This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 13%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
We blocked the powershell using GPO "Don't run specified Windows applications" but if a user rename the powershell.exe to something else then he is allowed to run it. We found another method in URL "https://activedirectorypro.com/disable-powershell-with-group-policy/" , It is blocking the path "C:\Windows\System32\WindowsPowerShell\v1.0" which means user can it from a different location. Wondering if anyt=one has blocked it using group policy and which method did you use. Please suggest
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 1%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Block the hash using the same GPO entry - just select "New hash" instead of "New Path" - then browse to powershell.exe. Also do a second hash entry for powershell_ise.exe
The benefit of a hash rule is it will block the file no matter its location.
For example, if PowerShell tried to run from c:\it\ it would be blocked due to the hash rule, not the file path.
The only drawback to this is you would need a hash rule for every version of PowerShell.
Further info here: https://activedirectorypro.com/disable-powershell-with-group-policy/
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @HM ,
Thank you for posting here.
We can try to create a task schedule: run this task schedule every short time to kill/end the PS process.
Then push task schedule via GPO to all machines.
Hope the information above is helpful
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Can we do something to not even allow it.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
You can uninstall windows powershell using one of the method mentioned on the link below:
uninstall-powershell-windows-10.html
Please don't forget to mark helpful reply as answer
We actually need some users to run it so we cannot completely uninstall it. We were thinking to have a group of those users and we will deny this AD group on GPO. For ex : User A login to machine with his regular account (Non admin account) and he should not be able to run powershell (it should be completely blocked even from launching) and he runas powershell as a different userid (which is also a local admin) and should be able to run powershell on same machine.
Why do you want to block Powershell? There could be applications that use it "under the covers" on behalf of the desktop user.
Anything that the user can do with Powershell they can do with other utilities like schtasks.exe and icacls.exe and every .exe in system32. Or they could write a VB script or good old .bat file.
And if you have a determined user who wants to write their own program then you also need to block the VB.Net (vbc.exe) and C# (csc.exe) compilers in the C:\Windows\Microsoft.NET\ subfolders.
Let me guess.... you had one user who did something dumb with Powershell and now your manager is asking you to block it. Did I get it right?
This is actually counted as vulnerability by our security scanners and therefore to satisfy Audit needs we needs to disable it for a regular user id and same user should be able to runas powershell if he is using the id which is in exception list.
Wondering if someone has implemented it and have the steps which they followed.
Hello @HM ,
Thank you for your reply.
Based on my experience, it seems it is hard to achieve your requirement.
We hope that those who have implemented this can provide some suggestions here.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
This is actually counted as vulnerability by our security scanners and therefore to satisfy Audit needs
My experience with security scanners is that when they find a vulnerability they point us to a knowledge base article that describes the issue and also provides instructions on how to fix it. Go back to your auditors and ask them to review the scan report and contact the scanner software support team if you have to, and ask them for instructions on how they expect you to fix this.
Powershell is Microsoft's solution to provide a common framework for supporting the Windows OS. The problem that they recognized was that there were multiple executables like ipconfig.exe and netsh.exe and they all had different command line interfaces. And the classic .bat/.cmd language was just archaic. But they had to leave those programs in place to allow for compatibility for existing users.
I've seen malware that uses Powershell to do a base64 encoding and hide itself inside of WMI. That is likely what the scanner is trying to address. But if Powershell.exe is a vulnerability, then so is cmd.exe, and cscript.exe, and csc.exe, and wmic.exe and just about about every other executable in Windows\System32.