diff --git a/lib/bolt/config/transport/ssh.rb b/lib/bolt/config/transport/ssh.rb
index 3c4db232a5..b52047d17a 100644
--- a/lib/bolt/config/transport/ssh.rb
+++ b/lib/bolt/config/transport/ssh.rb
@@ -17,6 +17,12 @@ class SSH < Base
                                     desc: "Host name." },
           "host-key-check"     => { type: TrueClass,
                                     desc: "Whether to perform host key validation when connecting." },
+          "extensions"         => { type: Array,
+                                    desc: "List of file extensions that are accepted for scripts or tasks on Windows. "\
+                                         "Scripts with these file extensions rely on the target's file type "\
+                                         "association to run. For example, if Python is installed on the system, "\
+                                         "a `.py` script runs with `python.exe`. The extensions `.ps1`, `.rb`, and "\
+                                         "`.pp` are always allowed and run via hard-coded executables." },
           "interpreters"       => { type: Hash,
                                     desc: "A map of an extension name to the absolute path of an executable, "\
                                           "enabling you to override the shebang defined in a task executable. The "\
@@ -109,6 +115,15 @@ class SSH < Base
                     "run-as-command must be an Array of Strings, received #{run_as_cmd.class} #{run_as_cmd.inspect}"
             end
           end
+
+          if @config['login-shell'] == 'powershell'
+            %w[tty run-as].each do |key|
+              if @config[key]
+                raise Bolt::ValidationError,
+                      "#{key} is not supported when using PowerShell"
+              end
+            end
+          end
         end
       end
     end
diff --git a/spec/bolt/config/transport/ssh_spec.rb b/spec/bolt/config/transport/ssh_spec.rb
index 2ea04550a5..539a13c521 100644
--- a/spec/bolt/config/transport/ssh_spec.rb
+++ b/spec/bolt/config/transport/ssh_spec.rb
@@ -62,5 +62,26 @@
         expect(config['private-key']).to eq(File.expand_path('path/to/key', boltdir))
       end
     end
+
+    context "when using powershell" do
+      before :each do
+        data['login-shell'] = 'powershell'
+      end
+
+      it "fails if tty is true" do
+        data['tty'] = true
+        expect { transport.new(data) }.to raise_error(Bolt::ValidationError, /tty is not supported/)
+      end
+
+      it "fails if run-as is set" do
+        data['run-as'] = 'soandso'
+        expect { transport.new(data) }.to raise_error(Bolt::ValidationError, /run-as is not supported/)
+      end
+
+      it "doesn't fail if other run-as options are set" do
+        data['run-as-command'] = %w[foo bar baz]
+        expect { transport.new(data) }.not_to raise_error
+      end
+    end
   end
 end