
Restrict __PSLockdownPolicy test hook to DEBUG builds only #26721

Draft
Copilot wants to merge 4 commits into master from copilot/fix-pslockdownpolicy-debug

Conversation

Contributor

Copilot AI commented Jan 23, 2026

The __PSLockdownPolicy environment variable is an internal test hook for constrained language mode testing that was available in all builds. This restricts it to DEBUG builds and adds visibility when used.

Changes

  • wldpNativeMethods.cs: Wrapped environment variable check in #if DEBUG preprocessor directive

    • Added ETW operational warning when detected: __PSLockdownPolicy environment variable detected. This is a test hook and should not be used in production.
    • RELEASE builds have the check completely removed at compile time
  • HelpersSecurity.psm1: Wrapped test cmdlet SetLockdownMode/RevertLockdownMode in #if DEBUG

    • RELEASE builds throw InvalidOperationException with clear error message

Behavior

DEBUG builds: Feature works as before, plus ETW warning logged

RELEASE builds: Environment variable ignored, test cmdlet throws exception

Impact

Existing tests continue to pass in DEBUG builds. In RELEASE builds, tests using this feature will fail with informative error messages (intended behavior - these are DEBUG-only tests).

Original prompt

This section details the original issue you should resolve

<issue_title>make __PSLockdownpolicy only work in debug build</issue_title>
<issue_description>### Summary of the new feature / enhancement

make __PSLockdownpolicy only work in debug build.

This is only for testing and should not be used in production.

Proposed technical implementation details (optional)

make __PSLockdownpolicy only work in debug build.

This is only for testing and should not be used in production.

Also emit a warning that __PSLockdownpolicy is a test hook not meant for production when the feature is enabled.</issue_description>

Comments on the Issue (you are @copilot in this section)


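The compile-time gate described in the PR summary above, as an added example that is not code from this PR or from the PowerShell repository. The class and method names are hypothetical, the override is treated as an opaque number, and writing to stderr stands in for the ETW operational warning; only the variable name and the warning text come from the page.

```csharp
using System;

// Hypothetical illustration of a DEBUG-only environment-variable test hook.
public static class TestHookPolicy
{
    // Variable name as given in the PR description.
    private const string HookVariable = "__PSLockdownPolicy";

    // Returns the override requested through the test hook,
    // or null when no override applies.
    public static uint? GetTestOverride()
    {
#if DEBUG
        // Everything in this region, including the variable name literal and
        // the environment read, is absent from a RELEASE assembly.
        string raw = Environment.GetEnvironmentVariable(HookVariable);
        if (!string.IsNullOrEmpty(raw))
        {
            // Stand-in for the ETW warning: make every use of the hook visible.
            Console.Error.WriteLine(
                "__PSLockdownPolicy environment variable detected. " +
                "This is a test hook and should not be used in production.");

            // Malformed values are ignored rather than guessed at.
            if (uint.TryParse(raw, out uint value))
            {
                return value;
            }
        }
#endif
        // RELEASE builds always reach this line: the variable is never read.
        return null;
    }

    public static void Main()
    {
        // Constructed sample value, set for this process only.
        Environment.SetEnvironmentVariable(HookVariable, "1");

        uint? requested = GetTestOverride();
        Console.WriteLine(requested.HasValue
            ? $"test hook honoured, override={requested.Value}"
            : "test hook ignored (compiled out, unset, or malformed)");
    }
}
```

Running this with `dotnet run -c Debug` and then `dotnet run -c Release` shows the same environment producing an override in the first build and none in the second.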

Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Make PSLockdownpolicy work only in debug build" to "Restrict __PSLockdownPolicy test hook to DEBUG builds only" on Jan 23, 2026
Copilot AI requested a review from TravisEz13 on January 23, 2026, 19:57
microsoft-github-policy-service bot added the "Waiting on Author" label (The PR was reviewed and requires changes or comments from the author before being accept) on Jan 27, 2026
TravisEz13 added the "CL-Test" label (Indicates that a PR should be marked as a test change in the Change Log) on Jan 27, 2026


Development

Successfully merging this pull request may close these issues.

make __PSLockdownpolicy only work in debug build