
Constrained Language Audit Mode blocking actions

Open Chris1WK opened this issue 10 months ago • 2 comments

Prerequisites

Steps to reproduce

start-job -ScriptBlock {Get-ChildItem} # Will result in an error that the language mode is incompatible with the system-wide language mode
$executionContext.SessionState.LanguageMode = "FullLanguage" # Would not be possible if Constrained language mode was enforced, but succeeds
start-job -ScriptBlock {Get-ChildItem} # Succeeds

Expected behavior

1      Job1            BackgroundJob   Running       True            localhost            Get-ChildItem

Actual behavior

Start-Job: Cannot start job. The language mode for this session is incompatible with the system-wide language mode.

Error details

Start-Job: Cannot start job. The language mode for this session is incompatible with the system-wide language mode.

Environment data

Name                           Value
----                           -----
PSVersion                      7.5.0
PSEdition                      Core
GitCommitId                    7.5.0
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

Constrained language audit mode seems to block commands. I would expect audit mode to log but not enforce anything. Using start-job as an example, the command fails with "The language mode for this session is incompatible with the system-wide language mode."

Image

Chris1WK avatar Feb 28 '25 14:02 Chris1WK

Apologies, I should have included this originally.

Image

Audit mode is from the default WDAC policy from Intune endpoint security.

Chris1WK avatar Feb 28 '25 14:02 Chris1WK

@Chris1WK I concur. I know that even in audit mode ACFB will report and it does mention that it will block if rule 11 is on. Perhaps that is enabled.

ACFB Script Enforcement: App Control puts interactive PowerShell into Constrained Language Mode if any App Control UMCI policy is enforced and any active App Control policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for all policies.

usnoozeyulosey avatar Dec 01 '25 02:12 usnoozeyulosey
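
A read-only check for the situation discussed in this thread, added here as an example and not posted by any participant or taken from the PowerShell project: it reports the session language mode, the lockdown policy PowerShell reads from App Control, whether `Start-Job` starts, and recent script-enforcement events. The function name `Get-LanguageModeDiagnostic` is hypothetical, and the event log channel and IDs (8028 audit, 8029 block) are assumptions about where App Control records script events on the affected machine.

```powershell
# Added diagnostic, not from the issue thread.
# Read-only: it never changes the session language mode.
function Get-LanguageModeDiagnostic {
    $result = @{
        SessionLanguageMode  = "$($ExecutionContext.SessionState.LanguageMode)"
        SystemLockdownPolicy = $null
        StartJob             = $null
        ScriptPolicyEvents   = @()
    }

    # What PowerShell itself reads from the App Control policy: None, Audit or Enforce.
    # Static method calls are refused in ConstrainedLanguage, so record that instead of failing.
    try {
        $policy = [System.Management.Automation.Security.SystemPolicy]::GetSystemLockdownPolicy()
        $result.SystemLockdownPolicy = "$policy"
    } catch {
        $result.SystemLockdownPolicy = "unavailable: $($_.Exception.Message)"
    }

    # Same command as the reproduction steps; capture the error text rather than stopping.
    try {
        $job = Start-Job -ScriptBlock { Get-ChildItem } -ErrorAction Stop
        $result.StartJob = "started (job id $($job.Id))"
        Remove-Job -Job $job -Force
    } catch {
        $result.StartJob = "failed: $($_.Exception.Message)"
    }

    # Assumed channel and IDs: 8028 = would have been blocked (audit), 8029 = blocked (enforced).
    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8028, 8029 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
    $result.ScriptPolicyEvents = @($events | Group-Object Id |
        ForEach-Object { "event $($_.Name) x $($_.Count)" })

    $result
}

Get-LanguageModeDiagnostic
```

A `SystemLockdownPolicy` of `Audit` together with a failed `StartJob` is the combination this issue reports.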