I’ve written the following piece of code to automate the creation of a Group Policy that would configure all the new PowerShell 5 settings – ScriptBlock Logging, Protected EventLog and Transcripts – that Lee Holmes mentioned in the PowerShell ♥ the Blue Team post.
It should be run from a domain-joined Windows 10 computer that has the Remote Server Administration Tools (RSAT) installed, because the code requires the New-SelfSignedCertificate cmdlet and the GroupPolicy module. If you have a PKI, you don't need the self-signed certificate and may prefer to use a certificate issued by your PKI. In that case, start by enrolling the certificate from your PKI, and the demo code below will use that one instead.
One last warning: the C:\Transcripts folder must exist on each computer targeted by the GPO, and its NTFS permissions should be adjusted before the GPO is applied.
Unfortunately, the GPO doesn't handle that requirement.
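
One way to prepare the folder on a target computer before the GPO applies is shown below, as an added example that is not part of the original script. The ACL layout (administrators and SYSTEM full control, everyone else write-only, no read-back for the file creator) is an assumption about what "adjusted" should mean for a transcript drop folder; run it from an elevated session and adapt it to your own policy.

```powershell
# Added example: creates C:\Transcripts and applies an assumed write-only ACL layout.
$path = 'C:\Transcripts'   # folder named in the post

if (-not (Test-Path -LiteralPath $path)) {
    New-Item -ItemType Directory -Path $path | Out-Null
}

# Well-known SIDs keep the script independent of the OS display language.
$admins       = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$system       = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$everyone     = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$creatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$thisAndSub  = [System.Security.AccessControl.PropagationFlags]::None
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$deny        = [System.Security.AccessControl.AccessControlType]::Deny
$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$writeOnly   = [System.Security.AccessControl.FileSystemRights]'Write, ReadAttributes'

$acl = Get-Acl -LiteralPath $path

# Stop inheriting from C:\ and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

$rules = @(
    # Administrators and SYSTEM can read and manage every transcript.
    [System.Security.AccessControl.FileSystemAccessRule]::new($admins, $full, $inherit, $thisAndSub, $allow)
    [System.Security.AccessControl.FileSystemAccessRule]::new($system, $full, $inherit, $thisAndSub, $allow)
    # Everyone may create and write transcripts but not list or read them.
    [System.Security.AccessControl.FileSystemAccessRule]::new($everyone, $writeOnly, $inherit, $thisAndSub, $allow)
    # Deny entry inherited by new files, intended to stop a user from reading
    # back transcripts written under their own account.
    [System.Security.AccessControl.FileSystemAccessRule]::new($creatorOwner, $full, $inherit, $inheritOnly, $deny)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }

Set-Acl -LiteralPath $path -AclObject $acl

# Review the resulting entries; none should show IsInherited = True.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```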