PowerShell: Constrained Language Audit mode breaks az.resources

Prerequisites

Write a descriptive title.
Make sure you are able to repro it on the latest released version
Search the existing issues.
Refer to the FAQ.
Refer to Differences between Windows PowerShell 5.1 and PowerShell.

Steps to reproduce

Previously, in 7.3.9, I could use the Get-AzADGroup cmdlet from az.resources. This now fails in 7.4.0, logging the following warning to the event log, apparently due to Constrained Language mode. I have read the notes at https://learn.microsoft.com/en-us/powershell/scripting/learn/application-control?view=powershell-7.4#wdac-policy-enforcement but my understanding is that this is in warning-only mode, so not sure why this breaks.

Confirm 7.4.0 works fine where WDAC doesn’t get involved. In both cases, $ExecutionContext.SessionState.LanguageMode reads as “FullLanguage” but with WDAC, we get the below error.

Can also confirm that rolling back to 7.3.9, Get-AZADGroup works fine again.

Expected behavior

PS > get-azadgroup -displayname azurevirtualdesktop

DisplayName         Id                 MailNickname Description
-----------         --                 ------------ -----------
AzureVirtualDesktop 4b5fc7cb.....745ff 61b71d76-7   Azure Virtual Desktop users

Actual behavior

PowerShell 7.4.0
[Constrained Language AUDIT Mode : No Restrictions]
PS > ipmo az.resources

PS> get-azadgroup -DisplayName azurevirtualdesktop
ParentContainsErrorRecordException: ....\Documents\PowerShell\Modules\az.resources\6.12.0\MSGraph.Autorest\exports\ProxyCmdletDefinitions.ps1:3532
Line |
3532 |          $steppablePipeline = $scriptCmd.GetSteppablePipeline($MyInvoc …
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "GetSteppablePipeline" with "1" argument(s): "The expression after '&' in a pipeline element
     | produced an object that was not valid. It must result in a command name, a script block, or a CommandInfo
     | object."

PS > $ExecutionContext.SessionState.LanguageMode = 'FullLanguage'

PS > get-azadgroup -DisplayName azurevirtualdesktop
ParentContainsErrorRecordException: ....\Documents\PowerShell\Modules\az.resources\6.12.0\MSGraph.Autorest\exports\ProxyCmdletDefinitions.ps1:3532
Line |
3532 |          $steppablePipeline = $scriptCmd.GetSteppablePipeline($MyInvoc …
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "GetSteppablePipeline" with "1" argument(s): "The expression after '&' in a pipeline element
     | produced an object that was not valid. It must result in a command name, a script block, or a CommandInfo
     | object."



### Error details

```console
From PowershellCore/Operational:

Error Message = Exception calling "GetSteppablePipeline" with "1" argument(s): "The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name, a script block, or a CommandInfo object."
Fully Qualified Error ID = RuntimeException


Context:
        Severity = Warning
        Host Name = ConsoleHost
        Host Version = 7.4.0
        Host ID = e0d32791-7e3c-44a6-bbb3-c46817f36700
        Host Application = C:\Program Files\PowerShell\7\pwsh.dll
        Engine Version = 7.4.0
        Runspace ID = 33297d30-ce4f-4807-ba84-84f0aa1b96de
        Pipeline ID = 17
        Command Name = 
        Command Type = 
        Script Name = ....\Documents\PowerShell\Modules\az.resources\6.12.0\MSGraph.Autorest\exports\ProxyCmdletDefinitions.ps1
        Command Path = 
        Sequence Number = 10
        Connected User = 
        Shell ID = Microsoft.PowerShell


User Data:

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.0
PSEdition                      Core
GitCommitId                    7.4.0
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

No response

About this issue

Original URL
State: closed
Created 7 months ago
Reactions: 4
Comments: 15 (3 by maintainers)

Most upvoted comments

Confirmed that this is a critical error in PowerShell 7.4.0. The Az Module is unusable and anything with [PSCustomObject] is unusable.

This is insane that this made it through testing.

ChristopherGLewis on Dec 4, 2023

However, getting a bit off-topic for this particular issue so I’m happy to take it up on the bicep repo instead.

@lansalot does https://github.com/Azure/azure-powershell/issues/23685 look like the same issue? If not, please could you make sure you’ve reported the separate issue with the process hang under https://github.com/Azure/azure-powershell/issues?

anthony-c-martin on Dec 13, 2023

@anthony-c-martin Thanks, I was also able to see this in the procmon trace, for the hung process/image. Copying and pasting the exact same line into a terminal worked instantly, so not sure why doing that from within vscode was having the different result.

However, getting a bit off-topic for this particular issue so I’m happy to take it up on the bicep repo instead.

lansalot on Dec 12, 2023

Related:

System lockdown / WDAC: Use of new audit-only mode prevents use of [pscustomobject] literals, behaves as if ConstrainedLanguage mode were in effect #20768

Thanks, I did see that in research - but I noted that the OP stated setting LanguageMode to “FullLanguage” was a workaround. In my case above, I had FullLanguage, but problem still exists.

lansalot on Nov 27, 2023