] Each rule within these collections relies on one or more conditions to identify applicable files precisely, allowing for flexible yet targeted enforcement. Publisher-based conditions use digital signatures, including the certificate issuer, product name, file version, and binary name, to allow or block files from trusted vendors; this method is resilient to file relocations but requires updates for version changes.[19] Path-based conditions specify exact file locations or folders in the file system or network shares, supporting environment variables like %PROGRAMFILES% and wildcards for broader coverage, such as allowing all files in a directory except subfolders.[3] Hash-based conditions employ cryptographic file hashes (SHA-256 or similar) for exact matches, ideal for controlling specific, unchanging files like custom tools, though they necessitate recreation if files are modified or updated.[19] Extension-based conditions, often implemented via path rules with wildcards (e.g., *.exe), enable blocking or allowing files by their type without specifying full paths, providing a simple way to restrict entire categories like executables.[3] AppLocker policies organize these rules into structured collections within Group Policy Objects (GPOs), facilitating centralized management across Active Directory domains. Rules are grouped into allow lists, which explicitly permit specified files or users, and deny lists, which block them, with deny actions overriding allows for precedence; exceptions can be defined within rules to carve out allowances for particular users, groups, or subconditions, such as permitting a specific version despite a broader denial.[20] Policies inherit hierarchically from domain-level GPOs down to Organizational Units (OUs), allowing granular application while merging rules from parent containers unless explicitly overridden.[10] By default, AppLocker operates in a deny-all mode for each rule collection once enforcement is enabled, blocking any file not explicitly allowed to enforce strict whitelisting and prevent unauthorized code execution.[20] This configurable fallback ensures comprehensive control, though administrators can audit events in monitor-only mode before full enforcement to refine policies without disruptions.[1]Enforcement Mechanisms
AppLocker evaluates rules at execution time through the Application Identity service (appid.sys), a kernel-mode driver that intercepts attempts to run executables, DLLs, scripts, MSI files, and packaged apps. This real-time interception occurs before the file is loaded, where appid.sys reads the effective policy—cached for executables and DLLs to minimize repeated evaluations—and checks the file against the configured rules. If the rule collection for a file type is enforced but contains no rules, all files of that type are denied by default.[21][3] The evaluation prioritizes explicit deny rules over allow rules across all applicable conditions (publisher, path, or file hash); a file matching any deny rule is blocked regardless of matching allow rules, while files must match at least one allow rule if the collection has rules. For executables and DLLs, enforcement happens in kernel mode for enhanced security, whereas scripts and MSI files are evaluated in user mode via the Safer API. This process integrates with User Account Control (UAC), applying rules to both standard and elevated contexts during privilege checks.[21][3][21] AppLocker operates in two primary modes: Audit only and Enforce rules, configurable per rule collection. In Audit only mode, rules are evaluated without blocking execution, generating log events for allowed (Event IDs 8002 and 8005) or would-be-blocked files (Event IDs 8003 and 8006) to facilitate policy testing and monitoring. In Enforce rules mode, matching deny rules prevent execution—either silently or with user notifications indicating the block—while logging allowed (Event IDs 8002 and 8005) or blocked files (Event IDs 8004 and 8007).[22][3][23] All events are recorded in the Windows Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker, with sublogs for EXE and DLL, MSI and Script, and Packaged app rules. Each event includes details such as the file path or app identifier, process name, user or group security identifier (SID), rule type (e.g., publisher or path), rule name, and the reason for the match or block. This logging supports analysis without impacting enforcement.[23] For error handling, AppLocker resolves rule conflicts by enforcing deny precedence, ensuring no ambiguous allowances; if policy application fails (e.g., due to GPO issues), it falls back to the previous effective policy or a default deny state for configured collections. The system handles elevation requests through UAC integration, evaluating rules against the requested context to prevent unauthorized privilege escalations.[21][3] Performance impact is minimal overall, thanks to appid.sys caching rule evaluations for executables and DLLs, which avoids repeated policy reads during sessions. However, enabling DLL rule collections introduces slight overhead from per-load checks, though this is typically imperceptible; optimizing involves limiting rules per GPO and preferring publisher over hash conditions to reduce evaluation complexity.[24][21][3]Configuration and Management
