Windows PowerShell 5.1 now stops and asks for confirmation before it will parse web pages in a way that could execute scripts found in that content — a safety-first change that will affect interactive use and any automation that previously relied on the old, IE‑backed HTML DOM parsing behavior.
Windows updates released on and after December 9, 2025 change the default behavior of Invoke‑WebRequest in PowerShell 5.1 so that, when no explicit parsing mode is chosen, PowerShell pauses and displays a security confirmation prompt warning that parsing the page may run scripts found in the page. The default, safe option cancels the operation; if you accept the risk you can continue and allow legacy parsing. Microsoft’s guidance is to use the -UseBasicParsing switch for non‑interactive workflows and to refactor code that depends on full DOM parsing for long‑term safety. This article explains what changed, why Microsoft implemented the prompt, the practical impact on interactive and automated workflows, concrete remediation steps for admins and scripters, and longer‑term migration options to avoid dependency on obsolete IE‑based parsing. It also highlights real risks and common pitfalls that administrators should test for before wide deployment.
PowerShell is a powerful automation tool; this update forces a safer default when consuming web content — a change that reduces attack surface at the cost of predictable, manageable migration work for automation owners. Prioritize inventory, apply -UseBasicParsing where DOM parsing isn’t required, and plan a staged refactor or PowerShell 7 migration for the remaining cases.
Source: Microsoft Support PowerShell 5.1: Preventing script execution from web content - Microsoft Support
Overview
Windows updates released on and after December 9, 2025 change the default behavior of Invoke‑WebRequest in PowerShell 5.1 so that, when no explicit parsing mode is chosen, PowerShell pauses and displays a security confirmation prompt warning that parsing the page may run scripts found in the page. The default, safe option cancels the operation; if you accept the risk you can continue and allow legacy parsing. Microsoft’s guidance is to use the -UseBasicParsing switch for non‑interactive workflows and to refactor code that depends on full DOM parsing for long‑term safety. This article explains what changed, why Microsoft implemented the prompt, the practical impact on interactive and automated workflows, concrete remediation steps for admins and scripters, and longer‑term migration options to avoid dependency on obsolete IE‑based parsing. It also highlights real risks and common pitfalls that administrators should test for before wide deployment.Background: how Invoke‑WebRequest parsed pages before
The old model (PowerShell 5.1 and earlier)
Historically, when you used Invoke‑WebRequest without opting into basic parsing, PowerShell 5.1 attempted to populate a DOM object (the ParsedHtml property) using the Internet Explorer engine (mshtml). That approach offered a convenient DOM-like object model accessible from PowerShell, but it carried two structural problems:- It relied on an Internet Explorer component that is deprecated and fragile on modern systems.
- DOM population can cause execution of page scripts (or trigger first‑run IE dialogs), creating a trust boundary where untrusted web content could lead to code execution consequences.
The safe alternative: -UseBasicParsing
The -UseBasicParsing switch instructs Invoke‑WebRequest to not attempt DOM parsing with the IE engine. Instead it returns raw content, headers, status codes and simple properties without executing or loading scripts from web pages. Historically it was a quick workaround for server‑core environments (or when IE hadn’t been initialized for the account running the script), and in PowerShell Core (6+) basic parsing is the default. Microsoft now recommends using -UseBasicParsing as the safe default in PowerShell 5.1 scripts.What Microsoft changed (concise summary)
- PowerShell 5.1 will now display a security prompt during Invoke‑WebRequest calls that would otherwise trigger DOM parsing with the IE engine, warning that script code might execute during parsing. The default answer is to cancel.
- Interactive users can opt in to legacy behavior by confirming the prompt (not recommended for untrusted pages). For automation, Microsoft recommends explicitly specifying safe parameters so the prompt does not block non‑interactive runs.
- The single recommended mitigation for existing scripts is to update Invoke‑WebRequest invocations to include -UseBasicParsing; for code that truly needs DOM features, refactor to safer parsing libraries or migrate to PowerShell 7+ which avoids IE altogether.
Practical impact: interactive sessions vs. automated scripts
Interactive sessions (admins, pundits, one‑liners)
- You will see a one‑time prompt when running Invoke‑WebRequest without specifying parsing mode. Pressing Enter (or choosing No) cancels the operation; choosing Yes resumes legacy parsing. This is intentional — it forces a conscious decision when the session would allow DOM parsing of potentially hostile content.
- For frequent interactive tasks where DOM parsing is unnecessary, make a habit of adding -UseBasicParsing to your commands or set a session default (see below). This preserves the convenience of the response object’s essential fields while avoiding script execution risks.
