Disable These 3 Windows Settings Now! (For Security)
You’ll be glad you watched this 🧐
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: kzhead.infojoin
Commands Mentioned:
• Get Language Mode: $ExecutionContext.SessionState.LanguageMode
• Environment Variable Name: __PSLockDownPolicy (Note: You will need to open a new PowerShell window to see if it applied)
Mentioned Links:
• Policy Plus: github.com/Fleex255/PolicyPlus
• PowerShell 7: github.com/PowerShell/PowerShell
• Microsoft Language Mode Article: learn.microsoft.com/en-us/pow...
▼ Time Stamps: ▼
0:00 - Why Though?
1:00 - What We'll Be Doing
1:46 - Remove PowerShell 2.0
2:22 - Constrained Language Mode
4:22 - About Execution Policy
5:41 - Setting Up Execution Policy
8:28 - PowerShell 7 Execution Policy
9:27 - Setting PowerShell 7 Policy
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Also this should work on both Windows 10 and 11
Okay
Of course it would sir
followed your tips on my win10 computers and it did exactly as you described ... course I understood about 50% of what you said and have never run a powershell .. so yeah, I feel safer now!
First step mine was 3.0 instead of 2.0, still should remove?
It works on my windows 11 machine
It needs to be said that the Constrained Language will have a large impact on your system ability to run legitimate powershell scripts. I really don't advise this option at all. You should only do this on dedicated computer systems where you know Powershell is not being used as a means to install or manage software or the system itself. This option will otherwise break tools like Chocolatey, the SQL Server installation process, and a lot more. Don't do this on your daily usage computer. There is a lot of Windows software out there that relies on Powershell features for its own maintenance or installation processes.
Thank you for mentioning Chocolatey. I use it and did not think of that watching ThioJoe's video.
If you are not doing any developing with your daily driver Windows, can you list any other common software that would be affected?
@@themadmallard"daily driver Windows" luckily my daily driver doesn't use windows since it's an old VW Golf
@@neetop1557 That reminds me of an old joke: Can you imagine if your car's software ran on Windows?
@@jstephens2758well it would constantly break down, if it ran on mac it wouldn't break but could only drive on one street and I'd it ran linux it wouldn't crash, but the driver needed to do all the maintenance themselves 😂
Thio never dissapoints
But he just did 🤔
he did to many people some years ago
@@KryzysXhe didn’t
@@ag4640 that one overwatch video:
@@denamolio nope
One of the best things you can do is enable logging for PowerShell, which is disabled by default for some unholy reason. That way when someone does get past any blocks you set up you or someone else can go back and see what was done.
how do you do that?
How?
How
@@MarcusWagnerBMW at 6:00 you can see options: Module Logging and Script Block Logging, i think those two are responsible for that
@@Aspirinium tysm
Thio Joe may not be a driver, but he never fails to deliver 💯💯💥💯
Here, are you Proudly about the Amazon Driver or just Encouraging ThioJoe?
👍
@@AbhishekMTCyou dont get it
@@TheAndroidGingerbreadGuy ..... 😶 okay!
He ain't pregnant but never fails to deliver 🗿
Thio never disapponts at making me tired by waking me up at 3 am
Very useful information. I wish Microsoft took Windows security more seriously. Like why have Powershell 2.0 even enabled by default? Anyone who needs it can just enable it on their own. Massive security risk.
Powershell 7 not respecting settings too
This is one of the best examples of why Win11 was a cash grab. They made such big talk about finally breaking backwards compatibility for the sake of security, but left so many gaping security holes because they didn’t want to break backwards compatibility. CMD should be gone, it hasn’t been updated in, let me check, 23 years. PS2 should be gone, heck, even the default PS5 should be gone. There’s still ancient services that still exist for archaic programs that can be exploited.
two words: backward compatibility, you'd be surprised how old some companies use.
@@GBR9794 Those people can download/enable it on their own. It should not be enabled by default.
@@GBR9794 let them download it
If only Microsoft had somebody like ThioJoe on the team...
💯
They'd have to pay him too much. :D
Thio would loose his job the first day for removing microsoft edge since its "the best browser ever"
@@dumbfloppa i feel sorry for any microsoft employees then... damn
they have dozens of people more knowledgeable than him
Very nice. I've been a programmer for 40 years now and this is something I didn't know. I am retired now so I am not as up to date as I used to be when working in the IT environment.
