Introduction
Group policy is a feature of Windows Server Active Directory which automagically deploys groups of policies to users and computers. A policy is some computer setting you wish to enforce, such as which screen saver to use, what desktop background to use, or what the default execution policy should be.
Windows PowerShell has for a while allowed you to set certain group policies to control how PowerShell works. Windows PowerShell 5.1 provides five specific policy settings. PowerShell 7 provides all the Windows PowerShell policies, plus one more. I describe each policy below.
One neat feature of PowerShell 7 is that you can enable independent policy values for PowerShell 7 and Windows PowerShell. Or you can enable a PowerShell 7 policy and take any values, such as the Execution Policy from Windows PowerShell policies.
You can set policies for a computer or a user. I base the Group Policy Editor and the PowerShell cmdlets make use of administrative templates stored C:\Windows\PolicyDefinitions folder in your DC (or to a central policy store shared on all DCs). The templates include an XML file that defines a policy or set of policy, which has the extension ADMX. Each template definition a localised set of strings stored in an ADML file. The ADMX file contains pointers to strings defined in the ADML file. Having both files enables the GP Editor to use localised language.
After you apply a policy, the group policy agent on the computer creates entries in the user or computer's registry policy area. You can see the policy if you use registry editor or PowerShell and navigate to HKCU:\Software\Policies\Microsoft\PowerShellCore for user settings, or you can navigate to HKLM:\Software\Policies\Microsoft\PowerShellCore for computer settings.
The group policy agent runs each time the computer starts, and each time a user logs on. The agent also runs at intervals of 2 hours (less a random time up to 30 minutes). To immediately invoke the agent, you can use the gpupdate.exe console application.
NOTE: This article started out simple, but as it grew, I've had to split it into two. In this article, I look at the GPO settings you can specify and which registry key(s) and value entries they use. Armed with this information, the next article looks at how you set each policy using PowerShell 7.
PowerShell Group Policy settings
There are six PowerShell 7 related group policies you can deploy
- Execution Policy
- Console Session Configuration (new with PowerShell 7)
- Module Logging
- Script block logging
- Transcription
- Updatable Help.
Setting Policies
Execution Policy
HKCU:\Software\Policies\Microsoft\PowerShellCore
- EnableScripts - This value entry enables this policy. It is of type dword and has a value of 1 if the policy is enabled
- ExecutionPolicy - This is the execution policy to be applied. It is a string and can contain any valid PowerShell execution policy
# 1. Set Execution Policy# Create Key$Key = 'HKCU:\Software\Policies\Microsoft\PowerShellCore'if (Test-Path $Key) {Write-Verbose "Registry Key exists [$key]"}Else {Write-Verbose "Creating registry key [$key]"New-Item -Path $Key}# Set value for execution policyWrite-Verbose 'Setting Execution Policy On'$CVHT1 = @{ Path = $KeyName = 'EnableScripts'Type = 'Dword'Value = 1 }Set-ItemProperty @CVHT1Write-Verbose 'Setting Execution Policy to Unrestricted'$CVHT2 = @{ Path = $KeyName = 'ExecutionPolicy'Type = 'String'Value = 'Unrestricted'}Set-ItemProperty @CVHT2
Console Session Configuration
The Console Session Configuration specifies a remoting configuration endpoint to use. Remote sessions then run against that endpoint. You can specify any endpoint, include a JEA endpoint.- EnableConsoleSessionConfiguration - this entry enables the policy. It is of type dword and has a value of 1 to indicate that the policy is applied.
- ConsoleSessionConfigurationName - this entry is the remoting endpoint that is used. It is a string, such as "PowerShell.7".
Module Logging
- EnableModuleLogging - This entry enables the policy. It is of type dword and has a value of 1 to indicate that the policy is applied.
Script block logging
You use the Script block logging policy to turn on PowerShell's logging of any important script blocks. PowerShell does not log all script blocks only those that change something. Nevertheless, this policy can generate a lot of logging. In Windows PowerShell, setting this policy could result in performance degradation although has been much improved in PowerShell 7.- EnableScriptBlockLogging - This entry enables the policy. It is of type dword and has a value of 1 to indicate that the policy is applied.
Transcription
- EnableTranscripting - This entry enables the policy. It is of type dword and has a value of 1 to indicate that the policy is applied.
- OutputDirectory - this is a string and specifies the folder in which PowerShell writes session transcripts.
Updatable Help
- EnableUpdateHelpDefaultSourcePath - This entry enables the policy. It is of type dword and has a value of 1 to indicate that the policy is applied.
- DefaultSourcePath -This parameter defines the location to be used as the default source path and is of type String. You would probably use a network share. Irrespective, you should note that in this string you must escape any back slash character with aqn additional backslash. If the default source path is \\dc1\help, you see it as "\\\\dc1\\help".
Using Windows PowerShell Settings
- UseWindowsPowerShellPolicySetting - This value entry indicates that the policy details should come from Windows PowerShell policies. It is of type dword and has a value of 1.
No comments:
Post a Comment