Hacker News
by trelliscoded 806 days ago
Disabling script signing on dev machines and requiring signatures on production scripts sounds like perfectly reasonable behavior to me. I know a lot of people are scared of PKI, but it’s way easier than people think. Signing things is a one-liner; I keep certs on a portable HSM and it’s really low friction.
1 comments

Unless you suddenly get sick and your HSM is unavailable?

Unless you get a 2nd person on the team (working remotely), and they want to be able to sign scripts as well?

Unless you get some sort of automated CI/CD system?

You can still turn off the script signing requirement without running a script (right?). Presumably this will be logged to the Windows Event Log, so there should be a mechanism that watches logs for this and alerts someone to investigate.
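
A periodic check of the state itself can complement the log watching the reply suggests. The PowerShell audit below is an added example, not code from either commenter: it reports the execution policy at every scope and verifies Authenticode signatures on production scripts. The script directory, the expected policy and the signer thumbprint allowlist are assumptions.

```powershell
# Added example: audit script-signing enforcement on a host.
# Assumed values (not from the thread): script directory, expected policy,
# and the allowlist of signer certificate thumbprints.
param(
    [string]   $ScriptRoot         = 'C:\Ops\Scripts',   # hypothetical path
    [string]   $ExpectedPolicy     = 'AllSigned',
    [string[]] $AllowedThumbprints = @()                 # empty = any trusted signer
)
$ErrorActionPreference = 'Stop'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Item, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail })
}

# 1. Effective policy for this session, then each scope, so a per-user or
#    per-process override of the machine-wide setting is visible.
$effective = Get-ExecutionPolicy
if ("$effective" -ne $ExpectedPolicy) {
    Add-Finding 'EffectivePolicy' 'session' "is $effective, expected $ExpectedPolicy"
}
foreach ($entry in Get-ExecutionPolicy -List) {
    $policy = "$($entry.ExecutionPolicy)"
    if ($policy -notin 'Undefined', 'Restricted', $ExpectedPolicy) {
        Add-Finding 'ScopePolicy' "$($entry.Scope)" $policy
    }
}

# 2. Every script must carry a valid Authenticode signature, optionally from
#    one of the listed certificates (a second team member, a CI signing cert).
$scripts = Get-ChildItem -Path $ScriptRoot -Recurse -File -Include *.ps1, *.psm1, *.psd1
foreach ($file in $scripts) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'Signature' $file.FullName "$($sig.Status)"
    }
    elseif ($AllowedThumbprints.Count -gt 0 -and
            $sig.SignerCertificate.Thumbprint -notin $AllowedThumbprints) {
        Add-Finding 'Signer' $file.FullName $sig.SignerCertificate.Subject
    }
}

# A non-zero exit code lets a scheduler or monitoring agent raise the alert.
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }
```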