Creating and Applying Rules
AppLocker rules are created and managed primarily through the Local Security Policy editor (secpol.msc) for standalone systems or the Group Policy Management Editor (gpedit.msc or via Group Policy Management Console) for domain environments. To begin, administrators navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker, where they can select specific rule collections such as Executable rules, Windows Installer rules, Script rules, or Packaged app rules.[25][10] Creating rules involves a wizard-based process within the AppLocker console. For publisher rules, which rely on digital signatures for identification, the process starts by right-clicking the appropriate rule collection and selecting Create New Rule. After specifying permissions (allow or deny for users or groups), the wizard prompts selection of the "Publisher rule condition." Administrators then browse to a signed file, such as an executable, to extract certificate details including publisher name, product name, file name, and version; a slider allows scoping from the full certificate chain down to file version, with options for wildcards (e.g., "*") in custom fields to broaden or narrow matching. Exceptions can be added to exclude specific sub-conditions.[26] Path rules, suitable for controlling access based on file locations, follow a similar workflow but select the "Path rule condition" after permissions. Administrators browse or manually enter folder paths (e.g., "C:\Program Files[Microsoft Office](/page/Microsoft_Office)"), with support for environment variables like %OSDRIVE% and recursion options to include or exclude subfolders. This allows granular control, such as permitting executables only from system directories while blocking others. Exceptions for specific paths within the rule can also be defined.[27] File hash rules identify applications by their cryptographic hash, providing a content-based match independent of location or signature. In the wizard, after selecting "File hash rule condition," administrators browse to one or more files (or folders for multiple), and the system automatically computes Authenticode cryptographic hashes. These rules are ideal for unsigned or custom applications but require recalculation if files update. For scripting scenarios, PowerShell cmdlets likeNew-AppLockerRule can be used to create rules by providing file paths, as the cmdlet internally computes the required hashes.[28][29][30]
Once rules are defined, policies are applied by linking Group Policy Objects (GPOs) to Organizational Units (OUs) in the Group Policy Management Console, targeting specific computers or users. Enforcement is enabled by setting the policy to "Enforce rules" in the AppLocker properties, though initial deployment should use "Audit only" mode to log violations without blocking, allowing review via Event Viewer (under Applications and Services Logs > Microsoft > Windows > AppLocker). Policies propagate automatically during Group Policy refresh intervals, but immediate application can be forced with the command gpupdate /force on target machines. Testing in a controlled environment helps identify unintended blocks before full enforcement. Note that in Windows 11 version 24H2, a temporary issue prevented proper enforcement of script rules for PowerShell Constrained Language Mode, which was resolved in the May 2025 cumulative update (KB5058411). Ensure systems are updated for full functionality.[31][32]
Common scenarios include whitelisting productivity applications, such as creating publisher rules to allow the entire Microsoft Office suite by selecting any Office executable and setting the scope to the Microsoft Corporation publisher certificate, ensuring only signed versions run. Another frequent use is blocking executables on removable media by defining a deny path rule for "%REMOVABLE%" with recursion enabled, preventing unauthorized software from portable drives. These approaches balance security with operational needs in enterprise settings.[31]
