How to Disable PowerShell Completely on Windows 10 (GPO)

To restrict access to the PowerShell command-line tool, you can manually block or disable it. Here’re the steps to disable PowerShell using GPO (Group Policy Editor).

With PowerShell, you can run command-line scripts and automate almost any part of Windows or application tasks. Compared to the good old Command Prompt, PowerShell is a full package with a lot of usability albeit with a steep learning curve. Considering how powerful PowerShell is, there might be scenarios that require you to restrict its access to the users. This is especially true if you don’t want the system running malicious commands or scripts. To restrict user access to PowerShell, you have to block or disable or PowerShell via the Group Policy or GPO (Group Policy Object).

Unlike the PowerShell execution policy restrictions, once you block the access, no user can access PowerShell or run its scripts. In this quick and simple post, let me show you the steps to disable PowerShell using GPO in Windows.

Jump to:

Note: If you are looking to disable just PowerShell 2.0. i.e, older version of PowerShell then follow that guide.

Important Note: You should be using the Pro or Enterprise version. The home version doesn’t include the Local Security Policy. You need administrative rights to completely disable PowerShell.

Steps to Disable PowerShell with GPO / Group Policy

These are steps to create GPO to completely disable PowerShell on Windows 10. The steps listed below will work in Windows 7 and Windows 8 too.

  1. Launch the Start menu with windows key press.
  2. Type “Windows Administrative Tools” and press Enter.
    Open-administrative-tools-050720
  3. Find and double-click on the “Local Security Policies” file.
    Open-local-security-policies-050720
  4. Right-click on the “Software Restriction Policies” folder.
  5. Select “New Software Restriction Policies“.
    Software-restriction-policies-050720
  6. Expand the “Software Restriction Policies” folder.
  7. Right-click on the “Additional Rules” folder.
  8. Select the “New Hash Rule” option.
    New-hash-rule-050720
  9. Click the “Browse” button under the General tab.
    Click-browse-050720
  10. Go to the below location in the Browse window.
    C:\Windows\System32\WindowsPowerShell\v1.0
  11. Select the “PowerShell.exe” file and click “Open“.
    Disable-powershell-gpo-050720
  12. Click “Apply” and “Ok” buttons.
    Block-powershell-gpo-050720
  13. Close the “Local Security Policies” window.
  14. Restart Windows.

After restarting, Windows will block the PowerShell application according to the local security policies. If any user tries to open the PowerShell application, Windows will show the “This app has been blocked by the system administrator” message.

Powershell-blocked-050720

Let Administrators Access PowerShell

To allow certain users access to the PowerShell, you need to create exceptions.

First, create a custom Active Directory Security Group in the Group Policy Management console. Next, add all users you want to exclude. Then delegate them to the policy we created in the steps above. Once you do that, only the users in the security group can open the PowerShell.

Enable PowerShell on Windows

You just need to delete the software restriction policy to enable the PowerShell after disabling it via the GPO local security policies.

  1. Open Start.
  2. Search for “Local Security Policies“.
  3. Expand the “Software Restriction Policies” folder.
  4. Select “Additional Rules“.
  5. Right-click on the PowerShell policy.
  6. Select “Delete“.
    Delete-gpo-050720
  7. Click “Yes” in the warning window.
  8. Close the Local Security Policy window.
  9. Restart Windows.

After restarting, the PowerShell application will no longer be blocked. This is because we removed the policy that is blocking the access to PowerShell.

That is all. I hope that helps. If you are stuck or need some help, comment below and I will try to help as much as possible.

Leave a Comment

Scroll to Top