How to block powershell using group policy

HM 26 Reputation points
2021-04-29T21:41:58.013+00:00

We blocked PowerShell using the GPO "Don't run specified Windows applications", but if a user renames powershell.exe to something else then he is allowed to run it. We found another method at the URL "https://activedirectorypro.com/disable-powershell-with-group-policy/"; it blocks the path "C:\Windows\System32\WindowsPowerShell\v1.0", which means a user can run it from a different location. Wondering if anyone has blocked it using group policy and which method you used. Please suggest.


6 answers

  1. Daisy Zhou 21,361 Reputation points Microsoft Vendor
    2021-04-30T09:48:10.107+00:00

    Hello @HM ,

    Thank you for posting here.

    We can try to create a scheduled task: run this scheduled task at a short interval to kill/end the PS process.

    Then push the scheduled task via GPO to all machines.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. HM 26 Reputation points
    2021-04-30T23:03:57.323+00:00

    Can we do something to not even allow it?


  3. Thameur-BOURBITA 32,641 Reputation points
    2021-04-30T23:27:52.477+00:00

    Hi,

    You can uninstall Windows PowerShell using one of the methods mentioned at the link below:

    uninstall-powershell-windows-10.html

    Please don't forget to mark the helpful reply as the answer.


  4. HM 26 Reputation points
    2021-05-03T15:59:16.727+00:00

    We actually need some users to run it, so we cannot completely uninstall it. We were thinking of having a group of those users and denying this AD group in the GPO. For example: User A logs in to a machine with his regular account (non-admin account) and should not be able to run PowerShell (it should be completely blocked, even from launching), and he does a runas of PowerShell as a different user ID (which is also a local admin) and should be able to run PowerShell on the same machine.
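    The scheduled-task approach from the first answer, combined with the "allow local admins, block everyone else" requirement above, as an added example that is not code from the thread: a watchdog script that ends PowerShell host processes whose owner is not a member of the local Administrators group, plus the task that runs it every minute as SYSTEM. It matches on the image's version-resource OriginalFilename rather than the on-disk name, so a renamed or relocated copy is still recognised. The script path, task name and the assumption that powershell.exe reports OriginalFilename "PowerShell.EXE" are mine.

    ```powershell
    # Added example, not from the thread. Assumed locations/names below; adjust to taste.
    $ScriptPath = 'C:\ProgramData\PsWatchdog\Stop-UnapprovedPowerShell.ps1'
    $TaskName   = 'Stop-UnapprovedPowerShell'

    $Watchdog = @'
    # Members of the local Administrators group (e.g. the runas account) may keep running.
    $allowed = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name.ToLowerInvariant() })
    # Service accounts are exempt so GPO scripts and this watchdog itself are not killed.
    $allowed += 'nt authority\system', 'nt authority\local service', 'nt authority\network service'
    # Version-resource names of the PowerShell host binaries (assumed for powershell.exe).
    $hostNames = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')

    Get-Process -IncludeUserName | ForEach-Object {
        $p = $_
        if ($p.Id -eq $PID) { return }                       # never stop ourselves
        try { $orig = $p.MainModule.FileVersionInfo.OriginalFilename } catch { return }
        $name = if ($orig) { $orig.ToLowerInvariant() } else { "$($p.ProcessName).exe".ToLowerInvariant() }
        if ($hostNames -contains $name -and $p.UserName -and
            $allowed -notcontains $p.UserName.ToLowerInvariant()) {
            Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        }
    }
    '@

    # Write the watchdog to disk and register it as a SYSTEM task repeating every minute.
    New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
    Set-Content -Path $ScriptPath -Value $Watchdog -Encoding ASCII

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    ```

    Run the registration block once as an administrator (or deploy it as a GPO startup script); the watchdog only reacts after a process has already started, so it limits rather than prevents execution, unlike an application-control rule.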


  5. MotoX80 32,911 Reputation points
    2021-05-05T12:55:00.767+00:00

    This is actually counted as vulnerability by our security scanners and therefore to satisfy Audit needs

    My experience with security scanners is that when they find a vulnerability they point us to a knowledge base article that describes the issue and also provides instructions on how to fix it. Go back to your auditors and ask them to review the scan report and contact the scanner software support team if you have to, and ask them for instructions on how they expect you to fix this.

    Powershell is Microsoft's solution to provide a common framework for supporting the Windows OS. The problem that they recognized was that there were multiple executables like ipconfig.exe and netsh.exe and they all had different command line interfaces. And the classic .bat/.cmd language was just archaic. But they had to leave those programs in place to allow for compatibility for existing users.

    I've seen malware that uses PowerShell to do a base64 encoding and hide itself inside of WMI. That is likely what the scanner is trying to address. But if Powershell.exe is a vulnerability, then so is cmd.exe, and cscript.exe, and csc.exe, and wmic.exe and just about every other executable in Windows\System32.
