Microsoft’s latest Windows update, released on December 9, 2025, introduces a security confirmation prompt in PowerShell 5.1 that stops Invoke-WebRequest whenever it would parse a web page using the old Internet Explorer DOM engine. The change is tied to CVE-2025-54100 and will hang any unattended script that does not explicitly opt into safe parsing, breaking scheduled tasks and automation workflows until scripts are updated.

A New Warning Before Web Pages Execute Code

The prompt appears when Invoke-WebRequest runs without the -UseBasicParsing or -UseBasicParsing:$false parameters, and the command would otherwise engage IE’s HTML parser. The dialog reads:

Security Warning: Script Execution Risk
Invoke-WebRequest parses the content of the web page. Script code in the web page might be run when the page is parsed.
RECOMMENDED ACTION: Use the -UseBasicParsing switch to avoid script code execution.
Do you want to continue?

The default answer is “No,” which cancels the request. An explicit “Yes” does allow the legacy DOM parsing to proceed, but Microsoft strongly recommends against relying on that for automation.

The change applies to Windows PowerShell 5.1 on all supported Windows clients and servers that have installed updates released on or after December 9, 2025. PowerShell Core (versions 6 and 7) is untouched; those versions already default to basic parsing and never invoke the IE engine.

Who Is Affected — and How

Home users will rarely see this prompt. Microsoft’s advisory says that web-content scripting scenarios are uncommon outside IT-managed environments, so no action is needed for most personal devices.

IT professionals and power users who run interactive Invoke-WebRequest commands will suddenly encounter the prompt in their console sessions. A one-time confirmation is not crippling, but the real pain hits when the prompt blocks an unattended script.

Automated scripts, scheduled tasks, and CI/CD pipelines are the primary victims. Any script running under a service account, scheduled by Task Scheduler, or executed in a non-interactive session will stall completely because it cannot reply to the prompt. These hang silently — there is no error message — making the breakage difficult to detect in advance.

Code that depends on the ParsedHtml DOM property faces a longer road. Adding -UseBasicParsing removes the IE-backed object model, so scripts that access .ParsedHtml, .Images, .Forms, or other DOM-derived members will break in a different way. Those scripts need a refactor, not a quick parameter fix.

The Long Road to a Safer Web Cmdlet

PowerShell 5.1’s Invoke-WebRequest has always been able to return a full HTML document object model, a convenience that came from using Internet Explorer’s MSHTML component under the hood. The feature was handy for quick web scraping directly within PowerShell, but it carried well-known risks:

  • The IE engine is deprecated and has been removed from many Windows Server installations and modern client SKUs.
  • Populating the DOM could execute page scripts — a dangerous side effect when fetching content from untrusted or compromised sites.
  • The dependency on a first-run IE configuration created fragile, inconsistent behavior across server environments.

For over a decade, the community workaround was the -UseBasicParsing switch, which told the cmdlet to fetch the raw response without ever touching IE. In PowerShell Core 6.0 (released in 2018), the team made basic parsing the default and dropped IE-backed DOM support entirely.

Microsoft has been nudging 5.1 users toward the same posture for years. The December 2025 update transforms that nudge into a hard enforcement: if you haven’t explicitly chosen a safe parsing mode, PowerShell will now ask you to confirm that you’re willing to accept the risk. This is consistent with broader PowerShell security guidance that treats all web content as untrusted input.

What to Do Right Now: A Fix-It Guide for Scripts

The most important task is finding every automation artifact that uses Invoke-WebRequest and updating it before the update lands on production machines.

1. Find every call to Invoke-WebRequest

Scan source control repositories, scheduled task definitions, SQL Agent jobs, and configuration management data. Search for Invoke-WebRequest in all ".ps1", ".psm1", and inline script blocks. Tag each occurrence as either “simple download / text retrieval” or “depends on DOM.”

2. Apply the quick fix for simple downloads

For scripts that only need the response body, status code, or headers, add -UseBasicParsing to the command:

Invoke-WebRequest -Uri 'https://example.com/data' -OutFile 'C:\temp\data.html' -UseBasicParsing

This stops the prompt and avoids script execution risks. The returned object still has .Content, .StatusCode, .Headers, and .RawContentStream, so most download-and-save or text-scraping logic continues to work.

If a script calls Invoke-WebRequest many times, set a session-wide default at the top:

$PSDefaultParameterValues['Invoke-WebRequest:UseBasicParsing'] = $true

You can persist that line in the service account’s $PROFILE or in the script itself to make every call behave safely without individual edits.

3. Test, then roll out

Run the updated scripts in a staging environment that has the December update installed. Verify that all downstream logic still works — some code may have silently relied on properties that only exist when IE parsing was active. Common pitfalls include scripts that accessed .ParsedHtml.getElementById(...) or iterated over .Images.

4. Handle the DOM-dependent holdouts

Not everything can be fixed with a parameter switch. If a script truly needs to parse HTML, query a form field, or interact with a page’s structure, you have three supported paths:

  • Migrate to PowerShell 7+. Its Invoke-WebRequest is already safe by default, and because the cmdlet never touches IE, you can pair it with a dedicated .NET HTML parser without triggering any prompts.
  • Use a safe HTML parsing library. HtmlAgilityPack and AngleSharp are mature, script-safe alternatives. The pattern is:
  • Fetch the raw content with Invoke-WebRequest -UseBasicParsing.
  • Pass .Content into the parser’s LoadHtml method.
  • Navigate the resulting document object — no browser engine, no script execution.
  • Convert to an API call. If the web service offers a REST or JSON endpoint, switch to Invoke-RestMethod and avoid HTML parsing entirely. This reduces fragility and removes the IE attack surface.

Beyond the Quick Fix: Operational Safeguards

Enterprise administrators should treat this as a breaking change window. A few additional steps will reduce risk:

  • Roll the Windows update to a test ring first, then to production only after all automation has been validated.
  • Use Group Policy or configuration management to enforce script signing and PowerShell logging; the new prompt is a hardening measure, not a replacement for comprehensive execution policy controls.
  • For service accounts that must interact with trusted HTML content, build hardened automation hosts with preconfigured profiles that set safe defaults. Consider blocking mshta.exe and restricting Internet Explorer’s use in those environments.
  • Communicate clearly with application owners. A script that quietly hung on a Saturday morning backup task is a lot less stressful when the team knows it’s coming and has a one-line fix ready.

What’s Next for PowerShell and Web Parsing

This update is unlikely to be rolled back. Microsoft’s support article frames the prompt as a security hardening, not an optional feature, and the underlying CVE underscores the risk of unattended script execution from web content. The direction of travel is clear: Windows PowerShell 5.1 will continue to receive security-focused hardening, but its IE-dependent features are on a path to eventual removal, just as they were in PowerShell Core.

Future Windows updates may further restrict legacy DOM parsing or remove the ability to opt in entirely. The safest long-term strategy is to adopt the pattern that PowerShell 7 already enforces: never let a browser engine touch web responses unless you explicitly opt into a third-party parser under your control.

For now, the priority is triage — find the scripts that would hang, add -UseBasicParsing to everything that doesn’t need the DOM, and schedule refactors for the rest. The work is mechanical, but it closes a real security gap and aligns your automation fleet with the modern, IE-free reality Microsoft has been steering toward for years.