Tags: powershell, scoop-installer

How to balance security (PowerShell execution policy changes) concerns around installation of Scoop on Windows?


I would like to try Scoop on Windows and its docs ask for "PowerShell must be enabled for your user account" by running

PS > Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

When I run the command I am seeing a warning saying

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"):

What measures should one take to mitigate this risk? Would resetting the policy back to Undefined after installing Scoop and between runs of Scoop commands be better?


Solution

  • There is little risk involved with setting RemoteSigned. Basically this mode lets you execute local unsigned scripts (scripts you write) while scripts from a remote source must be signed by a trusted authority. I'll leave an explanation of each execution policy below.

    As for risk mitigation? User education (if this is for a business) about not running untrusted code would be a start. You'll probably already have an A/V and anti-malware solution in place, and you should be securely storing secrets in a credential vault where they belong. RemoteSigned is a good policy to set and in most cases this will be fairly permissive while still offering you some basic security against malicious remote scripts.
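The following PowerShell session is an added example, not part of the question or the answer above. It shows how to see which scope is actually supplying the effective policy, how to apply RemoteSigned to the current user only (or to the current process only, which disappears when the window closes and so avoids the reset-to-Undefined question entirely), and how PowerShell decides that a script is "remote": it looks for the Zone.Identifier alternate data stream (the mark-of-the-web) that browsers attach to downloaded files, and for such files RemoteSigned demands a valid Authenticode signature. `$ScriptPath` is an assumed placeholder; point it at a script you have downloaded.

```powershell
# Added example (not from the original question or answer). Inspect the policy
# at every scope, apply RemoteSigned narrowly, and check how a downloaded script
# will be classified before running it. $ScriptPath is a placeholder.

# 1. Show the policy at every scope. The first scope from the top that is not
#    Undefined wins: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
Get-ExecutionPolicy -List

# 2. Set RemoteSigned for the current user only. This does not touch the
#    LocalMachine scope, so no elevation is needed. -Force skips the prompt
#    quoted in the question.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Get-ExecutionPolicy            # effective policy for this session

# 2b. Alternative: apply it to this process only. Nothing is persisted, so
#     there is nothing to reset afterwards.
# Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 3. RemoteSigned treats a file as "remote" when it carries the Zone.Identifier
#    alternate data stream (mark-of-the-web) that browsers add to downloads.
$ScriptPath = "$env:USERPROFILE\Downloads\install.ps1"   # placeholder path
if (Test-Path -Path $ScriptPath) {
    $zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        Write-Host "Marked as downloaded: RemoteSigned requires a valid signature."
        Get-Content -Path $ScriptPath -Stream Zone.Identifier   # shows ZoneId (3 = Internet)
    } else {
        Write-Host "No mark-of-the-web: treated as local, may run unsigned."
    }

    # 4. Inspect the Authenticode signature and signer before trusting the file.
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    "{0}: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
}

# 5. To return the user scope to its default later, clear the setting again.
# Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser -Force
```

The point of step 3 is that RemoteSigned is not a sandbox: once a file has no mark-of-the-web (for example after it has been unblocked or copied through a tool that drops alternate data streams), it runs unsigned like any script you wrote yourself, which is why the answer's advice about not running untrusted code matters regardless of the policy setting.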