The Windows PowerShell 2.0 feature must be disabled on the system.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-220728 | SRG-OS-000095-GPOS-00049 | WN10-00-000155 | SV-220728r958478_rule | 2025-02-25 | 3 |
| Description |
|---|
| Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature. |
| ℹ️ Check |
|---|
| Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2* If either of the following have a "State" of "Enabled", this is a finding. FeatureName : MicrosoftWindowsPowerShellV2 State : Enabled FeatureName : MicrosoftWindowsPowerShellV2Root State : Enabled Alternately: Search for "Features". Select "Turn Windows features on or off". If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding. |
| ✔️ Fix |
|---|
| Disable "Windows PowerShell 2.0" on the system. Run "Windows PowerShell" with elevated privileges (run as administrator). Enter the following: Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root This command should disable both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2" which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off". Alternately: Search for "Features". Select "Turn Windows features on or off". De-select "Windows PowerShell 2.0". |