diff --git a/reference/7.6/Microsoft.PowerShell.Core/About/about_Remote_Requirements.md b/reference/7.6/Microsoft.PowerShell.Core/About/about_Remote_Requirements.md index 2c07dddf7d17..aac25d1e5dc4 100644 --- a/reference/7.6/Microsoft.PowerShell.Core/About/about_Remote_Requirements.md +++ b/reference/7.6/Microsoft.PowerShell.Core/About/about_Remote_Requirements.md @@ -1,7 +1,7 @@ --- description: Describes the system requirements and configuration requirements for running remote commands in PowerShell. Locale: en-US -ms.date: 07/03/2023 +ms.date: 08/18/2025 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_remote_requirements?view=powershell-7.6&WT.mc_id=ps-gethelp schema: 2.0.0 title: about_Remote_Requirements @@ -49,7 +49,7 @@ computers must have the following: - Windows Remote Management 2.0 To be fully supported, you should be using WMF 5.1. For more information about -WMF support, see [Windows Management Framework (WMF)][02]. +WMF support, see [Windows Management Framework (WMF)][03]. You can create a remote session between a computer running Windows PowerShell 2.0 and one running a newer version of PowerShell. However, features that run @@ -90,7 +90,7 @@ configurations with different security descriptors. Users can use the different endpoints. For more information about session configurations, see -[about_Session_Configurations][07]. +[about_Session_Configurations][08]. ## Windows network locations @@ -190,7 +190,11 @@ Id Name ComputerName State ConfigurationName 1 Session1 localhost Opened Microsoft.PowerShell ``` -If the command fails, see [about_Remote_Troubleshooting][04]. +If the command fails, see [about_Remote_Troubleshooting][05]. + +The PowerShell Remoting Protocol (PSRP) requires a secure transport layer for +secure data transfer. For more information, see _Secure data transfer in +PowerShell remoting_ section of [PowerShell security features][02]. ## Understand policies 
@@ -204,21 +208,22 @@ policies on the remote computer are in effect. ## See also -- [about_Remote][06] -- [about_Remote_Variables][05] -- [about_PSSessions][03] -- [Invoke-Command][09] -- [Enter-PSSession][08] -- [New-PSSession][10] +- [about_Remote][07] +- [about_Remote_Variables][06] +- [about_PSSessions][04] +- [Invoke-Command][10] +- [Enter-PSSession][09] +- [New-PSSession][11] [01]: /powershell/scripting/learn/remoting/ssh-remoting-in-powershell-core -[02]: /powershell/scripting/windows-powershell/wmf/overview -[03]: about_PSSessions.md -[04]: about_Remote_Troubleshooting.md -[05]: about_Remote_Variables.md -[06]: about_Remote.md -[07]: about_Session_Configurations.md -[08]: xref:Microsoft.PowerShell.Core.Enter-PSSession -[09]: xref:Microsoft.PowerShell.Core.Invoke-Command -[10]: xref:Microsoft.PowerShell.Core.New-PSSession +[02]: /powershell/scripting/security/security-features#secure-data-transfer-in-powershell-remoting +[03]: /powershell/scripting/windows-powershell/wmf/overview +[04]: about_PSSessions.md +[05]: about_Remote_Troubleshooting.md +[06]: about_Remote_Variables.md +[07]: about_Remote.md +[08]: about_Session_Configurations.md +[09]: xref:Microsoft.PowerShell.Core.Enter-PSSession +[10]: xref:Microsoft.PowerShell.Core.Invoke-Command +[11]: xref:Microsoft.PowerShell.Core.New-PSSession diff --git a/reference/docs-conceptual/security/security-features.md b/reference/docs-conceptual/security/security-features.md index 550a28eaa55d..7dc199182945 100644 --- a/reference/docs-conceptual/security/security-features.md +++ b/reference/docs-conceptual/security/security-features.md @@ -1,6 +1,6 @@ --- description: PowerShell has several features designed to improve the security of your scripting environment. -ms.date: 05/22/2025 +ms.date: 08/18/2025 title: PowerShell security features --- # PowerShell security features 
@@ -92,6 +92,45 @@ The creation and publishing of the SBOM is the first step to modernize Federal G cybersecurity and enhance software supply chain security. For more information about this initiative, see the blog post [Generating SBOMs with SPDX at Microsoft][11]. +## Secure data transfer in PowerShell remoting + +Prior to PowerShell v7.6-preview5, a `Session_Key` is used to encrypt a **SecureString** before +sending it a PowerShell remote session. The PowerShell Remoting Protocol (PSRP) performs a +key exchange between client and server when a `SecureString` object needs to be +transferred. The exchange involves the following steps: + +1. The client side generates a public/private key pair and sends the public key to the server. +1. The server generates a session key for symmetric encryption. +1. The server uses the public key to encrypt the session key and sends it to the client. +1. Both the client and server use the new session key to encrypt a **SecureString** object. + +The PowerShell Remoting Protocol (PSRP) uses the `RSAEncryptionPadding.Pkcs1` algorithm during the +key exchange. The algorithm is **NOT** secure, so the key exchange doesn't provide any extra +security. + +> [!IMPORTANT] +> You must use a secure transport layer to ensure secure data transfer over PSRP. + +Beginning in PowerShell v7.6-preview5, the key exchange was deprecated. The version of PSRP was +incremented to v2.4 and includes the following changes: + +- The following PSRP messages are deprecated when both client and server are v2.4 or higher: + + - PUBLIC_KEY + - PUBLIC_KEY_REQUEST + - ENCRYPTED_SESSION_KEY + +- The encryption and decryption steps for `SecureString` are skipped when both client and server are + v2.4 or higher. + +This change is backward compatible. + +- For old clients or servers (v2.3 or lower), the key exchange is still used when needed. +- PSRP can use a named pipe remote sessions when both client and server are on the same machine. 
+ Since it's possible for a remote client to connect to named pipe and the data is no longer + encrypted with a session key, the named pipe (used for `Enter-PSHostProcess`) rejects the remote + client. + ## Security Servicing Criteria PowerShell follows the [Microsoft Security Servicing Criteria for Windows][12]. Only security
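Review bot: in the about_Remote_Requirements.md hunk at `@@ -190,7 +190,11 @@`, the new cross-reference sentence drops an article: "see _Secure data transfer in PowerShell remoting_ section of" should read "see the _Secure data transfer in PowerShell remoting_ section of". Since this paragraph is the only place the requirements article says PSRP needs a secure transport, consider also stating here what qualifies (for example SSH remoting, which the article already links as [01]) instead of leaving "secure transport layer" undefined until the reader follows the link.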
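Review bot: in the security-features.md hunk at `@@ -92,6 +92,45 @@`, the sentence "The PowerShell Remoting Protocol (PSRP) uses the `RSAEncryptionPadding.Pkcs1` algorithm during the key exchange. The algorithm is **NOT** secure" misstates what is weak: `RSAEncryptionPadding.Pkcs1` names a padding mode (PKCS#1 v1.5), not an algorithm, and the listed steps contain no authentication of the client's public key, so on an unprotected transport an on-path party can substitute its own key. Say that plainly, because it is the actual reason for the "You must use a secure transport layer" note. Several wording points in the same hunk: "before sending it a PowerShell remote session" is missing "to"; "a `Session_Key` is used" should be past tense to match "Prior to PowerShell v7.6-preview5"; the type is formatted both as **SecureString** and `SecureString`, pick one; "PSRP can use a named pipe remote sessions" should read "named pipe for remote sessions"; "connect to named pipe" needs "the". For "The following PSRP messages are deprecated when both client and server are v2.4 or higher", state whether they are no longer sent or also no longer accepted, since "deprecated" leaves both readings open. Finally, the last bullet reads as if the named pipe always rejected remote clients; clarify that the rejection exists because the session-key encryption is skipped, and define "remote client" (a client on a different machine).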