Turn on PowerShell Transcription This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. If you disable this policy setting, transcription of PowerShell-based applications is disabled by default, although transcription can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Transcription of PowerShell-based applications is disabled.

(1) GPO: User Configuration\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription (2) REG: HKEY_USERS\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting,EnableInvocationHeader,OutputDirectory (3) WMI: ###