Modifying the Windows Execution Policy on your machine

When trying to set up my machine to run Azure Functions locally using Visual Studio Code, I ran across an error. After generating an empty HTTP-triggered Azure Function and running it, a big red error popped up in the terminal:

func : File C:\Users\Hendr\AppData\Roaming\npm\func.ps1 cannot be loaded because running scripts is disabled on this system. For more 
information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.

I happened to try the same thing on a different machine, and got exactly the same behavior. It seems that this is something that you need to resolve yourself on most Windows machines. Browsing to the URL provided in the error message, we get an explanation of what an Execution Policy is exactly:

PowerShell’s execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

On a Windows computer you can set an execution policy for the local computer, for the current user, or for a particular session. You can also use a Group Policy setting to set execution policies for computers and users.

https:/go.microsoft.com/fwlink/?LinkID=135170

So it looks to be a good thing that it’s blocking scripts by default, so that no malicious scripts are executed without your permission. Of course we need to change this because we do want Visual Studio Code to be able to execute scripts.

You can check the Execution Policy on your machine by opening PowerShell in admin mode, and running Get-ExecutionPolicy. On my machine, this returned the value Restricted. When getting the list of all policies, we see that all of them are undefined. When this is the case, the effective policy on a Windows client machine is Restricted. Restricted means that no PowerShell scripts are allowed to run, but individual commands are allowed.

Looking at the current policies

So what value do we need to set in order not to undermine the security benefit that the policy has? Reading the documentation by Microsoft, the RemoteSigned option seems to be a good fit:

  • Scripts can run.
  • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet which includes email and instant messaging programs.
  • Doesn’t require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
  • Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
  • Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.

This guarantees at least that scripts downloaded from the internet are signed, or that they are manually unblocked. So let’s see if with this policy we can run our Azure Function. To change the policy, run the following command in PowerShell as admin:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

This will warn you about the possible implications, which you can accept. Go ahead and confirm the policy change.

Changing the Execution Policy

Since we’re changing the policy for the current user of the machine, the change is persisted in the Windows Registry. When we try to run the Azure Function again after these modifications, it runs like a charm!
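
The steps above, gathered into one PowerShell script as an added example (not part of the original post): it shows which scope decides the effective policy, applies RemoteSigned for the current user only when Group Policy would not override it, and then checks whether a script carries the "downloaded from the internet" mark and a signature. The `$scriptPath` value is an assumption modelled on the path in the error message.

```powershell
# Added example, not from the original post. $scriptPath is an assumption
# modelled on the path shown in the error message.
$scriptPath = Join-Path $env:APPDATA 'npm\func.ps1'

# Get-ExecutionPolicy -List returns the scopes in precedence order:
# MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
$policies = Get-ExecutionPolicy -List
$policies | Format-Table Scope, ExecutionPolicy -AutoSize | Out-Host

# The first scope that is not Undefined decides the effective policy.
$deciding = $policies |
    Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
    Select-Object -First 1
if ($deciding) {
    "Effective policy '$($deciding.ExecutionPolicy)' comes from scope '$($deciding.Scope)'."
} else {
    "All scopes are Undefined; effective policy is '$(Get-ExecutionPolicy)'."
}

# MachinePolicy and UserPolicy come from Group Policy and take precedence
# over CurrentUser, so a CurrentUser change has no effect while they are set.
$gpoScopes = 'MachinePolicy', 'UserPolicy'
$gpo = $policies | Where-Object {
    ($gpoScopes -contains [string]$_.Scope) -and ($_.ExecutionPolicy -ne 'Undefined')
}
if ($gpo) {
    Write-Warning 'Group Policy defines the execution policy; a CurrentUser setting would be overridden.'
} elseif ((Get-ExecutionPolicy -Scope CurrentUser) -ne 'RemoteSigned') {
    # Prompts for confirmation, as described in the post.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
}
"Effective policy is now '$(Get-ExecutionPolicy)'."

# RemoteSigned only asks for a signature on files marked as downloaded.
# On NTFS that mark is the Zone.Identifier alternate data stream, which
# Unblock-File removes.
if (Test-Path -LiteralPath $scriptPath) {
    $zone = Get-Content -LiteralPath $scriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $scriptPath
    [pscustomobject]@{
        Script           = $scriptPath
        MarkedDownloaded = [bool]$zone
        ZoneInfo         = ($zone -join '; ')
        SignatureStatus  = $sig.Status
    } | Format-List | Out-Host
} else {
    "No script found at $scriptPath."
}
```

A script that shows `MarkedDownloaded = True` together with a `SignatureStatus` of `NotSigned` is the case RemoteSigned refuses to run until the file is unblocked.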