🛡️ Essential 8 Guide

Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings


Windows PowerShell 2.0 is disabled or removed

| Property | Value |
| --- | --- |
| ISM Control | ISM-1621 |
| Revision | 1 |
| Updated | Sep-21 |
| Guideline | Not provided |
| Section | Operating system hardening |
| Topic | PowerShell |
| Essential Eight | ML3 |
| PSPF Levels | NC, OS, P, S, TS |

Summary

Disabling Windows PowerShell 2.0 reduces attack surface by removing a legacy execution engine. Microsoft guidance for Essential Eight user application hardening maps this outcome to deployment of UserApplicationHardening-RemoveFeatures.ps1 via Intune scripts; this script disables Windows PowerShell 2.0 and .NET Framework 3.5 (including .NET 2.0 and 3.0), and can also remove Internet Explorer 11 on supported Windows 10 platforms.

[!IMPORTANT] PowerShell 2.0 predates Antimalware Scan Interface (AMSI), script-block logging (Event 4104), and module logging. An attacker can invoke powershell.exe -Version 2 to run malicious code that bypasses all modern logging and detection. Critically, the legacy v2 engine also bypasses Constrained Language Mode (CLM) enforced by WDAC (ISM-1622): a v2 session always runs in Full Language mode regardless of any App Control policy. These two controls (ISM-1621 and ISM-1622) are complementary — both must be applied together for effective protection.

Design Decision

[!NOTE] The UserApplicationHardening-RemoveFeatures.ps1 script will be deployed via Intune Platform scripts to disable Windows PowerShell 2.0 and .NET Framework 3.5. On supported Windows 10 systems, the script also disables Internet Explorer 11. The script will be assigned to the relevant deployment group for execution.

Prerequisites

Implementation Steps

Using UserApplicationHardening-RemoveFeatures.ps1 Script with Intune Platform scripts

  1. In the Intune admin center, go to Devices > Scripts and remediations > Platform scripts > Add > Windows 10 and later and upload UserApplicationHardening-RemoveFeatures.ps1.

  2. Configure script settings as follows:

    • Run this script using the logged on credentials: No
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell Host: No

  3. Assign the script to the required Microsoft Entra device/user group based on your deployment scope.

  4. Monitor deployment using Device status / User status and, when troubleshooting is required, review IME logs on the client at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs (for example AgentExecutor.log and IntuneManagementExtension.log).

  5. Verify the feature is disabled on each device by running:

```powershell
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

     The output should show State : Disabled. A state of Enabled indicates the feature was not removed and the script should be re-triggered or the feature disabled manually with:

```powershell
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
```

Note: This script also disables .NET Framework 3.5 (includes .NET 2.0 and 3.0) and Windows PowerShell 2.0.
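The verification in step 5 covers only the root feature. The following is an added example, not Microsoft's UserApplicationHardening-RemoveFeatures.ps1 or any part of this guide's script: a detection script in the Intune remediation style (exit 0 = compliant, exit 1 = non-compliant) that audits the root feature, the PowerShell 2.0 engine sub-feature and NetFx3 together, with an optional remediation switch. The function name Invoke-Essential8PS2Check is assumed for this example; it must run elevated (for example as SYSTEM via Intune), because Get-WindowsOptionalFeature -Online requires it.

```powershell
# Added example: audit (and optionally disable) the optional features this
# control covers. Feature names are the documented Windows optional-feature
# names; the function name is an assumption made for this example.
function Invoke-Essential8PS2Check {
    param(
        # When set, disable any feature that is still enabled instead of only reporting.
        [switch]$Remediate
    )
    # Root feature, the v2 engine beneath it, and .NET 3.5 (NetFx3), which the
    # same Microsoft script disables, so it is audited here as well.
    $features = @(
        'MicrosoftWindowsPowerShellV2Root',
        'MicrosoftWindowsPowerShellV2',
        'NetFx3'
    )
    $nonCompliant = @()
    foreach ($name in $features) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($null -eq $f) {
            # Newer builds may not ship the feature at all; nothing to disable.
            Write-Output "$name : not present on this build (compliant)"
            continue
        }
        Write-Output "$name : $($f.State)"
        # 'Disabled' and 'DisabledWithPayloadRemoved' are both acceptable states.
        if ($f.State -notlike 'Disabled*') {
            if ($Remediate) {
                Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
                $after = (Get-WindowsOptionalFeature -Online -FeatureName $name).State
                Write-Output "$name : now $after"
                if ($after -notlike 'Disabled*') { $nonCompliant += $name }
            } else {
                $nonCompliant += $name
            }
        }
    }
    # Intune detection scripts signal compliance through the exit code.
    if ($nonCompliant.Count -gt 0) {
        Write-Output "Non-compliant: $($nonCompliant -join ', ')"
        exit 1
    }
    Write-Output 'Compliant: PowerShell 2.0 engine and .NET 3.5 are disabled'
    exit 0
}

# Report only; add -Remediate to disable anything still enabled.
Invoke-Essential8PS2Check
```

Deploy the report-only form as the detection script and the -Remediate form as the remediation script when using Intune remediations rather than Platform scripts; a reboot may be pending after disabling NetFx3.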
