About Group Policy Settings

Short description

Describes the Group Policy settings for PowerShell.

Long description

PowerShell includes Group Policy settings to help you define consistent configuration values for Windows computers in an enterprise environment.

The PowerShell Group Policy settings are in the following Group Policy paths:

Computer Configuration\
  Administrative Templates\
    PowerShell Core

User Configuration\
  Administrative Templates\
    PowerShell Core

Group Policy settings in the User Configuration path take precedence over Group Policy settings in the Computer Configuration path.

PowerShell 7 includes Group Policy templates and an installation script in $PSHOME.

Group Policy tools use administrative template files (.admx, .adml) to populate policy settings in the user interface. This allows administrators to manage registry-based policy settings. The InstallPSCorePolicyDefinitions.ps1 script installs PowerShell Core Administrative Templates on the local machine.

Get-ChildItem -Path $PSHOME -Filter *Core*Policy*
    Directory: C:\Program Files\PowerShell\7

Mode       LastWriteTime         Length Name
----       -------------         ------ ----
-a---      2/27/2020 12:38 AM     15861 InstallPSCorePolicyDefinitions.ps1
-a---      2/27/2020 12:28 AM      9675 PowerShellCoreExecutionPolicy.adml
-a---      2/27/2020 12:28 AM      6201 PowerShellCoreExecutionPolicy.admx

After installing the templates, you can edit these settings in the Group Policy editor (gpedit.msc).

The policies are as follows:

  • Console session configuration: Sets a configuration endpoint in which PowerShell is run.
  • Turn on Module Logging: Sets the LogPipelineExecutionDetails property of modules.
  • Turn on PowerShell Script Block Logging: Enables detailed logging of all PowerShell scripts.
  • Turn on Script Execution: Sets the PowerShell execution policy.
  • Turn on PowerShell Transcription: Enables capturing of input and output of PowerShell commands into text-based transcripts.
  • Set the default source path for Update-Help: Sets the source for Updatable Help to a directory, not the Internet.

Each PowerShell Group Policy setting has an option (the 'Use Windows PowerShell Policy setting' field) to use the value from a similar Windows PowerShell Group Policy setting that is located in the following Group Policy paths:

Computer Configuration\
  Administrative Templates\
    Windows Components\
      Windows PowerShell

User Configuration\
  Administrative Templates\
    Windows Components\
      Windows PowerShell

Note

These PowerShell Core Administrative Templates do not include settings for Windows PowerShell. For more information about acquiring other templates and configuring Group Policy, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Console session configuration

The Console session configuration policy setting specifies a configuration endpoint in which PowerShell is run. This can be any endpoint registered on the local machine, including the default PowerShell remoting endpoints or a custom endpoint having specific user role capabilities.

Turn on module logging

The Turn on Module Logging policy setting turns on logging for selected PowerShell modules. The setting is effective in all sessions on all affected computers.

If you enable this policy setting and specify one or more modules, pipeline execution events for the specified modules are recorded in the Windows PowerShell log in Event Viewer.

If you disable this policy setting, logging of execution events is disabled for all PowerShell modules.

If this policy setting is not configured, the LogPipelineExecutionDetails property of each module determines whether the execution events of a module are logged. By default, the LogPipelineExecutionDetails property of all modules is set to False.

To turn on module logging for a module, use the following command format. The module must be imported into the session, and the setting is effective only in the current session.

Import-Module <Module-Name>
(Get-Module <Module-Name>).LogPipelineExecutionDetails = $true

To turn on module logging for all sessions on a particular computer, add the previous commands to the 'All Users' PowerShell profile ($Profile.AllUsersAllHosts).

For more information about module logging, see about_Modules.

Turn on PowerShell script block logging

The Turn on PowerShell Script Block Logging policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, PowerShell Core will log the processing of commands, script blocks, functions, and scripts, whether invoked interactively or through automation.

If you disable this policy setting, logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs.

Turn on script execution

The Turn on Script Execution policy setting sets the execution policy for computers and users, which determines which scripts are permitted to run.

If you enable the policy setting, you can select from among the following policy settings.

  • Allow only signed scripts allows scripts to execute only if they are signed by a trusted publisher. This policy setting is equivalent to the AllSigned execution policy.

  • Allow local scripts and remote signed scripts allows all local scripts to run. Scripts that originate from the Internet must be signed by a trusted publisher. This policy setting is equivalent to the RemoteSigned execution policy.

  • Allow all scripts allows all scripts to run. This policy setting is equivalent to the Unrestricted execution policy.

If you disable this policy setting, no scripts are allowed to run. This policy setting is equivalent to the Restricted execution policy.

If you disable or do not configure this policy setting, the execution policy that is set for the computer or user by the Set-ExecutionPolicy cmdlet determines whether scripts are permitted to run. The default value is Restricted.

For more information, see about_Execution_Policies.

Turn on PowerShell transcription

The Turn on PowerShell Transcription policy setting lets you capture the input and output of PowerShell Core commands into text-based transcripts. If you enable this policy setting, PowerShell Core will enable transcription logging for PowerShell Core and any other applications that leverage the PowerShell Core engine. By default, PowerShell Core will record transcript output to each user's My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each PowerShell Core session.

If you disable this policy setting, transcription logging of PowerShell-based applications is disabled by default, although transcription can still be enabled through the Start-Transcript cmdlet.

If you use the OutputDirectory setting to enable transcription logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers.
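One way to check the access restriction described above, as an added example that is not part of the original documentation: the function lists Allow entries on a transcript directory that let broad groups list or read its contents. The name Test-TranscriptDirectoryAcl and the demo directory are assumptions made for illustration.

```powershell
# Added example: audit who can read a transcript OutputDirectory.
# Test-TranscriptDirectoryAcl is a hypothetical helper name, not a built-in cmdlet.
function Test-TranscriptDirectoryAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Broad principals, matched by well-known SID so the check is locale-independent.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights bits that let a principal list the directory or read file data.
    $readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $genericRead = [int]::MinValue   # GENERIC_READ (0x80000000) as a signed Int32
    $genericAll  = 0x10000000        # GENERIC_ALL
    $readMask    = $readData -bor $genericRead -bor $genericAll

    # Ask for explicit and inherited rules with identities returned as SIDs.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        # Domain Users has a domain-specific SID that ends in RID 513.
        $isBroad = $broadSids.ContainsKey($sid) -or $sid -match '^S-1-5-21-.+-513$'
        $isAllow = $rule.AccessControlType -eq 'Allow'
        $canRead = (([int]$rule.FileSystemRights) -band $readMask) -ne 0

        if ($isBroad -and $isAllow -and $canRead) {
            [pscustomobject]@{
                Path        = $Path
                Sid         = $sid
                Principal   = if ($broadSids.ContainsKey($sid)) { $broadSids[$sid] } else { 'Domain Users' }
                Rights      = $rule.FileSystemRights
                IsInherited = $rule.IsInherited
            }
        }
    }
}

# Constructed demo: a new directory under TEMP inherits its parent's ACL.
$demo = Join-Path $env:TEMP 'transcripts-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$findings = @(Test-TranscriptDirectoryAcl -Path $demo)
if ($findings.Count -eq 0) { "No broad read access on $demo" } else { $findings | Format-Table -AutoSize }
```

Run it against the directory configured as OutputDirectory; an empty result means none of the listed groups can list or read the transcripts through the directory's ACL.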

Set the default source path for Update-Help

The Set the Default Source Path for Update-Help policy setting sets a default value for the SourcePath parameter of the Update-Help cmdlet. This setting prevents users from using the Update-Help cmdlet to download help files from the Internet.

Note

This Group Policy setting appears under Computer Configuration and User Configuration. However, only the Group Policy setting under Computer Configuration is effective. The Group Policy setting under User Configuration is ignored.

The Update-Help cmdlet downloads and installs the newest help files for PowerShell modules and installs them on the computer. By default, Update-Help downloads new help files from an Internet location specified by the module.

However, you can use the Save-Help cmdlet to download the newest help files to a file system location, such as a network share, and then use the Update-Help cmdlet to get the help files from the file system location and install them on the computer. The SourcePath parameter of the Update-Help cmdlet specifies the file system location.

By providing a default value for the SourcePath parameter, this Group Policy setting implicitly adds the SourcePath parameter to all Update-Help commands. Users can override the particular file system location specified as the default value by entering a different file system location. But they cannot remove the SourcePath parameter from the Update-Help command.

If you enable this policy setting, you can specify a default value for the SourcePath parameter. Enter a file system location.

If this policy setting is disabled or not configured, there is no default value for the SourcePath parameter of the Update-Help cmdlet. Users can download help from the Internet or from any file system location.

For more information, see about_Updatable_Help.

Keywords

about_Group_Policies about_GroupPolicy

See also

PowerShell Core Policy RFC

about_Execution_Policies

about_Modules

about_Updatable_Help

Get-ExecutionPolicy

Set-ExecutionPolicy

Get-Module

Update-Help

Save-Help