Group policy
If you use traditional Active Directory tools, use group policy to enable PowerShell logging. Open the Group Policy Management Console. Create a new Group Policy Object (GPO) or edit an existing one. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. Locate the setting βTurn on PowerShell Script Block Loggingβ and set it to Enabled.
Susan Bradley / CSO
This logging allows you to capture the content of all executed scripts, including commands and functions.
Intune
Similarly in Intune perform the following steps: Go to Microsoft Intune Admin Center and find devices. Click on Windows devices and Configuration. Click Create, select New Policy. Select Windows 10 and later, select Settings Catalog under profile type, and click Create. Enter PowerShell Configuration as name, enter a Description if needed, and click Next. Click Add settings, enter PowerShell in the Search for a setting bar, and click Search. Select Administrative Templates\Windows Components\Windows PowerShell, and click Select all these settings, or go through each one and select those you want to monitor.
