🛡️ Disable Windows Script Host (WSH) for Better Endpoint Protection Using Intune

Windows Script Host (WSH) has been a part of the Windows operating system since the late 1990s, providing the ability to run VBScript and JScript files. While it serves some legacy administrative and scripting purposes, WSH is rarely used in modern enterprise environments and is frequently exploited in cyberattacks.

In this post, I’ll walk you through:

  • ✅ Why disabling WSH improves security

  • ✅ How to disable WSH using Intune PowerShell scripts

  • ✅ A step-by-step guide with screenshots


1 - Why You Should Disable Windows Script Host (WSH) ❓

WSH enables execution of .vbs and .js scripts, which attackers often leverage to:

  • Deliver ransomware payloads

  • Drop additional malware

  • Bypass traditional antivirus tools

  • Run fileless malware directly in memory

📌 Most modern organizations no longer use WSH for legitimate purposes. Leaving it enabled unnecessarily increases your attack surface.

Disabling WSH helps block many common phishing and malware-based attacks, especially those embedded in malicious email attachments or delivered via compromised websites.


2 - Disable WSH via Microsoft Intune

To deploy this security setting across your Windows 10 and 11 devices, we will use Intune PowerShell scripts.

The following registry modification disables WSH system-wide. Save it as a .ps1 file; we will upload it in the Intune configuration section below:
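The post's own script is not reproduced on this page. As an added example (not the author's script), the following PowerShell writes the value the post describes, Enabled = 0 under the standard WSH settings key HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, into both the 64-bit and 32-bit registry views so the result does not depend on which PowerShell host Intune launches, then verifies the value and returns a non-zero exit code on failure so Intune reports the script as failed.

```powershell
# Added example, not the post's script: disable Windows Script Host system-wide
# by setting HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled = 0.
# Run as SYSTEM (Intune platform script, "logged on credentials: No").

$subKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-WshEnabled {
    param([Microsoft.Win32.RegistryView]$View, [int]$Value)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    # CreateSubKey creates the key when it does not exist yet.
    $key = $base.CreateSubKey($subKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree)
    $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

function Get-WshEnabled {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    $key = $base.OpenSubKey($subKey)
    if ($null -eq $key) { $base.Close(); return $null }   # key absent = WSH enabled
    $v = $key.GetValue('Enabled', $null)
    $key.Close(); $base.Close()
    return $v
}

# Write both views: a 32-bit host would otherwise only reach Wow6432Node,
# leaving 64-bit wscript.exe/cscript.exe reading the untouched native key.
$views = @([Microsoft.Win32.RegistryView]::Registry64,
           [Microsoft.Win32.RegistryView]::Registry32)
foreach ($view in $views) { Set-WshEnabled -View $view -Value 0 }

# Verify; Intune treats a non-zero exit code as a failed script run.
$failed = $false
foreach ($view in $views) {
    $current = Get-WshEnabled -View $view
    if ($current -ne 0) {
        Write-Output "WSH still enabled in $view view (Enabled = $current)"
        $failed = $true
    } else {
        Write-Output "WSH disabled in $view view (Enabled = 0)"
    }
}
if ($failed) { exit 1 }
exit 0
```

To roll the setting back on a test group, deploy the same script with `-Value 1` (or delete the value), since Intune does not undo registry changes when a script assignment is removed.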


3 - Step-by-Step Deployment with Microsoft Intune

Go to the Microsoft Intune Admin Center

  1. Navigate to: https://intune.microsoft.com

  2. Click Devices

  3. Select Scripts and Remediations

  4. Select the Platform scripts tab

  5. Click + Add > Windows 10 and later

Configure Script Basics

  1. Enter a name like: Disables Windows Script Host

  2. Optional: Add a description

  3. Click Next

Upload the PowerShell Script

  1. Upload your .ps1 script file

  2. Configure the settings as follows:

  • Run this script using the logged on credentials: No

  • Enforce script signature check: No

  • Run script in 64-bit PowerShell Host: No

Click Next

Assign to Device Groups

  1. Assign the script to All devices or a specific group of your choice

  2. Click Next

Review + Create

  1. Review your configuration

  2. Click Create to deploy


4 - Result

Once deployed, this script ensures that WSH is disabled via the registry on all targeted Windows devices. Users (or malware) attempting to run .vbs or .js files will receive an error such as:

"Windows Script Host access is disabled on this machine. Contact your administrator for details."

If we open the registry path used in the PowerShell script above, we will see a new value named "Enabled" set to 0.


🔒 Final Thoughts

Disabling WSH is a simple yet powerful way to reduce attack vectors across your Windows fleet. Combined with other hardening measures (ASR rules, Smart App Control, etc.), this policy adds a layer of protection against script-based threats.

🔁 Roll it out with confidence using Intune and stay one step ahead of attackers.

Thanks


Aymen EL JAZIRI

System Administrator

Michael Lichtenberger

Senior System Administrator & IT-Technician

1mo

Again such an interesting article. Thank you Aymen E. 🙏🏻

John Delise

Semi-retired. Open to 100% Remote Only Contracts, Staff Augmentation in the following areas: | Windows Application Packager | Windows Deployment Engineer | Microsoft Endpoint Management

2mo

Although most companies no longer use WScript and the associated script languages, VBScript and JScript, the number is not zero. Therefore, before implementing enterprise-wide, careful testing is necessary to identify any line-of-business legacy applications that may still be in production. Fortunately, your solution can be used to target selective groups of devices for testing. Although the image deployment system, MDT, is appreciated, it is still widely used by many companies and utilizes VBScript. Additionally, it is used by HTA, which are scarce apps, but you never say never.

One question: If you applied the policy in testing, did you discover an app that required a script? Having a policy to reverse the change might be prudent to have ready. Do you know if disabling the original policy automatically reinstates the default setting? This ChatGPT response below indicates that it would not.

What happens when you disable or remove a Custom OMA-URI policy? Disabling or deleting a Custom OMA-URI does NOT revert the registry setting to its previous value. Intune does not "roll back" registry changes made via Custom OMA-URI unless you explicitly create a new policy to undo the change.