followed your tips on my win10 computers and it did exactly as you described ... course I understood about 50% of what you said and have never run a powershell .. so yeah, I feel safer now!
It needs to be said that the Constrained Language will have a large impact on your system ability to run legitimate powershell scripts. I really don't advise this option at all. You should only do this on dedicated computer systems where you know Powershell is not being used as a means to install or manage software or the system itself. This option will otherwise break tools like Chocolatey, the SQL Server installation process, and a lot more. Don't do this on your daily usage computer. There is a lot of Windows software out there that relies on Powershell features for its own maintenance or installation processes.
@@jstephens2758well it would constantly break down, if it ran on mac it wouldn't break but could only drive on one street and I'd it ran linux it wouldn't crash, but the driver needed to do all the maintenance themselves 😂
One of the best things you can do is enable logging for PowerShell, which is disabled by default for some unholy reason. That way when someone does get past any blocks you set up you or someone else can go back and see what was done.
Very nice. I've been a programmer for 40 years now and this is something I didn't know. I am retired now so I am not as up to date as I used to be when working in the IT environment.
Very useful information. I wish Microsoft took Windows security more seriously. Like why have Powershell 2.0 even enabled by default? Anyone who needs it can just enable it on their own. Massive security risk.
This is one of the best examples of why Win11 was a cash grab. They made such big talk about finally breaking backwards compatibility for the sake of security, but left so many gaping security holes because they didn’t want to break backwards compatibility. CMD should be gone, it hasn’t been updated in, let me check, 23 years. PS2 should be gone, heck, even the default PS5 should be gone. There’s still ancient services that still exist for archaic programs that can be exploited.
Method 2, Microsoft's comment: "As part of the implementation of Constrained Language, PowerShell included an environment variable for debugging and unit testing called __PSLockdownPolicy. While we have never documented this, some have discovered it and described this as an enforcement mechanism. This is unwise because an attacker can easily change the environment variable to remove this enforcement. In addition, there are also file naming conventions that enable FullLanguage mode on a script, effectively bypassing Constrained Language."
@@ThioJoe THANKS for creating & posting this helpful video, However, after working on it for 2 hours, I wasn't able to accomplish the 3rd setting. Can you PLEASE help me? I sincerely appreciate your consideration & attention. Best regards, Ben
For many years now I've woken up to youtube autoplaying ThioJoe videos. This time no different, I started watching Warhammer videos, fell asleep and now woke up to the voice of Thio. It's almost nostalgic and homely at the same time. Great video as always, will need to check these tips out.
Your videos are always informative and helpful. I especially appreciate that you take the time to put complicated commands in the description so they may be copied and pasted.
@@Netsuki I don’t think ThioJoe comes across as egotistical, pompous, or blinded by greed, so it is hard for me to draw the parallel between him and Linus.
@@the_dark_defender That's why I said that he is actually useful (instead of being just a YoUTube celebrite). Linus is well known for technical videos, hence the comparison. Technical UA-camr, but the one that actually helps.
What you forgot to mention @ThioJoe is that this will severely disable the ability to use PowerShell and bug out command history, especially when you set the constrained language option. If you're a PowerShell frequent user I advise against this since it will break both it and its usage.
@@themadmallard No. Using even the simplest history keys (eg: up and down) will result in only the commands that you input only in that certain PS session (by that I mean only commands used in that certain window, which will disappear once you close it). Also if you are using `npm` for NodeJs, you'll get error cause using scripts is disabled and/or they are not signed. The `ConstrictedLanguage` will make most Chocolatey scripts also fail due to the fact that you cannot access object members through the `.` notation. If you're a developer and you're using PS as a `terminal` you should stay away from this. The only thing which most likely will have no impact is the `disable PS 2`, all the rest will have an impact on the use of PS as a terminal.
Thx Thio, this was very helpful. A small adjustment with potential big headache savings. You move so fast on your How To Step by Step. I had to pause your instruction several times.
Absolutely Brilliant!! As an I.T engineer, this type of info is invaluable both to myself and my customers. Thank you muchly! Subbed and liked quicker than mouse can click ;)
"You don't have permission..." I created a "New Folder" in my D drive and named it "Policy Definitions", put it into "Windows:\" and it now magically has a grip of files in it. I can do nothing with it including saving anything to it. I also thought I told my pc, when I first built it, to NEVER claim I am not the administrator and to never ask for one. It really sucks that we don't get a save direction. I NEVER put anything I can avoid onto my C drive bc it's only 120 gigs. I now see that there's a ton of stuff that I use that can only be on the C drive. I just want to undo the folder but it tells my I am NOT the admin and it somehow got a grip of files put into it when I moved it from the D drive, where I created it, into the C drive. I'm hyper concerned I just screwed something up and cannot complete the Policy Plus/Definitions step. F me!
