Describes the Group Policy settings for PowerShell
PowerShell includes Group Policy settings to help you define consistent configuration values for Windows computers in an enterprise environment.
The PowerShell Group Policy settings are in the following Group Policy paths:
Computer Configuration\ Administrative Templates\ PowerShell Core User Configuration\ Administrative Templates\ PowerShell Core
Group policy settings in the User Configuration path take precedence over Group Policy settings in the Computer Configuration path.
PowerShell 7 includes Group Policy templates and an installation script in
Group Policy tools use administrative template files (
populate policy settings in the user interface. This allows administrators to
manage registry-based policy settings. The
script installs PowerShell Core Administrative Templates on the local
Get-ChildItem -Path $PSHOME -Filter *Core*Policy*
Directory: C:\Program Files\PowerShell\7 Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 2/27/2020 12:38 AM 15861 InstallPSCorePolicyDefinitions.ps1 -a--- 2/27/2020 12:28 AM 9675 PowerShellCoreExecutionPolicy.adml -a--- 2/27/2020 12:28 AM 6201 PowerShellCoreExecutionPolicy.admx
After installing the templates, you can edit these settings in the Group Policy
The policies are as follows:
- Console session configuration: Sets a configuration endpoint in which PowerShell is run.
- Turn on Module Logging: Sets the LogPipelineExecutionDetails property of modules.
- Turn on PowerShell Script Block Logging: Enables detailed logging of all PowerShell scripts.
- Turn on Script Execution: Sets the PowerShell execution policy.
- Turn on PowerShell Transcription: enables capturing of input and output of PowerShell commands into text-based transcripts.
- Set the default source path for
Update-Help: Sets the source for Updatable Help to a directory, not the Internet.
Each PowerShell Group Policy setting has an option ('Use Windows PowerShell Policy setting' field) to use the value from a similar Windows PowerShell Group Policy setting that is located in the following Group Policy paths:
Computer Configuration\ Administrative Templates\ Windows Components\ Windows PowerShell User Configuration\ Administrative Templates\ Windows Components\ Windows PowerShell
These PowerShell Core Administrative Templates do not include settings for Windows PowerShell. For more information about acquiring other templates and configuring Group policy, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.
Console session configuration
The Console session configuration policy setting specifies a configuration endpoint in which PowerShell is run. This can be any endpoint registered on the local machine including the default PowerShell remoting endpoints or a custom endpoint having specific user role capabilities.
Turn on module logging
The Turn on Module Logging policy setting turns on logging for selected PowerShell modules. The setting is effective in all sessions on all affected computers.
If you enable this policy setting and specify one or more modules, pipeline execution events for the specified modules are recorded in the Windows PowerShell log in Event Viewer.
If you disable this policy setting, logging of execution events is disabled for all PowerShell modules.
If this policy setting is not configured, the LogPipelineExecutionDetails property of each module determines whether the execution events of a module are logged. By default, the LogPipelineExecutionDetails property of all modules is set to False.
To turn on module logging for a module, use the following command format. The module must be imported into the session and the setting is effective only in the current session.
Import-Module <Module-Name> (Get-Module <Module-Name>).LogPipelineExecutionDetails = $true
To turn on module logging for all sessions on a particular computer, add the
previous commands to the 'All Users' PowerShell profile
For more information about module logging, see about_Modules.
Turn on PowerShell script block logging
The Turn on PowerShell Script Block Logging policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, PowerShell Core will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.
Turn on script execution
The Turn on Script Execution policy setting sets the execution policy for computers and users, which determines which scripts are permitted to run.
If you enable the policy setting, you can select from among the following policy settings.
Allow only signed scripts allows scripts to execute only if they are signed by a trusted publisher. This policy setting is equivalent to the AllSigned execution policy.
Allow local scripts and remote signed scripts allows all local scripts to run. Scripts that originate from the Internet must be signed by a trusted publisher. This policy setting is equivalent to the RemoteSigned execution policy.
Allow all scripts allows all scripts to run. This policy setting is equivalent to the Unrestricted execution policy.
If you disable this policy setting, no scripts are allowed to run. This policy setting is equivalent to the Restricted execution policy.
If you disable or do not configure this policy setting, the execution policy
that is set for the computer or user by the
determines whether scripts are permitted to run. The default value is
For more information, see about_Execution_Policies.
Turn on powershell transcription
The Turn on PowerShell Transcription policy setting lets you capture the input and output of PowerShell Core commands into text-based transcripts. If you enable this policy setting, PowerShell Core will enable transcription logging for PowerShell Core and any other applications that leverage the PowerShell Core engine. By default, PowerShell Core will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each PowerShell Core session.
If you disable this policy setting, transcription logging of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet.
If you use the OutputDirectory setting to enable transcription logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers.
Set the default source path for Update-Help
The Set the Default Source Path for Update-Help policy setting sets a
default value for the SourcePath parameter of the
This setting prevents users from using the
Update-Help cmdlet to download
help files from the Internet.
This Group Policy setting appears under Computer Configuration and User Configuration. However, only the Group Policy setting under Computer Configuration is effective. The Group Policy setting under User Configuration is ignored.
Update-Help cmdlet downloads and installs the newest help files for
PowerShell modules and installs them on the computer. By default,
downloads new help files from an Internet location specified by the module.
However, you can use the
Save-Help cmdlet to download the newest help files
to a file system location, such as a network share, and then use the
Update-Help cmdlet to get the help files from the file system location and
install them on the computer. The SourcePath parameter of the
cmdlet specifies the file system location.
By providing a default value for the SourcePath parameter, this Group
Policy setting implicitly adds the SourcePath parameter to all
Update-Help commands. Users can override the particular file system location
specified as the default value by entering a different file system location.
But they cannot remove the SourcePath parameter from the
If you enable this policy setting, you can specify a default value for the SourcePath parameter. Enter a file system location.
If this policy setting is disabled or not configured, there is no default value
for the SourcePath parameter of the
Update-Help cmdlet. Users can
download help from the Internet or from any file system location.
For more information, see about_Updatable_Help.