Your videos are always informative and helpful. I especially appreciate that you take the time to put complicated commands in the description so they may be copied and pasted.
Damn it. I knew I should've checked.
@@ninjakiwigames5418 He even said it in the video o.0
He is like Linus, but *actually* helpful.
@@Netsuki I don’t think ThioJoe comes across as egotistical, pompous, or blinded by greed, so it is hard for me to draw the parallel between him and Linus.
@@the_dark_defender That's why I said that he is actually useful (instead of being just a YoUTube celebrite). Linus is well known for technical videos, hence the comparison. Technical KZheadr, but the one that actually helps.
Nice security tips! I wasn't aware of these settings. Thanks!
Well delivered and concise, thanks Thio
Great info! You should do a video on the Microsoft Security Baselines sometime; they have an extensive inventory of useful settings like this and they're from Microsoft themselves. Lots of companies use these as a starting point for securing corporate devices.
For many years now I've woken up to youtube autoplaying ThioJoe videos. This time no different, I started watching Warhammer videos, fell asleep and now woke up to the voice of Thio. It's almost nostalgic and homely at the same time. Great video as always, will need to check these tips out.
Mister ThioJoe , Thanks You for taking all this time to do theses videos and share them with us. You explain really well , with clarity and visual and thats from my perspective....the best way to do it. Hope you receive all the best in you're life my friend.
Mate great community service and well instructed! Thanks
What you forgot to mention @ThioJoe is that this will severely disable the ability to use PowerShell and bug out command history, especially when you set the constrained language option. If you're a PowerShell frequent user I advise against this since it will break both it and its usage.
In such a situation, would Windows alert you to the fact that ps is disabled in an obvious way?
@@themadmallard No. Using even the simplest history keys (eg: up and down) will result in only the commands that you input only in that certain PS session (by that I mean only commands used in that certain window, which will disappear once you close it). Also if you are using `npm` for NodeJs, you'll get error cause using scripts is disabled and/or they are not signed. The `ConstrictedLanguage` will make most Chocolatey scripts also fail due to the fact that you cannot access object members through the `.` notation. If you're a developer and you're using PS as a `terminal` you should stay away from this. The only thing which most likely will have no impact is the `disable PS 2`, all the rest will have an impact on the use of PS as a terminal.
@@TheFr33LaNc3 thanks. Would this be more reasonable a setting tweak if the user has never even heard of power shell and is not a dev?
Yes@@themadmallard, it's a decent tweak for people that never use PS.
@@themadmallardfor someone who has never heard of PS it's reasonable to keep the malware gates closed
Method 2, Microsoft's comment: "As part of the implementation of Constrained Language, PowerShell included an environment variable for debugging and unit testing called __PSLockdownPolicy. While we have never documented this, some have discovered it and described this as an enforcement mechanism. This is unwise because an attacker can easily change the environment variable to remove this enforcement. In addition, there are also file naming conventions that enable FullLanguage mode on a script, effectively bypassing Constrained Language."
Thanks!! Love you videos and your delivery and technique is awesome. Keep up the great work.
This is so good! Easy to follow video and thanks for the tips.
Very useful information! I appreciated how crystal clear the video is-it’s extremely easy to follow. Thanks!
this video does not specify what versions of windows it applies to. there are different versions of windows...
@@BobBob-nr1zt That’s fair enough. But for those people like me, with Windows 11-admittedly, still, a small percentage of users-it was very clear.
@@jeff__w The video could have been much shorter - and more effective - if it just showed us how to download a bootable Ubuntu ISO onto a USB thumb drive :-)
Lots to think about. I use PS (v7.x) scripts to manage two Windows systems, Home (v 10) and Pro (v 11). I configured an execution policy for PS that gave me some peace of mind. But now I realize that peace of mind was unwarranted. It looks like I will have to sign all my scripts after making the necessary security tweaks.
I literally just went through a course for my job, learning about Group Policies. I recently built a new PC and this was golden to keep it safe from the simplest vulnerabilities. Thank you for this easy to follow video.
Excellent video and walk through of all the relevant steps. I was able to stop and restart the video at various points to ensure I undertook all steps in the relevant sequence outlined. Many, many thanks. And, no I had not heard of all this before and quite agree not entirely bullet proof, the steps go a long way to ensure my computer is as safe as possible.