But, if our Computer have some error in booting up and want to open CMD or Powershell, We can't change the Group Policy or Language Policy again and we will be completely stuck! I am thinking to enable these settings only for this reason
You can still use --command and specify a ps1 including a function to get around these still I believe. So you can atill run scripts. You can call that from a bat file if you cabt run powershell but can run bats so this would still get around it. Even if cmd was disabled from running
There are like a dozen ways around the execution policy in PowerShell. Setting the policy at the machine level does disable some of them but there are always ways around it. To quote the Microsoft documentation: "The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally." I also wouldn't mess with the constrained language mode honestly. Lots of legitimate installers and updaters use PowerShell and may need access to the APIs and types that are blocked in ConstrainedLanguage mode. By all means remove PS 2.0 if you don't need it (should be disabled by default honestly) but the rest is kind of meh advice. I work in cybersecurity and my global execution policy is set to bypass and my language mode is set to Full. What I have done though is setup multiple layers of PowerShell logging so if PowerShell is abused I will know how.
Lots to think about. I use PS (v7.x) scripts to manage two Windows systems, Home (v 10) and Pro (v 11). I configured an execution policy for PS that gave me some peace of mind. But now I realize that peace of mind was unwarranted. It looks like I will have to sign all my scripts after making the necessary security tweaks.
Thank you!...again lol.. Instead of wishing I has a friend like you, thanks to UA-cam, I now have a friend like you! Amazingly helpful tips, and you teach/convey it all so well x
Great info! You should do a video on the Microsoft Security Baselines sometime; they have an extensive inventory of useful settings like this and they're from Microsoft themselves. Lots of companies use these as a starting point for securing corporate devices.
Excellent video and walk through of all the relevant steps. I was able to stop and restart the video at various points to ensure I undertook all steps in the relevant sequence outlined. Many, many thanks. And, no I had not heard of all this before and quite agree not entirely bullet proof, the steps go a long way to ensure my computer is as safe as possible.
@@jeff__w The video could have been much shorter - and more effective - if it just showed us how to download a bootable Ubuntu ISO onto a USB thumb drive :-)
Joe, I downloaded PS 7 and copied the 2 files. I did not see the 'PowerCore" dropdown in Local Security Policy. But I did find Powershell under Windows Components, and clicked the Disabled button. FYI I have Win10- Pro, so that may be the difference. Been delaying upgrading to Win 11 to allow MS to get the 'bugs' out.
Same. I have Windows 11 (trying to figure it out) and can't even find this "Local Security Policy" option, let alone PowerCore. Everything went fine up to that last point.
For me, doesn't the "PowerShell Core" appear in Policy Plus. Any else have this issue/problem? Note two things; 1. I have my primary language on my PC set to Swedish, because that is my primary language. 2. I haven't restarted my computer, if that is necessary, after you put the files in the Windows directory. (Restart after the files have been copied into the Windows directory, and now you are gonna edit the settings for PowerShell 7 in Policy Plus to disable those settings..)
Wada PITA ! ! The PowerShell Core maneuver just sent me over the edge with frustration. It sucks so much we have to deal with this BS & Microsoft couldn't have baked-in a patch to respect existing Policys. I used to love anything IT & now 20% + of time is either implementing changes like this or chasing the next great preventative measure & by the time I'm done the luster has faded from the heart of a project. BTW - Nice job & always a thorough & high quality video...
Will this cause any side effects though? Especially the disabling PS 2.0? And if any program having problems because of lack of PS 2.0 how can i understand that it is caused by that?
Yeah. Can't wait until all the people who did this blindly suddenly find many programs stop working properly, then blame Microsoft for "breaking" Windows.
Thank you so much for all of your help over the years! I have come to your site many times to have you you do a very thorough explanation for my issues. Keep up the amazing work you do ...I know you are challenged by Windows problems and take pride in what you do. AMAZING WORK and DEDICATION! One note: I followed your instructions to the letter but was not able to change "Full Language" to "Constrained Language" on my PC. Likely other issues preventing me from doing so. No problem ...I'll take my chances. Thanks so much.
You first bring up a PS window to check the current language status. Later, you use a PS window to check the new language status. If you re-use the original PS window, it reports the *old* language status. If you re-check, I expect that your PC is set to "Constrained Language".
Is there a way to set it to signed scripts only and somehow sign your own scripts with your own separate key without needing Microsoft's approval? I write my own PowerShell scripts for some common stuff and this would just break all of that...
Here's an idea. Open a new tab on your browser and navigate to a website called a "Search Engine". Google is an example... Then, type the following words into the search box _"how to sign powershell script"_and then click "Enter".
