You do if those scripts can affect the system and need to run as root. Powershell is incredibly powerful (and dangerous) and some security isn't the worst thing.

the irony of this is that if ms were to leave powershell open to run any scripts from anywhere at any time, they'd be ridiculed for lax security policies.

why? .cmd and .bat can run any time, and can do just as much damage as powershell.

It's no more powerful and dangerous than bash in the right hands.

> Yeah, one command - on every machine...

I think Microsoft envisions centrally-managed environments, rather than those with lots of Windows machines that aren't centrally managed.

> on every machine...

Or through one group policy pushed to every machine.

Plus, unlike what most people envision on here, Microsoft intends companies to push AllSigned or RemoteSigned, rather than Unrestricted.

So the company can push their CA and new PS policy in a single GPO, and then all internal PS scripts are signed using an internal CA generated code signing certificate.

This sounds complex but it is actually as simple as running Set-AuthenticodeSignature on each script using the code signing certificate.