2

I have configured a Windows 7 domain workstation and a Windows server 2012r2 server as the domain controller. After fully updating both machines, I followed the instructions here: https://msdn.microsoft.com/en-us/powershell/wmf/5.0/requirements to configure the Powershell transcription, block, and module logging features. To be clear, I updated Windows 7 fully, installed the latest .NET framwork (4.6.1) installed WMF 4.0, then installed WMF 5.0. On Server 2012r2 I fully updated and then installed WMF 5.0. Also, on the Windows 7 box, the options for Powershell logging were present after installing WMF 4.0, but then vanished completely after installing WMF 5.0. I have reverted to prior snapshots and repeated with the same results.

Windows 7: Windows Powershell missing completely in group policy editor.

Server 2012r2: Windows Powershell present in group policy editor, however only containing 3 settings:

  • Turn on Module Logging
  • Turn on Script Execution
  • Set the default source path for Update-Help

The other settings that SHOULD be present, but are missing are:

  • Turn on PowerShell Script Block Logging
  • Turn on PowerShell Transcription

Any help is appreciated. Thanks.

Windows 7 Missing Powershell logging options

Beetle
  • 303
  • 2
  • 9

2 Answers2

3

You'll need to update your Group Policy administrative templates (the best way to maintain this is to have a centralized ADMX template store on your DCs).

Download the most up to date templates from here: https://www.microsoft.com/en-us/download/details.aspx?id=48257

The installer will just create a file structure of the current ADMX templates for windows - have it install the files into a temp directory that you can pull files out of. Instead of wholesale replacing all of your templates, you can cherry pick the ADMX / ADML templates that you want to update - in this case the "PowershellExecutionPolicy" template.

Copy the file "PowershellExecutionPolicy.admx" from the New Templates\PolicyDefinitions directory into your Group Policy Template store for the domain. Then go into the applicable language directories for your AD environment (my Org is US only, so I just use "en-US") and copy the PowershellExecutionPolicy.adml file into the same directories in your domain GP Template store. You will probably be prompted to overwrite existing files with the new ones, this is expected (since you're updating the templates).

After replicating between your DCs, the new options should be available.

Info on creating an AD Group Policy Template store here: https://support.microsoft.com/en-us/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows

claidheamh
  • 432
  • 2
  • 6
1

Here are some introductions to the PowerShell Script Block Logging and the PowerShell Transcription capabilities in WMF5 for Windows 7 (and later) -- https://adsecurity.org/?p=2277

You'll notice that instead of Local Policy it's network GPO available under:

  • Windows Components -> Administrative Templates -> Windows PowerShell
  • This Group Policy setting configures the registry keys -- HKLM:\Software\Policies\Microsoft\Windows\PowerShell\
atdre
  • 18,885
  • 6
  • 58
  • 107