Mister ThioJoe , Thanks You for taking all this time to do theses videos and share them with us. You explain really well , with clarity and visual and thats from my perspective....the best way to do it. Hope you receive all the best in you're life my friend.
Here's a tip if u don't want for companies to spy on u:break your pc phone and everything electronic then go on some remote island and then maybe no one will spy on u
Btw, the method you showed doesn't really prevent bypassing the execution policy. If a program like policy plus can easily change the execution policy with admin perms, why wouldn't any other program (with admin rights ofcourse) not be able to just turn it off and run the script it wants. Anyways I'm thinking out of the scope here, because if a program is ran with admin perms, it's just gonna do whatever it wants from the exe itself, there's no point in using a powershell script.
If you are running a program as admin that is bot trustworthy, they dont need to run powershell anymore you just gave them permission to do whatever they want from the program itself
How would changing the execution policy affect a package manager like Chocolatey? I use that because I installed tiny10 on my computer and the Microsoft store just isn't available on that stripped down modded version of Windows 10.
~ 1:47 that was for Windows 11 only it seems. For Windows 10, I had to go to Settings. Type in the search box *windows feature* and select it OR at Settings, go to Aps -> Programs and features -> Turn Windows Features On OR Off.
So in Windows you have to make restrictions for possible programs that you don't even have installed on your system? Imagine if Linux allowed a non-privileged script to download it's own sudo version and automatically gave that new version permission to elevate the scripts privileges. It's clear that "Windows" is the perfect name for it, seen as it's so easy to break it and gain access. While other OS'es build strong walls, Microsoft just decorates with thin glass.
It's not at all like sudo. It's more like disabling bash on Linux (for "security" because a lot of malware runs scripts in bash), then being surprised that people can use dash or ksh instead. Powershell is just a convenient interface for running .Net programs without compiling code. Its security boundary is exactly the same as any random exe. Things that require administrator still require administrator. No version of powershell lets you bypass that.
@@letao12 Not quite. If that was the case there would be no need to restrict it. Bash or any other shell has no permissions outside of the user running it. As such you will gain nothing by switching the shell on Linux. Even if you wanted to provide a shell with additional privileges you would still require those privileges first in order to do so. This is not what is said about Windows in this video.
Honestly, if you don't absolutely need Windows, there's no reason to stay on it at this point. Been daily driving Linux on my personal rig for almost a year now and it's been great.
@@danielberglv259 Powershell doesn't have permissions outside of the user running it either. The video never said it does, and in fact it does not. Please get your facts correct and provide evidence.
It's more like making an open flame a little safer. It's still dangerous if mishandled, and will likely cause a greater fire, but these should help keep the fire from spreading... at the moment.
After doing step 2, the syntax highlighting for PowerShell no longer works. Not really an issue since I don't play in powershell that often, but that's kind of strange.
Important addition: There are a couple of important things to do while you are carrying out these simple operations: 1. Be sure you are facing East 2. Wear your best Wizard Robe, and ensure that you have your tungsten wand close at hand. 3. Hum the Microsoft Loyalty Song quietly throughout the process.
Me who always checks that Nr 2 and 3 are FullLanguage and unrestricted: 👁👄👁 (These 2 quite suck as a Dev, but thanks for Nr 1, never gave that one ever a second thought)
What you could theoretically do is have a separate dev account and personal accounts, and set the “CurrentUser” policy instead of MachinePolicy for each. It still can’t be overridden but I believe applies to each user. I think you could also require AllSigned and just self-sign your scripts and set it as a trusted publisher.
@@cheehuigoh9363 If you set group policies correctly, it should be possible to delay feature updates but not security updates (IIRC, and I only tested this on Win 10)
I think this is excellent advice! And not just for home users, but network and corporate admins should review this information to see if it can apply to their computing environments!
Thank you so much. I am very paranoid, so I only try to visit websites I know. I use ad and cookie blockers, and I also employ one of the best total security applications, along with second opinion scanners. I don't download anything I don't know about. I never use pirated software or games, except for movies that I download sometimes to watch. I am very paranoid because everything on my computer, including my passwords, address, bank card details, and important documents, is crucial to me. I find this channel very helpful. Thanks, man, for your work, and please continue doing what you do.
Downloading movies funny enough is one of the most risky types of pirated download. That is the media more business care and put their money into catching including to smoke out torrents, contact ISPs, mark the downloads and more. You want to do this right, get the movies on DVD.
Thanks so much my man. Its one thing that lets Windows OS down its basic fundamentals like this that should be implemented better in the OS. Keep doing what your doing.
I literally just went through a course for my job, learning about Group Policies. I recently built a new PC and this was golden to keep it safe from the simplest vulnerabilities. Thank you for this easy to follow video.
