OctopusDeploy and PowerShell Constrained Mode


Our InfoSec team are currently preparing to roll out the PowerShell lockdown environment variable “__pslockdownpolicy=4” which enables PowerShell 5’s “Constrained Mode” and stops a load of PowerShell features from working unless the code is signed with a trusted certificate (e.g. New-Object and Import-Module are blocked for the most part) .

I’ve tested this setting on a canary server, and it broke a lot of our OctopusDeploy projects :-(. I didn’t get as far as testing the core Tentacle itself so I’m not sure if there are any other problems waiting for me further down th eline.

Do you currently have any advice for how to run a Tentacle on a server with this the PowerShell Constrained Mode setting applied? E.g. are there specific folders I could try whitelisting, do you sign your code with a code-signing certificate I could trust, or is OctopusDeploy just not really designed to support Constrained Mode?



Hi Michael,

Thanks for getting in touch! As you noticed Octopus won’t work with PowerShell set to Contrainted Mode. Our EXEs and DLLs are signed using a trusted code certificate but out scripts are not and at the moment we don’t plan to change that.

Regarding possible workarounds, I couldn’t find any official Microsoft documentation on __pslockdownpolicy environment variable and what its scope is. My understanding is that environment variables are scoped to process (not file system) boundaries. But if you want to give it a try then please whitelist the following Server and Tentacle folders. Please also whitelist the folders where binaries are installed to (e.g C:\Program Files\Octopus Deploy).

Would you mind telling me why the InfoSec team is making this change? Maybe we can up with a different solution that is Octopus friendly?

Please let me know how you go.