From aebe0d00632a1d9a07386b80e2607ca53bc3f504 Mon Sep 17 00:00:00 2001
From: Paul Higinbotham
Date: Thu, 15 Nov 2018 15:32:48 -0800
Subject: [PATCH 1/2] Add fix for Start-Job initialization script in system lockdown
---
 .../server/ServerRunspacePoolDriver.cs | 4 +++-
 .../ConstrainedLanguageValidation.Tests.ps1 | 22 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/System.Management.Automation/engine/remoting/server/ServerRunspacePoolDriver.cs b/src/System.Management.Automation/engine/remoting/server/ServerRunspacePoolDriver.cs
index 79a43bb42b9..9035e16195f 100644
--- a/src/System.Management.Automation/engine/remoting/server/ServerRunspacePoolDriver.cs
+++ b/src/System.Management.Automation/engine/remoting/server/ServerRunspacePoolDriver.cs
@@ -546,7 +546,9 @@ private PSDataCollection InvokeScript(Command cmdToRun, RunspaceCreate
 {
 Debug.Assert(cmdToRun != null, "cmdToRun shouldn't be null");
- cmdToRun.CommandOrigin = CommandOrigin.Internal;
+ // Don't invoke initialization script as trusted (CommandOrigin == Internal) if the system is in lock down mode.
+ cmdToRun.CommandOrigin = (SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce) ? CommandOrigin.Runspace : CommandOrigin.Internal;
+
 cmdToRun.MergeMyResults(PipelineResultTypes.Error, PipelineResultTypes.Output);
 PowerShell powershell = PowerShell.Create();
 powershell.AddCommand(cmdToRun).AddCommand("out-default");
diff --git a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageValidation.Tests.ps1 b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageValidation.Tests.ps1
index 09ec771fe13..f148b2fb727 100644
--- a/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageValidation.Tests.ps1
+++ b/test/powershell/Modules/Microsoft.PowerShell.Security/ConstrainedLanguageValidation.Tests.ps1
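Review bot: The trust decision on the new `cmdToRun.CommandOrigin` line depends only on `SystemPolicy.GetSystemLockdownPolicy() == SystemEnforcementMode.Enforce`, so every other state still runs the initialization script as `CommandOrigin.Internal`, which the added comment itself equates with trusted. That includes `SystemEnforcementMode.Audit` and, as far as this hunk shows, a runspace that is constrained for a reason other than system policy; if both are intended, the comment should say so. I would extend it along the lines of `// Under enforced lockdown the initialization script must not run as trusted (Internal); Audit and None keep Internal on purpose.` InvokeScript's body continues past the end of the hunk, so how the origin is consumed afterwards is not visible here.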
@@ -54,6 +54,28 @@ try
 }
 }
+ Describe "Start-Job initialization script should work in system lock down" -Tags 'Feature','RequireAdminOnWindows' {
+
+ It "Verifies that Start-Job initialization script runs successfully in system lock down" {
+
+ try
+ {
+ Invoke-LanguageModeTestingSupportCmdlet -SetLockdownMode
+ $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
+
+ $job = Start-Job -InitializationScript { function Hello { "Hello" } } -ScriptBlock { Hello }
+ $result = $job | Wait-Job | Receive-Job
+ }
+ finally
+ {
+ Invoke-LanguageModeTestingSupportCmdlet -RevertLockdownMode -EnableFullLanguageMode
+ }
+
+ $result | Should -BeExactly "Hello"
+ $job | Remove-Job
+ }
+ }
+
 # End Describe blocks
 }
 finally
From 36b09d0ef5bde59a6fa1919ae9f92470f039226b Mon Sep 17 00:00:00 2001
From: Paul Higinbotham
Date: Mon, 19 Nov 2018 11:01:58 -0800
Subject: [PATCH 2/2] [Feature]
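Review bot: The new `It` block asserts only that the initialization script runs (`$result | Should -BeExactly "Hello"`); nothing checks the property the fix is about, that the script is no longer invoked as trusted under lockdown. A second `It` that observes the restriction from inside the initialization script would guard against a regression to `CommandOrigin.Internal`, for example by returning the language mode seen there, if that is where the difference shows up. Separately, `$job | Remove-Job` sits after the `Should` line, so a failed assertion leaves the job behind. Moving the cleanup into the `finally` block as `if ($job) { $job | Remove-Job -Force }` avoids that.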