Is it just me, or his head and neck are different videos from his body? I noticed it on arround 4:40 where his neck overlaps his shirt on the left a bit in a weird way
Can you make an in-depth video about Rectify11? I would love to know something more about its security, influence on performance, uninstallation etc. :))
2:22 and 4:22 If you do these, be sure to keep a good note that you did it, and how to reverse the process, because it will save a lot of headache months later when you try to do something that runs a powershell script and you have no idea why it's not working :) I thought I'd never need to allow powershell scripts, and for a few months it was true, long enough for me to forget I did this :D
Can we have a vid about having windows keep the tags we select in file explorer? Eg: when i need to sort by file TYPE it is quite a tedious process to make it visible. Then the next time u need to sort by file type again u have to manually & tediously reselect it again!
Also this should work on both Windows 10 and 11
Okay
Of course it would sir
followed your tips on my win10 computers and it did exactly as you described ... course I understood about 50% of what you said and have never run a powershell .. so yeah, I feel safer now!
First step mine was 3.0 instead of 2.0, still should remove?
It works on my windows 11 machine
It needs to be said that the Constrained Language will have a large impact on your system ability to run legitimate powershell scripts. I really don't advise this option at all. You should only do this on dedicated computer systems where you know Powershell is not being used as a means to install or manage software or the system itself. This option will otherwise break tools like Chocolatey, the SQL Server installation process, and a lot more. Don't do this on your daily usage computer. There is a lot of Windows software out there that relies on Powershell features for its own maintenance or installation processes.
Thank you for mentioning Chocolatey. I use it and did not think of that watching ThioJoe's video.
If you are not doing any developing with your daily driver Windows, can you list any other common software that would be affected?
@@themadmallard"daily driver Windows"
luckily my daily driver doesn't use windows since it's an old VW Golf
@@neetop1557 That reminds me of an old joke: Can you imagine if your car's software ran on Windows?
@@jstephens2758well it would constantly break down, if it ran on mac it wouldn't break but could only drive on one street and I'd it ran linux it wouldn't crash, but the driver needed to do all the maintenance themselves 😂
One of the best things you can do is enable logging for PowerShell, which is disabled by default for some unholy reason. That way when someone does get past any blocks you set up you or someone else can go back and see what was done.
how do you do that?
How?
How
@@MarcusWagnerBMW at 6:00 you can see options: Module Logging and Script Block Logging, i think those two are responsible for that
@@Aspirinium tysm
Very nice. I've been a programmer for 40 years now and this is something I didn't know. I am retired now so I am not as up to date as I used to be when working in the IT environment.
Fantastic. I've been an IT consultant for 30 years. These are the best Windows informational videos. Thank you so much!!
Thio never dissapoints
But he just did 🤔
he did to many people some years ago
@@KryzysXhe didn’t
@@ag4640 that one overwatch video:
@@denamolio nope
Very useful information. I wish Microsoft took Windows security more seriously. Like why have Powershell 2.0 even enabled by default? Anyone who needs it can just enable it on their own. Massive security risk.
Powershell 7 not respecting settings too
This is one of the best examples of why Win11 was a cash grab. They made such big talk about finally breaking backwards compatibility for the sake of security, but left so many gaping security holes because they didn’t want to break backwards compatibility.
CMD should be gone, it hasn’t been updated in, let me check, 23 years. PS2 should be gone, heck, even the default PS5 should be gone. There’s still ancient services that still exist for archaic programs that can be exploited.
two words: backward compatibility, you'd be surprised how old some companies use.
@@GBR9794 Those people can download/enable it on their own. It should not be enabled by default.
@@GBR9794 let them download it
Method 2, Microsoft's comment: "As part of the implementation of Constrained Language, PowerShell included an environment variable for debugging and unit testing called __PSLockdownPolicy. While we have never documented this, some have discovered it and described this as an enforcement mechanism. This is unwise because an attacker can easily change the environment variable to remove this enforcement. In addition, there are also file naming conventions that enable FullLanguage mode on a script, effectively bypassing Constrained Language."
Really good video, it always amazes me how easy it is to bypass security features in Windows.
Glad it was helpful and thank you! 🙏
@@ThioJoe THANKS for creating & posting this helpful video,
However, after working on it for 2 hours, I wasn't able to accomplish the
3rd setting.
Can you PLEASE help me?
I sincerely appreciate your consideration & attention.
Best regards,
Ben
Thio Joe may not be a driver, but he never fails to deliver 💯💯💥💯
Here, are you Proudly about the Amazon Driver or just Encouraging ThioJoe?
👍
@@TheAndroidGingerbreadGuy ..... 😶 okay!
