Windows 11 Pro files.vbs

MadUrantia 200 Reputation points
2025-12-14T17:18:56+00:00

Good afternoon.

Windows Server 2025 Standard DC.

I created a GPO with several users, for whom I need to restrict certain things.

One of them is not allowing the execution of .VBS files.

The machines where they work have Windows 11 Pro, integrated into the domain.

I have tried several tips on the internet, but without success.

Thank you in advance.

MadUrantia

Windows for business | Windows Server | Devices and deployment | Other

Answer accepted by question author

  1. VPHAN 30,935 Reputation points Independent Advisor
    2025-12-14T19:06:30.7733333+00:00

    To answer your specific questions regarding the configuration in the screenshots:

    1. Value Name: Yes, you must write a specific name in the Nome do valor field. The exact name required by the Windows system is Enabled (please note the 'd' at the end).
      • Do not use "Enable".
      • Do not check the "Predefinição" (Default) box. Checking that box targets the default key value, which the Windows Script Host does not check for restrictions.
    2. The Yellow Triangle: You can safely ignore the yellow triangle icon you see in the list view (Image 2). In the Group Policy Preferences console, that icon does not indicate an error. It simply represents the "Update" (Atualizar) action.
      • Green triangle = Create
      • Yellow triangle = Update
      • Red circle = Replace/Delete

    To ensure the policy works, your final configuration in the Propriedades window should look exactly like this:

    Ação: Atualizar

    Ramo de registo: HKEY_CURRENT_USER

    Caminho da chave: SOFTWARE\Microsoft\Windows Script Host\Settings

    Nome do valor: Enabled

    Tipo do valor: REG_DWORD

    Dados do valor: 0

    Once you save this with the name Enabled and run gpupdate /force on the client machine, the restriction will take effect.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message.

    VP

    1 person found this answer helpful.

Answer accepted by question author

  1. VPHAN 30,935 Reputation points Independent Advisor
    2025-12-14T17:51:18.2833333+00:00

    Good afternoon MadUrantia,

    To reliably restrict .vbs files for specific users on Windows 11 Pro, the most robust "best practice" is to disable the Windows Script Host (WSH) engine specifically for those user profiles. This stops wscript.exe and cscript.exe from launching, rendering .vbs (and .js) files inert regardless of their location. Since you need to target specific users, you will implement this via Group Policy Preferences under the User Configuration context.

    Open your Group Policy Management Console and edit the GPO linked to your target users. Navigate to User Configuration > Preferences > Windows Settings > Registry. Right-click in the right pane and select New > Registry Item. Set the Action to Update and the Hive to HKEY_CURRENT_USER. For the Key Path, enter Software\Microsoft\Windows Script Host\Settings. In the Value Name field, type Enabled. Set the Value Type to REG_DWORD and ensure the Value Data is 0. If the registry key structure does not exist on the client, the "Update" action will create it.

    Once this policy propagates (you can test immediately by running gpupdate /force on a client machine), any attempt by that user to execute a VBS file will result in a strict system error stating, "Windows Script Host access is disabled on this machine." Please note that if you are currently using legacy VBS logon scripts for these users, this policy will block them; you should migrate those scripts to PowerShell or convert them to .cmd files before applying this restriction.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to Accept the Answer. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

    1 person found this answer helpful.
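
Added example, not part of either answer above and not Microsoft's code: a PowerShell check to run in the restricted user's own session after `gpupdate /force`. It confirms that the registry item described in both accepted answers landed as `Enabled` = `REG_DWORD` `0`, and flags the two naming mistakes the follow-up answer warns about. The function name `Test-WshRestriction` is hypothetical.

```powershell
# Added example: verify the Group Policy Preferences registry item on a client.
# Run as the restricted user, not from an elevated prompt under another account,
# because HKCU resolves to the hive of whoever runs the script.
function Test-WshRestriction {
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $findings.Add('Key does not exist: the preference item has not applied to this user.')
        return [pscustomobject]@{ Restricted = $false; Findings = $findings }
    }

    $key   = Get-Item -LiteralPath $KeyPath      # Microsoft.Win32.RegistryKey
    $names = $key.GetValueNames()                # '' is the key's default value

    # The two mistakes called out in the answer: wrong name, or "Default" ticked.
    if ($names -contains 'Enable') {
        $findings.Add("A value named 'Enable' exists; the required name is 'Enabled'.")
    }
    if ($names -contains '') {
        $findings.Add('The default value is set; the Default box was probably ticked.')
    }

    $restricted = $false
    if ($names -contains 'Enabled') {
        $kind = $key.GetValueKind('Enabled')
        $data = $key.GetValue('Enabled')
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0) {
            $restricted = $true
        } else {
            $findings.Add("Enabled is $kind with data '$data'; expected REG_DWORD 0.")
        }
    } else {
        $findings.Add("Value 'Enabled' is not present.")
    }

    [pscustomobject]@{ Restricted = $restricted; Findings = $findings }
}

Test-WshRestriction | Format-List
```

`Restricted : True` with an empty `Findings` list means the item applied as configured; anything listed under `Findings` points to which field in the Propriedades dialog to recheck.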

1 additional answer

  1. Q&A Assist
    2025-12-14T17:19:09.39+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To restrict the execution of .VBS files using Group Policy in your Windows Server 2025 environment, you can implement Software Restriction Policies (SRP) or AppLocker policies. Here’s a general approach using Software Restriction Policies:

    1. Open Group Policy Management Console (GPMC): On your Windows Server, open the GPMC.
    2. Create or Edit a GPO: Right-click on the Organizational Unit (OU) where your users are located and either create a new GPO or edit an existing one.
    3. Navigate to Software Restriction Policies: In the GPO editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies. If no policies are defined, right-click on Software Restriction Policies and select New Software Restriction Policies.
    4. Create a New Rule: Right-click on Additional Rules and select New Path Rule.
      • Set the path to *.vbs or the specific location of the .VBS files you want to restrict.
      • Set the security level to Disallowed.
    5. Apply the GPO: Link the GPO to the appropriate OU where the users are located.
    6. Test the Policy: After applying the policy, ensure that the users are unable to execute .VBS files. You may need to run gpupdate /force on the client machines to refresh the policy immediately.
    7. Troubleshoot if Necessary: If the policy does not seem to apply, check for conflicting policies or ensure that the correct GPO is linked to the OU.

    This method should effectively prevent the execution of .VBS files on the specified user machines running Windows 11 Pro.
