From 1b7ccf24fb9731cdff5532cd2cd3212cb55eadb2 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Mon, 15 Mar 2021 22:49:00 +0000
Subject: [PATCH 1/3] move bypass after applocker deny

---
 .../security/SecurityManager.cs | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/System.Management.Automation/security/SecurityManager.cs b/src/System.Management.Automation/security/SecurityManager.cs
index be0c8d83b24..d3d9e11ba08 100644
--- a/src/System.Management.Automation/security/SecurityManager.cs
+++ b/src/System.Management.Automation/security/SecurityManager.cs
@@ -140,10 +140,6 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
             // Get the execution policy
             _executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
 
-            // See if they want to bypass the authorization manager
-            if (_executionPolicy == ExecutionPolicy.Bypass)
-                return true;
-
             // Always check the SAFER APIs if code integrity isn't being handled system-wide through
             // WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
             // Otherwise, block.
@@ -184,6 +180,11 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
                 }
             }
 
+            // WLDP and Applocker takes priority over powershell exeuction policy.
+            // See if they want to bypass the authorization manager
+            if (executionPolicy == ExecutionPolicy.Bypass)
+                return true;
+
             if (_executionPolicy == ExecutionPolicy.Unrestricted)
             {
                 // Product binaries are always trusted

From 1167f27ebf4dbf069bf3680b3ac9f5e8ea2ce1ea Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Mon, 15 Mar 2021 22:59:06 +0000
Subject: [PATCH 2/3] fix variable rename

---
 src/System.Management.Automation/security/SecurityManager.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/System.Management.Automation/security/SecurityManager.cs b/src/System.Management.Automation/security/SecurityManager.cs
index d3d9e11ba08..7b5b352b646 100644
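Review bot: The comment added on the new side of the second hunk, `// WLDP and Applocker takes priority over powershell exeuction policy.`, has a typo and a grammar slip and does not state what the reordering actually changes, which is the security-relevant part of this commit: before the patch a Bypass policy returned from CheckPolicy before the SAFER/WLDP/AppLocker evaluation, and afterwards, going by the "Otherwise, block." context comment in the first hunk, a system-wide code-integrity decision made in the block between the two hunks is presumably applied even when the per-shell execution policy is Bypass. I would replace the two comment lines with `// Bypass is evaluated only after the SAFER/WLDP/AppLocker checks above, so a system-wide code-integrity policy cannot be undone by setting the execution policy to Bypass.` followed by `// Execution policy: see if they want to bypass the authorization manager.` The new condition also reads `executionPolicy`, whereas the field assigned in the first hunk and tested two lines below is `_executionPolicy`; unless a local of that name exists outside the hunk this does not compile, and patches 2/3 of this series rename it and add braces. CheckPolicy starts and ends outside both hunks.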
--- a/src/System.Management.Automation/security/SecurityManager.cs
+++ b/src/System.Management.Automation/security/SecurityManager.cs
@@ -182,7 +182,7 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
 
             // WLDP and Applocker takes priority over powershell exeuction policy.
             // See if they want to bypass the authorization manager
-            if (executionPolicy == ExecutionPolicy.Bypass)
+            if (_executionPolicy == ExecutionPolicy.Bypass)
                 return true;
 
             if (_executionPolicy == ExecutionPolicy.Unrestricted)

From b95d5b9959a5dbd8f8d14ed7bfc12dc314f850b8 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Mon, 15 Mar 2021 23:06:11 +0000
Subject: [PATCH 3/3] Fix style issue

---
 src/System.Management.Automation/security/SecurityManager.cs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/System.Management.Automation/security/SecurityManager.cs b/src/System.Management.Automation/security/SecurityManager.cs
index 7b5b352b646..5d7295354be 100644
--- a/src/System.Management.Automation/security/SecurityManager.cs
+++ b/src/System.Management.Automation/security/SecurityManager.cs
@@ -183,7 +183,9 @@ private bool CheckPolicy(ExternalScriptInfo script, PSHost host, out Exception r
             // WLDP and Applocker takes priority over powershell exeuction policy.
             // See if they want to bypass the authorization manager
             if (_executionPolicy == ExecutionPolicy.Bypass)
+            {
                 return true;
+            }
 
             if (_executionPolicy == ExecutionPolicy.Unrestricted)
             {