He ain't pregnant but never fails to deliver 🗿
Daaaaad...
For many years now I've woken up to youtube autoplaying ThioJoe videos. This time no different, I started watching Warhammer videos, fell asleep and now woke up to the voice of Thio. It's almost nostalgic and homely at the same time. Great video as always, will need to check these tips out.
Thio never disapponts at making me tired by waking me up at 3 am
lol
Your videos are always informative and helpful. I especially appreciate that you take the time to put complicated commands in the description so they may be copied and pasted.
Damn it. I knew I should've checked.
@@ninjakiwigames5418 He even said it in the video o.0
He is like Linus, but *actually* helpful.
@@Netsuki I don’t think ThioJoe comes across as egotistical, pompous, or blinded by greed, so it is hard for me to draw the parallel between him and Linus.
@@the_dark_defender That's why I said that he is actually useful (instead of being just a YoUTube celebrite). Linus is well known for technical videos, hence the comparison. Technical UA-camr, but the one that actually helps.
Nice security tips! I wasn't aware of these settings. Thanks!
If only Microsoft had somebody like ThioJoe on the team...
💯
They'd have to pay him too much. :D
Thio would loose his job the first day for removing microsoft edge since its "the best browser ever"
@@dumbfloppa i feel sorry for any microsoft employees then... damn
they have dozens of people more knowledgeable than him
What you forgot to mention @ThioJoe is that this will severely disable the ability to use PowerShell and bug out command history, especially when you set the constrained language option. If you're a PowerShell frequent user I advise against this since it will break both it and its usage.
In such a situation, would Windows alert you to the fact that ps is disabled in an obvious way?
@@themadmallard No. Using even the simplest history keys (eg: up and down) will result in only the commands that you input only in that certain PS session (by that I mean only commands used in that certain window, which will disappear once you close it). Also if you are using `npm` for NodeJs, you'll get error cause using scripts is disabled and/or they are not signed.
The `ConstrictedLanguage` will make most Chocolatey scripts also fail due to the fact that you cannot access object members through the `.` notation.
If you're a developer and you're using PS as a `terminal` you should stay away from this. The only thing which most likely will have no impact is the `disable PS 2`, all the rest will have an impact on the use of PS as a terminal.
@@TheFr33LaNc3 thanks. Would this be more reasonable a setting tweak if the user has never even heard of power shell and is not a dev?
Yes@@themadmallard, it's a decent tweak for people that never use PS.
@@themadmallardfor someone who has never heard of PS it's reasonable to keep the malware gates closed
Thx Thio, this was very helpful. A small adjustment with potential big headache savings. You move so fast on your How To Step by Step. I had to pause your instruction several times.
thats why the pause exists. why wait for people to do it when they can keep the video short and allow the users to pause when they need to
Absolutely Brilliant!! As an I.T engineer, this type of info is invaluable both to myself and my customers. Thank you muchly! Subbed and liked quicker than mouse can click ;)
"You don't have permission..."
I created a "New Folder" in my D drive and named it "Policy Definitions", put it into "Windows:\" and it now magically has a grip of files in it. I can do nothing with it including saving anything to it. I also thought I told my pc, when I first built it, to NEVER claim I am not the administrator and to never ask for one.
It really sucks that we don't get a save direction. I NEVER put anything I can avoid onto my C drive bc it's only 120 gigs. I now see that there's a ton of stuff that I use that can only be on the C drive. I just want to undo the folder but it tells my I am NOT the admin and it somehow got a grip of files put into it when I moved it from the D drive, where I created it, into the C drive. I'm hyper concerned I just screwed something up and cannot complete the Policy Plus/Definitions step. F me!
Thanks!
Thank you as well!🙏
But, if our Computer have some error in booting up and want to open CMD or Powershell, We can't change the Group Policy or Language Policy again and we will be completely stuck! I am thinking to enable these settings only for this reason
You can still use --command and specify a ps1 including a function to get around these still I believe. So you can atill run scripts.
You can call that from a bat file if you cabt run powershell but can run bats so this would still get around it. Even if cmd was disabled from running
There are like a dozen ways around the execution policy in PowerShell. Setting the policy at the machine level does disable some of them but there are always ways around it.
To quote the Microsoft documentation: "The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally."
I also wouldn't mess with the constrained language mode honestly. Lots of legitimate installers and updaters use PowerShell and may need access to the APIs and types that are blocked in ConstrainedLanguage mode.
By all means remove PS 2.0 if you don't need it (should be disabled by default honestly) but the rest is kind of meh advice. I work in cybersecurity and my global execution policy is set to bypass and my language mode is set to Full. What I have done though is setup multiple layers of PowerShell logging so if PowerShell is abused I will know how.