"You don't have permission..." I created a "New Folder" in my D drive and named it "Policy Definitions", put it into "Windows:\" and it now magically has a grip of files in it. I can do nothing with it including saving anything to it. I also thought I told my pc, when I first built it, to NEVER claim I am not the administrator and to never ask for one. It really sucks that we don't get a save direction. I NEVER put anything I can avoid onto my C drive bc it's only 120 gigs. I now see that there's a ton of stuff that I use that can only be on the C drive. I just want to undo the folder but it tells my I am NOT the admin and it somehow got a grip of files put into it when I moved it from the D drive, where I created it, into the C drive. I'm hyper concerned I just screwed something up and cannot complete the Policy Plus/Definitions step. F me!
Thanks also for the context 👍🏻
I think this is excellent advice! And not just for home users, but network and corporate admins should review this information to see if it can apply to their computing environments!
Thx Thio, this was very helpful. A small adjustment with potential big headache savings. You move so fast on your How To Step by Step. I had to pause your instruction several times.
thats why the pause exists. why wait for people to do it when they can keep the video short and allow the users to pause when they need to
life saver in the computer world. great job as always. bonus is thio is really good looking guy.
Congratulations for 3M subscriber!!!!🎉🎉🎉
Also what happened to the rounded corners, why did you remove them?
Thank you so much Thio! I def have to share it with my friends
Thank you Joe these types for videos are so helpful. Keep up the good work.
But, if our Computer have some error in booting up and want to open CMD or Powershell, We can't change the Group Policy or Language Policy again and we will be completely stuck! I am thinking to enable these settings only for this reason
Must share this to everyone who has a windows pc
Billions of people? No fucking way.
Never heard about this, and it was so easy to fix! Thanks Dude!
Thank you so much for all of your help over the years! I have come to your site many times to have you you do a very thorough explanation for my issues. Keep up the amazing work you do ...I know you are challenged by Windows problems and take pride in what you do. AMAZING WORK and DEDICATION! One note: I followed your instructions to the letter but was not able to change "Full Language" to "Constrained Language" on my PC. Likely other issues preventing me from doing so. No problem ...I'll take my chances. Thanks so much.
You first bring up a PS window to check the current language status. Later, you use a PS window to check the new language status. If you re-use the original PS window, it reports the *old* language status. If you re-check, I expect that your PC is set to "Constrained Language".
he never fails to help us secure our computers
Never enough safety! Thank you.
Awesome tips ThioJoe! Thank you for this.
You've tought me alot since Ive been watching your channel.. Thanx 👌
Joe, I downloaded PS 7 and copied the 2 files. I did not see the 'PowerCore" dropdown in Local Security Policy. But I did find Powershell under Windows Components, and clicked the Disabled button. FYI I have Win10- Pro, so that may be the difference. Been delaying upgrading to Win 11 to allow MS to get the 'bugs' out.
I have the same issue!
Same. I have Windows 11 (trying to figure it out) and can't even find this "Local Security Policy" option, let alone PowerCore. Everything went fine up to that last point.
Done doing the 3 steps. Thank you
True..👍
I was expecting this video to be 3 very basic settings that I would skip instantly but this was surprisingly interesting! Thanks
Did all of this when watching your applocker video. Great content man!
You can still use --command and specify a ps1 including a function to get around these still I believe. So you can atill run scripts. You can call that from a bat file if you cabt run powershell but can run bats so this would still get around it. Even if cmd was disabled from running
There are like a dozen ways around the execution policy in PowerShell. Setting the policy at the machine level does disable some of them but there are always ways around it. To quote the Microsoft documentation: "The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally." I also wouldn't mess with the constrained language mode honestly. Lots of legitimate installers and updaters use PowerShell and may need access to the APIs and types that are blocked in ConstrainedLanguage mode. By all means remove PS 2.0 if you don't need it (should be disabled by default honestly) but the rest is kind of meh advice. I work in cybersecurity and my global execution policy is set to bypass and my language mode is set to Full. What I have done though is setup multiple layers of PowerShell logging so if PowerShell is abused I will know how.
Will this cause any side effects though? Especially the disabling PS 2.0? And if any program having problems because of lack of PS 2.0 how can i understand that it is caused by that?