Automated scripts, scheduled tasks, CI/CD pipelines
- Scripts that run unattended will hang on the security prompt unless updated. Microsoft explicitly warns that this prompt will stop non‑interactive runs if the script does not pre‑select a safe behavior. Administrators must update scripts to include -UseBasicParsing or implement a different parsing solution.
- The required change is typically a one‑line edit: add -UseBasicParsing to every Invoke‑WebRequest call that does not require the ParsedHtml DOM. For scripts that do require DOM features, plan a refactor or migration (see the migration section).
Immediate remediation steps (checklist for sysadmins)
- Inventory scripts that call Invoke‑WebRequest.
- Search repositories, scheduled tasks, and automation platforms for Invoke‑WebRequest usage.
- Prioritize automation runs and service‑account scripts where a prompt could hang execution.
- Quick fix for simple downloads / text retrieval:
- Add -UseBasicParsing to the Invoke‑WebRequest call.
- Example: Invoke‑WebRequest -Uri 'https://example.com/data' -OutFile 'C:\temp\data.html' -UseBasicParsing
- If you must preserve DOM parsing in a trusted, interactive context:
- Leave user workflows to explicitly consent to the prompt when they intentionally run interactive DOM parsing; do not automate consent.
- Document trusted sites and limit usage to internal, controlled endpoints.
- For session‑wide convenience (temporary): set a default parameter for the current session or profile so -UseBasicParsing is applied automatically:
- Example (session or add to user profile):
$PSDefaultParameterValues['Invoke-WebRequest:UseBasicParsing'] = $true - This ensures every Invoke‑WebRequest call in that session uses basic parsing unless explicitly overridden. Persist that line in your $PROFILE to make it permanent for that account.
- Test changes in a staging environment before rolling to production.
- Validate that the script’s downstream logic does not depend on properties that exist only when DOM parsing is used (such as .ParsedHtml or .Images). If they do, refactor (next section).
When -UseBasicParsing is not enough: refactor paths
If your code relies on DOM features — for example to populate form fields, query complex HTML nodes, or interact with scripts/forms in the page — you have three safe, supported alternatives:- Modernize to PowerShell 7+ (PowerShell Core): its web cmdlets use basic parsing by default and do not depend on Internet Explorer, eliminating the IE‑based attack surface. Microsoft calls out that PowerShell 7 already defaults to safe parsing.
- Use a dedicated HTML parsing library:
- HtmlAgilityPack (via .NET) or AngleSharp are well‑known, robust HTML parsers that do not execute scripts. The pattern is: fetch raw content with Invoke‑WebRequest (or Invoke‑RestMethod), then parse it with a library that treats HTML as data rather than executable code.
- Rework automation to use APIs:
- If the web service exposes an API (REST/JSON), switch to Invoke‑RestMethod or direct HTTP libraries and parse JSON responses. Where possible, prefer API endpoints to scraped HTML — they are less fragile and inherently safer.
Concrete examples and patterns
Simple download (safe)
- Before (might trigger prompt):
Invoke-WebRequest -Uri 'https://example.com/file.zip' -OutFile 'C:\temp\file.zip' - After (explicit safe mode):
Invoke-WebRequest -Uri 'https://example.com/file.zip' -OutFile 'C:\temp\file.zip' -UseBasicParsing
Session default (convenience, add to profile)
- Add this to the user or service account profile to make basic parsing automatic for Invoke‑WebRequest in that session:
$PSDefaultParameterValues['Invoke‑WebRequest:UseBasicParsing'] = $true
(Persist the same line in $PROFILE to apply it every time that account starts PowerShell.
When DOM is required (refactor pattern)
- Fetch raw HTML safely:
$resp = Invoke-WebRequest -Uri 'https://intranet.example.local/page' -UseBasicParsing - Parse with a library (pseudocode):
$doc = [HtmlAgilityPack.HtmlDocument]::new
$doc.LoadHtml($resp.Content)
$node = $doc.DocumentNode.SelectSingleNode("//div[@id='data']")
Operational guidance for enterprises
- Run a short discovery sweep: find all occurrences of Invoke‑WebRequest across codebases and scheduled job definitions, and classify them by whether they need DOM parsing. Use source control search and configuration management data to accelerate discovery.
- Treat the update as a breaking‑change window for legacy scraping code. Plan test cycles and contact module maintainers for third‑party code that relies on ParsedHtml.
- Use group policy / configuration management to roll the PowerShell update to a test ring first, then to production once scripts have been adapted. Microsoft’s support guidance explicitly positions this change as a security hardening and recommends staged rollout.
- Consider blocking mshta.exe or restricting script interpreters in higher‑risk environments and instead provide approved service accounts and hardened automation hosts with controlled profiles for tasks that must interact with trusted HTML only. This aligns with broader PowerShell hardening guidance from the PowerShell team.
