Skip to content

Support Hyper-V on CLM PowerShell hosts #13776

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
granstrand wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Support Hyper-V on CLM PowerShell hosts #13776

granstrand wants to merge 2 commits into from
+225 −42

Conversation

@granstrand
Copy link

@granstrand granstrand commented Jan 4, 2026

This addresses #13775.

On Windows hosts where PowerShell Constrained Language Mode (CLM) is
enforced, Vagrant Hyper-V provider malfunctions as essential checks
fail to run, lacking the necessary capabilities under CLM.

The Constrained Language Mode is highly restricted, as described in:
https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

Among them, here are some noteworthy limitations

  1. Block method invocation on non-core types
  2. Ban on reflection and assembly loading
  3. Restricted New-Object/[TypeName] -- only for a strict allow list
  4. Block COM objects and Add-Type

This commit addressed such limitation by providing alternative logic
specifically for hosts running under CLM. By replacing unsanctioned
New-Object calls, method invocations, and reflaction with native tools
(like net session and whoami) and compliant cmdlets, the Vargrant
Hyper-V provider now functions in CLM environments.

@granstrand
Support Hyper-V on CLM PowerShell hosts
6df507f 
This addresses hashicorp#13775.

On Windows hosts where PowerShell Constrained Language Mode (CLM) is
enforced, Vagrant Hyper-V provider malfunctions as essential checks
fail to run, lacking the necessary capabilities under CLM.

The Constrained Language Mode is highly restricted, as described in:
https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/

Among them, here are some noteworthy limitations

1. Block method invocation on non-core types
2. Ban on reflection and assembly loading
3. Restricted New-Object/[TypeName] -- only for a strict allow list
4. Block COM objects and Add-Type

This commit addressed such limitation by providing alternative logic
specifically for hosts running under CLM. By replacing unsanctioned
New-Object calls, method invocations, and reflaction with native tools
(like `net session` and `whoami`) and compliant cmdlets, the Vargrant
Hyper-V provider now functions in CLM environments.
@hashicorp-cla-app
Copy link

hashicorp-cla-app bot commented Jan 4, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@granstrand
Fix unit test mock and check the new function
f55cca8 
- Add powershell_constrained_language_mode? method unit test
- Mock powershell_constrained_language_mode as needed
@granstrand
Copy link
Author

granstrand commented Jan 4, 2026
edited
Loading

Action Items:

  1. bundle exec rake
    • Test on Ubuntu
      • 6df507f failed at ./test/unit/vagrant/util/platform_test.rb:315, :322
      • f55cca8 pass
    • Test on Windows (Full Language)
    • Test on Windows (Constrained Language)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@granstrand