For basic troubleshooting, administrators can configure custom notifications to inform users of restrictions when a blocked application is attempted, such as displaying a URL with policy details or support instructions via registry settings under HKLM\SOFTWARE\Policies[Microsoft](/page/Microsoft)\Windows\AppLocker. Event logs in Event Viewer provide details on blocked or audited events, aiding in rule refinement without disrupting users.[33][23]
Administrative Tools and Interfaces
AppLocker policies in enterprise environments are primarily managed through core interfaces integrated with Windows management tools. The Group Policy Management Console (GPMC) serves as the central interface for configuring and deploying AppLocker policies across Active Directory domains, allowing administrators to create, edit, and link Group Policy Objects (GPOs) that enforce rules on multiple machines simultaneously.[34] For standalone or non-domain-joined systems, the Local Group Policy Editor (gpedit.msc) provides a graphical interface to define and apply AppLocker policies locally, enabling rule management without domain infrastructure.[10] Advanced scripting and automation capabilities extend management beyond graphical tools. Windows PowerShell cmdlets, such as New-AppLockerPolicy for generating rules from file lists and Get-AppLockerPolicy for retrieving existing policies from local or domain sources, facilitate bulk rule creation, policy merging, and testing in scripted workflows.[35][36][37] Although AppLocker's core interfaces are not publicly exposed as a general API for third-party custom applications, programmatic access is available through the AppLocker Configuration Service Provider (CSP), which leverages WMI Bridge providers for policy configuration in managed device scenarios.[38][39] In hybrid and cloud-managed setups, AppLocker integrates with broader endpoint management platforms for scalable deployment. Microsoft Endpoint Configuration Manager (formerly SCCM) supports AppLocker by designating it as a managed installer, allowing policies to tag and authorize applications deployed via Configuration Manager while enforcing restrictions on unauthorized software.[40] For cloud-based mobile device management (MDM), Microsoft Intune enables AppLocker policy delivery through the AppLocker CSP, supporting hybrid environments where policies are pushed to Windows devices for enforcement of executable, script, and MSI rules. Monitoring AppLocker enforcement relies on built-in logging tools, with Event Viewer providing detailed audit trails of policy applications, including blocked or allowed executions, user contexts, and file paths under the Applications and Services Logs\Microsoft\Windows\AppLocker path.[23] These logs can be exported and integrated with third-party Security Information and Event Management (SIEM) systems, such as Splunk, for centralized aggregated reporting and correlation with other security events across the enterprise.[23] Further automation is achieved via Windows Management Instrumentation (WMI) providers, which expose AppLocker policy states and rule details through classes like MDM_AppLocker_EXE03 for executable restrictions, enabling remote querying and updates in enterprise scripts or management tools.[41] This WMI-based access supports programmatic monitoring and adjustment of enforcement modes without manual intervention.[39]Availability and Compatibility
Supported Windows Editions
AppLocker is available in select editions of Windows client and server operating systems, with support evolving through updates to enable broader deployment across editions.Client Editions
AppLocker was initially supported on Windows 7 Enterprise and Ultimate editions. In Windows 8 and 8.1, support extended to Enterprise editions for full configuration and enforcement, while Pro editions allowed configuration but not enforcement. For Windows 10 versions prior to 2004, AppLocker required Enterprise or Education editions for Group Policy-based enforcement.[15] Following the release of KB5024351 in February 2023, edition restrictions were removed, enabling configuration and enforcement of AppLocker policies on all editions of Windows 10 version 2004 and later, as well as all editions of Windows 11, including Home and Pro.[42] This update allows deployment via Mobile Device Management (MDM) on Pro editions without additional registry modifications, though local enforcement on Home editions remains limited to policy application without native PowerShell cmdlets for advanced management.[43] As of November 2025, no further changes to core edition availability have occurred, and AppLocker functions on ARM-based Windows 11 devices, including version 24H2, consistent with general App Control for Business support.[4]Server Editions
