skbtwiz commented Dec 12, 2025

Fixes #283151

Description

PowerShell 7.4 introduced Constrained Language Audit Mode, where $ExecutionContext.SessionState.LanguageMode reports ConstrainedLanguage but runtime behavior is equivalent to FullLanguage Mode. This is intended only for logging what would be blocked were ConstrainedLanguage mode actually being enforced seriously.

The PowerShell VSCode shell integration guard currently aborts unless LanguageMode == FullLanguage. This logic predates the existence of audit-only constrained language mode and was correct for its time. Presently, however, it falsely blocks the shell integration from working in audit scenarios, even though PowerShell execution is fully functional.

This change updates the guard to allow shell integration when:

  • LanguageMode == FullLanguage, or
  • LanguageMode == ConstrainedLanguage and system lockdown policy is Audit

Enforced constrained language mode continues to be blocked.

Why this change is safe

  • Audit CLM is explicitly non-restrictive by design
  • Enforced CLM behavior remains unchanged
  • Backward compatible with all older PowerShell versions
  • No elevation or system configuration changes required
  • Uses PowerShell’s official SystemPolicy.GetSystemLockdownPolicy() API

How to test

Audit CLM scenario

  1. On Windows 11, enable a WDAC / App Control audit-only policy
  2. Install PowerShell 7.4+. If step 1 went correctly, pwsh should be in ConstrainedLanguage Audit Mode
  3. Open VS Code
  4. Open the integrated terminal using pwsh
  5. Verify shell integration initializes correctly (prompt tracking, command boundaries)

Enforced CLM scenario

  1. Enable an enforced WDAC / App Control policy
  2. Open the integrated terminal using pwsh
  3. Verify shell integration does not initialize

Baseline

  • Windows PowerShell 5.1 (FullLanguage) continues to work unchanged because it is too old to understand Audit Mode.

Notes

The original language mode guard was introduced in #158548 and was correct at the time. This change adapts that logic to newer PowerShell semantics introduced in 7.4 without weakening security guarantees.
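
The guard condition described in this pull request, written out as an added PowerShell example (not the code from the PR or from VS Code). The function names `Get-LockdownPolicyName` and `Test-ShellIntegrationAllowed` are hypothetical, the mode/policy pairs are constructed, and a failed policy query is assumed to mean enforcement so the check fails closed:

```powershell
# Added example, not the pull request's code. Function names are hypothetical.

function Get-LockdownPolicyName {
    # Returns the system lockdown policy as a string: 'None', 'Audit' or 'Enforce'.
    # Assumption: if the query fails for any reason, report 'Enforce' so that
    # the caller fails closed instead of enabling shell integration.
    try {
        $policy = [System.Management.Automation.Security.SystemPolicy]::GetSystemLockdownPolicy()
        return $policy.ToString()
    } catch {
        return 'Enforce'
    }
}

function Test-ShellIntegrationAllowed {
    param(
        [string]$LanguageMode,    # value of $ExecutionContext.SessionState.LanguageMode
        [string]$LockdownPolicy   # value from Get-LockdownPolicyName
    )
    switch ($LanguageMode) {
        # Unrestricted session: always allowed.
        'FullLanguage'        { return $true }
        # Constrained session: allowed only when the policy is audit-only.
        'ConstrainedLanguage' { return ($LockdownPolicy -eq 'Audit') }
        # RestrictedLanguage, NoLanguage or anything unexpected: blocked.
        default               { return $false }
    }
}

# Constructed mode/policy combinations covering the scenarios in the description.
$cases = @(
    @{ Mode = 'FullLanguage';        Policy = 'None'    },  # baseline
    @{ Mode = 'ConstrainedLanguage'; Policy = 'Audit'   },  # audit CLM
    @{ Mode = 'ConstrainedLanguage'; Policy = 'Enforce' },  # enforced CLM
    @{ Mode = 'ConstrainedLanguage'; Policy = 'None'    },  # CLM without an audit policy
    @{ Mode = 'NoLanguage';          Policy = 'None'    }   # any other mode
)
foreach ($c in $cases) {
    $allowed = Test-ShellIntegrationAllowed -LanguageMode $c.Mode -LockdownPolicy $c.Policy
    '{0,-20} {1,-8} allowed={2}' -f $c.Mode, $c.Policy, $allowed
}

# The same decision for the session this script is running in.
$mode = $ExecutionContext.SessionState.LanguageMode.ToString()
Test-ShellIntegrationAllowed -LanguageMode $mode -LockdownPolicy (Get-LockdownPolicyName)
```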

… Audit mode

Enhance shell integration checks for constrained language audit mode introduced in PowerShell 7.4 and later. This new mode is identical in behavior to FullLanguage mode and deserves to receive equal treatment.

skbtwiz commented Dec 12, 2025

@microsoft-github-policy-service agree

Development

Successfully merging this pull request may close these issues.

Terminal Shell Integration requires update for newer PowerShell 7.4+ ConstrainedLanguage AUDIT mode
