PowerShell
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs‎
Lines changed: 17 additions & 8 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/AddType.cs‎
Lines changed: 17 additions & 8 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/Import-LocalizedData.cs‎
Lines changed: 10 additions & 2 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/Import-LocalizedData.cs‎
Lines changed: 10 additions & 2 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/InvokeExpressionCommand.cs‎
Lines changed: 11 additions & 0 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/InvokeExpressionCommand.cs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs‎
Lines changed: 43 additions & 22 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/commands/utility/New-Object.cs‎
Lines changed: 43 additions & 22 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/resources/AddTypeStrings.resx‎
Lines changed: 6 additions & 0 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/resources/AddTypeStrings.resx‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/resources/ImportLocalizedDataStrings.resx‎
Lines changed: 6 additions & 0 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/resources/ImportLocalizedDataStrings.resx‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx‎
Lines changed: 12 additions & 0 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/resources/NewObjectStrings.resx‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/Microsoft.PowerShell.Commands.Utility/resources/UtilityCommonStrings.resx‎
Lines changed: 6 additions & 0 deletions b/‎src/Microsoft.PowerShell.Commands.Utility/resources/UtilityCommonStrings.resx‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/Microsoft.PowerShell.ConsoleHost/host/msh/ConsoleHost.cs‎
Lines changed: 9 additions & 1 deletion b/‎src/Microsoft.PowerShell.ConsoleHost/host/msh/ConsoleHost.cs‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/Microsoft.PowerShell.ConsoleHost/resources/ManagedEntranceStrings.resx‎
Lines changed: 3 additions & 0 deletions b/‎src/Microsoft.PowerShell.ConsoleHost/resources/ManagedEntranceStrings.resx‎
Lines changed: 3 additions & 0 deletions
@@ -556,15 +556,24 @@ protected override void BeginProcessing()
         {
             // Prevent code compilation in ConstrainedLanguage mode, or NoLanguage mode under system lock down.
             if (SessionState.LanguageMode == PSLanguageMode.ConstrainedLanguage ||
-                (SessionState.LanguageMode == PSLanguageMode.NoLanguage && 
-                 SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
+                (SessionState.LanguageMode == PSLanguageMode.NoLanguage && SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce))
             {
-                ThrowTerminatingError(
-                    new ErrorRecord(
-                        new PSNotSupportedException(AddTypeStrings.CannotDefineNewType),
-                        nameof(AddTypeStrings.CannotDefineNewType),
-                        ErrorCategory.PermissionDenied,
-                        targetObject: null));
+                if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
+                {
+                    ThrowTerminatingError(
+                        new ErrorRecord(
+                            new PSNotSupportedException(AddTypeStrings.CannotDefineNewType),
+                            nameof(AddTypeStrings.CannotDefineNewType),
+                            ErrorCategory.PermissionDenied,
+                            targetObject: null));
+                }
+
+                SystemPolicy.LogWDACAuditMessage(
+                    context: Context,
+                    title: AddTypeStrings.AddTypeLogTitle,
+                    message: AddTypeStrings.AddTypeLogMessage,
+                    fqid: "AddTypeCmdletDisabled",
+                    dropIntoDebugger: true);
             }
 
             // 'ConsoleApplication' and 'WindowsApplication' types are currently not working in .NET Core
 
@@ -7,6 +7,7 @@
 using System.IO;
 using System.Management.Automation;
 using System.Management.Automation.Internal;
+using System.Management.Automation.Security;
 
 namespace Microsoft.PowerShell.Commands
 {
@@ -146,16 +147,23 @@ protected override void ProcessRecord()
             }
 
             // Prevent additional commands in ConstrainedLanguage mode
-            if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
+            if (_setSupportedCommand && Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
             {
-                if (_setSupportedCommand)
+                if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
                 {
                     NotSupportedException nse =
                         PSTraceSource.NewNotSupportedException(
                             ImportLocalizedDataStrings.CannotDefineSupportedCommand);
                     ThrowTerminatingError(
                         new ErrorRecord(nse, "CannotDefineSupportedCommand", ErrorCategory.PermissionDenied, null));
                 }
+                
+                SystemPolicy.LogWDACAuditMessage(
+                    context: Context,
+                    title: ImportLocalizedDataStrings.WDACLogTitle,
+                    message: ImportLocalizedDataStrings.WDACLogMessage,
+                    fqid: "SupportedCommandsDisabled",
+                    dropIntoDebugger: true);
             }
 
             string script = GetScript(path);
 
@@ -4,6 +4,7 @@
 using System;
 using System.Management.Automation;
 using System.Management.Automation.Internal;
+using System.Management.Automation.Security;
 
 namespace Microsoft.PowerShell.Commands
 {
@@ -43,6 +44,16 @@ protected override void ProcessRecord()
                 myScriptBlock.LanguageMode = PSLanguageMode.ConstrainedLanguage;
             }
 
