Victim of Ransomware?

Discussion in 'Windows 10' started by pisthai, Apr 13, 2020.

  1. TairikuOkami

    TairikuOkami MDL Expert

    Mar 15, 2014
    1,172
    1,055
    60
    I prefer to disable WSH and remove PowerShell to prevent possible ransomware, or any malware for that matter.
     
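    The two steps named in the post above, as an added example that is not part of the thread: disabling Windows Script Host machine-wide, and removing the PowerShell engine to the extent Windows 10 allows. Only the PowerShell 2.0 engine is an optional feature that can be removed; the 5.1 engine ships in the OS image, so a report of what is left afterwards is included. Run from an elevated Windows PowerShell prompt; all registry paths and feature names are the documented ones.

```powershell
# Added example, not from the thread. Disables Windows Script Host (WSH)
# machine-wide, removes the optional PowerShell 2.0 engine, and reports the
# resulting state. Run from an elevated Windows PowerShell 5.1 prompt.

$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    # wscript.exe and cscript.exe refuse to run any script when the REG_DWORD
    # "Enabled" under this key is 0. Other script hosts (mshta.exe, the
    # PowerShell engine itself) are not affected by this value.
    if (-not (Test-Path -Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    New-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Get-WindowsScriptHostState {
    # 'disabled' only when the value exists and is 0; a missing value means
    # the default, which is enabled.
    $item = Get-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.Enabled -eq 0) { 'disabled' } else { 'enabled' }
}

function Remove-PowerShellV2Engine {
    # Only the 2.0 engine is an optional feature. The 5.1 engine is part of
    # the OS image and cannot be removed with Disable-WindowsOptionalFeature.
    # The 2.0 engine predates script block logging and AMSI, so leaving it in
    # place lets "powershell.exe -Version 2" run without either of them.
    foreach ($name in 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2') {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($null -ne $feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        }
    }
}

function Get-HardeningReport {
    # One object summarising what this script controls, for a before/after
    # comparison or for collection from several machines.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        WindowsScriptHost     = Get-WindowsScriptHostState
        PowerShellV2Engine    = if ($null -ne $v2) { [string]$v2.State } else { 'unknown' }
        PowerShellHostVersion = $PSVersionTable.PSVersion.ToString()   # the engine that stays
    }
}

Get-HardeningReport | Format-List          # state before the change
Disable-WindowsScriptHost
Remove-PowerShellV2Engine
Get-HardeningReport | Format-List          # state after (V2 may show DisablePending until reboot)
```

    What the report makes visible is the limit of the step: after it runs, .vbs/.js files no longer execute through wscript/cscript and the downgrade to the 2.0 engine is gone, but powershell.exe 5.1 and every other host the later posts list (mshta, rundll32, Office macros, and so on) are untouched, so this is a narrowing of the attack surface rather than the removal of an execution path.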
  2. Yes, your steps are also correct.
     
  3. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    Why not cut the power cord while you are at it.
    With a plasma cutter.

    Disabling access to reg, cmd, wsh, powershell, etc. is something incompetent sysadmins have historically done.
    It did not help them against real malware exploiting lnk files, rtf, chm, office, ie, flash, smb, named pipes and dozens of components and lolbins - only against the most boring script-kiddie stuff.
    All for unnecessary inconvenience to legitimate Windows usage.
    Might as well run a limited cloud edition, or don't use Windows at all, period.

    You want to be safe?
    RACCINE is not the way to go, it offers a very false sense of security.

    Always use the most stable Windows 10 version (one version behind current, atm 1903/1909) as a daily OS.
    Stay away from LTS* editions like the plague if you're not subscribed with Microsoft for advanced threat protection.
    Log in as a standard (limited) user. Can't stress enough how important this is to prevent silent UAC bypasses.
    Replace Defender with a robust, made-in-Europe AV like Avira or Bitdefender.
    Prefer Microsoft Store apps and digitally signed programs, or at least ones compiled at least a month prior, to pass the test of time.
    Disable the auto-update feature for less popular third-party programs. You never know when one gets bought / hijacked by a malicious actor.
    As for scripts, only get them from respectable forums like mdl, stackoverflow, reboot.pro, tenforums etc.
     
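    A read-only check of the "log in as a standard user" point from the post above, as an added example that is not part of the thread. It reports whether the current token is elevated, whether the logged-on account is a member of the local Administrators group at all (the case in which UAC auto-elevation applies), and the documented UAC policy values under the Policies\System key. Nothing is changed; it runs as any user. The function names and the wording of the Finding field are the example's own.

```powershell
# Added example, not from the thread. Read-only audit of the things the
# "log in as a standard user" advice depends on: whether the current token is
# elevated or could be, and how UAC is set to behave for administrators.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-TokenIsElevated {
    # True only if the current process token already carries Administrators
    # with admin rights (an elevated console). A member of Administrators
    # running at the default medium integrity level returns False here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-UserInLocalAdministrators {
    # True if the logged-on account is a member of BUILTIN\Administrators,
    # elevated or not. Such an account can run elevated, and at the default
    # UAC level Microsoft-signed auto-elevate binaries do so with no prompt.
    # Returns False if the group query itself fails (check $Error in that case).
    $mySid   = [Security.Principal.WindowsIdentity]::GetCurrent().User
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID -eq $mySid })
}

function Get-UacPolicy {
    # Documented REG_DWORD values under the policy key:
    #   EnableLUA                   1 = UAC on, 0 = UAC off
    #   ConsentPromptBehaviorAdmin  0 = elevate silently
    #                               1-4 = prompt for every elevation
    #                               5 = default, prompt only for non-Windows binaries
    #   PromptOnSecureDesktop       1 = prompts appear on the secure desktop
    $p = Get-ItemProperty -Path $UacPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

function Get-ElevationPosture {
    $uac      = Get-UacPolicy
    $inAdmins = Test-UserInLocalAdministrators
    $finding =
        if (-not $inAdmins)                                    { 'standard user: nothing on this account to elevate to' }
        elseif ($null -eq $uac.EnableLUA)                      { 'administrator; UAC policy key could not be read' }
        elseif ($uac.EnableLUA -ne 1)                          { 'administrator with UAC off: every process runs elevated' }
        elseif ($uac.ConsentPromptBehaviorAdmin -eq 0)         { 'administrator; UAC elevates without prompting' }
        elseif ($uac.ConsentPromptBehaviorAdmin -in 1..4)      { 'administrator; UAC prompts for every elevation' }
        else                                                   { 'administrator at default UAC level: auto-elevating binaries do not prompt' }

    [pscustomobject]@{
        User                       = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        TokenElevated              = Test-TokenIsElevated
        MemberOfAdministrators     = $inAdmins
        EnableLUA                  = $uac.EnableLUA
        ConsentPromptBehaviorAdmin = $uac.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $uac.PromptOnSecureDesktop
        Finding                    = $finding
    }
}

Get-ElevationPosture | Format-List
```

    The distinction the script draws is the one the post relies on: a UAC prompt only protects an account that has something to elevate to, so MemberOfAdministrators = False is the condition that matters, not TokenElevated = False. An Administrators member at the default level (ConsentPromptBehaviorAdmin = 5) sees no prompt when an auto-elevating Windows binary is abused, which is what "silent" refers to above.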
  4. TairikuOkami

    TairikuOkami MDL Expert

    Mar 15, 2014
    1,172
    1,055
    60
    #24 TairikuOkami, Oct 25, 2020
    Last edited: Oct 25, 2020
    ROFL, if you disable something you will never use, how is it a bad thing? Especially if it is highly effective? Not to mention that MS and security experts recommend it daily as a temporary or permanent workaround till the patch is released.
    When I tested WannaCry live, it failed to encrypt my partition, simply because I had disabled SYSTEM's access to it. Rather than focusing on damage control, it is easier to prevent the infection. Whitelisting is better than blacklisting (AV).
     
  5. nosirrahx

    nosirrahx MDL Expert

    Nov 7, 2017
    1,245
    592
    60
    #25 nosirrahx, Oct 25, 2020
    Last edited: Oct 25, 2020
    Personally I like tossing all of my surfing and general use into a VM, banking and online purchases into another VM (off unless needed) and then only do work and gaming on the actual bare metal.
     
  6. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,693
    60
    Potatoes, potatoes. You're not whitelisting stuff, you're blacklisting reg, cmd, wsh, powershell, etc.
    How can that be better than actually smart heuristics that can block malicious actions at the kernel level (AV)?
    Application Guard is a joke. Constrained execution is a joke. Controlled folders is a joke. Raccine? pff.
    Disabling PowerShell etc. is a joke, there are countless frameworks to generate malformed files / shellcodes / "innocuous" binaries to get a full-blown PowerShell or whatever, even remotely.

    Don't get me wrong, it's ok to go the extra mile of disabling access to stuff if it does not affect your experience. I'm only commenting on the fact that it introduces and promotes a false sense of security leading to bad practices - people that usually do these steps from 90's computing also tend to think "they know better" and actively refuse the assistance of a proper AV backed by real malware analysis labs with thousands of engineers working with the best toolsets and machine learning.

    No matter how smart and conscious you might be, you can't keep up with the vast amount of processing power of your own PC and the ever-evolving hive of knowledge shared by malicious actors. It's only by chance nobody has taken real interest in you so far - since there are 1 billion other devices to hack. But lately government-backed malicious actors are poking randomly at the whole internet. You might never get hacked, but just as well it could happen Tuesday.

    So many prefer living ostrich-style and would have no protection whatsoever if Microsoft did not shovel Defender down their throats to hamper the proliferation of large-scale botnets. But consumers' data - be damned. Ransomware is just a marketing buzzword for them, and speaking of marketing, they have increased their spending thousands-fold on promoting it these past couple of years, and popular "comparative" sites as a result paint a much closer picture than actual real life. Defender without the advanced threat subscription sucks ass. Avira or Bitdefender does a much better job, but people don't want to pay for a cheap subscription, and complain about that one popup a day in the fully potent free versions.
     
  7. sonuji19

    sonuji19 MDL Novice

    Jul 29, 2017
    2
    0
    0

    My dear, if you have a ransomware sample, please send it to me. I want to know and give you the best possible solution.