feat: add TrustedHosts policy config option to allow whitelisting of UNC paths #26688
Antvirf wants to merge 5 commits into PowerShell:master from
Conversation
…f UNC paths The default behaviour of assuming any hostname with a `.` in it is not usable in environments where one wishes to refer to a path via FQDN, for example when using DFS to refer to file servers. The configuration option added here allows a group-policy as well as a config-file based approach to whitelisting hosts.
Pull request overview
This PR adds a configuration option to whitelist UNC server hostnames/paths that should be treated as "Intranet" security zone instead of "Internet" zone during script execution policy checks. This addresses an issue where PowerShell Core treats any UNC path with a period (.) in the hostname as originating from the Internet security zone, which prevents script execution from FQDN UNC paths even with RemoteSigned execution policy.
Changes:
- Added TrustedHosts policy configuration class with wildcard pattern support for trusted hostnames/paths
- Implemented trusted host checking in security zone evaluation logic with Group Policy and config file support
- Added Group Policy template definitions (ADMX/ADML) for TrustedHosts configuration
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/System.Management.Automation/utils/ClrFacade.cs | Adds IsTrustedHost method to check UNC paths against trusted host patterns and integrates it into security zone mapping logic |
| src/System.Management.Automation/engine/Utils.cs | Registers TrustedHosts policy type in policy retrieval infrastructure and adds registry key mapping |
| src/System.Management.Automation/engine/PSConfiguration.cs | Defines TrustedHosts policy class with Patterns property for storing trusted host patterns |
| assets/GroupPolicy/PowerShellCoreExecutionPolicy.admx | Adds Group Policy definition for TrustedHosts with list-based pattern configuration |
| assets/GroupPolicy/PowerShellCoreExecutionPolicy.adml | Adds UI strings and help text for TrustedHosts Group Policy setting |
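The zone heuristic and the TrustedHosts check described in the overview above, modelled in PowerShell as an added example; this is not code from the PR or from the PowerShell repository. It uses the engine's own `System.Management.Automation.WildcardPattern` class, so the `*`, `?`, `[abc]` and backtick semantics are the real ones. The configuration shape (a `TrustedHosts` block with a `Patterns` list), the rule that a pattern may match either the bare hostname or the full UNC path, and the function names are assumptions made for illustration, not the PR's confirmed schema.

```powershell
# Added example, not code from the PR: a PowerShell model of the TrustedHosts
# check, so a pattern list can be tried out before it is deployed by policy.
# Assumptions: config shape (TrustedHosts -> Patterns) and the rule that a
# pattern may match either the hostname alone or the full UNC path.

# Constructed stand-in for the TrustedHosts block of powershell.config.json.
$config = @{
    TrustedHosts = @{
        Patterns = @(
            '*.corp.internal'                            # any host in that domain
            '\\server.domain.com\Users\*\Documents\*'    # one share subtree on a specific host
            '[abc'                                       # deliberately invalid: unbalanced bracket
        )
    }
}

function Get-UncHostname {
    param([Parameter(Mandatory)][string]$UncPath)
    # \\host\share\... -> host; $null for anything that is not a UNC path
    if ($UncPath -match '^\\\\([^\\]+)\\') { return $Matches[1] }
    return $null
}

function New-TrustedHostMatcher {
    # Compile each pattern once; invalid entries are dropped with a warning
    # instead of silently, so an administrator can see which entry is broken.
    param([Parameter(Mandatory)][string[]]$Patterns)
    # IgnoreCase: DNS names and Windows paths are case-insensitive.
    $opts = [System.Management.Automation.WildcardOptions]::IgnoreCase
    foreach ($pattern in $Patterns) {
        try {
            $wp = [System.Management.Automation.WildcardPattern]::new($pattern, $opts)
            # Parsing is lazy; force it now so bad syntax fails here, not at match time.
            $null = $wp.IsMatch('')
            $wp
        }
        catch [System.Management.Automation.WildcardPatternException], [System.ArgumentException] {
            # Fail closed: the entry trusts nothing, but the problem is reported.
            Write-Warning "TrustedHosts: skipping invalid pattern '$pattern': $($_.Exception.Message)"
        }
    }
}

function Test-TrustedUncHost {
    param(
        [Parameter(Mandatory)][string]$UncPath,
        [System.Management.Automation.WildcardPattern[]]$Matchers
    )
    $hostname = Get-UncHostname -UncPath $UncPath
    if (-not $hostname) { return $false }
    foreach ($m in $Matchers) {
        # Assumed PR semantics: a pattern may name just the host or the full path.
        if ($m.IsMatch($hostname) -or $m.IsMatch($UncPath)) { return $true }
    }
    return $false
}

function Get-EffectiveZone {
    param(
        [Parameter(Mandatory)][string]$UncPath,
        [System.Management.Automation.WildcardPattern[]]$Matchers
    )
    $hostname = Get-UncHostname -UncPath $UncPath
    if (-not $hostname) { return 'NotUnc' }
    # Existing heuristic: an undotted host is Intranet, a dotted host is Internet...
    if ($hostname -notlike '*.*') { return 'Intranet' }
    # ...unless the host or path is on the trusted list, which is what the PR adds.
    if (Test-TrustedUncHost -UncPath $UncPath -Matchers $Matchers) { return 'Intranet' }
    return 'Internet'
}

$matchers = New-TrustedHostMatcher -Patterns $config.TrustedHosts.Patterns

# Constructed sample paths, one per case worth checking.
$samples = @(
    '\\fileserver\profiles\jdoe\Documents\profile.ps1'           # undotted host
    '\\FS01.Corp.Internal\profiles\jdoe\Documents\profile.ps1'   # host pattern, different case
    '\\server.domain.com\Users\jdoe\Documents\profile.ps1'       # inside the trusted subtree
    '\\server.domain.com\Public\tool.ps1'                        # same host, outside the subtree
    '\\fs01.corp.internal.example.net\share\tool.ps1'            # lookalike suffix
)
foreach ($p in $samples) {
    '{0,-8} {1}' -f (Get-EffectiveZone -UncPath $p -Matchers $matchers), $p
}
```

Two things the model makes visible that the overview does not: a host-only pattern such as `*.corp.internal` trusts every share on every matching server, whereas a full-path pattern confines trust to one subtree of one server, so the two example forms in the Group Policy help text are not interchangeable; and trust is keyed purely on the name written in the path, so the list is only as strong as name resolution for those hosts.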
```csharp
#if !UNIX
/// <summary>
/// Check if a UNC path matches any trusted host pattern.
/// </summary>
/// <param name="uncPath">The full UNC path to check.</param>
/// <param name="hostname">The hostname from the UNC path.</param>
/// <returns>True if the path matches a trusted host pattern, false otherwise.</returns>
private static bool IsTrustedHost(string uncPath, string hostname)
```
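Review bot: the `<summary>` says the check is whether "a UNC path matches any trusted host pattern", but the method takes both `uncPath` and `hostname`, and the Group Policy help text in this PR gives one example of each kind (`*.corp.internal` and `\\server.domain.com\Users\*\Documents\*`). The `<summary>` and `<param>` tags should state which string each pattern is compared against and whether a hit on either is enough, and note that the hostname comparison has to be case-insensitive, since DNS names are. Because the help text defines `*` as zero or more characters, a bare `*` entry trusts every UNC host; the policy description should say so explicitly.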
The method is wrapped in #if !UNIX directive at line 150, but it's already inside a #if !UNIX block that starts at line 137 (#region Security). This creates a redundant nested preprocessor directive. Remove the inner #if !UNIX directive at line 150 and its corresponding #endif at line 196.
```csharp
catch (Exception)
{
    // Invalid pattern - skip it silently
    continue;
}
```
The exception handler catches all exceptions without any logging or diagnostic information. This could make it difficult to troubleshoot configuration issues where a pattern is invalid. Consider catching only specific exceptions like WildcardPatternException or ArgumentException, or at minimum add diagnostic logging to help administrators identify invalid patterns.
Suggested change:
```diff
-catch (Exception)
-{
-    // Invalid pattern - skip it silently
-    continue;
-}
+catch (WildcardPatternException)
+{
+    // Invalid pattern - skip it silently
+    continue;
+}
+catch (ArgumentException)
+{
+    // Invalid pattern - skip it silently
+    continue;
+}
```
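Review bot: the two suggested `catch` clauses have identical bodies, so the narrowing can be written once as an exception filter, `catch (Exception e) when (e is WildcardPatternException || e is ArgumentException)`, which also leaves a single place to log the offending pattern; as suggested, a bad entry is still skipped with no diagnostic at all. Skipping is the safe direction (an unparseable entry trusts nothing), so the remaining gap is purely visibility for the administrator who typed the pattern.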
```text
- *.corp.internal (matches any hostname in corp.internal domain)
- \\server.domain.com\Users\*\Documents\* (matches specific UNC path pattern)

Wildcard syntax supports: * (zero or more chars), ? (one char), [abc] (character set), ` (escape char)
```
The documentation states that the backtick (`) is the escape character, but in the context of wildcard patterns in PowerShell, the backtick is specifically used to escape wildcards in the pattern string itself. This might be confusing since the backtick is also PowerShell's general escape character. Consider clarifying this by adding an example or rephrasing to: 'Wildcard syntax supports: * (zero or more chars), ? (one char), [abc] (character set), ` (escape char to treat wildcards as literals)'.
Suggested change:
```diff
-Wildcard syntax supports: * (zero or more chars), ? (one char), [abc] (character set), ` (escape char)
+Wildcard syntax supports: * (zero or more chars), ? (one char), [abc] (character set), ` (escape char to treat wildcards as literals).
```
@microsoft-github-policy-service agree company="Marshall Wace"
@Antvirf the command you issued was incorrect. Please try again. Examples are: and |
PR Summary
Add a configuration option in both registry and config JSON to whitelist server names to be marked as "local intranet zones" as far as script execution is concerned. Otherwise, PS7 cannot execute scripts from remote locations with a `.` in the name, breaking e.g. the loading of PowerShell profiles when the user's Documents directory is redirected to a server referred to via an FQDN.
Resolves #12336
PR Context
The default behaviour of assuming any hostname with a `.` in it being insecure is not usable in environments where one wishes to refer to a path via FQDN, for example when using DFS to refer to file servers. The configuration option added here allows a group-policy as well as a config-file based approach to whitelisting hosts.
PR Checklist
- .h, .cpp, .cs, .ps1 and .psm1 files have the correct copyright header
- TBC
- Tests