diff --git a/.github/workflows/Create External Help.yml b/.github/workflows/Create External Help.yml
index 9e4b8ee..87b4df2 100644
--- a/.github/workflows/Create External Help.yml
+++ b/.github/workflows/Create External Help.yml
@@ -8,6 +8,9 @@ on:
 # push:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 package_help:
 # The New-ExternalHelpCab cmdlet uses makecab, which depends on Windows.
diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml
index 30d46d8..331e6d1 100644
--- a/.github/workflows/powershell.yml
+++ b/.github/workflows/powershell.yml
@@ -37,8 +37,8 @@ jobs:
 # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules.
 path: .\
 recurse: true
- # Include your own basic security rules. Removing this option will run all the rules
- includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'
+ # Run all rules except PSAvoidUsingWriteHost (Write-Host is used intentionally for progress output)
+ excludeRule: '"PSAvoidUsingWriteHost"'
 output: results.sarif
 # Upload the SARIF file generated in the previous step
diff --git a/Invoke-Locksmith.ps1 b/Invoke-Locksmith.ps1
index 9c2b6db..15b424b 100644
--- a/Invoke-Locksmith.ps1
+++ b/Invoke-Locksmith.ps1
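Review bot: The new top-level `permissions:` block in `Create External Help.yml` has no comment saying why it is there, and it applies to every job in the workflow, including `package_help`, whose steps lie outside this hunk. A line above it such as `# Least privilege: GITHUB_TOKEN is read-only for all jobs; grant extra scopes per job only where a step needs them.` would keep a later edit from widening it by accident. If any step of `package_help` publishes the generated help back to the repository, it will need a job-level override; that cannot be confirmed from the visible lines.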
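Review bot: The context comment above `path:` in `powershell.yml` still says the step "runs some basic security rules", which no longer matches now that `includeRule` is gone and every rule except `PSAvoidUsingWriteHost` runs. It could read `# Runs PSScriptAnalyzer recursively over the whole repository with all rules enabled.` The two rules that were previously the only ones reported (`PSAvoidGlobalAliases`, `PSAvoidUsingConvertToSecureStringWithPlainText`) will now sit among all other findings in the uploaded SARIF, so it is worth checking that the plain-text SecureString finding stays easy to spot. The step begins and the upload step continues outside this hunk.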
@@ -2789,6 +2789,8 @@ function Invoke-Scans {
 [CmdletBinding()]
 [OutputType([hashtable])]
 [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'Performing multiple scans.')]
+ [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'EnrollmentAgentEKU', Justification = 'Parameter is part of the public API and reserved for future ESC13 enrollment-agent scan support.')]
+ [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'PreferredOwner', Justification = 'Parameter is part of the public API and reserved for planned remediation ownership integration.')]
 param (
 # Could split Scans and PromptMe into separate parameter sets.
 [Parameter(Mandatory)]
diff --git a/Private/Invoke-Scans.ps1 b/Private/Invoke-Scans.ps1
index a1af997..32b0776 100644
--- a/Private/Invoke-Scans.ps1
+++ b/Private/Invoke-Scans.ps1
@@ -30,6 +30,8 @@ function Invoke-Scans {
 [CmdletBinding()]
 [OutputType([hashtable])]
 [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '', Justification = 'Performing multiple scans.')]
+ [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'EnrollmentAgentEKU', Justification = 'Parameter is part of the public API and reserved for future ESC13 enrollment-agent scan support.')]
+ [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSReviewUnusedParameter', 'PreferredOwner', Justification = 'Parameter is part of the public API and reserved for planned remediation ownership integration.')]
 param (
 # Could split Scans and PromptMe into separate parameter sets.
 [Parameter(Mandatory)]
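Review bot: Both new suppressions in `Invoke-Locksmith.ps1` justify themselves with "part of the public API", yet the same function is patched under `Private/Invoke-Scans.ps1`, and the `EnrollmentAgentEKU` text names ESC13 although the enrollment-agent EKU is usually associated with ESC3; the wording should be checked before it becomes the recorded reason. The identical attributes in the `Private/Invoke-Scans.ps1` hunk carry the same issue. Since the suppressions indicate the two parameters are accepted but not used, a caller passing `-EnrollmentAgentEKU` or `-PreferredOwner` to this AD CS scan gets no effect and no signal, which can read as coverage that is not there. I would say so in the comment-based help, e.g. `Currently ignored; reserved for future use.`, or emit a `Write-Verbose` line when either parameter is bound. The function body lies outside both hunks, so actual usage cannot be verified here.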