Lots to think about. I use PS (v7.x) scripts to manage two Windows systems, Home (v 10) and Pro (v 11). I configured an execution policy for PS that gave me some peace of mind. But now I realize that peace of mind was unwarranted. It looks like I will have to sign all my scripts after making the necessary security tweaks.
Wow! There are so many giant holes in Windows security. Thank you for this. Subscribed.
Congratulations for 3M subscriber!!!!🎉🎉🎉
Also what happened to the rounded corners, why did you remove them?
Thank you!...again lol..
Instead of wishing I has a friend like you, thanks to UA-cam, I now have a friend like you! Amazingly helpful tips, and you teach/convey it all so well x
Great info! You should do a video on the Microsoft Security Baselines sometime; they have an extensive inventory of useful settings like this and they're from Microsoft themselves. Lots of companies use these as a starting point for securing corporate devices.
Excellent video and walk through of all the relevant steps. I was able to stop and restart the video at various points to ensure I undertook all steps in the relevant sequence outlined. Many, many thanks. And, no I had not heard of all this before and quite agree not entirely bullet proof, the steps go a long way to ensure my computer is as safe as possible.
Very useful information! I appreciated how crystal clear the video is-it’s extremely easy to follow. Thanks!
this video does not specify what versions of windows it applies to. there are different versions of windows...
@@BobBob-nr1zt That’s fair enough. But for those people like me, with Windows 11-admittedly, still, a small percentage of users-it was very clear.
@@jeff__w The video could have been much shorter - and more effective - if it just showed us how to download a bootable Ubuntu ISO onto a USB thumb drive :-)
Thank you so very much. I have followed all the instructions. Your video was very helpful. Thanks a ton. Great Video 👍
life saver in the computer world. great job as always. bonus is thio is really good looking guy.
Thanks for taking time to create this video. Much appreciated 🙂
Joe, I downloaded PS 7 and copied the 2 files. I did not see the 'PowerCore" dropdown in Local Security Policy. But I did find Powershell under Windows Components, and clicked the Disabled button. FYI I have Win10- Pro, so that may be the difference. Been delaying upgrading to Win 11 to allow MS to get the 'bugs' out.
I have the same issue!
Same. I have Windows 11 (trying to figure it out) and can't even find this "Local Security Policy" option, let alone PowerCore. Everything went fine up to that last point.
For me, doesn't the "PowerShell Core" appear in Policy Plus. Any else have this issue/problem?
Note two things;
1. I have my primary language on my PC set to Swedish, because that is my primary language.
2. I haven't restarted my computer, if that is necessary, after you put the files in the Windows directory. (Restart after the files have been copied into the Windows directory, and now you are gonna edit the settings for PowerShell 7 in Policy Plus to disable those settings..)
Must share this to everyone who has a windows pc
Billions of people? No fucking way.
Wada PITA ! ! The PowerShell Core maneuver just sent me over the edge with frustration. It sucks so much we have to deal with this BS & Microsoft couldn't have baked-in a patch to respect existing Policys.
I used to love anything IT & now 20% + of time is either implementing changes like this or chasing the next great preventative measure & by the time I'm done the luster has faded from the heart of a project.
BTW - Nice job & always a thorough & high quality video...
Will this cause any side effects though? Especially the disabling PS 2.0? And if any program having problems because of lack of PS 2.0 how can i understand that it is caused by that?
Yeah. Can't wait until all the people who did this blindly suddenly find many programs stop working properly, then blame Microsoft for "breaking" Windows.
Thank you so much for all of your help over the years! I have come to your site many times to have you you do a very thorough explanation for my issues. Keep up the amazing work you do ...I know you are challenged by Windows problems and take pride in what you do. AMAZING WORK and DEDICATION! One note: I followed your instructions to the letter but was not able to change "Full Language" to "Constrained Language" on my PC. Likely other issues preventing me from doing so. No problem ...I'll take my chances. Thanks so much.
You first bring up a PS window to check the current language status. Later, you use a PS window to check the new language status. If you re-use the original PS window, it reports the *old* language status. If you re-check, I expect that your PC is set to "Constrained Language".
Never enough safety! Thank you.
6:00 POLICY PLUS - does this alleviate the need for Windows Professional Edition? (Group Policy Open Source Add-in.)
Is there a way to set it to signed scripts only and somehow sign your own scripts with your own separate key without needing Microsoft's approval? I write my own PowerShell scripts for some common stuff and this would just break all of that...
Here's an idea. Open a new tab on your browser and navigate to a website called a "Search Engine". Google is an example... Then, type the following words into the search box _"how to sign powershell script"_and then click "Enter".