AppLocker received full support starting with Windows Server 2008 R2 Enterprise and Datacenter editions.[44] Subsequent versions, including Windows Server 2012, 2012 R2, 2016, 2019, and 2022, provide support across all editions, with policies enforceable via Group Policy.[15] Windows Server 2025 maintains this availability without alterations to edition requirements.[4]Limitations
AppLocker is unavailable on Home or Standard editions of Windows versions predating the KB5024351 update, and it does not support Windows editions below Windows 7 or non-listed server variants.[15] On Windows 10 Pro editions prior to version 2004, activation required specific Group Policy or registry configurations for enforcement.[42]Prerequisites
Domain-based AppLocker policies necessitate an Active Directory environment for Group Policy deployment, while local policies can be applied without it.[15] Kernel-level enforcement requires a 64-bit Windows installation and standard hardware meeting the OS minimum specifications, such as sufficient RAM for policy evaluation.| Windows Version | Supported Client Editions | Supported Server Editions |
|---|---|---|
| Windows 7 | Enterprise, Ultimate | N/A |
| Windows 8/8.1 | Enterprise (full), Pro (config only) | N/A |
| Windows 10 (pre-2004) | Enterprise, Education | N/A (Server separate) |
| Windows 10 (2004+) / Windows 11 | All (Home, Pro, Enterprise, Education) | All editions |
| Windows Server 2008 R2 | N/A | Enterprise, Datacenter |
| Windows Server 2012+ (incl. 2022, 2025) | N/A | All editions |
Version-Specific Features and Limitations
AppLocker's capabilities have evolved significantly across Windows versions, with each iteration introducing new rule types or deployment options while retaining certain constraints tied to the underlying operating system architecture. Initial releases focused on basic file-based controls, while later versions integrated support for modern application formats and enhanced management through mobile device management (MDM) tools. The following table summarizes key version-specific features and limitations, based on official Microsoft documentation.[15][4]| Windows Version | New Features | Limitations |
|---|---|---|
| Windows 7 / Server 2008 R2 | Introduced core rule types for executables (.exe, .com), scripts (.ps1, .bat, .cmd, .vbs, .js), Windows Installer files (.msi, .msp), and DLLs (.dll, .ocx); audit-only mode for testing policies; rules based on publisher, path, hash, or file properties.[45][9] | No support for packaged app rules; configuration and enforcement limited to Enterprise and Ultimate editions; lacked native MDM or cloud-based policy deployment; hash rules required manual recomputation for any file modifications, increasing administrative overhead.[45][29] |
| Windows 8 / Server 2012 | Added packaged app and packaged app installer rules (.appx, .mst) for Microsoft Store applications; publisher rules specifically for signed packaged apps.[46][47] | Enforcement still restricted to Enterprise edition for client OS; no integration with emerging device management frameworks like Intune; continued fragility of hash rules with software updates altering file hashes.[15][29] |
| Windows 8.1 / Server 2012 R2 | Enhanced rule management with PowerShell cmdlets for automation; improved exception handling in policies.[45] | Pro edition could configure but not enforce policies; absent support for later cloud integrations; performance degradation on systems with extensive hash-based rules due to computational demands.[15][24] |
| Windows 10 / Server 2016+ | Full integration with Windows Defender Application Control (WDAC) for hybrid policies; MDM support via Intune for cloud deployment; post-KB5024351 (2023), enforcement enabled on all editions starting from version 2004; expanded script rule coverage including PowerShell.[4][42][15] | Hash rules remain vulnerable to breakage from automatic updates or file versioning, necessitating frequent policy maintenance; notable performance overhead on low-end hardware during hash verification for large rule sets; no native controls for Windows Subsystem for Linux (WSL) binaries.[29][24] |
| Windows 11 | Builds on Windows 10 with refined WDAC convergence for Zero Trust architectures; improved handling of modern packaged apps and scripts in audit mode; alignment with Smart App Control features for baseline protection.[4][15][48] | Enforcement unavailable in S mode due to its restrictive Store-only app ecosystem; persistent hash rule maintenance challenges with frequent OS updates; disabled by default in consumer-focused configurations without MDM; lacks direct support for non-Win32 subsystems like WSL; script enforcement broken in version 24H2, where PowerShell Constrained Language Mode is not enforced correctly, allowing bypass of script rules as of November 2025.[15][29][42][32] |