How to Disable PowerShell 2.0 in Windows 11?

Asked By TechyNinja57 On

Hey folks! My organization has been working hard on meeting the DISA STIG requirements, and we've made good progress so far. Right now, we have just a few challenging items left to tackle, one of which is WN11-00-000155. This STIG states that the Windows PowerShell 2.0 feature must be disabled on systems.

I've set up an SCCM collection using a query via CM Pivot to group all machines with the Windows Optional feature enabled. Only about 4% of our systems fall into this category. The catch is, we don't have a local pilot group to test this out before rolling it out to end users, which is obviously a big concern. I'm exploring other options, but in the meantime, has anyone managed to reinstall PowerShell 2.0 in a test environment so that Tenable can accurately check for its status?

To be specific, the Tenable plugin checks for the "WindowsOptionalFeature" command to see if PS 2.0 is enabled. However, when I reinstall PowerShell 2.0, it only enables the binary without adding it to the Optional Features list. Therefore, when Tenable scans the machines using Microsoft's reinstallation instructions, it results in a failure with the message `FAILED - PowerShellv2:` and `POWERSHELL_NO_RESULT: powershell command returned no result`.

Any tips or advice for a junior sysadmin tackling this issue? Thanks!

3 Answers

Answered By SkepticalAdmin88 On

It’s pretty wild that some machines are still running PowerShell 2.0. It’s been obsolete for a while now! Just so you know, Microsoft changed a lot from PowerShell 2 to 3, and PowerShell 2 lacks many security features. You really need to get rid of it to avoid risks; it’s not safe anymore.

CuriousGeorge19 -

Absolutely! It’s crazy how some systems still have it. But yeah, sticking to newer versions helps with compliance and security.

Answered By OldSchoolTechie On

You could try running `powershell.exe -Version 2.0`, but that’s not ideal due to the security issues I mentioned. It’s best to get rid of PowerShell 2.0 altogether. Keep pushing for an upgrade—there are better options that won’t leave you vulnerable.

Answered By SierraSys88 On

Double-check with the latest DISA STIG updates. They’ve actually updated WN11-00-000155 for Windows 11 version 24H2 and later, stating that this requirement is not applicable. Just mark those 24H2 machines as Not Applicable, and if anyone needs comments on it, point to the check text from DISA. It simplifies things a lot!
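The optional-feature check discussed in this thread, as an added example that is not part of any post above: it reports the state of the PowerShell 2.0 optional features from an elevated prompt, treats a missing feature as its own result instead of an empty one, and disables the feature only when asked. The feature names `MicrosoftWindowsPowerShellV2Root` and `MicrosoftWindowsPowerShellV2` do not appear on this page and are the names Windows uses for these features; the `-Remediate` switch, the `NotPresent` label and the exit-code convention are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally disable) the PowerShell 2.0 optional features.
# -Remediate is a hypothetical switch defined by this script, not a Windows parameter.
param([switch]$Remediate)

# Parent feature first: disabling it also disables the engine feature beneath it.
$featureNames = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'

function Get-PSv2FeatureState {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $Name -ErrorAction Stop
    } catch {
        # An unknown feature name raises an error instead of returning an object.
        $feature = $null
    }
    # 'NotPresent' is this example's label for "the feature is not listed at all",
    # which is different from a feature that is listed but Disabled.
    if ($null -eq $feature) { return 'NotPresent' }
    return [string]$feature.State
}

$report = foreach ($name in $featureNames) {
    $before = Get-PSv2FeatureState -Name $name
    $after  = $before
    if ($Remediate -and $before -eq 'Enabled') {
        # -NoRestart prevents an automatic reboot on an end user's machine.
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        $after = Get-PSv2FeatureState -Name $name
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Feature  = $name
        Before   = $before
        After    = $after
    }
}

$report | Format-Table -AutoSize

# Convention chosen for this example: exit 1 if any feature is still Enabled.
if ($report.After -contains 'Enabled') { exit 1 } else { exit 0 }
```

Run without `-Remediate` first to compare the reported state with what the scanner shows for the same machine.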
