From 75a8e45c1cd9ee96b8ee79e9de9e7c85c098bf46 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 20 May 2019 13:34:44 -0700 Subject: [PATCH 01/19] Draft policy RFC --- 1-Draft/RFCXXXX-Policy.md | 236 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 236 insertions(+) create mode 100644 1-Draft/RFCXXXX-Policy.md diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md new file mode 100644 index 00000000..787569e1 --- /dev/null +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -0,0 +1,236 @@ +--- +RFC: RFCnnnn +Author: travisez13 +Status: Draft +SupercededBy: N/A +Version: 0.1 +Area: Engine +Comments Due: 6/30/2019 +--- + +# `PowerShell Core` Policy + +## Motivation + +Consumers, developers, and enterprise system administrators should be able to flexibly and reliable way to configure PowerShell 7. + +## Acknowledgement + +I based this off of @iSazonov 's RFC, for just a slightly different purpose. +[PR #111](https://github.com/PowerShell/PowerShell-RFC/pull/111) + +## Specification + +`PowerShell 7` should be configured using the following schemes: + +- On Windows - Group Policy Objects (GPO), Group Policy Preferences (GPP) and settings files. +- On Unix - settings files. + +The settings files have `JSON` format. + +**Warning** The settings files differ from `PowerShell 7` _profile_ files, which are PowerShell scripts run at startup. + +Configuration schemes allow to customize `PowerShell 7` in the most flexible way: + +- Enterprise system administrators can use GPO, + GPP and computer-wide settings files to apply approved configuration settings and mandatory security settings in a centralized manner. + The same settings can be applied at user, application or startup levels. +- Developers and consumers can use user, application and startup level settings files. + +### Configuration defaults + +PowerShell 7 has hard-coded defaults for all configuration options. + +The default values must be `secure-by-default`. + +For release versions hard-coded defaults must be the same as ones in re-installed configuration files. For preview versions they may vary (ex., enable experimental features and so on). + +If during startup PowerShell 7 cannot read system configuration files it fails to startup. + +If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults. + +If during operation PowerShell 7 cannot read configuration files it continue to use _current_ (runtime) configuration values. 
+ +### Settings locations + +`PowerShell 7` settings are grouped into `Policy settings` and `Regular settings`. +Regular settings are normal configuration settings. +Regular settings can be treated as default values. +Policy settings is high priority and overlap regular settings. +Policy settings are used by administrators to centrally manage applications. + +| Location | Policy settings | Regular settings | +|--------------|-----------------------------------------------------------|------------------------------------------------------------| +| File section | "PowerShell": { "PolicySettings": {...} } | "PowerShell": { "RegularSettings": {...} } | +| File section | "OtherPowerShellApplication": { "PolicySettings": {...} } | "OtherPowerShellApplication": { "RegularSettings": {...} } | +| Registry key | Software\Policies\PowerShellCore | Software\PowerShellCore | + +### Policy settings Setting Fall-Back + +#### Motivation - Policy Setting Fall-Back + +This is to allow Fall-back to Windows PowerShell policies. + +#### Implementation + +For Policy Settings, +each policy should have a `Use Windows PowerShell Policy` which will indicate that the policy should the read from +`SOFTWARE\Policies\Microsoft\Windows\PowerShell` instead of `Software\Policies\PowerShellCore`. + +### Precedence of applying settings + +Because a configuration setting can be in several schemes, the setting wins according to the priority of its scheme. 
+ +#### Precedence for Policy settings in descending order + +| Scheme | Windows | Unix | +|-----------------------------|------------------------------------------------------|------------------------------------------------------| +| GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | /etc/powershell.config.json | +| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See `Comment A` below | +| File -> Computer-Wide | %ProgramFiles%/PowerShell/powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | +| File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | +| File -> User-Wide | %APPDATA%/powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | +| File -> Application-Wide | $apphome/powershell.config.json | $apphome/powershell.config.json | + +Defaults: + +`%APPDATA%` - `C:\Users\useraccount\AppData\Roaming` + +`%XDG_CONFIG_HOME%` - `HOME/.config` + +#### Parameter `-settingsfile` + +With `-settingsfile` parameter users can assign custom settings from the config file and overwrite user-wide and application-wide settings. 
+ +##### Computer-wide and user policy settings + +**No** user can overwrite computer-wide and user policy settings using `-settingsfile` + +#### Priorities for Regular settings in descending order + +| Scheme | Windows | Unix | +|-----------------------------|------------------------------------------------------|------------------------------------------------------| +| File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | +| File -> Application-Wide | $apphome\powershell.config.json | $apphome/powershell.config.json | +| File -> User-Wide | %APPDATA%\powershell.config.json | ~/powershell.config.json | +| File -> Computer-Wide | %ProgramFiles%\PowerShell\powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | +| GPO -> User Config | HKCU\Software\PowerShellCore | See `Comment A` below | +| GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | + +### Configuration settings + +A set of configuration settings in GPO scheme and file scheme for policy settings and regular settings is the same. This allows to discover and configure settings in the simplest and fastest way. 
+ +#### Registry keys and settings + +| Key | SubKey | Option | Type | Precedence | +|----------------------------------|-----------------------------|------------------------------------|--------|---------------------| +| Software\Policies\PowerShellCore | - | - | | | +| Software\PowerShellCore | - | - | | | +| | | ExecutionPolicy | String | Computer, Then User | +| | ConsoleSessionConfiguration | EnableConsoleSessionConfiguration | DWORD | User, then Computer | +| | ConsoleSessionConfiguration | ConsoleSessionConfigurationName | String | User, then Computer | +| | ModuleLogging | EnableModuleLogging | DWORD | Computer, Then User | +| | ModuleLogging | ModuleNames | String | Computer, Then User | +| | ProtectedEventLogging | EncryptionCertificate | DWORD | Computer Wide | +| | ScriptBlockLogging | EnableScriptBlockInvocationLogging | DWORD | Computer, Then User | +| | ScriptBlockLogging | EnableScriptBlockLogging | DWORD | Computer, Then User | +| | Transcription | EnableTranscripting | DWORD | Computer, Then User | +| | Transcription | EnableInvocationHeader | DWORD | Computer, Then User | +| | Transcription | OutputDirectory | String | Computer, Then User | +| | UpdatableHelp | DefaultSourcePath | String | Computer Wide | + +#### JSON file settings format + +```json +{ + "PowerShell": { + "RegularSettings": { + "ConsoleSessionConfiguration": { + "EnableConsoleSessionConfiguration": true, + "ConsoleSessionConfigurationName": "name" + }, + "ProtectedEventLogging": { + "EnableProtectedEventLogging": false, + "EncryptionCertificate": [ + "Joe" + ] + }, + "ScriptBlockLogging": { + "EnableScriptBlockInvocationLogging": true, + "EnableScriptBlockLogging": false + }, + "ScriptExecution": { + "ExecutionPolicy": "RemoteSigned", + "PipelineMaxStackSizeMB": 10 + }, + "Transcription": { + "EnableTranscripting": true, + "EnableInvocationHeader": true, + "OutputDirectory": "c:\\tmp" + }, + "UpdatableHelp": { + "DefaultSourcePath": "f:\\temp" + } + }, + + "PoliciesSettings": { 
+ ... + } + }, + + "OtherPowerShellApplication": { + "RegularSettings": { + ... + }, + "PolicySettings": { + ... + } +} +``` + +## Alternate Proposals and Considerations + +### Automatically resolve Windows PowerShell policy conflicts + +We could attempt to resolve policy conflicts between PowerShell 7 policy and Windows PowerShell policy. +This would make the `Precedence for Policy settings` not just a simple list but a complex set of rules that would not be easily understood. See [this conversation](https://github.com/PowerShell/PowerShell/issues/9309?#issuecomment-480643922). + +### Allow admins to overwrite computer-wide settings + +In System Lock-down mode, we attempt to protect from the admin, +so allowing computer-wide or policy setting to be overwritten at the command-line is dangerous. + +We could try to check for System Lock-down mode and +admin user and allow `-settingsfile` to overwrite computer-wide settings. + +But, performing the system lock-down check this early would hurt startup performance. + +I don't recommend this approach. + +### Comment A + +Mainly for Unix we'd add `Users` section to computer wide JSON file (`/etc/powershell.config.json`) to allow administrators set policies and regular settings on user level base + +```json +{ + "PowerShell": { + "RegularSettings": { + ... + }, + "PolicySettings": { + ... + }, + "Users": { + "Smith": { + "PowerShell": { + "RegularSettings": { + ... + }, + "PolicySettings": { + ... + } + } + } +} +``` \ No newline at end of file From 4eed70135d7d96d3010a110bde03c55143bec097 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 20 May 2019 16:15:27 -0700 Subject: [PATCH 02/19] Address steve's feedback --- 1-Draft/RFCXXXX-Policy.md | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 787569e1..f7280451 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -104,7 +104,10 @@ With `-settingsfile` parameter users can assign custom settings from the config ##### Computer-wide and user policy settings -**No** user can overwrite computer-wide and user policy settings using `-settingsfile` +Admin/root users can overwrite computer-wide and user policy settings using `-settingsfile`, +only when not in System Lock-down mode. + +This will have performance impact on startup, but only when `-settingsfile` is specified. #### Priorities for Regular settings in descending order @@ -140,6 +143,8 @@ A set of configuration settings in GPO scheme and file scheme for policy setting | | Transcription | OutputDirectory | String | Computer, Then User | | | UpdatableHelp | DefaultSourcePath | String | Computer Wide | +I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on UpdatableHelp-DefaultSourcePath to make it allow User settings. + #### JSON file settings format ```json 
@@ -196,17 +201,10 @@ A set of configuration settings in GPO scheme and file scheme for policy setting We could attempt to resolve policy conflicts between PowerShell 7 policy and Windows PowerShell policy. This would make the `Precedence for Policy settings` not just a simple list but a complex set of rules that would not be easily understood. See [this conversation](https://github.com/PowerShell/PowerShell/issues/9309?#issuecomment-480643922). -### Allow admins to overwrite computer-wide settings - -In System Lock-down mode, we attempt to protect from the admin, -so allowing computer-wide or policy setting to be overwritten at the command-line is dangerous. - -We could try to check for System Lock-down mode and -admin user and allow `-settingsfile` to overwrite computer-wide settings. - -But, performing the system lock-down check this early would hurt startup performance. +### Allowing environment variable in the JSON -I don't recommend this approach. +A new RFC should be drafted about how to allow environment variables in the JSON. +This would allow consistent files across platforms. ### Comment A From d712d429d8fbefda43c87b086352f9c06c648807 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 13:08:02 -0700 Subject: [PATCH 03/19] Update RFCXXXX-Policy.md Apply suggestions from code review Co-Authored-By: Ilya Update 1-Draft/RFCXXXX-Policy.md Update 1-Draft/RFCXXXX-Policy.md Co-Authored-By: Ilya --- 1-Draft/RFCXXXX-Policy.md | 85 +++++++++++++++------------------------ 1 file changed, 33 insertions(+), 52 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index f7280451..d43c6bbb 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -12,7 +12,7 @@ Comments Due: 6/30/2019 ## Motivation -Consumers, developers, and enterprise system administrators should be able to flexibly and reliable way to configure PowerShell 7. +Consumers, developers, and enterprise system administrators should be able to flexibly and reliable configure PowerShell 7. ## Acknowledgement @@ -43,9 +43,12 @@ PowerShell 7 has hard-coded defaults for all configuration options. The default values must be `secure-by-default`. -For release versions hard-coded defaults must be the same as ones in re-installed configuration files. For preview versions they may vary (ex., enable experimental features and so on). +For release versions hard-coded defaults must be the same as ones in pre-installed configuration files. For preview versions they may vary (ex., enable experimental features and so on). -If during startup PowerShell 7 cannot read system configuration files it fails to startup. +System configuration includes security sensitive setting, +and failing to read those setting could result in an insecure system. +So, if during startup, PowerShell 7 cannot read files read from the Computer-Wide scope, +it fails to startup. If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults. 
@@ -55,27 +58,28 @@ If during operation PowerShell 7 cannot read configuration files it continue to `PowerShell 7` settings are grouped into `Policy settings` and `Regular settings`. Regular settings are normal configuration settings. -Regular settings can be treated as default values. -Policy settings is high priority and overlap regular settings. -Policy settings are used by administrators to centrally manage applications. +Regular settings can be treated as default and recommended values. +Policy settings is higher precedence. +See [Precedence for Policy settings in descending order](#precedence-for-policy-settings-in-descending-order). +Policy settings are used by administrators to centrally manage PowerShell and hosted applications. | Location | Policy settings | Regular settings | |--------------|-----------------------------------------------------------|------------------------------------------------------------| | File section | "PowerShell": { "PolicySettings": {...} } | "PowerShell": { "RegularSettings": {...} } | -| File section | "OtherPowerShellApplication": { "PolicySettings": {...} } | "OtherPowerShellApplication": { "RegularSettings": {...} } | | Registry key | Software\Policies\PowerShellCore | Software\PowerShellCore | ### Policy settings Setting Fall-Back #### Motivation - Policy Setting Fall-Back -This is to allow Fall-back to Windows PowerShell policies. +This is to allow fall-back to Windows PowerShell policies. #### Implementation For Policy Settings, each policy should have a `Use Windows PowerShell Policy` which will indicate that the policy should the read from `SOFTWARE\Policies\Microsoft\Windows\PowerShell` instead of `Software\Policies\PowerShellCore`. +The default in Group Policy is to have no policy, so it would not fall back to Windows PowerShell Policy, or apply PowerShell 7 policy. ### Precedence of applying settings 
@@ -85,12 +89,12 @@ Because a configuration setting can be in several schemes, the setting wins acco | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| -| GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | /etc/powershell.config.json | -| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See `Comment A` below | -| File -> Computer-Wide | %ProgramFiles%/PowerShell/powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | +| GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | /etc/powershell/powershell.config.json | +| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See [`Comment A`](#comment-a) below | +| File -> Computer-Wide | %ProgramFiles%/PowerShell/powershell.config.json | /etc/powershell/powershell.config.json | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> User-Wide | %APPDATA%/powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | -| File -> Application-Wide | $apphome/powershell.config.json | $apphome/powershell.config.json | +| File -> Application-Wide | $PSHome/powershell.config.json | $PSHome/powershell.config.json | Defaults: 
@@ -98,12 +102,17 @@ Defaults: `%XDG_CONFIG_HOME%` - `HOME/.config` +`$PSHome` definition from [about_powershell_config](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-6) - The $PSHOME location is defined as the same directory as the executing System.Management.Automation.dll assembly. +This applies to hosted PowerShell SDK instances as well. #### Parameter `-settingsfile` With `-settingsfile` parameter users can assign custom settings from the config file and overwrite user-wide and application-wide settings. ##### Computer-wide and user policy settings +Definitions: + - System Lock-down mode: When Windows Defender Application Control or AppLocker force PowerShell into Constrained Language mode and only trusted code runs in Full Language mode. See [PowerShell Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) + Admin/root users can overwrite computer-wide and user policy settings using `-settingsfile`, only when not in System Lock-down mode. 
@@ -115,9 +124,9 @@ This will have performance impact on startup, but only when `-settingsfile` is s |-----------------------------|------------------------------------------------------|------------------------------------------------------| | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> Application-Wide | $apphome\powershell.config.json | $apphome/powershell.config.json | -| File -> User-Wide | %APPDATA%\powershell.config.json | ~/powershell.config.json | +| File -> User-Wide | %APPDATA%\powershell.config.json | ~/.config/powershell/powershell.config.json | | File -> Computer-Wide | %ProgramFiles%\PowerShell\powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | -| GPO -> User Config | HKCU\Software\PowerShellCore | See `Comment A` below | +| GPO -> User Config | HKCU\Software\PowerShellCore | ~/.config/powershell/powershell.config.json | | | GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | ### Configuration settings @@ -182,15 +191,7 @@ I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on Updatab "PoliciesSettings": { ... } - }, - - "OtherPowerShellApplication": { - "RegularSettings": { - ... - }, - "PolicySettings": { - ... - } + } } ``` 
@@ -198,37 +199,17 @@ I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on Updatab ### Automatically resolve Windows PowerShell policy conflicts -We could attempt to resolve policy conflicts between PowerShell 7 policy and Windows PowerShell policy. -This would make the `Precedence for Policy settings` not just a simple list but a complex set of rules that would not be easily understood. See [this conversation](https://github.com/PowerShell/PowerShell/issues/9309?#issuecomment-480643922). +#### Motivation -### Allowing environment variable in the JSON +This is a description of the alternative to [Policy settings Setting Fall-Back](#policy-settings-setting-fall-back). +The main purpose of describing the alternative is to describe why it should not be pursued. -A new RFC should be drafted about how to allow environment variables in the JSON. -This would allow consistent files across platforms. +#### Description -### Comment A +PowerShell could attempt to resolve policy conflicts between PowerShell 7 policy and Windows PowerShell policy. +This would make the `Precedence for Policy settings` not just a simple list but a complex set of rules that would not be easily understood. See [this conversation](https://github.com/PowerShell/PowerShell/issues/9309?#issuecomment-480643922). -Mainly for Unix we'd add `Users` section to computer wide JSON file (`/etc/powershell.config.json`) to allow administrators set policies and regular settings on user level base +### Allowing environment variable in the JSON -```json -{ - "PowerShell": { - "RegularSettings": { - ... - }, - "PolicySettings": { - ... - }, - "Users": { - "Smith": { - "PowerShell": { - "RegularSettings": { - ... - }, - "PolicySettings": { - ... - } - } - } -} -``` \ No newline at end of file +A new RFC should be drafted about how to allow environment variables in the values in the JSON. +This would allow consistent files across platforms. 
From 39b29cf8ee87ea2d7d85739843c0ec2225a45fda Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 14:13:21 -0700 Subject: [PATCH 04/19] offline updates --- 1-Draft/RFCXXXX-Policy.md | 55 ++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 18 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index d43c6bbb..ea098ef9 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -19,6 +19,18 @@ Consumers, developers, and enterprise system administrators should be able to fl I based this off of @iSazonov 's RFC, for just a slightly different purpose. [PR #111](https://github.com/PowerShell/PowerShell-RFC/pull/111) +## Goals + +1. Specify how PowerShell 7 will deal with having both Windows PowerShell and PowerShell Core Group Policy. + - This is covered in [Policy settings Setting Fall-Back](#policy-settings-setting-fall-back). +1. Correct how the `pwsh -settingsfile` switch behaves. + - This is covered in [Parameter `-settingsfile`](#Parameter--settingsfile) + +## Definitions + +- **Computer-Wide settings/policy** - setting or policy applied to the entire operating system. +- **User settings/policy** - setting or policy applied only to the user. + ## Specification `PowerShell 7` should be configured using the following schemes: @@ -34,8 +46,8 @@ Configuration schemes allow to customize `PowerShell 7` in the most flexible way - Enterprise system administrators can use GPO, GPP and computer-wide settings files to apply approved configuration settings and mandatory security settings in a centralized manner. - The same settings can be applied at user, application or startup levels. -- Developers and consumers can use user, application and startup level settings files. + Most settings can be applied either to the user or computer-wide. +- Developers and consumers can use user, or computer-wide level setting files. ### Configuration defaults 
@@ -45,7 +57,7 @@ The default values must be `secure-by-default`. For release versions hard-coded defaults must be the same as ones in pre-installed configuration files. For preview versions they may vary (ex., enable experimental features and so on). -System configuration includes security sensitive setting, +Computer-wide configuration includes security sensitive setting, and failing to read those setting could result in an insecure system. So, if during startup, PowerShell 7 cannot read files read from the Computer-Wide scope, it fails to startup. @@ -61,7 +73,7 @@ Regular settings are normal configuration settings. Regular settings can be treated as default and recommended values. Policy settings is higher precedence. See [Precedence for Policy settings in descending order](#precedence-for-policy-settings-in-descending-order). -Policy settings are used by administrators to centrally manage PowerShell and hosted applications. +Policy settings are used by administrators to centrally manage PowerShell. | Location | Policy settings | Regular settings | |--------------|-----------------------------------------------------------|------------------------------------------------------------| 
@@ -89,12 +101,11 @@ Because a configuration setting can be in several schemes, the setting wins acco | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| -| GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | /etc/powershell/powershell.config.json | -| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See [`Comment A`](#comment-a) below | -| File -> Computer-Wide | %ProgramFiles%/PowerShell/powershell.config.json | /etc/powershell/powershell.config.json | +| GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | See [Moving configuration out of PSHome][moving] | +| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See [`Comment A`](#comment-a) below | +| File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | [Moving configuration out of PSHome][moving] | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> User-Wide | %APPDATA%/powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | -| File -> Application-Wide | $PSHome/powershell.config.json | $PSHome/powershell.config.json | Defaults: 
@@ -102,17 +113,19 @@ Defaults: `%XDG_CONFIG_HOME%` - `HOME/.config` -`$PSHome` definition from [about_powershell_config](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-6) - The $PSHOME location is defined as the same directory as the executing System.Management.Automation.dll assembly. -This applies to hosted PowerShell SDK instances as well. #### Parameter `-settingsfile` -With `-settingsfile` parameter users can assign custom settings from the config file and overwrite user-wide and application-wide settings. +With `-settingsfile` parameter users can assign custom settings from the config file and overwrite user-wide settings. + +##### More definitions + +- System Lock-down mode: + When Windows Defender Application Control or AppLocker force PowerShell into Constrained Language mode and + only trusted code runs in Full Language mode. + See [PowerShell Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) ##### Computer-wide and user policy settings -Definitions: - - System Lock-down mode: When Windows Defender Application Control or AppLocker force PowerShell into Constrained Language mode and only trusted code runs in Full Language mode. See [PowerShell Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) - Admin/root users can overwrite computer-wide and user policy settings using `-settingsfile`, only when not in System Lock-down mode. 
@@ -123,10 +136,9 @@ This will have performance impact on startup, but only when `-settingsfile` is s | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | -| File -> Application-Wide | $apphome\powershell.config.json | $apphome/powershell.config.json | -| File -> User-Wide | %APPDATA%\powershell.config.json | ~/.config/powershell/powershell.config.json | +| File -> User-Wide | %APPDATA%\powershell.config.json | ~/.config/powershell/powershell.config.json | | File -> Computer-Wide | %ProgramFiles%\PowerShell\powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | -| GPO -> User Config | HKCU\Software\PowerShellCore | ~/.config/powershell/powershell.config.json | | +| GPO -> User Config | HKCU\Software\PowerShellCore | ~/.config/powershell/powershell.config.json| | | GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | ### Configuration settings @@ -199,7 +211,7 @@ I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on Updatab ### Automatically resolve Windows PowerShell policy conflicts -#### Motivation +#### Motivation - Automatically policy This is a description of the alternative to [Policy settings Setting Fall-Back](#policy-settings-setting-fall-back). The main purpose of describing the alternative is to describe why it should not be pursued. 
@@ -213,3 +225,10 @@ This would make the `Precedence for Policy settings` not just a simple list but A new RFC should be drafted about how to allow environment variables in the values in the JSON. This would allow consistent files across platforms. + +### Moving configuration out of PSHome + +Per issues [9278](https://github.com/PowerShell/PowerShell/issues/9278) we need to move configuration out of PSHome, +follow that issue for issues related to new locations of files. + +[moving]:#moving-configuration-out-of-pshome From 40857e44739608e17486c3585b307d4c85c8a079 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 14:28:37 -0700 Subject: [PATCH 05/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index ea098ef9..204a2f04 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -28,14 +28,14 @@ I based this off of @iSazonov 's RFC, for just a slightly different purpose. ## Definitions -- **Computer-Wide settings/policy** - setting or policy applied to the entire operating system. -- **User settings/policy** - setting or policy applied only to the user. +- **Computer-Wide settings/policy** - setting or policy applied to an operating system environment (OSE), affecting all users of the OSE. +- **User settings/policy** - setting or policy applied to a specific user of an OSE, and not applied to the OSE as a whole. ## Specification `PowerShell 7` should be configured using the following schemes: -- On Windows - Group Policy Objects (GPO), Group Policy Preferences (GPP) and settings files. +- On Windows - Group Policy Objects (GPO), and settings files. - On Unix - settings files. The settings files have `JSON` format. From 49db15fde1c03b1d81216dae588c5290ec3df1d8 Mon Sep 17 00:00:00 2001 
From: Travis Plunk Date: Fri, 31 May 2019 14:33:52 -0700 Subject: [PATCH 06/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 204a2f04..6fc64a7f 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -51,14 +51,14 @@ Configuration schemes allow to customize `PowerShell 7` in the most flexible way ### Configuration defaults -PowerShell 7 has hard-coded defaults for all configuration options. +PowerShell 7 has hard-coded defaults for all configuration policies and settings. The default values must be `secure-by-default`. For release versions hard-coded defaults must be the same as ones in pre-installed configuration files. For preview versions they may vary (ex., enable experimental features and so on). Computer-wide configuration includes security sensitive setting, -and failing to read those setting could result in an insecure system. +and failing to read those setting, for example if the file is locked or corrupted, could result in an insecure system. So, if during startup, PowerShell 7 cannot read files read from the Computer-Wide scope, it fails to startup. From c7dfff9334048208baf2d89dbbe40cb888b99bf5 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 14:41:16 -0700 Subject: [PATCH 07/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 6fc64a7f..ad9aa2ef 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -12,7 +12,7 @@ Comments Due: 6/30/2019 ## Motivation -Consumers, developers, and enterprise system administrators should be able to flexibly and reliable configure PowerShell 7. +Consumers, developers, and enterprise system administrators should be able to flexibly and reliably configure PowerShell 7. ## Acknowledgement @@ -71,7 +71,7 @@ If during operation PowerShell 7 cannot read configuration files it continue to `PowerShell 7` settings are grouped into `Policy settings` and `Regular settings`. Regular settings are normal configuration settings. Regular settings can be treated as default and recommended values. -Policy settings is higher precedence. +Policy settings have a higher precedence than regular settings. See [Precedence for Policy settings in descending order](#precedence-for-policy-settings-in-descending-order). Policy settings are used by administrators to centrally manage PowerShell. From 75644d87a33855980923a1f7327a8927928113ab Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 14:53:44 -0700 Subject: [PATCH 08/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index ad9aa2ef..b0af71b1 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -23,7 +23,7 @@ I based this off of @iSazonov 's RFC, for just a slightly different purpose. 1. Specify how PowerShell 7 will deal with having both Windows PowerShell and PowerShell Core Group Policy. - This is covered in [Policy settings Setting Fall-Back](#policy-settings-setting-fall-back). -1. Correct how the `pwsh -settingsfile` switch behaves. +1. Define how the `pwsh -settingsfile` switch should behave. - This is covered in [Parameter `-settingsfile`](#Parameter--settingsfile) ## Definitions 
@@ -64,7 +64,7 @@ it fails to startup. If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults. -If during operation PowerShell 7 cannot read configuration files it continue to use _current_ (runtime) configuration values. +PowerShell 7 does not update configuration values from modified configuration files during a given session after the configuration has been loaded. ### Settings locations From b04ebc7cadb4460aa6e8ee80a4ed6d724b80d10f Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 14:58:23 -0700 Subject: [PATCH 09/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index b0af71b1..ed6a45da 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -47,6 +47,7 @@ Configuration schemes allow to customize `PowerShell 7` in the most flexible way - Enterprise system administrators can use GPO, GPP and computer-wide settings files to apply approved configuration settings and mandatory security settings in a centralized manner. Most settings can be applied either to the user or computer-wide. + We will cover the precedence of these in [Registry keys and settings](#registry-keys-and-settings). - Developers and consumers can use user, or computer-wide level setting files. ### Configuration defaults From e98fc1c238ba27590a383497c1921aee40952513 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 15:45:40 -0700 Subject: [PATCH 10/19] offline updates --- 1-Draft/RFCXXXX-Policy.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index ed6a45da..90059ba8 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -60,8 +60,11 @@ For release versions hard-coded defaults must be the same as ones in pre-install Computer-wide configuration includes security sensitive setting, and failing to read those setting, for example if the file is locked or corrupted, could result in an insecure system. -So, if during startup, PowerShell 7 cannot read files read from the Computer-Wide scope, +So, if during startup, PowerShell 7 cannot read settings files from the Computer-Wide scope, it fails to startup. +Because registry reads are more atomic, +this is not an issue for group policy settings, +but if we faced the same issues for these settings the solution would be the similar. If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults. @@ -103,7 +106,7 @@ Because a configuration setting can be in several schemes, the setting wins acco | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| | GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | See [Moving configuration out of PSHome][moving] | -| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | See [`Comment A`](#comment-a) below | +| GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | | File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | [Moving configuration out of PSHome][moving] | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> User-Wide | %APPDATA%/powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | 
@@ -132,14 +135,14 @@ only when not in System Lock-down mode. This will have performance impact on startup, but only when `-settingsfile` is specified. -#### Priorities for Regular settings in descending order +#### Precedence for Regular settings in descending order | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | -| File -> User-Wide | %APPDATA%\powershell.config.json | ~/.config/powershell/powershell.config.json | -| File -> Computer-Wide | %ProgramFiles%\PowerShell\powershell.config.json | /opt/Microsoft/powershell/powershell.config.json | -| GPO -> User Config | HKCU\Software\PowerShellCore | ~/.config/powershell/powershell.config.json| | +| File -> User-Wide | %APPDATA%\powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | +| File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | /opt/Microsoft/powershell/powershell.config.json | +| GPO -> User Config | HKCU\Software\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | | GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | ### Configuration settings From 227f56a36a559871ce3c6de9fab10e85c36ce708 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 31 May 2019 16:05:57 -0700 Subject: [PATCH 11/19] remove accidental new behavior. --- 1-Draft/RFCXXXX-Policy.md | 65 ++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 21 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 90059ba8..7796f99a 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -82,7 +82,7 @@ Policy settings are used by administrators to centrally manage PowerShell. | Location | Policy settings | Regular settings | |--------------|-----------------------------------------------------------|------------------------------------------------------------| | File section | "PowerShell": { "PolicySettings": {...} } | "PowerShell": { "RegularSettings": {...} } | -| Registry key | Software\Policies\PowerShellCore | Software\PowerShellCore | +| Registry key | Software\Policies\PowerShellCore | Not Applicable | ### Policy settings Setting Fall-Back @@ -101,14 +101,16 @@ The default in Group Policy is to have no policy, so it would not fall back to W Because a configuration setting can be in several schemes, the setting wins according to the priority of its scheme. -#### Precedence for Policy settings in descending order +#### Precedence for Computer-Wide settings in descending order + +Note, this is listed as `Computer, Then User` in [Registry keys and settings](#registry-keys-and-settings). | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| | GPO -> Computer Policy | HKLM\Software\Policies\PowerShellCore | See [Moving configuration out of PSHome][moving] | | GPO -> User Policy | HKCU\Software\Policies\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | -| File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | [Moving configuration out of PSHome][moving] | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | +| File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | [Moving configuration out of PSHome][moving] | | File -> User-Wide | %APPDATA%/powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | Defaults: 
@@ -135,15 +137,27 @@ only when not in System Lock-down mode. This will have performance impact on startup, but only when `-settingsfile` is specified. -#### Precedence for Regular settings in descending order +#### Precedence for User settings in descending order + +Note, this is listed as `User, then Computer` in [Registry keys and settings](#registry-keys-and-settings). | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| +| GPO -> User Config | HKCU\Software\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | +| GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> User-Wide | %APPDATA%\powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | | File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | /opt/Microsoft/powershell/powershell.config.json | -| GPO -> User Config | HKCU\Software\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | + +#### Precedence for UpdatableHelp in descending order + +Note, this is listed as `Computer` in [Registry keys and settings](#registry-keys-and-settings). + +| Scheme | Windows | Unix | +|-----------------------------|------------------------------------------------------|------------------------------------------------------| | GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | +| File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | +| File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | /opt/Microsoft/powershell/powershell.config.json | ### Configuration settings 
@@ -151,22 +165,27 @@ A set of configuration settings in GPO scheme and file scheme for policy setting #### Registry keys and settings -| Key | SubKey | Option | Type | Precedence | -|----------------------------------|-----------------------------|------------------------------------|--------|---------------------| -| Software\Policies\PowerShellCore | - | - | | | -| Software\PowerShellCore | - | - | | | -| | | ExecutionPolicy | String | Computer, Then User | -| | ConsoleSessionConfiguration | EnableConsoleSessionConfiguration | DWORD | User, then Computer | -| | ConsoleSessionConfiguration | ConsoleSessionConfigurationName | String | User, then Computer | -| | ModuleLogging | EnableModuleLogging | DWORD | Computer, Then User | -| | ModuleLogging | ModuleNames | String | Computer, Then User | -| | ProtectedEventLogging | EncryptionCertificate | DWORD | Computer Wide | -| | ScriptBlockLogging | EnableScriptBlockInvocationLogging | DWORD | Computer, Then User | -| | ScriptBlockLogging | EnableScriptBlockLogging | DWORD | Computer, Then User | -| | Transcription | EnableTranscripting | DWORD | Computer, Then User | -| | Transcription | EnableInvocationHeader | DWORD | Computer, Then User | -| | Transcription | OutputDirectory | String | Computer, Then User | -| | UpdatableHelp | DefaultSourcePath | String | Computer Wide | +Notes: + +- All policies are in `Software\Policies\PowerShellCore`. +- `ExecutionPolicy` is not in any SubKey. 
+ +| SubKey | Option | Type | Precedence | +|-----------------------------|------------------------------------|--------|---------------------| +| - | - | | | +| - | - | | | +| | ExecutionPolicy | String | Computer, Then User | +| ConsoleSessionConfiguration | EnableConsoleSessionConfiguration | DWORD | User, then Computer | +| ConsoleSessionConfiguration | ConsoleSessionConfigurationName | String | User, then Computer | +| ModuleLogging | EnableModuleLogging | DWORD | Computer, Then User | +| ModuleLogging | ModuleNames | String | Computer, Then User | +| ProtectedEventLogging | EncryptionCertificate | DWORD | Computer Wide | +| ScriptBlockLogging | EnableScriptBlockInvocationLogging | DWORD | Computer, Then User | +| ScriptBlockLogging | EnableScriptBlockLogging | DWORD | Computer, Then User | +| Transcription | EnableTranscripting | DWORD | Computer, Then User | +| Transcription | EnableInvocationHeader | DWORD | Computer, Then User | +| Transcription | OutputDirectory | String | Computer, Then User | +| UpdatableHelp | DefaultSourcePath | String | Computer Wide | I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on UpdatableHelp-DefaultSourcePath to make it allow User settings. @@ -236,3 +255,7 @@ Per issues [9278](https://github.com/PowerShell/PowerShell/issues/9278) we need follow that issue for issues related to new locations of files. [moving]:#moving-configuration-out-of-pshome + +### Allowing Regular settings from the registry in Windows + +This is out of scope of this RFCs From 18b3a6fb7d9ee98b6ff4422692819f519c907c5a Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 3 Jun 2019 12:26:23 -0700 Subject: [PATCH 12/19] Update RFCXXXX-Policy.md --- 1-Draft/RFCXXXX-Policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 7796f99a..f1afbf4c 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md 
@@ -144,7 +144,7 @@ Note, this is listed as `User, then Computer` in [Registry keys and settings](#r | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| | GPO -> User Config | HKCU\Software\PowerShellCore | %XDG_CONFIG_HOME%/powershell.config.json | -| GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | +| GPO -> Computer Config | HKLM\Software\PowerShellCore | See [Moving configuration out of PSHome][moving] | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> User-Wide | %APPDATA%\powershell.config.json | %XDG_CONFIG_HOME%/powershell.config.json | | File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | /opt/Microsoft/powershell/powershell.config.json | @@ -155,7 +155,7 @@ Note, this is listed as `Computer` in [Registry keys and settings](#registry-key | Scheme | Windows | Unix | |-----------------------------|------------------------------------------------------|------------------------------------------------------| -| GPO -> Computer Config | HKLM\Software\PowerShellCore | /etc/powershell.config.json | +| GPO -> Computer Config | HKLM\Software\PowerShellCore | See [Moving configuration out of PSHome][moving] | | File -> Application-Startup | pwsh -settingsfile `somepath/powershell.config.json` | pwsh -settingsfile `somepath/powershell.config.json` | | File -> Computer-Wide | See [Moving configuration out of PSHome][moving] | /opt/Microsoft/powershell/powershell.config.json | From a254268acdfe536886ecd0a1ef577cda017631cf Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 1 Jul 2019 14:28:49 -0700 Subject: [PATCH 13/19] Update 1-Draft/RFCXXXX-Policy.md --- 1-Draft/RFCXXXX-Policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index f1afbf4c..d9ce0061 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -88,7 +88,7 @@ Policy settings are used by administrators to centrally manage PowerShell. #### Motivation - Policy Setting Fall-Back -This is to allow fall-back to Windows PowerShell policies. +Help to transition from Windows PowerShell to PowerShell 7. #### Implementation From d042bccdffe393bad7f9eff1889624c3cb97db6b Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 1 Jul 2019 14:29:38 -0700 Subject: [PATCH 14/19] Update 1-Draft/RFCXXXX-Policy.md --- 1-Draft/RFCXXXX-Policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index d9ce0061..7507ae94 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -45,7 +45,7 @@ The settings files have `JSON` format. Configuration schemes allow to customize `PowerShell 7` in the most flexible way: - Enterprise system administrators can use GPO, - GPP and computer-wide settings files to apply approved configuration settings and mandatory security settings in a centralized manner. + Computer-wide settings files to apply approved configuration settings and mandatory security settings in a centralized manner. Most settings can be applied either to the user or computer-wide. We will cover the precedence of these in [Registry keys and settings](#registry-keys-and-settings). - Developers and consumers can use user, or computer-wide level setting files. From df882859fce9387448aae6f0ddf19c8fbbad78a2 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 1 Jul 2019 14:33:16 -0700 Subject: [PATCH 15/19] Apply suggestions from code review --- 1-Draft/RFCXXXX-Policy.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 7507ae94..b7362966 100644 --- a/1-Draft/RFCXXXX-Policy.md 
+++ b/1-Draft/RFCXXXX-Policy.md @@ -29,7 +29,7 @@ I based this off of @iSazonov 's RFC, for just a slightly different purpose. ## Definitions - **Computer-Wide settings/policy** - setting or policy applied to an operating system environment (OSE), affecting all users of the OSE. -- **User settings/policy** - setting or policy applied to a specific user of an OSE, and not applied to the OSE as a whole. +- **Per-User settings/policy** - setting or policy applied to a specific user of an OSE, and not applied to the OSE as a whole. ## Specification @@ -130,14 +130,14 @@ With `-settingsfile` parameter users can assign custom settings from the config only trusted code runs in Full Language mode. See [PowerShell Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) -##### Computer-wide and user policy settings +##### Computer-wide and per-user policy settings -Admin/root users can overwrite computer-wide and user policy settings using `-settingsfile`, +Admin/root users can overwrite computer-wide and per-user policy settings using `-settingsfile`, only when not in System Lock-down mode. This will have performance impact on startup, but only when `-settingsfile` is specified. -#### Precedence for User settings in descending order +#### Precedence for Per-user settings in descending order Note, this is listed as `User, then Computer` in [Registry keys and settings](#registry-keys-and-settings). @@ -187,7 +187,7 @@ Notes: | Transcription | OutputDirectory | String | Computer, Then User | | UpdatableHelp | DefaultSourcePath | String | Computer Wide | -I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on UpdatableHelp-DefaultSourcePath to make it allow User settings. +I filed [#9632](https://github.com/PowerShell/PowerShell/issues/9632) on UpdatableHelp-DefaultSourcePath to make it allow Per-user settings. #### JSON file settings format 
From c51f27f5b0a97dc916e6a85748e3958c610bc1b9 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Tue, 2 Jul 2019 10:28:38 -0700 Subject: [PATCH 16/19] Update RFCXXXX-Policy.md --- 1-Draft/RFCXXXX-Policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index b7362966..841500f5 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -25,6 +25,7 @@ I based this off of @iSazonov 's RFC, for just a slightly different purpose. - This is covered in [Policy settings Setting Fall-Back](#policy-settings-setting-fall-back). 1. Define how the `pwsh -settingsfile` switch should behave. - This is covered in [Parameter `-settingsfile`](#Parameter--settingsfile) +1. Specify where setting will be read from on various supported platforms. ## Definitions From 94f0ffefe5ab3f0f62f00191e9ea026ef462377a Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 7 Aug 2019 13:19:56 -0700 Subject: [PATCH 17/19] Update 1-Draft/RFCXXXX-Policy.md --- 1-Draft/RFCXXXX-Policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 841500f5..2f6ffab4 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -67,7 +67,7 @@ Because registry reads are more atomic, this is not an issue for group policy settings, but if we faced the same issues for these settings the solution would be the similar. -If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults. +If during startup PowerShell 7 cannot read user configuration files it uses _hardcoded_ defaults and emits a warning. PowerShell 7 does not update configuration values from modified configuration files during a given session after the configuration has been loaded. From 0d930909e06b1abe94a5b260b56f2d8815c1f212 Mon Sep 17 00:00:00 2001 
From: Joey Aiello Date: Mon, 12 Aug 2019 11:35:28 -0700 Subject: [PATCH 18/19] Change "regular settings" to "non-policy" in Policy RFC --- 1-Draft/RFCXXXX-Policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/1-Draft/RFCXXXX-Policy.md b/1-Draft/RFCXXXX-Policy.md index 2f6ffab4..48f70f6d 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/1-Draft/RFCXXXX-Policy.md @@ -73,7 +73,7 @@ PowerShell 7 does not update configuration values from modified configuration fi ### Settings locations -`PowerShell 7` settings are grouped into `Policy settings` and `Regular settings`. +`PowerShell 7` settings are grouped into `Policy settings` and `Non-policy settings`. Regular settings are normal configuration settings. Regular settings can be treated as default and recommended values. Policy settings have a higher precedence than regular settings. From 0d4b2813c015dc72f338486ae3b5a8c97a34a651 Mon Sep 17 00:00:00 2001 From: Joey Aiello Date: Mon, 12 Aug 2019 11:41:17 -0700 Subject: [PATCH 19/19] Prepare policy RFC for acceptance --- .../RFCXXXX-Policy.md => 2-Draft-Accepted/RFC0041-Policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename 1-Draft/RFCXXXX-Policy.md => 2-Draft-Accepted/RFC0041-Policy.md (99%) diff --git a/1-Draft/RFCXXXX-Policy.md b/2-Draft-Accepted/RFC0041-Policy.md similarity index 99% rename from 1-Draft/RFCXXXX-Policy.md rename to 2-Draft-Accepted/RFC0041-Policy.md index 48f70f6d..7b51f223 100644 --- a/1-Draft/RFCXXXX-Policy.md +++ b/2-Draft-Accepted/RFC0041-Policy.md @@ -1,7 +1,7 @@ --- -RFC: RFCnnnn -Author: travisez13 -Status: Draft +RFC: RFC0041 +Author: travisez13 +Status: Draft-Accepted SupercededBy: N/A Version: 0.1 Area: Engine
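Review bot: the `Moving configuration out of PSHome` section added in hunk `@@ -213,3 +225,10` defers the computer-wide file location to issue 9278 without stating any requirement the new location must meet. Since the RFC says computer-wide configuration includes security sensitive settings, state here that the new location must be writable only by administrators/root, so the requirement survives whatever path the issue settles on. "Per issues [9278]" should also read "Per issue".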
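Review bot: in PATCH 06/19, hunk `@@ -51,14 +51,14`, the added example "if the file is locked or corrupted" puts a transient condition (a lock) and a permanent one (corruption) under the same fail-to-start rule. Say whether a locked computer-wide file is retried before startup is aborted, and what diagnostic is emitted in each case, so an administrator can tell the two apart. The same sentence has "security sensitive setting" and "those setting", which should both be plural.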
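Review bot: in PATCH 08/19, hunk `@@ -64,7 +64,7`, the replacement sentence only covers "modified configuration files", so it is unspecified whether Group Policy values in the registry are also read once at startup or re-read during a session. Add a sentence stating the behaviour for registry-backed policy, since a policy pushed mid-session is the case administrators will ask about.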
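Review bot: in PATCH 10/19, hunk `@@ -60,8 +60,11`, the added text "if we faced the same issues for these settings the solution would be the similar" leaves the failure behaviour for Group Policy reads undefined. State it normatively, for example that PowerShell 7 fails to start if the computer policy key exists but cannot be read, or state that this case is not handled. "Registry reads are more atomic" needs a qualifier (more atomic than file reads), and "the similar" should be "similar".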
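Review bot: in PATCH 10/19, hunk `@@ -103,7 +106,7`, the Unix cell for `GPO -> User Policy` is now `%XDG_CONFIG_HOME%/powershell.config.json`, the same path as the Unix cell for `File -> User-Wide` two rows below. With both rows resolving to one user-writable file, the precedence between them is meaningless on Unix, and a per-user policy stored there can be edited by the user it is meant to constrain. Either give user policy a distinct, administrator-controlled location on Unix or mark the cell as not applicable. The `%VAR%` form is also Windows syntax; on Unix this would be written `$XDG_CONFIG_HOME`.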
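Review bot: in PATCH 11/19, hunk `@@ -101,14 +101,16`, moving `File -> Application-Startup` above `File -> Computer-Wide` means a file passed with `pwsh -settingsfile` outranks the computer-wide file for the settings in this table, and the table does not carry the condition stated later in the RFC (admin/root only, and only when not in System Lock-down mode). Add that condition as a note on the row so the table cannot be read on its own as allowing any caller to override computer-wide settings. The heading rename also breaks the link `#precedence-for-policy-settings-in-descending-order` that PATCH 07/19 added under `Settings locations`.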
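Review bot: in PATCH 11/19, hunk `@@ -135,15 +137,27`, the new `GPO -> User Config` and `GPO -> Computer Config` rows still point at `HKCU\Software\PowerShellCore` and `HKLM\Software\PowerShellCore`, which contradicts hunk `@@ -82,7 +82,7` of the same commit (registry key for regular settings is now "Not Applicable") and the new note "All policies are in `Software\Policies\PowerShellCore`". Change these rows to the `Software\Policies\PowerShellCore` keys or drop them. The UpdatableHelp note says the precedence is listed as `Computer`, but the settings table uses `Computer Wide`; use one label.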
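Review bot: in PATCH 11/19, hunk `@@ -151,22 +165,27`, `ProtectedEventLogging | EncryptionCertificate` is carried over with type `DWORD`, and a certificate (content, thumbprint or path) cannot be expressed in a DWORD. Confirm the intended type and correct the cell. The two `| - | - | | |` rows at the top of the new table are leftovers from the removed `Key` column and should be deleted, since the `Notes:` list now carries that information.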
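Review bot: in PATCH 12/19, both hunks (`@@ -144,7 +144,7` and `@@ -155,7 +155,7`) replace `/etc/powershell.config.json` with the link to `Moving configuration out of PSHome`, but the `File -> Computer-Wide` row directly below still hard-codes `/opt/Microsoft/powershell/powershell.config.json` in the Unix column while its Windows column already points at the moving section. Make the Unix cell consistent, otherwise the tables name a computer-wide location the RFC has said is going to change.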
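Review bot: in PATCH 14/19, hunk `@@ -45,7 +45,7`, dropping "GPP and" leaves the bullet reading "can use GPO, Computer-wide settings files to apply ...", with no conjunction and a stray capital. Suggest "can use GPO and computer-wide settings files to apply ...".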
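Review bot: in PATCH 15/19, hunk `@@ -130,14 +130,14`, the sentence "Admin/root users can overwrite computer-wide and per-user policy settings using `-settingsfile`, only when not in System Lock-down mode" is only renamed, and it still does not say what happens in the two denied cases: a non-admin user passing a file that contains `PolicySettings`, and any user doing so in System Lock-down mode. Specify whether the policy section is ignored silently, ignored with a warning, or causes startup to fail, and how admin/root is determined on each platform. The new headings also mix `Per-User`, `per-user` and `Per-user`; pick one casing.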
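Review bot: in PATCH 18/19, hunk `@@ -73,7 +73,7`, only the first sentence is changed to `Non-policy settings`; the next three context lines still say "Regular settings are normal configuration settings", "Regular settings can be treated as default" and "than regular settings", and the file section key `RegularSettings` and the table column `Regular settings` are untouched. Either complete the rename in the prose and say explicitly that the JSON key remains `RegularSettings`, or define "Non-policy settings" as a synonym on first use.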