From f2bb6f4c00f4c4332dddd3deaf5df418c78189ed Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Wed, 17 Jun 2026 14:25:29 -0500 Subject: [PATCH 1/2] Add notes about TypeData and FormatData commands --- .../Update-FormatData.md | 16 +++++++++++----- .../Update-TypeData.md | 8 +++++++- .../remoting/jea/security-considerations.md | 10 +++++++++- .../security/securing-restricted-sessions.md | 10 +++++++++- 4 files changed, 36 insertions(+), 8 deletions(-) diff --git a/reference/7.4/Microsoft.PowerShell.Utility/Update-FormatData.md b/reference/7.4/Microsoft.PowerShell.Utility/Update-FormatData.md index c6d941918ae9..07b1aaf436ca 100644 --- a/reference/7.4/Microsoft.PowerShell.Utility/Update-FormatData.md +++ b/reference/7.4/Microsoft.PowerShell.Utility/Update-FormatData.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Utility.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Utility -ms.date: 12/12/2022 +ms.date: 06/17/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/update-formatdata?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: Update-FormatData 
@@ -192,10 +192,16 @@ This cmdlet returns no output. ## NOTES -- `Update-FormatData` also updates the formatting data for commands in the session that were - imported from modules. If the formatting file for a module changes, you can run an - `Update-FormatData` command to update the formatting data for imported commands. You do not need - to import the module again. +`Update-FormatData` also updates the formatting data for commands in the session that were imported +from modules. If the formatting file for a module changes, you can run an `Update-FormatData` +command to update the formatting data for imported commands. You do not need to import the module +again. + +> [!WARNING] +> Restricted endpoints, such as JEA, must not expose the `Update-FormatData` command. This command +> allows you to add **ScriptBlock** elements to the formatting for a type. The **ScriptBlock** is +> evaluated in `FullLanguage` mode, even when the session is configured to use a more restrictive +> language mode. ## RELATED LINKS diff --git a/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md b/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md index ae0174ebbd5d..ab73c0a0038b 100644 --- a/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md +++ b/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md @@ -2,7 +2,7 @@ external help file: Microsoft.PowerShell.Commands.Utility.dll-Help.xml Locale: en-US Module Name: Microsoft.PowerShell.Utility -ms.date: 01/18/2026 +ms.date: 06/17/2026 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.utility/update-typedata?view=powershell-7.4&WT.mc_id=ps-gethelp schema: 2.0.0 title: Update-TypeData 
@@ -900,6 +900,12 @@ This cmdlet returns no output. ## NOTES +> [!WARNING] +> Restricted endpoints, such as JEA, must not expose the `Update-TypeData` command. This command +> allows you to add **ScriptProperty** members to types. The **ScriptProperty**` members are +> evaluated in `FullLanguage` mode, even when the session is configured to use a more restrictive +> language mode. + ## RELATED LINKS [about_Types.ps1xml](../Microsoft.PowerShell.Core/About/about_Types.ps1xml.md) diff --git a/reference/docs-conceptual/security/remoting/jea/security-considerations.md b/reference/docs-conceptual/security/remoting/jea/security-considerations.md index 2f7e16ae39dc..45b0a5f4ccd7 100644 --- a/reference/docs-conceptual/security/remoting/jea/security-considerations.md +++ b/reference/docs-conceptual/security/remoting/jea/security-considerations.md @@ -2,7 +2,7 @@ description: >- Since JEA allows these users to run administrative commands without having full administrator access, you can then remove those users from highly privileged security groups. -ms.date: 01/26/2026 +ms.date: 06/17/2026 title: JEA Security Considerations --- # JEA Security Considerations @@ -199,6 +199,14 @@ configured session. > PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The > `*-Job` cmdlets can create new runspaces without the restrictions. +### Don't allow commands that add TypeData or FormatData + +Restricted endpoints must not expose the `Update-TypeData`, `Remove-TypeData`, or +`Update-FormatData` commands. The `*-TypeData` commands allow you to add **ScriptProperty** members +to types. The `Update-FormatData` command allows you to add **ScriptBlock** definitions to create +custom formatting. The **ScriptProperty**` and **ScriptBlock** members are evaluated in +`FullLanguage` mode, even when the session is configured to use a more restrictive language mode. + ### Don't allow the `Trace-Command` cmdlet. > [!WARNING] 
diff --git a/reference/docs-conceptual/security/securing-restricted-sessions.md b/reference/docs-conceptual/security/securing-restricted-sessions.md index 7c4a60d231ed..d2121e1ed209 100644 --- a/reference/docs-conceptual/security/securing-restricted-sessions.md +++ b/reference/docs-conceptual/security/securing-restricted-sessions.md @@ -1,6 +1,6 @@ --- description: This article explains how to secure a restricted PowerShell session that is used for secure remote access. -ms.date: 01/26/2026 +ms.date: 06/17/2026 title: Securing a restricted PowerShell remoting session --- # Securing a restricted PowerShell remoting session @@ -43,6 +43,14 @@ restricted session implementation. > PowerShell. Don't allow any commands that would run via the Windows Compatibility feature. The > `*-Job` cmdlets can create new runspaces without the restrictions. +### Don't allow commands that add TypeData or FormatData + +Restricted endpoints must not expose the `Update-TypeData`, `Remove-TypeData`, or +`Update-FormatData` commands. The `*-TypeData` commands allow you to add **ScriptProperty** members +to types. The `Update-FormatData` command allows you to add **ScriptBlock** definitions to create +custom formatting. The **ScriptProperty**` and **ScriptBlock** members are evaluated in +`FullLanguage` mode, even when the session is configured to use a more restrictive language mode. + ### Don't allow the `Trace-Command` cmdlet. > [!WARNING] From 335452cbadee47cacff07c79c0a0306afa750c0f Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Wed, 17 Jun 2026 14:41:37 -0500 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md | 2 +- .../security/remoting/jea/security-considerations.md | 2 +- .../docs-conceptual/security/securing-restricted-sessions.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md b/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md index ab73c0a0038b..dc6c1633d72e 100644 --- a/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md +++ b/reference/7.4/Microsoft.PowerShell.Utility/Update-TypeData.md @@ -902,7 +902,7 @@ This cmdlet returns no output. > [!WARNING] > Restricted endpoints, such as JEA, must not expose the `Update-TypeData` command. This command -> allows you to add **ScriptProperty** members to types. The **ScriptProperty**` members are +> allows you to add **ScriptProperty** members to types. The **ScriptProperty** members are > evaluated in `FullLanguage` mode, even when the session is configured to use a more restrictive > language mode. diff --git a/reference/docs-conceptual/security/remoting/jea/security-considerations.md b/reference/docs-conceptual/security/remoting/jea/security-considerations.md index 45b0a5f4ccd7..3b93595c8935 100644 --- a/reference/docs-conceptual/security/remoting/jea/security-considerations.md +++ b/reference/docs-conceptual/security/remoting/jea/security-considerations.md @@ -204,7 +204,7 @@ configured session. Restricted endpoints must not expose the `Update-TypeData`, `Remove-TypeData`, or `Update-FormatData` commands. The `*-TypeData` commands allow you to add **ScriptProperty** members to types. The `Update-FormatData` command allows you to add **ScriptBlock** definitions to create -custom formatting. The **ScriptProperty**` and **ScriptBlock** members are evaluated in +custom formatting. The **ScriptProperty** and **ScriptBlock** members are evaluated in `FullLanguage` mode, even when the session is configured to use a more restrictive language mode. ### Don't allow the `Trace-Command` cmdlet. diff --git a/reference/docs-conceptual/security/securing-restricted-sessions.md b/reference/docs-conceptual/security/securing-restricted-sessions.md index d2121e1ed209..b2603964868c 100644 
--- a/reference/docs-conceptual/security/securing-restricted-sessions.md +++ b/reference/docs-conceptual/security/securing-restricted-sessions.md @@ -48,7 +48,7 @@ restricted session implementation. Restricted endpoints must not expose the `Update-TypeData`, `Remove-TypeData`, or `Update-FormatData` commands. The `*-TypeData` commands allow you to add **ScriptProperty** members to types. The `Update-FormatData` command allows you to add **ScriptBlock** definitions to create -custom formatting. The **ScriptProperty**` and **ScriptBlock** members are evaluated in +custom formatting. The **ScriptProperty** and **ScriptBlock** members are evaluated in `FullLanguage` mode, even when the session is configured to use a more restrictive language mode. ### Don't allow the `Trace-Command` cmdlet.
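Review bot: In the Update-FormatData.md NOTES hunk (patch 1/2), the new warning names JEA but gives the reader no pointer to the full guidance. This same patch adds a "Don't allow commands that add TypeData or FormatData" section to remoting/jea/security-considerations.md, so link the warning to that article. The diffstat also touches only the reference/7.4 copy of this page; if other versioned reference folders carry the same cmdlet page, they need the same warning.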
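Review bot: In the Update-TypeData.md NOTES hunk (patch 1/2), the warning covers only `Update-TypeData`, while the two conceptual articles changed in this patch also list `Remove-TypeData` as a command restricted endpoints must not expose. Mention `Remove-TypeData` here, or make sure its own reference page carries the warning, so the reference and conceptual pages agree. The line "The **ScriptProperty**` members are" also has a stray backtick after the bold text, which pairs with the opening backtick of `FullLanguage` on the next line and breaks the inline code rendering; patch 2/2 removes it.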
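Review bot: In the remoting/jea/security-considerations.md hunk (patch 1/2), the sentence "The `*-TypeData` commands allow you to add **ScriptProperty** members to types" does not match the list that precedes it. The wildcard is broader than the two commands named, and "add" does not describe `Remove-TypeData`, so the reader is left without a reason why that command is blocked. Name `Update-TypeData` as the command that adds **ScriptProperty** members, state separately why `Remove-TypeData` must not be exposed, and adjust the heading "Don't allow commands that add TypeData or FormatData" to cover both.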
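Review bot: In the security/securing-restricted-sessions.md hunk (patch 1/2), the new section body is a plain paragraph, while the context lines show the section before it ending in a quoted alert block and the `Trace-Command` section after it opening with `> [!WARNING]`. Wrap the new paragraph in the same `> [!WARNING]` alert so the restriction gets the same visual weight as its neighbors. The same applies to the identical section added to the JEA article.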
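Review bot: The three hunks in patch 2/2 only remove the stray backtick after `**ScriptProperty**` that patch 1/2 introduced, but the subject "Apply suggestions from code review" does not say so. Squash this commit into patch 1/2 so the history never contains the broken markup, or reword the subject to describe the fix.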