Yeah. Can't wait until all the people who did this blindly suddenly find many programs stop working properly, then blame Microsoft for "breaking" Windows.
Thanks ThioJoe, good explanations and easy to follow (even for a windows Home user) Great job!
i think this is great and thank you. I'm learning about coding now and it's good to learn about these means of protections.
Trying to make windows safer feels like trying to make an open flame waterproof 😢
It's more like making an open flame a little safer. It's still dangerous if mishandled, and will likely cause a greater fire, but these should help keep the fire from spreading... at the moment.
Is there a way to set it to signed scripts only and somehow sign your own scripts with your own separate key without needing Microsoft's approval? I write my own PowerShell scripts for some common stuff and this would just break all of that...
Here's an idea. Open a new tab on your browser and navigate to a website called a "Search Engine". Google is an example... Then, type the following words into the search box _"how to sign powershell script"_and then click "Enter".
Thank you ThioJoe I appreciate the tips!
Great stuff definitely going to improve security with this. The these are all techniques I use when pentesting. I will now have to figure out the powershell syntax to edit those GPOs 😜
Btw, the method you showed doesn't really prevent bypassing the execution policy. If a program like policy plus can easily change the execution policy with admin perms, why wouldn't any other program (with admin rights ofcourse) not be able to just turn it off and run the script it wants. Anyways I'm thinking out of the scope here, because if a program is ran with admin perms, it's just gonna do whatever it wants from the exe itself, there's no point in using a powershell script.
If you are running a program as admin that is bot trustworthy, they dont need to run powershell anymore you just gave them permission to do whatever they want from the program itself
@@128Gigabytes that's what I said in the comment.....
Here's a tip if u don't want for companies to spy on u:break your pc phone and everything electronic then go on some remote island and then maybe no one will spy on u
You can sell them instead of breaking and get some cash😅
Google maps got you covered
This comment was sponsored by the Amish
@@Thomas-VA oh shit
@kaushik6371 true but as I see at the end money will spy on you
Thanks for the info dude!
Waoh! I enjoyed how you were able to articulate the instructions clearly. Thanks bro. You're a Godsend
Will this cause incopatibility with any program?
Unlikely, and you could temporarily change it back if necessary
@@ThioJoe Oh ok thanks!
@@ThioJoe How do you do that ?
So in Windows you have to make restrictions for possible programs that you don't even have installed on your system? Imagine if Linux allowed a non-privileged script to download it's own sudo version and automatically gave that new version permission to elevate the scripts privileges. It's clear that "Windows" is the perfect name for it, seen as it's so easy to break it and gain access. While other OS'es build strong walls, Microsoft just decorates with thin glass.
It's not at all like sudo. It's more like disabling bash on Linux (for "security" because a lot of malware runs scripts in bash), then being surprised that people can use dash or ksh instead. Powershell is just a convenient interface for running .Net programs without compiling code. Its security boundary is exactly the same as any random exe. Things that require administrator still require administrator. No version of powershell lets you bypass that.
@@letao12 Not quite. If that was the case there would be no need to restrict it. Bash or any other shell has no permissions outside of the user running it. As such you will gain nothing by switching the shell on Linux. Even if you wanted to provide a shell with additional privileges you would still require those privileges first in order to do so. This is not what is said about Windows in this video.
Honestly, if you don't absolutely need Windows, there's no reason to stay on it at this point. Been daily driving Linux on my personal rig for almost a year now and it's been great.
@@danielberglv259 Powershell doesn't have permissions outside of the user running it either. The video never said it does, and in fact it does not. Please get your facts correct and provide evidence.
What he said ! 🤣😅😂
Thank you so very much. I have followed all the instructions. Your video was very helpful. Thanks a ton. Great Video 👍
Me who always checks that Nr 2 and 3 are FullLanguage and unrestricted: 👁👄👁 (These 2 quite suck as a Dev, but thanks for Nr 1, never gave that one ever a second thought)
What you could theoretically do is have a separate dev account and personal accounts, and set the “CurrentUser” policy instead of MachinePolicy for each. It still can’t be overridden but I believe applies to each user. I think you could also require AllSigned and just self-sign your scripts and set it as a trusted publisher.