Mister ThioJoe , Thanks You for taking all this time to do theses videos and share them with us.
You explain really well , with clarity and visual and thats from my perspective....the best way to do it.
Hope you receive all the best in you're life my friend.
Here's a tip if u don't want for companies to spy on u:break your pc phone and everything electronic then go on some remote island and then maybe no one will spy on u
You can sell them instead of breaking and get some cash😅
Google maps got you covered
This comment was sponsored by the Amish
@@Thomas-VA oh shit
@kaushik6371 true but as I see at the end money will spy on you
Hi thank you for being my favorite UA-camr for a long time
Btw, the method you showed doesn't really prevent bypassing the execution policy.
If a program like policy plus can easily change the execution policy with admin perms, why wouldn't any other program (with admin rights ofcourse) not be able to just turn it off and run the script it wants. Anyways I'm thinking out of the scope here, because if a program is ran with admin perms, it's just gonna do whatever it wants from the exe itself, there's no point in using a powershell script.
If you are running a program as admin that is bot trustworthy, they dont need to run powershell anymore you just gave them permission to do whatever they want from the program itself
@@128Gigabytes that's what I said in the comment.....
How would changing the execution policy affect a package manager like Chocolatey? I use that because I installed tiny10 on my computer and the Microsoft store just isn't available on that stripped down modded version of Windows 10.
he never fails to help us secure our computers
~ 1:47 that was for Windows 11 only it seems. For Windows 10, I had to go to Settings. Type in the search box *windows feature* and select it OR at Settings, go to Aps -> Programs and features -> Turn Windows Features On OR Off.
So in Windows you have to make restrictions for possible programs that you don't even have installed on your system? Imagine if Linux allowed a non-privileged script to download it's own sudo version and automatically gave that new version permission to elevate the scripts privileges. It's clear that "Windows" is the perfect name for it, seen as it's so easy to break it and gain access. While other OS'es build strong walls, Microsoft just decorates with thin glass.
It's not at all like sudo. It's more like disabling bash on Linux (for "security" because a lot of malware runs scripts in bash), then being surprised that people can use dash or ksh instead.
Powershell is just a convenient interface for running .Net programs without compiling code. Its security boundary is exactly the same as any random exe. Things that require administrator still require administrator. No version of powershell lets you bypass that.
@@letao12 Not quite. If that was the case there would be no need to restrict it. Bash or any other shell has no permissions outside of the user running it. As such you will gain nothing by switching the shell on Linux. Even if you wanted to provide a shell with additional privileges you would still require those privileges first in order to do so. This is not what is said about Windows in this video.
Honestly, if you don't absolutely need Windows, there's no reason to stay on it at this point.
Been daily driving Linux on my personal rig for almost a year now and it's been great.
@@danielberglv259 Powershell doesn't have permissions outside of the user running it either. The video never said it does, and in fact it does not. Please get your facts correct and provide evidence.
What he said ! 🤣😅😂
Excellent content Thio, any ideas for LoJac? coming our way? thanks in advance.
Thanks also for the context 👍🏻
This is so good! Easy to follow video and thanks for the tips.
Will this cause incopatibility with any program?
Unlikely, and you could temporarily change it back if necessary
@@ThioJoe Oh ok thanks!
@@ThioJoe How do you do that ?
Nice segment. Thank you for posting!
Trying to make windows safer feels like trying to make an open flame waterproof 😢
It's more like making an open flame a little safer. It's still dangerous if mishandled, and will likely cause a greater fire, but these should help keep the fire from spreading... at the moment.
After doing step 2, the syntax highlighting for PowerShell no longer works. Not really an issue since I don't play in powershell that often, but that's kind of strange.
Done doing the 3 steps. Thank you
True..👍
Waoh! I enjoyed how you were able to articulate the instructions clearly. Thanks bro. You're a Godsend
Important addition: There are a couple of important things to do while you are carrying out these simple operations:
1. Be sure you are facing East
2. Wear your best Wizard Robe, and ensure that you have your tungsten wand close at hand.
3. Hum the Microsoft Loyalty Song quietly throughout the process.
That was funny. He goes way over my head on most things. 🤣
Thanks ThioJoe, good explanations and easy to follow (even for a windows Home user) Great job!
Me who always checks that Nr 2 and 3 are FullLanguage and unrestricted: 👁👄👁 (These 2 quite suck as a Dev, but thanks for Nr 1, never gave that one ever a second thought)
What you could theoretically do is have a separate dev account and personal accounts, and set the “CurrentUser” policy instead of MachinePolicy for each. It still can’t be overridden but I believe applies to each user. I think you could also require AllSigned and just self-sign your scripts and set it as a trusted publisher.
