Import-Module icinga-powershell-framework fails in ContranedLanguage powershell when Applocker is enabled

[arjanoosting]

I am trying to setup the Icinga for Windows with the PowerShell Framework on an Domain managed system.
Do to policy reason the Icinga agent has to run as an domain user and I have configured icinga agent like that (following the instruction.

When I run an powershell as that icinga service user to debug some stuff and try to import the icinga-powershell-framework module I get an error

Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.

image

I guess this is caused due to the fact that AppLocker is active on the system and the user is not an Adminstrator and gets an PowerShell with ContrainedLanguage LanguageMode

Expected Behavior

I would like to be able to do an Import-Module icinga-powershell-framework as an normal user even when AppLocker is enabled.

Current Behavior

Failure to do an Import-Module icinga-powershell-framework

PS C:\Windows\system32> Import-Module icinga-powershell-framework
The pipeline has been stopped.
+ CategoryInfo : OperationStopped: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : PipelineStopped

Import-Module : The module to process 'icinga-powershell-framework.psm1', listed in field 'ModuleToProcess/RootModule'
of module manifest 'C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\icinga-powershell-framework.
psd1' was not processed because no valid module was found in any module directory.
At line:1 char:1

• Import-Module icinga-powershell-framework

•   + CategoryInfo          : ResourceUnavailable: (icinga-powershell-framework:String) [Import-Module], PSInvalidOper
   ationException
    + FullyQualifiedErrorId : Modules_ModuleFileNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
  
  

Import-Module : This module uses the dot-source operator while exporting functions using wildcard characters, and this
is disallowed when the system is under application verification enforcement.
At line:1 char:1

• Import-Module icinga-powershell-framework

•   + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : Modules_SystemLockDown_CannotUseDotSourceWithWildCardFunctionExport,Microsoft.PowerShell
   .Commands.ImportModuleCommand
  
  

Possible Solution

Steps to Reproduce (for bugs)

1. System with AppLocker enabled somehow (details are beyond my capabilities
2. Run PowerShell as normal user.
3. Verify LanguageMode is ConstrainedLanguage by displaying $ExecutionContext.SessionState.LanguageMode
4. Try to do an Import-Module icinga-powershell-framework

Context

I am trying to setup Icinga agent on an system where I will manage it but won't have Administrator access but can run stuff as the icinga service user

Your Environment

• PowerShell Version used ($PSVersionTable.PSVersion):

Major Minor Build Revision

---

5 1 19041 2673

• Operating System and version (Get-IcingaWindowsInformation Win32_OperatingSystem | Select-Object Version, BuildNumber, Caption):
  Version BuildNumber Caption

---

10.0.19045 19045 Microsoft Windows 10 Enterprise

[LordHepipud]

Thank you for your issue. I'm not really sure on how AppLocker works, but running Icinga for Windows or the Framework in ConstrainedLanguage is not supported.

Even though our own JEA write can be configured to use this mode, it is not supported because the entire background daemon will not work as example.

I'm however not sure on why the Import-Module fails. Even when you install it at C:\Program Files\WindowsPowerShell\Modules, a regular user should still be able to access the module.

I assume the AppLocker is preventing the exporter functions, as it requires that every single function is address directly, including exported variables.

I don't think this will work at all for the forceable future, as this would require a huge re-write on how Icinga for Windows operates. I will have to try to setup something similar to AppLocker and do some tests, but this is nothing we can address quickly.