Unfortunately I'm at school so I can't disable these features now. I'll keep this video in mind so I can watch it when I get home
The problem I had was from copying the files directly from the zip folder instead from the extracted one. After I realized my mistake everything worked fine. Thank you ThioJoe!
Pretty helpful stuff, well done.
Important addition: There are a couple of important things to do while you are carrying out these simple operations: 1. Be sure you are facing East 2. Wear your best Wizard Robe, and ensure that you have your tungsten wand close at hand. 3. Hum the Microsoft Loyalty Song quietly throughout the process.
That was funny. He goes way over my head on most things. 🤣
I think the most important one is "turn off the auto update to windows 11"
Turning off windows update is the worst thing you can do if you care about security
@@cheehuigoh9363 Don't feed the troll, bro. xD
Luckily win11 not supported on my HW, no need to worry about that.
@@cheehuigoh9363 If you set group policies correctly, it should be possible to delay feature updates but not security updates (IIRC, and I only tested this on Win 10)
@@cheehuigoh9363 nah, Windows update bricked my computer weeks ago, so turning off auto-update is necessary.
Excellent video thank you, I tend to be slack with my PC, but for some reason when i saw this video I followed it and it was nice and easy to follow. and thank you for the context, very valuable.
Do NOT run these steps! I couldn't install programs like Epic games.
Step 1: don't use windows
😂😂
What are you using then
Linux or mac os
They are very complicated operating system compared to windows
A non technically knowledged person or someone new to pc can start only with windows as it is user friendly and very easy to use
Thank you Thio, for helping many, be safer with our devices and programs. You are Fantastic!!!
Just what I needed, thank you Thio
Excellent explanation and easy to follow instructions. My PC is usually managed well enough but family's PCs do require some extra security settings ^_^. Thanks.
Thank you Joe, your video tutorials are always pertinent, and easy to follow, I now feel a little more secure with my Win 11 Surface Pro.
big up bro you always killed it keep the good work
Thank you for your great channel! ❤
I had no idea about this but I got it all set up now thanks very much.
Thank you kindly ThioJoe, appreciate this information.
As always great video, I have a suggestion it would be great if you had a doc with full procedures on this fix. Keep up the good work,
The information is very educational. I might take notes
Love this video ! Need more of this videos.
Thank you for his one, Sir! Very practical recommendations.
Awesome work Joe!
Good stuff Joe!! Thanks!
Really good video, it always amazes me how easy it is to bypass security features in Windows.
Glad it was helpful and thank you! 🙏
@@ThioJoe THANKS for creating & posting this helpful video, However, after working on it for 2 hours, I wasn't able to accomplish the 3rd setting. Can you PLEASE help me? I sincerely appreciate your consideration & attention. Best regards, Ben
It´s nice you share this info on your videos ! 👍 What font you are using ?
Just done this, thank you Sir!
thank you! I appreciate this video, helping with my security.
Great Job Thio!!
Excellent content Thio, any ideas for LoJac? coming our way? thanks in advance.
Thank you For such a useful video sharing
Good looking out Joe, hope more people see this video
Great job, man! Thanks a lot.
As always great and simple explanation and a great video, “something to grow on....” that old NBC advertisement...lol
Thanks - great tips (until a few months from now when I go to run some script and forgot I set it to "signed" policies only haha)
Awesome, thank you!
Thanks - found this very useful. For anyone that uses Norton however, and specifically Norton VPN on Windows 11, from what I can tell, the 3rd step seemed to cause my system to become unstable. Windows crashed 3 times. So I reset the script to not configured. So far, it's back to being stable. I think there's some Norton VPN conflict going on, but not sure if it's a Norton/Chrome issue or just a Norton issue. Grief.
Thanks ThioJoe for the amazing content i managed to disable the script execution...but the other protective measures i wasnt able to cause apparently im not well versed with computers and you where kinda too fast in explaining
Very handy. Thanks
Great video thanks !
great advices joe :)
Wada PITA ! ! The PowerShell Core maneuver just sent me over the edge with frustration. It sucks so much we have to deal with this BS & Microsoft couldn't have baked-in a patch to respect existing Policys. I used to love anything IT & now 20% + of time is either implementing changes like this or chasing the next great preventative measure & by the time I'm done the luster has faded from the heart of a project. BTW - Nice job & always a thorough & high quality video...