ferventcoder
commented
5 years ago @Degrader I assume I can turn on Device Guard in any version of Windows 10?
Open Degrader opened 5 years ago
ferventcoder
commented
5 years ago @Degrader I assume I can turn on Device Guard in any version of Windows 10?
Degrader
commented
5 years ago @ferventcoder I believe just Pro and Enterprise? The issue can be replicated by placing PowerShell in constrained language mode
PS C:> $ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
pauby
commented
5 years ago I believe just Pro and Enterprise?
@ferventcoder @Degrader Device Guard is only supported in Windows 10 Enterprise / Education and Windows Server 2016+.
Degrader
commented
5 years ago @pauby thank you! I forget they actually put some distance between their professional and enterprise/education offerings this time round.
We are currently using Windows 10 Education
joboboking
commented
4 years ago Has this been downgraded?
Marcus-James-Adams
commented
4 years ago Whilst this issue was reported a year ago I was running choco ok fine however it's just started for me as well. OS Name Microsoft Windows 10 Pro Version 10.0.17763 Build 17763
itoc-dw
commented
2 years ago Has anyone got a work around for PowerShell Constrained Language mode yet?
### What You Are Seeing? The specific error message (happens for any/all packages including installation of Chocolatey):
The specified module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1' was not loaded because no valid module file was found in any module directory. ERROR: This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement.
This happens after the August 14th 2018 KB4343909 update from Microsoft on Windows 10. Here's a clip from the TechNet article describing the changes to default PowerShell behavior.
"Addresses a vulnerability related to the Export-Modulemember() function when used with a wildcard (*) and a dot-sourcing script. After installing this update, existing modules on devices that have Device Guard enabled will intentionally fail. The exception error is “This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement.” For more information, see https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2018-8200 and https://aka.ms/PSModuleFunctionExport.""
### What is Expected? Script to execute, software to install, anything!
### How Did You Get This To Happen? (Steps to Reproduce) When PowerShell runs in Constrained Language mode. Enabling AppLocker or deploying any sort of DeviceGuard policy will cause this to happen. I have not deployed any sort of DeviceGuard policy, but my AppLocker rules specifically allow scripts signed with Chocolatey certificate to run, which had been working well until this recent change by Microsoft. Below is an output of what happens when trying to run install.ps1 manually from the root of my OS volume. (downloaded from 'https://chocolatey.org/install.ps1')
### Output Log
Windows PowerShell transcript start Start time: 20181219113212 Username: RunAs User: Configuration Name: Machine: REDACTEDPC (Microsoft Windows NT 10.0.17134.0) Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process ID: 864 PSVersion: 5.1.17134.407 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.407 BuildVersion: 10.0.17134.407 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1
Transcript started, output file is C:\Users\user\Desktop\install.txt PS C:\Users\user> Set-ExecutionPolicy bypass Execution Policy Change The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose you to the security risks described in the about_Execution_Policies help topic at https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy? &Yes Yes to &All &No No to A&ll &Suspend A PS C:\Users\user> C:\install.ps1 Getting latest version of the Chocolatey package for download. Getting Chocolatey from https://chocolatey.org/api/v2/package/chocolatey/0.10.11. Extracting C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip to C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall... Installing chocolatey on this machine The pipeline has been stopped.
Import-Module : The specified module 'C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1' was not loaded because no valid module file was found in any module directory. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
PS C:\Users\user> TerminatingError(Import-Module): "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement." Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:61 char:3
Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:155 char:3
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:156 char:7
Creating ChocolateyInstall as an environment variable (targeting 'User') Setting ChocolateyInstall to 'C:\ProgramData\chocolatey' WARNING: It's very likely you will need to close and reopen your shell before you can use choco. Install-ChocolateyEnvironmentVariable : The term 'Install-ChocolateyEnvironmentVariable' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:167 char:3
Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:211 char:9
Restricting write permissions to Administrators We are setting up the Chocolatey package repository. The packages themselves go to 'C:\ProgramData\chocolatey\lib' (i.e. C:\ProgramData\chocolatey\lib\yourPackageName). A shim file for the command line goes to 'C:\ProgramData\chocolatey\bin' and points to an executable in 'C:\ProgramData\chocolatey\lib\yourPackageName'.
Creating Chocolatey folders if they do not already exist. WARNING: You can safely ignore errors related to missing log files when upgrading from a version of Chocolatey less than 0.9.9. 'Batch file could not be found' is also safe to ignore. 'The system cannot find the file specified' - also safe. Test-ProcessAdminRights : The term 'Test-ProcessAdminRights' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:511 char:7
Install-ChocolateyPath : The term 'Install-ChocolateyPath' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:518 char:3
The pipeline has been stopped.
Import-Module : The specified module 'C:\ProgramData\chocolatey\helpers\chocolateyInstaller.psm1' was not loaded because no valid module file was found in any module directory. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
PS C:\Users\user> TerminatingError(Import-Module): "This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement." Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this is disallowed when the system is under application verification enforcement. At C:\Users\user\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1:120 char:3
WARNING: Not setting tab completion: Profile file does not exist at '\user\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'. Chocolatey (choco.exe) is now ready. You can call choco from anywhere, command line or powershell by typing choco. Run choco /? for a list of functions. You may need to shut down and restart powershell and/or consoles first prior to using choco. Ensuring chocolatey commands are on the path Ensuring chocolatey.nupkg is in the lib folder PS C:\Users\user> Stop-Transcript
Windows PowerShell transcript end End time: 20181219113236
Full Log Output
~~~sh PLACE LOG CONTENT HERE - WE NEED _ALL_ DETAILED OUTPUT BASED ON THE ABOVE TO BE ABLE TO PROVIDE SUPPORT (YOU WILL FIND THAT IN THE $env:ChocolateyInstall\logs\chocolatey.log between the `=====`) ~~~