Microsoft could disable VBScript in upcoming Windows 11 24H2 and 25H2 updates, with an official guide available

Microsoft’s Feature Deprecation: Understanding the Latest Changes

Microsoft periodically phases out certain features across its applications, a strategy the company asserts ultimately benefits users. This year alone has witnessed numerous announcements regarding the end-of-life for various functionalities, including the Bing Search APIs and several features within the Edge browser.

Significant Changes to Windows Drivers and Tools

Recent announcements included the termination of Windows Device Metadata and the Windows Metadata and Internet Services (WMIS), alongside the discontinuation of an Excel feature deemed unworthy of ongoing support. This structured approach illustrates Microsoft’s commitment to standardizing security features across its platforms.

The Decline of VBScript

Another noteworthy point is the impending removal of VBScript. Initially flagged for deprecation in May 2023, Microsoft officially confirmed its phased withdrawal in October. It is important to clarify that a deprecation announcement does not equate to an immediate removal; instead, it signals a transition period for organizations relying on this functionality.

Understanding the Deprecation Process

The deprecation process entails several timelines that allow users to adapt. In May 2024, Microsoft outlined a roadmap divided into three phases. Currently, VBScript remains enabled by default as a Feature on Demand (FOD).

Projected Timeline for VBScript Removal

Complicating matters, Microsoft has indicated that VBScript could stop being enabled by default as a FOD as early as Windows 11, version 24H2 or 25H2, with further amendments anticipated in upcoming Windows updates in 2026 and 2027. Recently, Microsoft shared new insights on this matter:

At the current deprecation phase of VBScript, it’s available as a feature on demand (FOD) and is enabled by default in Windows 11, version 24H2. Before VBScript is disabled by default on these and future OS versions, it’s critical that you identify where and how vbscript.dll is still being used within your enterprise environment.

Proactive Measures for Enterprises

Given the possibility of VBScript being disabled earlier than expected, Microsoft urges companies to proactively disable VBScript features on Windows 11. This guidance includes identifying where VBScript is integrated within their systems to ensure a smooth transition away from its usage.

Detection Mechanisms for VBScript

Microsoft has outlined four specific methods to help enterprises locate instances of VBScript in their workflows. Among the recommendations is the use of Microsoft’s Sysmon (System Monitor) utility for tracking VBScript DLLs and analyzing dependencies linked to Group Policy and PowerShell scripts.
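The Sysmon approach mentioned above can be turned into a usage inventory by summarizing which processes load vbscript.dll. The following is an added example, not Microsoft's script: it assumes Sysmon is configured to log ImageLoad events (Event ID 7), and the function name and sample events are constructed for illustration.

```powershell
# Added example, not Microsoft's script. Get-VbscriptLoadSummary is a hypothetical name.
# Input: Sysmon Event ID 7 (ImageLoad) records as XML strings.
function Get-VbscriptLoadSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $hits = foreach ($text in $EventXml) {
        $evt = ([xml]$text).Event
        if ([int]$evt.System.EventID -ne 7) { continue }
        # Flatten the <Data Name="..."> elements into a lookup table
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Match the DLL by file name so the SysWOW64 copy is counted too
        if ($data['ImageLoaded'] -match '\\vbscript\.dll$') {
            [pscustomobject]@{ Computer = $evt.System.Computer; Process = $data['Image'] }
        }
    }
    if (-not $hits) { return }
    # One row per host and loading process, busiest first
    $hits | Group-Object Computer, Process | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Computer'; e = { $_.Group[0].Computer } },
                             @{ n = 'Process';  e = { $_.Group[0].Process } }
}

# Constructed sample events (not real telemetry), reduced to the fields used here
$rows = @(
    @(7, 'PC-01', 'C:\Windows\System32\wscript.exe', 'C:\Windows\System32\vbscript.dll'),
    @(7, 'PC-01', 'C:\Windows\System32\wscript.exe', 'C:\Windows\System32\vbscript.dll'),
    @(7, 'PC-02', 'C:\Windows\System32\msiexec.exe', 'C:\Windows\SysWOW64\vbscript.dll'),
    @(7, 'PC-02', 'C:\Windows\System32\cscript.exe', 'C:\Windows\System32\jscript.dll'),
    @(1, 'PC-02', 'C:\Windows\System32\cmd.exe',     '')
)
$sample = foreach ($r in $rows) {
    "<Event><System><EventID>$($r[0])</EventID><Computer>$($r[1])</Computer></System>" +
    "<EventData><Data Name='Image'>$($r[2])</Data>" +
    "<Data Name='ImageLoaded'>$($r[3])</Data></EventData></Event>"
}
Get-VbscriptLoadSummary -EventXml $sample

# Against a live log, feed it real events instead:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#       ForEach-Object { $_.ToXml() }
```

Processes such as msiexec.exe in the output point to installers with VBScript custom actions, which is where the MSI scan further down applies.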

PowerShell Scripts for Scanning

To facilitate this transition, Microsoft has provided practical PowerShell scripts. Below is a script that can scan for VBScript files on the system:

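    # Folders to search and the per-host CSV that receives the findings
    $pathsToScan = @("C:\Users", "C:\ProgramData", "C:\Scripts")
    $logPath = "C:\VBSScriptScan\VbsFiles_$(hostname).csv"
    # Collect every .vbs file under each folder that exists on this machine
    $results = foreach ($path in $pathsToScan) {
        if (Test-Path $path) {
            Get-ChildItem -Path $path -Filter *.vbs -Recurse -ErrorAction SilentlyContinue |
                Select-Object FullName, LastWriteTime, Length
        }
    }
    # Save the findings to $logPath, creating the folder if needed
    New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
    $results | Export-Csv -Path $logPath -NoTypeInformation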

Additionally, another PowerShell script aids in detecting VBScript embedded within Microsoft Installer (MSI) packages:

    Get-ChildItem -Path "C:\MSIRepo" -Recurse -Filter *.msi | ForEach-Object {
        $msiPath = $_.FullName
        $sql = "SELECT * FROM CustomAction"
        # Open the package read-only through the Windows Installer COM object
        $installer = New-Object -ComObject WindowsInstaller.Installer
        $database = $installer.GetType().InvokeMember("OpenDatabase", "InvokeMethod", $null, $installer, @($msiPath, 0))
        $view = $database.OpenView($sql)
        $view.Execute()
        $record = $view.Fetch()
        while ($record -ne $null) {
            $actionName = $record.StringData(1)
            $actionType = [int]$record.StringData(2)
            # VBScript custom action base types are 6, 22, 38 and 54;
            # type 50 launches an EXE named by a property
            if ($actionType -in 6, 22, 38, 54) {
                Write-Output "⚠ VBScript Custom Action: $actionName in $msiPath"
            }
            $record = $view.Fetch()
        }
    }
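The MSI script above compares each custom action's Type against a fixed list of exact values, but Type is a bit field and installers commonly add option flags (0x40 and above) to the base type. The following added example, which is not Microsoft's script and uses hypothetical function names, decodes the field with bit masks as described in the Windows Installer documentation and tolerates packages that have no CustomAction table.

```powershell
# Added example, not Microsoft's script; function names are hypothetical.
# CustomAction.Type is a bit field: bits 0x07 give the action kind (6 = VBScript),
# bits 0x30 give where the code lives, and 0x40 and above are option flags.
function ConvertFrom-MsiActionType {
    param([Parameter(Mandatory)][int]$Type)
    $source = switch ($Type -band 0x30) {
        0x00 { 'Binary table stream' }
        0x10 { 'File installed with the product' }
        0x20 { 'Script text in the Target column' }
        0x30 { 'Script text held in a property' }
    }
    [pscustomobject]@{
        Type       = $Type
        BaseType   = $Type -band 0x3F
        IsVBScript = (($Type -band 0x07) -eq 6)
        Source     = $source   # wording applies to script actions
    }
}

function Get-MsiVbscriptAction {
    param([Parameter(Mandatory)][string]$MsiPath)
    # Late-bound COM call helper, the same InvokeMember approach the script above uses
    $call = { param($o, $name, $kind, $a) $o.GetType().InvokeMember($name, $kind, $null, $o, $a) }
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        $db   = & $call $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)
        $view = & $call $db 'OpenView' 'InvokeMethod' @('SELECT * FROM CustomAction')
        $null = & $call $view 'Execute' 'InvokeMethod' $null
        while ($null -ne ($rec = & $call $view 'Fetch' 'InvokeMethod' $null)) {
            $name    = & $call $rec 'StringData' 'GetProperty' @(1)
            $decoded = ConvertFrom-MsiActionType -Type ([int](& $call $rec 'StringData' 'GetProperty' @(2)))
            if ($decoded.IsVBScript) {
                [pscustomobject]@{ Msi = $MsiPath; Action = $name; Type = $decoded.Type; Source = $decoded.Source }
            }
        }
    } catch {
        # A package with no CustomAction table makes OpenView throw; report and move on
        Write-Warning "Could not read CustomAction from ${MsiPath}: $($_.Exception.Message)"
    }
}

# Constructed Type values: 6, 22, 38, 54 are the four VBScript base types; 50 is an EXE action;
# 1094 is type 6 plus option flags, which an exact comparison against 6 would miss.
6, 22, 38, 54, 50, 1094 | ForEach-Object { ConvertFrom-MsiActionType -Type $_ } | Format-Table
```

To scan a repository, pipe the package paths in, for example `Get-ChildItem C:\MSIRepo -Recurse -Filter *.msi | ForEach-Object { Get-MsiVbscriptAction -MsiPath $_.FullName }`.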

Steps to Disable VBScript

Once VBScript usage has been identified within enterprise systems, Microsoft recommends disabling it with the following Deployment Image Servicing and Management (DISM) command:

    Dism /Online /Remove-Capability /CapabilityName:VBSCRIPT~~~~

This command can be deployed through Microsoft Intune, GPO Startup Scripts, or Microsoft Configuration Manager across your organization.

Executing this command will prevent all processes from utilizing VBScript, leading either to silent failures or error notifications. For further insights, see Microsoft’s detailed blog post on this topic.
