Testing with Windows AppLocker

Windows environments with AppLocker enabled present unique challenges for conda development and testing. This guide explains how to set up a testing environment with AppLocker to ensure conda works correctly in these environments.

Why Test with AppLocker?

AppLocker is Microsoft’s application control solution that allows organizations to:

  • Control which applications and files users can run

  • Create rules to allow or deny applications from running based on file attributes

  • Create exceptions to rules

Many enterprise environments use AppLocker to restrict script execution, which can impact environment activation and execution processes. Testing with AppLocker ensures conda works properly in these restricted environments.

Setting Up AppLocker for Testing

Step 1: Enable the Application Identity Service

Note

The Application Identity Service is required for AppLocker to function properly.

  1. Open the Services application (press Win+R, type services.msc, and press Enter)

  2. Find Application Identity in the list of services

  3. Right-click on it and select Properties

  4. Optional: Change Startup type to Automatic if you want the service to start on boot

  5. Click Start to start the service

  6. Click OK to close the properties window

Step 2: Configure AppLocker Enforcement

  1. Open Local Security Policy (press Win+R, type secpol.msc, and press Enter)

  2. Navigate to Security Settings > Application Control Policies > AppLocker

  3. Right-click on AppLocker and select Properties

  4. Under the Enforcement tab, check Script Rules and set it to Enforce rules

  5. Click OK to close the properties window

Step 3: Create AppLocker Rules

  1. In the Local Security Policy window, navigate to Script Rules under AppLocker

  2. Right-click on Script Rules and select Create Default Rules to establish baseline rules

  3. Create an Allow Rule for your development environment:

    • Right-click on Script Rules and select Create New Rule…

    • Choose Allow under Permissions and set the user/group to Everyone

    • Select Path as the condition

    • Enter the path to your development environment (e.g., path to devenv)

    • Complete the wizard without adding exceptions

  4. Create an Allow Rule for the conda source code location using the same process

  5. Create a Deny Rule for the %TEMP% directory:

    • Follow the same process but choose Deny under Permissions

    • Enter the absolute path of the directory as the path condition

  6. Restart your computer to apply the rules
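One way to confirm that Steps 1 to 3 took effect before running the conda tests, as an added PowerShell example that is not part of the conda documentation. `C:\src\conda` is a placeholder for your source checkout and `applocker-probe.ps1` is a hypothetical probe file name; run it as the user who will run the tests so that `$env:TEMP` matches the denied directory.

```powershell
# Added example, not from the conda project. Placeholder path (assumption):
$CondaSrc = 'C:\src\conda'

# Step 1: AppLocker only evaluates rules while Application Identity (AppIDSvc) runs.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"
if ($svc.Status -ne 'Running') {
    Write-Warning 'Application Identity is not running; rules will not be applied.'
}

# Step 2: read the effective policy and report the Script collection's mode.
# 'Enabled' means rules are enforced; 'AuditOnly' means they are only logged.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$scriptRules = $xml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Script' }
"Script rules enforcement mode: $($scriptRules.EnforcementMode)"
if ($scriptRules.EnforcementMode -ne 'Enabled') {
    Write-Warning 'Script rules are not in enforce mode.'
}

# Step 3: drop a probe script in each location and ask AppLocker what it would
# decide for the Everyone group, then compare with what the rules should give.
$checks = @(
    @{ Dir = $CondaSrc; Want = 'Allowed' },   # Allow rule for the conda source
    @{ Dir = $env:TEMP; Want = 'Denied'  }    # Deny rule for the temp directory
)
foreach ($c in $checks) {
    $file = Join-Path $c.Dir 'applocker-probe.ps1'
    Set-Content -Path $file -Value '"probe"'
    $r = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $file -User Everyone
    '{0}: {1} (rule: {2})' -f $file, $r.PolicyDecision, $r.MatchingRule
    if ("$($r.PolicyDecision)" -ne $c.Want) {
        Write-Warning "Expected $($c.Want) for $file"
    }
    Remove-Item -Path $file
}

# Scripts that AppLocker actually blocked are logged as event ID 8007 here.
$log = 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8007 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

A `DeniedByDefault` decision for the source-tree probe means no allow rule matched that path, which usually points to a mistyped path condition in Step 3.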
