Update guidance about lockdown mode (#12696)

* Update guidance about lockdown mode

* Feeback edits

Author: sdwheeler

reference/7.4/Microsoft.PowerShell.Core/About/about_Language_Modes.md

@@ -1,7 +1,7 @@
 ---
 description: Explains language modes and their effect on PowerShell sessions.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 01/26/2026
 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.4&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -60,7 +60,7 @@ ConstrainedLanguage
 ```
 
 However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you
-can't use the [member-access operator][02] (`.`) to get property values.
+can't use the [member-access operator][03] (`.`) to get property values.
 Instead, the error message reveals the language mode.
 
 When you access `$ExecutionContext.SessionState.LanguageMode` in a
@@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file
 system, or other system resources.
 
 For more information, see [JEA Session configurations][01] and
-[New-PSSessionConfigurationFile][05].
+[New-PSSessionConfigurationFile][06].
 
 ## Language mode features and limitations
 
@@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows:
 - Users can get all properties of allowed types. Users can set the values of
   properties only on allowed types.
 
+> [!IMPORTANT]
+> You must use `ConstrainedLanguage` mode in System Lockdown mode with App
+> Control for Business to ensure that `ConstrainedLanguage` mode can't be
+> bypassed. For more information about how PowerShell supports AppLocker and
+> App Control, see [Use App Control to secure PowerShell][02].
+
 The following .NET types are permitted in `ConstrainedLanguage` mode. Users can
 get properties, invoke methods, and convert objects to these types.
 
@@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in
 
 ## See also
 
-- [about_Session_Configuration_Files][03]
-- [about_Session_Configurations][04]
+- [about_Session_Configuration_Files][04]
+- [about_Session_Configurations][05]
 
 <!-- link references -->
 [01]: /powershell/scripting/learn/remoting/jea/session-configurations
-[02]: about_Member-Access_Enumeration.md
-[03]: about_Session_Configuration_Files.md
-[04]: about_Session_Configurations.md
-[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile
+[02]: /powershell/scripting/security/app-control/application-control
+[03]: about_Member-Access_Enumeration.md
+[04]: about_Session_Configuration_Files.md
+[05]: about_Session_Configurations.md
+[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile

reference/7.5/Microsoft.PowerShell.Core/About/about_Language_Modes.md

@@ -1,7 +1,7 @@
 ---
 description: Explains language modes and their effect on PowerShell sessions.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 01/26/2026
 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.5&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -60,7 +60,7 @@ ConstrainedLanguage
 ```
 
 However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you
-can't use the [member-access operator][02] (`.`) to get property values.
+can't use the [member-access operator][03] (`.`) to get property values.
 Instead, the error message reveals the language mode.
 
 When you access `$ExecutionContext.SessionState.LanguageMode` in a
@@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file
 system, or other system resources.
 
 For more information, see [JEA Session configurations][01] and
-[New-PSSessionConfigurationFile][05].
+[New-PSSessionConfigurationFile][06].
 
 ## Language mode features and limitations
 
@@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows:
 - Users can get all properties of allowed types. Users can set the values of
   properties only on allowed types.
 
+> [!IMPORTANT]
+> You must use `ConstrainedLanguage` mode in System Lockdown mode with App
+> Control for Business to ensure that `ConstrainedLanguage` mode can't be
+> bypassed. For more information about how PowerShell supports AppLocker and
+> App Control, see [Use App Control to secure PowerShell][02].
+
 The following .NET types are permitted in `ConstrainedLanguage` mode. Users can
 get properties, invoke methods, and convert objects to these types.
 
@@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in
 
 ## See also
 
-- [about_Session_Configuration_Files][03]
-- [about_Session_Configurations][04]
+- [about_Session_Configuration_Files][04]
+- [about_Session_Configurations][05]
 
 <!-- link references -->
 [01]: /powershell/scripting/learn/remoting/jea/session-configurations
-[02]: about_Member-Access_Enumeration.md
-[03]: about_Session_Configuration_Files.md
-[04]: about_Session_Configurations.md
-[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile
+[02]: /powershell/scripting/security/app-control/application-control
+[03]: about_Member-Access_Enumeration.md
+[04]: about_Session_Configuration_Files.md
+[05]: about_Session_Configurations.md
+[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile

