Reduce your attack surface by uninstalling PowerShell version 2 using PowerShell and Microsoft Intune

Introduction

PowerShell version 2 (the "Windows PowerShell 2.0 Engine" optional feature) is to this day still preinstalled on Windows 11 and on all Windows Server versions except Windows Server 2022, even though Microsoft deprecated it back in 2017.

As the reader may know, PowerShell is a powerful tool that plays an important role in administering Windows systems. However, it also contains features that attackers can leverage, and the old version 2 engine is one of the worst offenders.

If the PowerShell version 2 engine is installed, any local user can start it with powershell.exe -Version 2 and bypass Constrained Language Mode, which application control solutions such as AppLocker and Windows Defender Application Control otherwise enforce. The v2 engine also predates script block logging and AMSI, so whatever runs in it is largely invisible to those defences as well.

PowerShell Constrained Language is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs.

If you haven’t removed PowerShell version 2 already, you should consider looking into it today as an early Christmas present. 🙂

PS: this solution only targets workstations. If you need to remove PowerShell version 2 from servers, you cannot leverage Microsoft Intune; look into Configuration Manager or similar instead.

Constrained Language Mode

The language mode of the current session can be queried with $ExecutionContext.SessionState.LanguageMode. On an unmanaged device this returns FullLanguage.

When AppLocker or a similar application control solution is enforced, a regular user is forced into ConstrainedLanguage instead.

If the PowerShell version 2 engine is installed, that same user can switch over to it with powershell.exe -Version 2. The v2 engine predates Constrained Language Mode and simply reports FullLanguage, which effectively bypasses the restriction.
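The check described above, as an added example that is not part of the original post: it queries the language mode of the current session and then asks the v2 engine for its own version and language mode. Run it as a standard user on a device where AppLocker or WDAC enforces Constrained Language Mode; the v2 engine needs .NET Framework 3.5 to start, which is assumed to be present.

```powershell
# Added example (not from the original post). Compares the language mode of the
# current session with what the PowerShell 2.0 engine reports.

# 1. Language mode of the current (v5.1) session.
#    FullLanguage on an unmanaged device, ConstrainedLanguage under AppLocker/WDAC.
$ExecutionContext.SessionState.LanguageMode

# 2. Start the v2 engine and ask it the same question.
#    If the v2 engine is present, this prints version 2.0 and FullLanguage,
#    which is the bypass. If the engine has been removed, powershell.exe
#    refuses to start version 2 and prints an error instead.
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion; $ExecutionContext.SessionState.LanguageMode'
```

Launching powershell.exe is allowed under application control because it is a signed Microsoft binary; the problem is not the host process but the old engine it is asked to load, which is exactly why removing the engine is the fix.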

Uninstall PowerShell version 2

In order to uninstall PowerShell version 2 using Microsoft Intune, I use 2 separate scripts. The scripts are located in my GitHub repository.

Detect-PoShv2.ps1: PowerShell/Detect-PoShv2.ps1 at master · imabdk/PowerShell (github.com)

  • This script detects whether PowerShell v2 is currently installed/enabled on the system
    • If PoShv2 is enabled, the script exits with exit code 1 (non-compliant)

Disable-PoShv2.ps1: PowerShell/Disable-PoShV2.ps1 at master · imabdk/PowerShell (github.com)

  • This script detects whether PowerShell v2 is currently installed/enabled on the system
    • If PoShv2 is installed/enabled, PoShv2 is uninstalled/disabled
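The detection and remediation logic described above, as an added example that is not the Detect-PoShv2.ps1 / Disable-PoShv2.ps1 scripts from the author's GitHub repository. It is one file deployed twice: with $Remediate = $false as the detection script and with $Remediate = $true as the remediation script (the $Remediate switch is this example's own convention, not an Intune feature). The exit-code contract is Intune's: 0 means compliant, 1 means non-compliant for detection or failed for remediation. It uses the Dism module's Get-WindowsOptionalFeature / Disable-WindowsOptionalFeature cmdlets, so it must run as SYSTEM in 64-bit PowerShell.

```powershell
<#
  Added example, not the author's scripts. Deploy this file twice as an Intune
  Remediation: $Remediate = $false -> detection script, $Remediate = $true ->
  remediation script. Exit 0 = compliant, exit 1 = non-compliant / failed.
#>
$Remediate = $false   # hypothetical toggle for this example; flip to $true for the remediation copy

# The v2 engine ships as two optional features. Disabling the Root feature
# takes the engine feature with it, but both are checked for reporting.
$featureNames = @('MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2')

try {
    $enabled = foreach ($name in $featureNames) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop
        if ($feature.State -eq 'Enabled') { $feature.FeatureName }
    }
}
catch {
    # Typically: not elevated, or running in 32-bit PowerShell without the Dism module
    Write-Output "Could not query optional features: $($_.Exception.Message)"
    exit 1
}

if (-not $enabled) {
    Write-Output 'PowerShell v2 is not enabled'
    exit 0
}

if (-not $Remediate) {
    # Detection mode: report non-compliance so Intune schedules the remediation script
    Write-Output "PowerShell v2 enabled: $($enabled -join ', ')"
    exit 1
}

# Remediation mode: disable the feature without forcing a reboot
try {
    $result = Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart -ErrorAction Stop
}
catch {
    Write-Output "Failed to disable PowerShell v2: $($_.Exception.Message)"
    exit 1
}

# Re-check so the output in Intune reflects the actual end state, not just the cmdlet call
$state = (Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root').State
if ($state -eq 'Enabled') {
    Write-Output 'PowerShell v2 still enabled after remediation'
    exit 1
}
Write-Output "PowerShell v2 disabled (state: $state, restart needed: $($result.RestartNeeded))"
exit 0
```

The detection script should only report and never change the device; Intune runs it on the schedule you choose and only runs the remediation script on devices that exited with 1. Writing a short status line with Write-Output is worth the effort, because that string is what you see per device in the Remediations report.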

Microsoft Intune

Put the 2 scripts to use in Microsoft Intune with the Remediations feature (formerly known as Proactive Remediations): upload Detect-PoShv2.ps1 as the detection script and Disable-PoShv2.ps1 as the remediation script, set "Run this script using the logged-on credentials" to No so the scripts run as SYSTEM (disabling a Windows feature requires elevation), set "Run script in 64-bit PowerShell" to Yes so the Dism cmdlets are available, and assign the remediation to your workstation group on a recurring schedule.

Notice how your devices gradually report back that PowerShell version 2 is no longer present on the systems. Disabling the feature may flag a restart as needed, so a device can show as remediated before the change is fully in effect; the next detection run confirms it.
