Powershell 2.0 DISA STIG
Posted by NurglesToes@reddit | sysadmin | 7 comments
Morning everyone, my org has been on a big DISA STIG push, and we've made quite a bit of progress. At this point we're down to just a few doozies, one of them being this STIG:
WN11-00-000155 - The Windows PowerShell 2.0 feature must be disabled on the system. (1003669)
For context, I've created an SCCM collection using a query / CMPivot to group all of the machines that have the Windows Optional Feature enabled. Only about 4% of our machines fall into this category. The only issue is, we don't have a local pilot group to test this on before deploying it to end users, which is obv a big no-no. I'm working some other angles, but in the meantime, has anyone been able to reinstall PowerShell 2.0 in a test environment in the way Tenable is looking for?
Specifically, the plugin is calling the "WindowsOptionalFeature" command to check whether or not PS 2.0 is enabled, but reinstalling that version of PowerShell only enables the binary and doesn't add it to the Optional Features list, so when Tenable scans the machines, it returns (if following the Microsoft-sanctioned reinstall instructions):
FAILED - PowerShellv2:
POWERSHELL_NO_RESULT: powershell command returned no result
Any advice for a junior sys guy? Thanks!
Barrowork@reddit
Make sure you are using the latest STIG from DISA. They specifically updated WN11-00-000155 in Version 2 Release 6 (Jan 05, 2026) with this statement in the Check Text: "For Windows 11 version 24H2 and newer, this requirement is Not Applicable."
So for all Windows 11 Machines with 24H2 and higher, mark them Not Applicable. If your team requires comments on NA findings, then point it back at their own check text stating that the system is 24H2 or higher.
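An added example (not from any poster in this thread) that performs the check the OP describes and applies the 24H2 Not Applicable rule from the comment above. Assumptions: it runs elevated, build 26100 or higher is treated as Windows 11 24H2 or newer, the optional feature names are MicrosoftWindowsPowerShellV2Root and MicrosoftWindowsPowerShellV2, and the HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine key is taken as the sign that the 2.0 engine is registered (the case where the feature list comes back empty but the binaries were put back by hand).

```powershell
# Added example: report WN11-00-000155 status and optionally remove the 2.0 feature.
# Assumptions: elevated session; build >= 26100 means 24H2+ (Not Applicable per
# STIG V2R6 check text); the "1\PowerShellEngine" registry key marks the v2 engine.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Remediate)

$build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
if ($build -ge 26100) {
    Write-Output "NOT APPLICABLE - build $build is Windows 11 24H2 or newer"
    return
}

$featureNames = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'
$features = Get-WindowsOptionalFeature -Online | Where-Object { $featureNames -contains $_.FeatureName }
# Get-WindowsOptionalFeature returns nothing for a feature Windows no longer ships
# (the POWERSHELL_NO_RESULT case in the post); an empty result means "not present".
$enabled = @($features | Where-Object State -eq 'Enabled')

# Second signal: the v2 engine registration (assumed key). The feature can be absent
# while the engine was reinstalled by hand, which is what the OP's lab reinstall did.
$v2Engine = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine' -Name PowerShellVersion -ErrorAction SilentlyContinue

if ($enabled.Count -eq 0 -and -not $v2Engine) {
    Write-Output 'PASS - PowerShell 2.0 feature and engine not present'
    return
}

foreach ($f in $enabled) { Write-Output "FAIL - $($f.FeatureName) is $($f.State)" }
if ($v2Engine) { Write-Output "FAIL - v2 engine registered: PowerShellVersion=$($v2Engine.PowerShellVersion)" }

if ($Remediate) {
    # Disable the child feature first, then the root feature it depends on.
    foreach ($name in $featureNames[1], $featureNames[0]) {
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    Write-Output 'Remediation attempted; re-run without -Remediate to confirm, reboot may be required'
}
```

Run without -Remediate on the SCCM collection first to see which machines report FAIL on the feature versus only on the engine key, since the two cases need different remediation.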
NurglesToes@reddit (OP)
Sick. I’ll bring this up with my team lead in the AM
AppIdentityGuy@reddit
What OS is this? 2.0 hasn't shipped in ages.
jborean93@reddit
The jump from PowerShell 2 to 3 had a major CLR runtime change, and 3 also introduced some larger internal engine changes in how it compiled scriptblocks. A lot of the underlying assemblies weren't backwards compatible, so for compatibility's sake Microsoft kept the 2.0 engine components and allowed you to start a process in 2.0 mode by running powershell.exe -Version 2.0. Unfortunately this is dangerous because PowerShell 2.0 doesn't include pretty much all the components that PowerShell has around security like logging, AMSI integration, WDAC, etc. This is why it's recommended to remove the 2.0 bits so that bad actors can't hide behind this old 2.0 mode, and it's been years since 2.0 was a thing. It's only recently that Microsoft has started to stop shipping it with Windows by default: https://support.microsoft.com/en-us/topic/powershell-2-0-removal-from-windows-fe6d1edc-2ed2-4c33-b297-afe82a64200a
NurglesToes@reddit (OP)
Win 11 24H2, why the hell there's still PowerShell 2.0 machines is a fuckin mystery to me lol
AppIdentityGuy@reddit
Are these 24H2 machines failing the test? If so, are they clean installs or multiple generations of upgrades?
NurglesToes@reddit (OP)
I'm ngl I've only been in the org a few months, but I'd assume they're multiple-gen upgrades. All machines are currently failing bc of how Tenable checks the STIG, so ultimately we'll need an exemption either way, but we still want the vulnerability remediated either way.