reference/7.6/Microsoft.PowerShell.Core/About/about_Language_Modes.md

@@ -1,7 +1,7 @@
 ---
 description: Explains language modes and their effect on PowerShell sessions.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 01/26/2026
 no-loc: [FullLanguage, ConstrainedLanguage, RestrictedLanguage, NoLanguage]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-7.6&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -60,7 +60,7 @@ ConstrainedLanguage
 ```
 
 However, in sessions with `RestrictedLanguage` and `NoLanguage` modes, you
-can't use the [member-access operator][02] (`.`) to get property values.
+can't use the [member-access operator][03] (`.`) to get property values.
 Instead, the error message reveals the language mode.
 
 When you access `$ExecutionContext.SessionState.LanguageMode` in a
@@ -150,7 +150,7 @@ running a defined set of commands and can't directly access APIs, the file
 system, or other system resources.
 
 For more information, see [JEA Session configurations][01] and
-[New-PSSessionConfigurationFile][05].
+[New-PSSessionConfigurationFile][06].
 
 ## Language mode features and limitations
 
@@ -223,6 +223,12 @@ The features of `ConstrainedLanguage` mode are as follows:
 - Users can get all properties of allowed types. Users can set the values of
   properties only on allowed types.
 
+> [!IMPORTANT]
+> You must use `ConstrainedLanguage` mode in System Lockdown mode with App
+> Control for Business to ensure that `ConstrainedLanguage` mode can't be
+> bypassed. For more information about how PowerShell supports AppLocker and
+> App Control, see [Use App Control to secure PowerShell][02].
+
 The following .NET types are permitted in `ConstrainedLanguage` mode. Users can
 get properties, invoke methods, and convert objects to these types.
 
@@ -346,12 +352,13 @@ Beginning in PowerShell 7.2, the `New-Object` cmdlet is disabled in
 
 ## See also
 
-- [about_Session_Configuration_Files][03]
-- [about_Session_Configurations][04]
+- [about_Session_Configuration_Files][04]
+- [about_Session_Configurations][05]
 
 <!-- link references -->
 [01]: /powershell/scripting/learn/remoting/jea/session-configurations
-[02]: about_Member-Access_Enumeration.md
-[03]: about_Session_Configuration_Files.md
-[04]: about_Session_Configurations.md
-[05]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile
+[02]: /powershell/scripting/security/app-control/application-control
+[03]: about_Member-Access_Enumeration.md
+[04]: about_Session_Configuration_Files.md
+[05]: about_Session_Configurations.md
+[06]: xref:Microsoft.PowerShell.Core.New-PSSessionConfigurationFile

reference/docs-conceptual/security/app-control/application-control.md

@@ -1,6 +1,6 @@
 ---
 description: This article explains the features of Application Control that can be used to secure your PowerShell environment.
-ms.date: 12/09/2025
+ms.date: 01/26/2026
 title: Use App Control to secure PowerShell
 ---
 # Use App Control to secure PowerShell
@@ -26,11 +26,13 @@ following name format:
 - `$Env:TEMP/__PSScriptPolicyTest_<random-8dot3-name>.ps1`
 - `$Env:TEMP/__PSScriptPolicyTest_<random-8dot3-name>.psm1`
 
-App Control for Business is the preferred application control system for Windows. App Control
-provides APIs that allow you to discover the policy configuration. App Control is designed as a
-security feature under the servicing criteria defined by the Microsoft Security Response Center
-(MSRC). For more information, see [Application Controls for Windows][04] and
-[App Control and AppLocker feature availability][02].
+App Control for Business is the preferred application control system for Windows. App Control puts
+the system into System Lockdown mode. System Lockdown mode is the feature that detects the policies
+and determines if a context needs to be initialized or changed to a specific language mode.
+
+App Control is designed as a security feature under the servicing criteria defined by the Microsoft
+Security Response Center (MSRC). For more information, see [Application Controls for Windows][04]
+and [App Control and AppLocker feature availability][02].
 
 > [!NOTE]
 > When [choosing between App Control or AppLocker][03], we recommend that you implement application

reference/docs-conceptual/security/remoting/jea/security-considerations.md

@@ -2,7 +2,7 @@
 description: >-
     Since JEA allows these users to run administrative commands without having full administrator
     access, you can then remove those users from highly privileged security groups.
-ms.date: 10/10/2023
+ms.date: 01/26/2026
 title: JEA Security Considerations
 ---
 # JEA Security Considerations
@@ -102,8 +102,16 @@ access to all mapped users. For example, a JEA session configured using the foll
 grants full access to `CONTOSO\JEA_Lev1` and `CONTOSO\JEA_Lev2`.
 
 ```powershell
-$roles = @{ 'CONTOSO\JEA_Lev1' = 'Lev1Role'; 'CONTOSO\JEA_Lev2' = 'Lev2Role' }
-New-PSSessionConfigurationFile -Path '.\jea.pssc' -SessionType RestrictedRemoteServer -RoleDefinitions $roles -RunAsVirtualAccount
+$newPSSessionConfigurationFileSplat = @{
+    Path = '.\jea.pssc'
+    SessionType = 'RestrictedRemoteServer'
+    RoleDefinitions = @{
+        'CONTOSO\JEA_Lev1' = 'Lev1Role'
+        'CONTOSO\JEA_Lev2' = 'Lev2Role'
+    }
+    RunAsVirtualAccount = $true
+}
+New-PSSessionConfigurationFile @newPSSessionConfigurationFileSplat
 Register-PSSessionConfiguration -Path '.\jea.pssc' -Name 'MyJEAEndpoint'
 ```
 
@@ -187,7 +195,9 @@ configured session.
 ### Don't allow commands that can create new runspaces.
 
 > [!WARNING]
-> The `*-Job` cmdlets can create new runspaces without the restrictions.
+> The Windows Compatibility feature in PowerShell 7 creates a new runspace to host Windows
+> PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The
+> `*-Job` cmdlets can create new runspaces without the restrictions.
 
 ### Don't allow the `Trace-Command` cmdlet.
 

reference/docs-conceptual/security/securing-restricted-sessions.md

@@ -1,6 +1,6 @@
 ---
 description: This article explains how to secure a restricted PowerShell session that is used for secure remote access.
-ms.date: 10/10/2023
+ms.date: 01/26/2026
 title: Securing a restricted PowerShell remoting session
 ---
 # Securing a restricted PowerShell remoting session
@@ -39,7 +39,9 @@ restricted session implementation.
 ### Don't allow commands that can create new runspaces
 
 > [!WARNING]
-> The `*-Job` cmdlets can create new runspaces without the restrictions.
+> The Windows Compatibility feature in PowerShell 7 creates a new runspace to host Windows
+> PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The
+> `*-Job` cmdlets can create new runspaces without the restrictions.
 
 ### Don't allow the `Trace-Command` cmdlet.