about_Group_Policy_Settings

Short description

Describes the Group Policy settings for PowerShell

Long description

PowerShell includes Group Policy settings to help you define consistent configuration values for Windows computers in an enterprise environment.

The PowerShell Group Policy settings are in the following Group Policy paths:

Computer Configuration\
  Administrative Templates\
    PowerShell Core

User Configuration\
  Administrative Templates\
    PowerShell Core

Group policy settings in the Computer Configuration path take precedence over Group Policy settings in the User Configuration path.

PowerShell 7 includes Group Policy templates and an installation script in $PSHOME.

Group Policy tools use administrative template files (.admx, .adml) to populate policy settings in the user interface. This allows administrators to manage registry-based policy settings. The InstallPSCorePolicyDefinitions.ps1 script installs PowerShell Core Administrative Templates on the local machine.

Get-ChildItem -Path $PSHOME -Filter *Core*Policy*
    Directory: C:\Program Files\PowerShell\7

Mode       LastWriteTime         Length Name
----       -------------         ------ ----
-a---      2/27/2020 12:38 AM     15861 InstallPSCorePolicyDefinitions.ps1
-a---      2/27/2020 12:28 AM      9675 PowerShellCoreExecutionPolicy.adml
-a---      2/27/2020 12:28 AM      6201 PowerShellCoreExecutionPolicy.admx

After installing the templates, you can edit these settings in the Group Policy editor (gpedit.msc).

The policies are as follows:

  • Console session configuration: Sets a configuration endpoint that PowerShell runs in.
  • Turn on Module Logging: Sets the LogPipelineExecutionDetails property of modules.
  • Turn on PowerShell Script Block Logging: Enables detailed logging of all PowerShell scripts.
  • Turn on Script Execution: Sets the PowerShell execution policy.
  • Turn on PowerShell Transcription: Enables capturing of input and output of PowerShell commands into text-based transcripts.
  • Set the default source path for Update-Help: Sets the source for Updatable Help to a directory, not the Internet.

Each PowerShell Group Policy setting has the 'Use Windows PowerShell Policy setting' field. This option enables using the value from a similar Windows PowerShell Group Policy setting that's located in the following Group Policy paths:

Computer Configuration\
  Administrative Templates\
    Windows Components\
      Windows PowerShell

User Configuration\
  Administrative Templates\
    Windows Components\
      Windows PowerShell

Note

These PowerShell Core Administrative Templates don't include settings for Windows PowerShell. For more information about acquiring other templates and configuring Group policy, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Console session configuration

The Console session configuration policy setting specifies a configuration endpoint that PowerShell runs in. This can be any endpoint registered on the local machine including the default PowerShell remoting endpoints or a custom endpoint having specific user role capabilities.

Turn on module logging

The Turn on Module Logging policy setting turns on logging for selected PowerShell modules. The setting is effective in all sessions on all affected computers.

If you enable this policy setting and specify one or more modules, PowerShell records pipeline execution events for the specified modules in the Windows PowerShell log in Event Viewer.

If you disable this policy setting, PowerShell doesn't log execution events for any PowerShell modules.

If this policy setting isn't configured, the LogPipelineExecutionDetails property of each module determines whether PowerShell logs the execution events of that module. By default, the LogPipelineExecutionDetails property of all modules is set to $False.

To turn on module logging for a module, use the following command format. The module must be imported into the session and the setting is effective only in the current session.

Import-Module <Module-Name>
(Get-Module <Module-Name>).LogPipelineExecutionDetails = $true

To turn on module logging for all sessions on a particular computer, add the previous commands to the 'All Users' PowerShell profile ($Profile.AllUsersAllHosts).

For more information about module logging, see about_Modules.

Turn on PowerShell script block logging

The Turn on PowerShell Script Block Logging policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, PowerShell logs the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.

If you disable this policy setting, PowerShell script input isn't logged. If you enable the Script Block Invocation Logging, PowerShell also logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.

Turn on script execution

The Turn on Script Execution policy setting sets the execution policy for computers and users. The execution policy determines whether to permit scripts to run.

If you enable the policy setting, you can select from among the following policy settings.

  • Allow only signed scripts allows scripts to execute only if they're signed by a trusted publisher. This policy setting is equivalent to the AllSigned execution policy.

  • Allow local scripts and remote signed scripts allows all local scripts to run. Scripts that originate from the Internet must be signed by a trusted publisher. This policy setting is equivalent to the RemoteSigned execution policy.

  • Allow all scripts allows all scripts to run. This policy setting is equivalent to the Unrestricted execution policy.

If you disable this policy setting, no scripts are allowed to run. This policy setting is equivalent to the Restricted execution policy.

If you don't configure this policy setting, the execution policy that's set for the computer or user by the Set-ExecutionPolicy cmdlet determines whether scripts are permitted to run. The default value is Restricted.

For more information, see about_Execution_Policies.

Turn on PowerShell transcription

The Turn on PowerShell Transcription policy setting lets you capture the input and output of PowerShell commands into text-based transcripts. If you enable this policy setting, PowerShell enables transcription logging for PowerShell and any other applications that leverage the PowerShell engine. By default, PowerShell records transcript output to each users' My Documents directory, with a filename that includes PowerShell_transcript, along with the computer name and time started. Enabling this policy has the same effect as calling the Start-Transcript cmdlet on each PowerShell session.

If you disable this policy setting, PowerShell-based applications don't write transcript logs by default. The Start-Transcript cmdlet can still enable transcription logging.

Limit access to the directory when setting OutputDirectory to a shared location for transcript logging to prevent users from viewing the transcripts of other users or computers.

Set the default source path for Update-Help

The Set the Default Source Path for Update-Help policy setting sets a default value for the SourcePath parameter of the Update-Help cmdlet. This setting prevents users from using the Update-Help cmdlet to download help files from the Internet.

Note

This Group Policy setting appears under Computer Configuration and User Configuration. However, only the Group Policy setting under Computer Configuration is effective. The Group Policy setting under User Configuration is ignored.

The Update-Help cmdlet downloads and installs the newest help files for PowerShell modules and installs them on the computer. By default, Update-Help downloads new help files from an Internet location specified by the module.

However, you can use the Save-Help cmdlet to download the newest help files to a file system location, such as a network share, and then use the Update-Help cmdlet to get the help files from the file system location and install them on the computer. The SourcePath parameter of the Update-Help cmdlet specifies the file system location.

By providing a default value for the SourcePath parameter, this Group Policy setting implicitly adds the SourcePath parameter to all Update-Help commands. Users can override the particular file system location specified as the default value by entering a different file system location. But they can't remove the SourcePath parameter from the Update-Help command.

If you enable this policy setting, you can specify a default value for the SourcePath parameter. Enter a file system location.

If this policy setting is disabled or not configured, there is no default value for the SourcePath parameter of the Update-Help cmdlet. Users can download help from the Internet or from any file system location.

For more information, see about_Updatable_Help.

Keywords

about_Group_Policies about_GroupPolicy

See also