
Worklet - Disable PowerShell v2.0 on Windows 10

  • September 13, 2019

owl-IT

Windows 10 includes Windows PowerShell 5.0 by default, which has some great new features that enhance security, including enhanced transcription logging and AMSI protection. However, the Windows PowerShell 2.0 engine is still enabled and is now recognized as a security risk that can be used to run malicious scripts.


Evaluation:


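# Exit 0 if the PowerShell 2.0 engine feature is already disabled, otherwise exit 1 so remediation runs.
# The property that holds the feature status is State; read it directly so the comparison is against its value.
$State = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State

if ( $State -eq 'Disabled' ) {
    Exit 0
} else { Exit 1 }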


And then fix.


Remediation code to disable the PS v2 engine:


Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root


You can recheck remotely with this command:

$computer => Name of the host you are trying to check

Invoke-Command -ComputerName $computer -ScriptBlock { Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 }


Cheers,

-Roman

2 replies

Nic-Automox
  • Former Automox Employee
  • 832 replies
  • September 13, 2019

Thanks for sharing that @owl-IT - very useful!


Nic-Automox
  • Former Automox Employee
  • 832 replies
  • September 13, 2019

One note for anyone running this worklet - Automox does use PowerShell for the agent to run, so make sure V2 isn’t the only version running on any system you apply this worklet to or else Automox will stop working!
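
An added example, not part of the original thread and not Automox's own code: a guarded remediation that applies the caveat above by refusing to run under an engine older than 3.0, then disables both feature names used in the post and re-evaluates. The function names, the exit code 2 and the use of -NoRestart are choices made for this example; it assumes an elevated session and that the agent uses the same Windows PowerShell host that runs the script.

```powershell
# Added example: guarded remediation for the PowerShell 2.0 engine on Windows 10.
# Run elevated. The two feature names are the ones used in the post above.
$features = 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root'

function Test-NewerEngineAvailable {
    # The engine running this script must be 3.0 or later. If the script itself
    # runs on 2.0, disabling the feature could leave tooling without a host.
    return $PSVersionTable.PSVersion.Major -ge 3
}

function Get-V2FeatureState {
    # Returns one object per feature with its current DISM state as a string.
    foreach ($name in $features) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            FeatureName = $name
            State       = if ($f) { [string]$f.State } else { 'NotPresent' }
        }
    }
}

if (-not (Test-NewerEngineAvailable)) {
    Write-Error 'Current engine is older than 3.0; not disabling the 2.0 engine.'
    exit 2
}

# Enabled and EnablePending both count as non-compliant.
$enabled = Get-V2FeatureState | Where-Object { $_.State -like 'Enable*' }
foreach ($item in $enabled) {
    # -NoRestart keeps an unattended run from rebooting the endpoint.
    Disable-WindowsOptionalFeature -Online -FeatureName $item.FeatureName -NoRestart | Out-Null
}

# Re-evaluate: exit 0 only when neither feature is enabled or pending enable.
$after = Get-V2FeatureState
$after | Format-Table -AutoSize
if ($after | Where-Object { $_.State -like 'Enable*' }) { exit 1 } else { exit 0 }
```

A state of DisablePending after the run means the change completes at the next restart.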

