Windows 10 includes Windows PowerShell 5.0 by default, which has some great new security features, including enhanced transcription logging and AMSI protection. However, the Windows PowerShell 2.0 engine is still enabled alongside it. Because that older engine predates these protections, it is now recognized as a security risk that can be used to run malicious scripts.
Evaluation:
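# The feature object exposes its status in the State property
$State = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State
# Exit 0 = PowerShell 2.0 engine is disabled, Exit 1 = remediation needed
if ($State -eq 'Disabled') {
    Exit 0
} else {
    Exit 1
}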
And then fix.
Remediation code to disable the PS v2 engine:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
You can recheck remotely with the following command, where $computer is the name of the host you are trying to check:
Invoke-Command -ComputerName $computer -ScriptBlock { Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 }
Cheers,
-Roman
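
The remote recheck above can be extended to several hosts at once. The following is an added example, not code from the original post: the function name Get-PSv2EngineState and the host names are hypothetical, and it assumes WinRM remoting is enabled and the caller is a local administrator on each target.

```powershell
# Added example: audit both PowerShell 2.0 optional features on several hosts.
# Assumes WinRM remoting and local admin rights on each target.
function Get-PSv2EngineState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # Runs on each target. State is converted to a string remotely so the
    # check below does not depend on how the enum is deserialized.
    $probe = {
        foreach ($name in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
            $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                FeatureName = $name
                State       = if ($null -ne $f) { [string]$f.State } else { 'NotFound' }
            }
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            $rows = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            foreach ($row in $rows) {
                [pscustomobject]@{
                    ComputerName = $computer
                    FeatureName  = $row.FeatureName
                    State        = $row.State
                    # Enabled or EnablePending means the engine is usable now or after a reboot.
                    Compliant    = $row.State -notin 'Enabled', 'EnablePending'
                }
            }
        }
        catch {
            # Report unreachable hosts instead of silently skipping them.
            [pscustomobject]@{
                ComputerName = $computer
                FeatureName  = $null
                State        = "Unreachable: $($_.Exception.Message)"
                Compliant    = $false
            }
        }
    }
}

# Constructed host names; replace with your own.
Get-PSv2EngineState -ComputerName 'PC-001', 'PC-002' | Format-Table -AutoSize
```

A host counts as compliant only when neither feature reports Enabled or EnablePending; hosts that cannot be reached are listed as non-compliant so they are followed up rather than missed.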