StartingScriptWrapper.ps1 - not launching with AppLocker enabled

%3CLINGO-SUB%20id%3D%22%5C%26quot%3Blingo-sub-3060404%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3EStartingScriptWrapper.ps1%20-%20not%20launching%20with%20AppLocker%20enabled%26lt%3B%5C%2Flingo-sub%26gt%3B%3CLINGO-BODY%20id%3D%22%5C%26quot%3Blingo-body-3060404%5C%26quot%3B%22%20slang%3D%22%5C%26quot%3Ben-US%5C%26quot%3B%22%3E%3CP%3EHi%20folks.%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%26lt%3B%5C%2FP%26gt%3B%3C%2FP%3E%3CP%3EHas%20anyone%20got%20the%20above%20script%20to%20launch%20in%20environments%20where%20AppLocker%20is%20present%3F%20PowerShell%20runs%20for%20standard%20users%20in%20Constrained%20Language%20mode%20where%20AppLocker%20is%20enabled%20and%20this%20prevents%20the%20Start%3CSPAN%3EingScriptWrapper.ps1%20script%20from%20launching%20due%20to%20the%20dot-sourcing%20at%20the%20start%20of%20the%20script.%20I%20thought%20that%20the%20script%20would%20be%20digitally%20signed%20so%20that%20it%20would%20pass%20an%20AppLocker%20Publisher%20rule%20but%20that%20doesn't%20seem%20to%20be%20the%20case.%20I%20tried%20signing%20it%20with%20a%20known%20good%20cert%20but%20that%20didn't%20work%20either.%20The%20same%20MSIX%20will%20launch%20fine%20on%20a%20machine%20without%20AppLocker%20present.%26lt%3B%5C%2FSPAN%26gt%3B%26lt%3B%5C%2FP%26gt%3B%26lt%3B%5C%2Flingo-body%26gt%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3C%2FLINGO-SUB%3E
Occasional Visitor

Hi folks.

 

Has anyone got the above script to launch in environments where AppLocker is present? PowerShell runs for standard users in Constrained Language mode where AppLocker is enabled and this prevents the StartingScriptWrapper.ps1 script from launching due to the dot-sourcing at the start of the script. I thought that the script would be digitally signed so that it would pass an AppLocker Publisher rule but that doesn't seem to be the case. I tried signing it with a known good cert but that didn't work either. The same MSIX will launch fine on a machine without AppLocker present.

1 Reply
I have heard this feedback from others. The issue will be the AppLocker configuration. Ultimately, PSFTooling will run the StartingScriptWrapper which will then run your powershell script.

You will need to investigate why AppLocker is blocking this. Here are some ideas: If the configuration does not allow powershell to run, you are out of luck. If it requires the scripts to be signed, then you'll have to sign them. If it only allows scripts to be run from certain locations, you should add C:\Program Files\WindowsApps to that list.