Microsoft

Microsoft announced today that it will start deprecating VBScript in the second half of 2024 by making it an on-demand feature until it's completely removed.

Features on Demand (FODs) are optional Windows features (e.g., .NET Framework (.NetFx3), Hyper-V, Windows Subsystem for Linux) that aren't installed by default but can be added if needed.

"Technology has advanced over the years, giving rise to more powerful and versatile scripting languages such as JavaScript and PowerShell. These languages offer broader capabilities and are better suited for modern web development and automation tasks," said Microsoft program manager Naveen Shankar.

"Beginning with the new OS release slated for later this year, VBScript will be available as features on demand (FODs). The feature will be completely retired from future Windows OS releases, as we transition to the more efficient PowerShell experiences," said Microsoft program manager Naveen Shankar.

Microsoft's deprecation plan consists of three phases. The first phase will begin in the second half of 2024, with VBScript enabled by default as an optional feature in Windows 11 24H2.

During the second phase, which will start around 2027, VBScript will still be available as an on-demand feature but will no longer be pre-installed.

VBScript will be retired and eliminated from future versions of Windows as part of phase three of the deprecation process. As a result, all VBScript dynamic link libraries (.dll files) will be removed, and projects that use VBScript will stop functioning.

VBScript deprecation timeline
VBScript deprecation timeline (Microsoft)

​The company first revealed in October that it would kill off VBScript (also known as Visual Basic Script or Microsoft Visual Basic Scripting Edition) in Windows after 30 years of availability as a system component.

This programming language comes bundled with Internet Explorer (disabled on some Windows 10 versions in February 2023) and helps automate tasks and control applications using Windows Script.

Microsoft disabled VBScript by default in Internet Explorer 11 on Windows 10 with the July 2019 Patch Tuesday cumulative updates.

This move is part of a broader strategy to remove Windows and Office features threat actors use as attack vectors to infect users with malware.

Attackers have also used VBScript in malware campaigns, delivering strains like Lokibot, Emotet, Qbot, and, more recently, DarkGate malware.

This effort traces back to 2018 when Redmond extended support for its Antimalware Scan Interface (AMSI) to Office 365 client applications, thus curbing attacks that utilized Office VBA macros.

Since then, Microsoft has also disabled Excel 4.0 (XLM) macros, mandated default blocking of VBA Office macros, introduced XLM macro protection, and began blocking untrusted XLL add-ins by default across Microsoft 365 tenants worldwide.

Related Articles:

Microsoft deprecates Windows DirectAccess, recommends Always On VPN

Microsoft deprecates Windows NTLM authentication protocol

Microsoft: New Outlook security changes coming to personal accounts

New attack uses MSC files and Windows XSS flaw to breach networks

Learn how to protect yourself with these tips and online courses