+            if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Audit)
+            {
+                SystemPolicy.LogWDACAuditMessage(
+                    context: Context,
+                    title: UtilityCommonStrings.IEXWDACLogTitle,
+                    message: UtilityCommonStrings.IEXWDACLogMessage,
+                    fqid: "InvokeExpressionCmdletConstrained",
+                    dropIntoDebugger: true);
+            }
+
             var emptyArray = Array.Empty<object>();
             myScriptBlock.InvokeUsingCmdlet(
                 contextCmdlet: this,
 
@@ -187,18 +187,30 @@ protected override void BeginProcessing()
                             targetObject: null));
                 }
 
-                if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)
-                {
-                    if (!CoreTypes.Contains(type))
-                    {
-                        ThrowTerminatingError(
-                            new ErrorRecord(
-                                new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage), "CannotCreateTypeConstrainedLanguage", ErrorCategory.PermissionDenied, null));
-                    }
-                }
-
                 switch (Context.LanguageMode)
                 {
+                    case PSLanguageMode.ConstrainedLanguage:
+                        if (!CoreTypes.Contains(type))
+                        {
+                            if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
+                            {
+                                ThrowTerminatingError(
+                                    new ErrorRecord(
+                                        new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage), 
+                                        "CannotCreateTypeConstrainedLanguage",
+                                        ErrorCategory.PermissionDenied,
+                                        targetObject: null));
+                            }
+                            
+                            SystemPolicy.LogWDACAuditMessage(
+                                context: Context,
+                                title: NewObjectStrings.TypeWDACLogTitle,
+                                message: StringUtil.Format(NewObjectStrings.TypeWDACLogMessage, type.FullName),
+                                fqid: "NewObjectCmdletCannotCreateType",
+                                dropIntoDebugger: true);
+                        }
+                        break;
+
                     case PSLanguageMode.NoLanguage:
                     case PSLanguageMode.RestrictedLanguage:
                         if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce
@@ -212,8 +224,7 @@ protected override void BeginProcessing()
                                     ErrorCategory.PermissionDenied,
                                     targetObject: null));
                         }
-
-                    break;
+                        break;
                 }
 
                 // WinRT does not support creating instances of attribute & delegate WinRT types.
@@ -301,21 +312,31 @@ protected override void BeginProcessing()
                     bool isAllowed = false;
 
                     // If it's a system-wide lockdown, we may allow additional COM types
-                    if (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce)
+                    var systemLockdownPolicy = SystemPolicy.GetSystemLockdownPolicy();
+                    if (systemLockdownPolicy == SystemEnforcementMode.Enforce || systemLockdownPolicy == SystemEnforcementMode.Audit)
                     {
-                        if ((result >= 0) &&
-                            SystemPolicy.IsClassInApprovedList(_comObjectClsId))
-                        {
-                            isAllowed = true;
-                        }
+                        isAllowed = (result >= 0) && SystemPolicy.IsClassInApprovedList(_comObjectClsId);
                     }
 
                     if (!isAllowed)
                     {
-                        ThrowTerminatingError(
-                            new ErrorRecord(
-                                new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage), "CannotCreateComTypeConstrainedLanguage", ErrorCategory.PermissionDenied, null));
-                        return;
+                        if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
+                        {
+                            ThrowTerminatingError(
+                                new ErrorRecord(
+                                    new PSNotSupportedException(NewObjectStrings.CannotCreateTypeConstrainedLanguage),
+                                    "CannotCreateComTypeConstrainedLanguage",
+                                    ErrorCategory.PermissionDenied,
+                                    targetObject: null));
+                            return;
+                        }
+
+                        SystemPolicy.LogWDACAuditMessage(
+                            context: Context,
+                            title: NewObjectStrings.ComWDACLogTitle,
+                            message: StringUtil.Format(NewObjectStrings.ComWDACLogMessage, ComObject ?? string.Empty),
+                            fqid: "NewObjectCmdletCannotCreateCOM",
+                            dropIntoDebugger: true);
                     }
                 }
 