You've tought me alot since Ive been watching your channel.. Thanx 👌
I think the most important one is "turn off the auto update to windows 11"
Turning off windows update is the worst thing you can do if you care about security
@@cheehuigoh9363 Don't feed the troll, bro. xD
Luckily win11 not supported on my HW, no need to worry about that.
@@cheehuigoh9363 If you set group policies correctly, it should be possible to delay feature updates but not security updates (IIRC, and I only tested this on Win 10)
@@cheehuigoh9363 nah, Windows update bricked my computer weeks ago, so turning off auto-update is necessary.
I think this is excellent advice! And not just for home users, but network and corporate admins should review this information to see if it can apply to their computing environments!
Unfortunately I'm at school so I can't disable these features now. I'll keep this video in mind so I can watch it when I get home
Mate great community service and well instructed! Thanks
Do NOT run these steps! I couldn't install programs like Epic games.
I think that's a blessing in disguise tbh LOL
@@Tuii You literally couldn’t run any installers… not really a blessing
Thank you so much Thio!
I def have to share it with my friends
Step 1: don't use windows
😂😂
What are you using then
Linux or mac os
They are very complicated operating system compared to windows
A non technically knowledged person or someone new to pc can start only with windows as it is user friendly and very easy to use
Just what I needed, thank you Thio
i think this is great and thank you. I'm learning about coding now and it's good to learn about these means of protections.
Hackers watching this 4:00 be like thank you for the tip.
will this walkthrough break/disable the Windows debloat/privacy scripts?
10:33 I was not able to open my group policy. i searched different methods online to do this. I just couldn't locate it.
Thank you so much. I am very paranoid, so I only try to visit websites I know. I use ad and cookie blockers, and I also employ one of the best total security applications, along with second opinion scanners. I don't download anything I don't know about. I never use pirated software or games, except for movies that I download sometimes to watch. I am very paranoid because everything on my computer, including my passwords, address, bank card details, and important documents, is crucial to me. I find this channel very helpful. Thanks, man, for your work, and please continue doing what you do.
Downloading movies funny enough is one of the most risky types of pirated download. That is the media more business care and put their money into catching including to smoke out torrents, contact ISPs, mark the downloads and more. You want to do this right, get the movies on DVD.
Did all of this when watching your applocker video. Great content man!
Does this just apply to Windows 11? No mention was made of other versions.
From how to speed up your PC troll vid(BIOS Settings) to very useful, helpful tips that everyone needs.
Thanks so much my man. Its one thing that lets Windows OS down its basic fundamentals like this that should be implemented better in the OS. Keep doing what your doing.
Never heard about this, and it was so easy to fix! Thanks Dude!
Thank you Joe these types for videos are so helpful. Keep up the good work.
This is real research not just parroting other, subscribed
🤔🤔On my laptop for the 2nd settings i have follow all the instructions but it shows full language again!!??
Thank you for your great channel! ❤
I literally just went through a course for my job, learning about Group Policies. I recently built a new PC and this was golden to keep it safe from the simplest vulnerabilities. Thank you for this easy to follow video.
Thank you ThioJoe I appreciate the tips!
Is it just me, or his head and neck are different videos from his body?
I noticed it on arround 4:40 where his neck overlaps his shirt on the left a bit in a weird way
10:36 Restart of Local Group Policy Editor required for "PowerShell Core" folder to appear.
yeah also, I did not unzip the PS7 in C drive just on Desktop and have no access to another tab to be able to apply to the Policy Definitions
Can you make an in-depth video about Rectify11? I would love to know something more about its security, influence on performance, uninstallation etc. :))
3:27 Below "system variables" the options new-edit-delete are not enabled.
I had no idea about this but I got it all set up now thanks very much.
How would this affect the use of things such as Christ Titius' Window DeBloat and Configuration Script?
Does removing and restricting PowerShell break any apps for the average user?
Great public service tutorial, thanks!
Will these changes stop me from running a script for auto updating windows firewall? Thanx loved the video
2:22 and 4:22 If you do these, be sure to keep a good note that you did it, and how to reverse the process, because it will save a lot of headache months later when you try to do something that runs a powershell script and you have no idea why it's not working :)
I thought I'd never need to allow powershell scripts, and for a few months it was true, long enough for me to forget I did this :D
Are you using Adobe Podcast's Enhance Speech?
Right off, I need to get to Turn Windows Feature On or Off. Your explanation at the very start was lacking.....Can you please advise ? Thanks.
Theo have you discussed Intel VMD and that's why the drives don't show up when reloading windows.
Can we have a vid about having windows keep the tags we select in file explorer? Eg: when i need to sort by file TYPE it is quite a tedious process to make it visible. Then the next time u need to sort by file type again u have to manually & tediously reselect it again!