diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index e19efce2..ceb2d5f0 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -112,6 +112,18 @@ wmic.exe shadowcopy delete
+#### Dependencies: Run with `powershell`!
+##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
+##### Check Prereq Commands:
+```powershell
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+wmic shadowcopy call create Volume='C:\'
+```
+
+
diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml
index d923bf5e..8703ff18 100644
--- a/atomics/T1490/T1490.yaml
+++ b/atomics/T1490/T1490.yaml
@@ -29,7 +29,10 @@ atomic_tests:
 auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
 description: |
 Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
- Shadow copies can only be created on Windows server or Windows 8.
+ prereq_command: |
+ if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ wmic shadowcopy call create Volume='C:\'
 supported_platforms:
 - windows
 executor:
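Review bot: The new `prereq_command` decides that shadow copies exist by grepping `vssadmin.exe list shadows` for the English sentence "No items found that satisfy the query.", so on a Windows install with any other display language `findstr` never matches, the negation turns that into `exit 0`, and the test reports its prerequisite satisfied with nothing to delete; a locale-independent check such as `if((Get-CimInstance Win32_ShadowCopy | Measure-Object).Count -gt 0) { exit 0 } else { exit 1 }` avoids that. The hunk adds exactly four lines, `prereq_command` and `get_prereq_command` with their bodies, and no `dependencies:` list item, `description:` or `dependency_executor_name:` around them (exact indentation is lost in this view), while the regenerated T1490.md in the previous hunk prints a dependency description and "Run with `powershell`"; if this YAML follows the repository's usual schema those lines are missing here and the two files will drift apart on the next regeneration. It is also worth a sentence in the test description that the check and setup commands themselves (`vssadmin.exe list shadows`, `wmic shadowcopy call create`) are common detection-rule triggers for T1490, so a team validating telemetry should expect alerts from the prerequisite stage and not only from the deletion.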