 
@@ -150,4 +150,10 @@
   <data name="AssemblyTypeNotSupported" xml:space="preserve">
     <value>Both the assembly types 'ConsoleApplication' and 'WindowsApplication' are not currently supported.</value>
   </data>
+  <data name="AddTypeLogTitle" xml:space="preserve">
+    <value>Add-Type Cmdlet</value>
+  </data>
+  <data name="AddTypeLogMessage" xml:space="preserve">
+    <value>Add-Type cmdlet will not be allowed in ConstrainedLanguage mode.</value>
+  </data>
 </root>
@@ -143,4 +143,10 @@
   <data name="IncorrectVariableName" xml:space="preserve">
     <value>The BindingVariable name '{0}' is invalid.</value>
   </data>
+  <data name="WDACLogTitle" xml:space="preserve">
+    <value>Import-LocalizedData Cmdlet</value>
+  </data>
+  <data name="WDACLogMessage" xml:space="preserve">
+    <value>Additional supported commands (via SupportedCommand parameter) will not be allowed in ConstrainedLanguage mode.</value>
+  </data>
 </root>
@@ -147,4 +147,16 @@
   <data name="CannotCreateTypeLanguageMode" xml:space="preserve">
     <value>Cannot create type. Only core types are supported in {0} language mode on a policy locked down machine.</value>
   </data>
+  <data name="TypeWDACLogTitle" xml:space="preserve">
+    <value>New-Object Cmdlet Type Creation</value>
+  </data>
+  <data name="TypeWDACLogMessage" xml:space="preserve">
+    <value>The type '{0}' will not be created in ConstrainedLanguage mode.</value>
+  </data>
+  <data name="ComWDACLogTitle" xml:space="preserve">
+    <value>New-Object Cmdlet COM Object Creation</value>
+  </data>
+  <data name="ComWDACLogMessage" xml:space="preserve">
+    <value>The COM object '{0}' will not be created in ConstrainedLanguage mode.</value>
+  </data>
 </root>
@@ -168,4 +168,10 @@
   <data name="InvalidSDDL" xml:space="preserve">
     <value>Cannot construct a security descriptor from the given SDDL due to the following error: {0}</value>
   </data>
+  <data name="IEXWDACLogTitle" xml:space="preserve">
+    <value>Invoke-Expression Cmdlet</value>
+  </data>
+  <data name="IEXWDACLogMessage" xml:space="preserve">
+    <value>Invoke-Expression cmdlet script block will be run in ConstrainedLanguage mode.</value>
+  </data>
 </root>
@@ -16,6 +16,7 @@
 using System.Management.Automation.Remoting;
 using System.Management.Automation.Remoting.Server;
 using System.Management.Automation.Runspaces;
+using System.Management.Automation.Security;
 using System.Management.Automation.Subsystem.Feedback;
 using System.Management.Automation.Tracing;
 using System.Reflection;
@@ -1855,7 +1856,14 @@ private void DoRunspaceInitialization(RunspaceCreationEventArgs args)
                     switch (languageMode)
                     {
                         case PSLanguageMode.ConstrainedLanguage:
-                            s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLMode);
+                            if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)
+                            {
+                                s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLMode);
+                            }
+                            else
+                            {
+                                s_theConsoleHost.UI.WriteLine(ManagedEntranceStrings.ShellBannerCLAuditMode);
+                            }
                             break;
 
                         case PSLanguageMode.NoLanguage:
 
@@ -123,6 +123,9 @@
   <data name="ShellBannerCLMode" xml:space="preserve">
     <value>[Constrained Language Mode]</value>
   </data>
+  <data name="ShellBannerCLAuditMode" xml:space="preserve">
+    <value>[Constrained Language AUDIT Mode : No Restrictions]</value>
+  </data>
   <data name="ShellBannerNLMode" xml:space="preserve">
     <value>[No Language Mode]</value>
   </data>
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@`
`7`	`7`	`using System.IO;`
`8`	`8`	`using System.Management.Automation;`
`9`	`9`	`using System.Management.Automation.Internal;`
	`10`	`+using System.Management.Automation.Security;`
`10`	`11`
`11`	`12`	`namespace Microsoft.PowerShell.Commands`
`12`	`13`	`{`
`@@ -146,16 +147,23 @@ protected override void ProcessRecord()`
`146`	`147`	`}`
`147`	`148`
`148`	`149`	`// Prevent additional commands in ConstrainedLanguage mode`
`149`		`- if (Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)`
	`150`	`+ if (_setSupportedCommand && Context.LanguageMode == PSLanguageMode.ConstrainedLanguage)`
`150`	`151`	`{`
`151`		`- if (_setSupportedCommand)`
	`152`	`+ if (SystemPolicy.GetSystemLockdownPolicy() != SystemEnforcementMode.Audit)`
`152`	`153`	`{`
`153`	`154`	`NotSupportedException nse =`
`154`	`155`	`PSTraceSource.NewNotSupportedException(`
`155`	`156`	`ImportLocalizedDataStrings.CannotDefineSupportedCommand);`
`156`	`157`	`ThrowTerminatingError(`
`157`	`158`	`new ErrorRecord(nse, "CannotDefineSupportedCommand", ErrorCategory.PermissionDenied, null));`
`158`	`159`	`}`
	`160`	`+`
	`161`	`+ SystemPolicy.LogWDACAuditMessage(`
	`162`	`+ context: Context,`
	`163`	`+ title: ImportLocalizedDataStrings.WDACLogTitle,`
	`164`	`+ message: ImportLocalizedDataStrings.WDACLogMessage,`
	`165`	`+ fqid: "SupportedCommandsDisabled",`
	`166`	`+ dropIntoDebugger: true);`
`159`	`167`	`}`
`160`	`168`
`161`	`169`	`string script = GetScript(path);`