How Did a Critical PowerShell Security Flaw Impact Windows 11 24H2 Administrators?

What Are the Risks of Broken AppLocker Script Enforcement in Windows 11 24H2?

A major security vulnerability affected Windows 11 24H2, where PowerShell script enforcement under AppLocker and Windows Defender Application Control (WDAC) was broken for several months. This flaw allowed scripts that should have been restricted to run without limitations, exposing systems to heightened security risks.

AppLocker is a Windows feature that lets administrators control which applications and scripts users can run by defining rules based on file attributes or certificates.

WDAC (Windows Defender Application Control) enforces code integrity policies, restricting unauthorized or unsigned code from executing, and is considered a stronger security boundary than AppLocker.

What Went Wrong in Windows 11 24H2?

In previous Windows versions, PowerShell checked AppLocker rules to determine if it should run in Constrained Language Mode (CLM), which restricts potentially dangerous script capabilities.

In Windows 11 24H2, a change in the way PowerShell interacted with system APIs caused it to skip proper AppLocker evaluation. Instead of enforcing CLM, PowerShell scripts defaulted to Full Language Mode (FLM), removing critical restrictions.

This issue stemmed from faulty logic in PowerShell’s use of the new WldpCanExecuteFile API. PowerShell failed to fall back to AppLocker evaluation after checking WDAC, resulting in unrestricted script execution even when AppLocker rules were in place.

Security Risks

  • Privilege escalation: Attackers could run advanced scripts that should have been blocked, increasing the risk of privilege abuse.
  • Lateral movement: Malicious scripts could spread across a network unchecked, amplifying the impact of a breach.
  • Malware deployment: Ransomware and other threats often use PowerShell scripts to bypass defenses, a scenario AppLocker was designed to prevent.

Detection and Resolution

The problem was first widely noticed by administrators in early 2025, with multiple community reports and technical analyses confirming the flaw.

Microsoft addressed the issue in PowerShell 7.6 and through a May 2025 security update. The fix involved correcting the logic in the Windows Lockdown Policy (WLDP) runtime, ensuring that PowerShell correctly enforces CLM when AppLocker or WDAC policies require it.

The updated enforcement now relies on a feature flag and improved API handling, mapping the results of script evaluations to the appropriate language mode:

  • Allowed > Full Language Mode
  • RequireSandbox > Constrained Language Mode
  • Blocked > Script execution denied

Actions for Administrators

Review and test

Before upgrading to Windows 11 24H2, verify that PowerShell script enforcement works as expected in your environment.
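One way to perform that verification is to run a probe script from a path that the AppLocker script rules do not allow and compare the language mode PowerShell actually starts it in with the decision AppLocker reports for the file. The following PowerShell function is an added example, not code from the article or from Microsoft; it assumes an AppLocker policy with an enforced script rule collection whose allow rules do not cover the user's TEMP directory (the default rules allow only Program Files and Windows), so a probe placed there should run in Constrained Language Mode. The function name and the `EnforcementOK` output property are the example's own.

```powershell
# Added example (not from the article): checks that PowerShell honours AppLocker
# script rules by launching a probe from a user-writable, non-allow-listed path.
# Assumes an enforced AppLocker script rule collection that does not allow $env:TEMP.
function Test-PowerShellScriptEnforcement {
    [CmdletBinding()]
    param(
        # Directory the AppLocker script rules should NOT allow; TEMP is the usual case.
        [string]$ProbeDirectory = $env:TEMP,
        # Interpreter to probe: 'powershell.exe' (5.1) or 'pwsh.exe' (7.x).
        [string]$PowerShellExe = 'powershell.exe'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $probe = Join-Path $ProbeDirectory ('clm-probe-{0}.ps1' -f [guid]::NewGuid())

    # The probe does nothing but report the language mode it was started in.
    Set-Content -Path $probe -Value '$ExecutionContext.SessionState.LanguageMode.ToString()'

    try {
        # What does the effective AppLocker policy decide for this file and user?
        # PolicyDecision is one of Allowed, AllowedByDefault, Denied, DeniedByDefault.
        $decision = Get-AppLockerPolicy -Effective |
            Test-AppLockerPolicy -Path $probe -User Everyone |
            Select-Object -ExpandProperty PolicyDecision

        # Run the probe in a fresh process. -ExecutionPolicy Bypass keeps the script
        # execution policy (which is not a security boundary) from confounding the test;
        # only AppLocker/WDAC should decide the language mode here.
        $observed = & $PowerShellExe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $probe 2>&1 |
            Select-Object -Last 1

        # A file AppLocker does not allow must run in ConstrainedLanguage; an allowed
        # file may run in FullLanguage. Anything else means enforcement is not working.
        $expected = if ($decision -like 'Allowed*') { 'FullLanguage' } else { 'ConstrainedLanguage' }

        [pscustomobject]@{
            OSBuild              = $os.BuildNumber
            Interpreter          = $PowerShellExe
            ProbePath            = $probe
            AppLockerDecision    = $decision
            ExpectedLanguageMode = $expected
            ObservedLanguageMode = "$observed".Trim()
            EnforcementOK        = ("$observed".Trim() -eq $expected)
        }
    }
    finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

# Example run: on an affected 24H2 build the probe reports FullLanguage even though
# AppLocker's decision is Denied/DeniedByDefault, so EnforcementOK is False.
Test-PowerShellScriptEnforcement | Format-List
```

Run it as the user whose rules you want to test, once per interpreter you ship (Windows PowerShell 5.1 and PowerShell 7.x are separate binaries with separate fixes), before and after applying the May 2025 update. An `EnforcementOK` of `False` with a `Denied` decision is exactly the failure mode the article describes: the policy is in place, but the interpreter never mapped it to Constrained Language Mode. On a machine with no AppLocker policy at all, `Get-AppLockerPolicy -Effective` returns an empty policy and every decision is `AllowedByDefault`, so a `FullLanguage` result there is correct rather than a sign of the bug.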

Prefer WDAC over AppLocker

Microsoft recommends using WDAC (now called App Control for Business) for robust application control, as AppLocker is considered a defense-in-depth feature and not a primary security boundary.

Apply updates

Ensure PowerShell 7.6 or the relevant security updates are installed to restore proper script enforcement.

The lapse in PowerShell script enforcement in Windows 11 24H2 created a significant security gap, allowing restricted scripts to run freely. Microsoft’s update restores proper controls, but organizations should reassess their reliance on AppLocker and consider transitioning to WDAC for stronger protection.