The Windows PowerShell 2.0 feature must be disabled on the system.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253285 | WN11-00-000155 | SV-253285r958478_rule | CCI-000381 | medium |
| Description | ||||
| Windows PowerShell 5.0 added advanced logging features which can provide additional detail when malware has been run on a system. Disabling the Windows PowerShell 2.0 mitigates against a downgrade attack that evades the Windows PowerShell 5.0 script block logging feature. | ||||
| STIG | Date | |||
| Microsoft Windows 11 Security Technical Implementation Guide | 2025-05-15 | |||
Details
Check Text (C-253285r958478_chk)
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Get-WindowsOptionalFeature -Online | Where FeatureName -like *PowerShellv2*
If either of the following have a "State" of "Enabled", this is a finding.
FeatureName : MicrosoftWindowsPowerShellV2
State : Enabled
FeatureName : MicrosoftWindowsPowerShellV2Root
State : Enabled
Alternately:
Search for "Features".
Select "Turn Windows features on or off".
If "Windows PowerShell 2.0" (whether the subcategory of "Windows PowerShell 2.0 Engine" is selected or not) is selected, this is a finding.
Fix Text (F-56688r828938_fix)
Disable "Windows PowerShell 2.0" on the system.
Run "Windows PowerShell" with elevated privileges (run as administrator).
Enter the following:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
This command must disable both "MicrosoftWindowsPowerShellV2Root" and "MicrosoftWindowsPowerShellV2" which correspond to "Windows PowerShell 2.0" and "Windows PowerShell 2.0 Engine" respectively in "Turn Windows features on or off".
Alternately:
Search for "Features".
Select "Turn Windows features on or off".
De-select "Windows PowerShell 2.0".