Known edge cases and migration pain points
- First‑run Internet Explorer prompts: some service accounts or system contexts have never completed the IE first‑run config. Legacy Invoke‑WebRequest calls could previously produce those dialogs; -UseBasicParsing avoids that, but scripts depending on IE session artifacts will break. This is common in SQL Agent jobs and system service contexts. Test service accounts explicitly.
- Differences in returned object model: switching to -UseBasicParsing changes what properties the cmdlet returns. Scripts that access .ParsedHtml, .Images, or similar DOM‑derived properties will no longer find them. Expect to modify subsequent code that relied on those properties.
- Some legacy internal tools may have been written around behaviors that implicitly relied on scripts running during parsing. Those tools should be refactored or run in a strictly controlled, manual way where the prompt’s confirmation is acceptable. Microsoft warns against re‑enabling legacy parsing broadly.
- Bugs and inconsistent behavior in 5.1: Invoke‑WebRequest has historically shown inconsistent behavior across OS versions because of the IE dependency; this change reduces that class of flakiness but can expose code that had accidentally relied on IE side effects. Test across OS/builds.
Detection, monitoring and security context
This change is part of a broader PowerShell hardening movement: treat web content as untrusted input and avoid executing code from the network without explicit consent. The PowerShell team and security practitioners emphasize:- Enable Script Block Logging and PowerShell logging in enterprise telemetry to detect suspicious invocations.
- Assume web‑fetched content may be hostile, and require explicit developer/owner sign‑offs for any legacy parsing opt‑ins.
- Use allow‑listing and least privilege for automation hosts that must interact with web content.
Cross‑reference and verification
- Microsoft’s official support note explains the security prompt behavior, the recommended use of -UseBasicParsing, and the suggested migration/refactor options. The article was published alongside the Windows update rollout and documents the behavior for PowerShell 5.1 on supported Windows versions.
- The PowerShell team has long documented the threat model around script execution and the rationale for treating downloaded web content as untrusted input; their security guidance frames this change as consistent with long‑standing security principles for the shell.
- Community resources and Q&A (for example, expert answers on widely used forums) capture the historical behavior of Invoke‑WebRequest using IE’s DOM and the practical role -UseBasicParsing has played as a workaround. Those community discussions also record common migration headaches administrators have encountered. When planning migration, validate behavior in your environment — community reports illustrate the kinds of problems you may see and offer pragmatic fixes.
Recommended next actions (prioritized)
- Immediately scan automation repositories and scheduled tasks for Invoke‑WebRequest and tag each occurrence as “download/text only” or “requires DOM”.
- For “download/text only”, add -UseBasicParsing and run test suites; commit changes and update deployment artifacts.
- For “requires DOM”, catalog those scripts and plan one of:
- refactor to use a safe HTML parser;
- migrate the job to PowerShell 7 on a host where core is supported; or
- run interactively only after explicit human confirmation (not recommended for automation).
- For service accounts, ensure $PROFILE contains session defaults as appropriate, or centrally manage profile config in automation images.
- Communicate the change to application owners and operators, highlighting that unattended scripts will hang if they are not updated.
Final analysis: benefits, tradeoffs, and risk summary
- Benefits
- Security first: The new prompt prevents silent execution of scripts embedded in web content, closing a class of surprising attack vectors that could be abused by social engineering or malicious web content.
- Consistency with PowerShell Core: Aligns PowerShell 5.1 behavior toward the safer default used in PowerShell 6/7, reducing surprises when migrating to modern PowerShell.
- Tradeoffs / Risks
- Automation breakage: Unupdated unattended scripts will hang; this requires careful inventory and patching before updates roll out broadly.
- Refactoring cost: Scripts that relied on DOM parsing may need non‑trivial rewrites or library additions to preserve functionality without reintroducing risk. Plan and budget for this work.
- Operational friction: Admins used to one‑liners that scrape pages interactively will now need to be explicit about their risk choices, which is safer but initially disruptive.
- Overall assessment
- The change is security appropriate and aligns with long‑term goals (remove dependence on deprecated IE components and avoid executing untrusted page scripts). The immediate operational burden is real but manageable: a disciplined inventory, a few mechanical script edits (adding -UseBasicParsing), and targeted refactoring will resolve the bulk of issues.
PowerShell is a powerful automation tool; this update forces a safer default when consuming web content — a change that reduces attack surface at the cost of predictable, manageable migration work for automation owners. Prioritize inventory, apply -UseBasicParsing where DOM parsing isn’t required, and plan a staged refactor or PowerShell 7 migration for the remaining cases.
Source: Microsoft Support PowerShell 5.1: Preventing script execution from web content - Microsoft Support
