dsccommunity / gpregistrypolicydsc
DSC resources used to apply and manage local group policies by modifying the respective .pol file.
License: MIT License
The README indicates that a prerelease module will be published to the PowerShell gallery on a merge to master. However, the merge of PR #27 to fix handling of REG_MULTI_SZ values did not actually result in a prerelease.
While a full release including the fix from PR #27 would be ideal, a prerelease would provide at least a temporary solution for issue #25 here, as well as for a Microsoft PowerStig issue that is relatively high priority for organizations relying upon it to meet Windows 10 compliance requirements (microsoft/PowerStig#1268).
I am trying to set the same user configuration policy for all users of the PC however there is no target type for "All Users" and because the target type is not a Key parameter there can't be multiple instances of the resource with the same parameters named "Key" and "ValueName".
This is the error message:
PSDesiredStateConfiguration\Configuration : A conflict was detected between resources '[RegistryPolicyFile]SetDesktopWallpaperPathForAdmin (C:\Agent-1\_work\4\s\Package Builders\Win10BaseConfig\Config.ps1::164::7::RegistryPolicyFile)' and '[RegistryPolicyFile]SetDesktopWallpaperPath (C:\Agent-1\_work\4\s\Package Builders\Win10BaseConfig\Config.ps1::182::7::RegistryPolicyFile)' in node 'localhost'. Resources have identical key properties but there are differences in the following non-key properties: 'TargetType'. Values 'Administrators' don't match values 'NonAdministrators'. Please update these property values so that they are identical in both cases.
Either add a target type that can add a policy for all users
Update Target Type to be one of the Key parameters
Update the Account Name Parameter to take an array of users and groups.
RegistryPolicyFile SetDesktopWallpaperStyle
{
Key = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
TargetType = 'Administrators'
ValueName = "WallpaperStyle"
ValueType = 'Dword'
ValueData = "0"
}
RegistryPolicyFile SetDesktopWallpaperStyle
{
Key = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
TargetType = 'NonAdministrators'
ValueName = "WallpaperStyle"
ValueType = 'Dword'
ValueData = "0"
}
OsName : Microsoft Windows 10 Enterprise LTSC
OsOperatingSystemSKU : 125
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-GB
OsMuiLanguages : {en-GB}
Name Value
---- -----
PSVersion 5.1.17763.1432
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1432
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Name Version Path
---- ------- ----
GPRegistryPolicyDsc 1.2.0 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1
When setting a registry policy file value that is a MultiString with multiple entries, all items end up in the same entry separated by spaces.
For example, when setting the group policy "ComputerConfiguration\Administrative Templates\Network\SSL ConfigurationSettings\ECC Curve Order" (registry key "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002:EccCurves") to @('curve25519', 'NistP384', 'NistP256'), the three values are saved in one string as 'curve25519 NistP384 NistP256'.
The fault can be found in New-GPRegistrySettingsEntry (
N/A
New-GPRegistrySettingsEntry should join the values with a null character before passing to Unicode.GetBytes
as in
[System.Text.Encoding]::Unicode.GetBytes(($RegistryPolicy.ValueData -join "`0") + "`0")
Similarly Format-MultiStringValue should not split on a space.
This can be reproduced using Invoke-DscResource
invoke-dscresource -ModuleName GPRegistryPolicyDsc -Name RegistryPolicyFile -Method Set -Property @{
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
ValueName = 'EccCurves'
ValueData = @('curve25519', 'NistP384', 'NistP256')
ValueType = 'MultiString'
Ensure = 'Present'
} -verbose
Name | Value |
---|---|
OsName | Microsoft Windows 10 Enterprise LTSC |
OsOperatingSystemSKU | 125 |
OsArchitecture | 64-bit |
WindowsVersion | 1809 |
WindowsBuildLabEx | 17763.1.amd64fre.rs5_release.180914-1434 |
OsLanguage | en-US |
OsMuiLanguages | {en-US} |
Name | Value |
---|---|
PSVersion | 5.1.17763.1852 |
PSEdition | Desktop |
PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0...} |
BuildVersion | 10.0.17763.1852 |
CLRVersion | 4.0.30319.42000 |
WSManStackVersion | 3.0 |
PSRemotingProtocolVersion | 2.3 |
SerializationVersion | 1.1.0.1 |
Name | Version | Path |
---|---|---|
GPRegistryPolicyDsc | 1.2.0 | C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1 |
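The MultiString encoding problem reported above, as an added example that is not part of the original issue or of the module's code. The function names are hypothetical; the space-joined encoder only models the reported behaviour, and the NUL-joined encoder uses the expression proposed in the issue.

```powershell
# Added example. Function names are hypothetical and are not the module's own.

function ConvertTo-SpaceJoinedBytes
{
    # Models the reported behaviour: every entry flattened into one string.
    param ([Parameter(Mandatory = $true)] [System.String[]] $ValueData)

    return ,[System.Text.Encoding]::Unicode.GetBytes(($ValueData -join ' ') + "`0")
}

function ConvertTo-NullJoinedBytes
{
    # The expression proposed in the issue: NUL between entries, NUL after the last.
    param ([Parameter(Mandatory = $true)] [System.String[]] $ValueData)

    return ,[System.Text.Encoding]::Unicode.GetBytes(($ValueData -join "`0") + "`0")
}

function ConvertFrom-MultiStringBytes
{
    # Split on NUL only, never on spaces, so an entry containing a space survives intact.
    param ([Parameter(Mandatory = $true)] [System.Byte[]] $Data)

    $text = [System.Text.Encoding]::Unicode.GetString($Data)
    return ,@($text.TrimEnd([char] 0).Split([char] 0))
}

$desired = @('curve25519', 'NistP384', 'NistP256')   # values from the issue

foreach ($encoder in 'ConvertTo-SpaceJoinedBytes', 'ConvertTo-NullJoinedBytes')
{
    $bytes   = & $encoder -ValueData $desired
    $decoded = ConvertFrom-MultiStringBytes -Data $bytes

    # Order-sensitive comparison: for a curve order list, position matters.
    $inDesiredState = ($decoded -join "`0") -eq ($desired -join "`0")

    '{0,-28} bytes={1,-3} entries={2} inDesiredState={3}' -f $encoder, $bytes.Length, $decoded.Count, $inDesiredState
}
```

A policy audit can use the same entry-by-entry comparison: a MultiString value that decodes to a single entry containing spaces is a sign that the list was flattened when it was written.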
When we merge a new release into the master branch it will automatically deploy to PowerShell Gallery, but there will not be a GitHub Release. We should try to automate this step too.
There is a condition that will occur where policy is not applied although the .pol file was updated. This occurs because the GPT.ini file is not created and/or updated/incremented with the correct metadata.
N/A
Create logic, possibly similar to Dave Wyatt's solution (Update-GptIniVersion) to either create and/or increment the version number within the GPT.ini file.
configuration TestCase
{
Import-DscResource -ModuleName GPRegistryPolicyDsc
Node localhost
{
RegistryPolicyFile TestCase
{
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cCloud'
TargetType = 'ComputerConfiguration'
ValueName = 'bAdobeSendPluginToggle'
ValueData = 1
ValueType = 'Dword'
Ensure = 'Present'
}
}
}
OsName : Microsoft Windows 10 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 1909
WindowsBuildLabEx : 18362.1.amd64fre.19h1_release.190318-1202
OsLanguage : en-US
OsMuiLanguages : {en-US}
PSVersion 5.1.18362.628
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.18362.628
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
1.0.1
This is happening any time RegistryPolicyFile is included in a config. The OS is Server 2019.
Exception calling "IndexOf" with "2" argument(s): "Index was out of range. Must be non-negative and less than the size
of the collection.
Parameter name: startIndex"
Repro mof:
instance of MSFT_RegistryPolicyFile as $MSFT_RegistryPolicyFile1ref
{
ValueData = {
"255"
};
ValueType = "Dword";
ModuleVersion = "1.2.0";
ResourceID = "[RegistryPolicyFile]Registry(POL): Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun";
SourceInfo = "/Users/migreene/Git/newserverbaseline/ServerBaseline/WindowsServerBaseline2019.ps1::19::11::RegistryPolicyFile";
ValueName = "NoDriveTypeAutoRun";
ModuleName = "GPRegistryPolicyDsc";
TargetType = "ComputerConfiguration";
Key = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
ConfigurationName = "WindowsServerBaseline2019";
};
instance of MSFT_RefreshRegistryPolicy as $MSFT_RefreshRegistryPolicy1ref
{
IsSingleInstance = "Yes";
SourceInfo = "/Users/migreene/Git/newserverbaseline/ServerBaseline/WindowsServerBaseline2019.ps1::1302::11::RefreshRegistryPolicy";
ResourceID = "[RefreshRegistryPolicy]ActivateClientSideExtension";
ModuleName = "GPRegistryPolicyDsc";
ModuleVersion = "1.2.0";
ConfigurationName = "WindowsServerBaseline2019";
};
instance of OMI_ConfigurationDocument
{
Version="2.0.0";
MinimumCompatibleVersion = "1.0.0";
CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
Name="WindowsServerBaseline2019";
};
During deployment of v1.0.0 there was a warning outputted that there is a best practice to include the resources in the module manifest. I suggest we do that.
VERBOSE: Performing the operation "Publish-Module" on target "Version '1.0.0' of module 'GPRegistryPolicyDsc'".
This module 'C:\Users\appveyor\AppData\Local\Temp\1\805144811\GPRegistryPolicyDsc\GPRegistryPolicyDsc.psd1' has exported DscResources. As a best practice, include exported DSC resources in the module manifest file(.psd1). If your PowerShell version is higher than 5.0, run Update-ModuleManifest -DscResourcesToExport to update the manifest with ExportedDscResources field.
VERBOSE: Successfully published module 'GPRegistryPolicyDsc' to the module publish location 'https://www.powershellgallery.com/api/v2/package/'. Please allow few minutes for 'GPRegistryPolicyDsc' to show up in the search results.
Name Version ModuleType ModuleBase
---- ------- ---------- ----------
GPRegistryPolicyDsc 1.0.0 Manifest C:\projects\gpregistrypolicydsc
Build success
ISSUE TITLE:
Failed to locate the semicolon after key name.
ISSUE DESCRIPTION
When I run start-dscconfiguration or Test-DSCConfiguration, I got the error as
PowerShell DSC resource MSFT_RegistryPolicyFile failed to execute Test-TargetResource
functionality with error message: Failed to locate the semicolon after key name.
(RPP005)
+ CategoryInfo : InvalidOperation: (root/Microsoft/...gurationManager:Str
ing) [], CimException
+ FullyQualifiedErrorId : ProviderOperationExecutionFailure
+ PSComputerName : localhost
Powershell version is 5.1
OsName : Microsoft Windows Server 2016 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsBuildLabEx : 14393.5356.amd64fre.rs1_release.220906-1211
OsLanguage : en-US
OsMuiLanguages : {en-US}
PSVersion 5.1.14393.5127
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.5127
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version of the DSC module that was used
Name Version Path
GPRegistryPolicyDsc 1.2.0 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPol...
I use GPRegistryPolicyDsc through CommonTasks, on a French Windows Server 2016.
GPRegistryPolicyDsc contains the submodule GPRegistryFileParser that used the Import-LocalizedData cmdlet. On a French system, this command tried to find GPRegistryPolicyFileParser.strings.psd1 in the GPRegistryPolicyDsc\1.2.0\Modules\GPRegistryPolicyFileParser\fr-FR\ folder.
That generated an error in mof compilation.
There is only one language-specific data in the submodule. To avoid this problem, we could force the culture en-US in Import-LocalizedData with the UICulture parameter.
# insert configuration here
OsName : Microsoft Windows Server 2016 Datacenter Evaluation
OsOperatingSystemSKU : 80
OsArchitecture : 64 bits
WindowsBuildLabEx : 14393.1944.amd64fre.rs1_release.171129-2100
OsLanguage : fr-FR
OsMuiLanguages : {fr-FR}
Name Value
---- -----
PSVersion 5.1.14393.1944
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.14393.1944
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Name Version Path
---- ------- ----
GPRegistryPolicyDsc 1.2.0 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1
When testing, if the Key property contained 'HKEY_LOCAL_MACHINE' in the string, the resource always returned compliant.
RegistryPolicyFile 'AllowInputPersonalization' {
Ensure = 'Present'
Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\InputPersonalization'
TargetType = 'ComputerConfiguration'
ValueName = 'AllowInputPersonalization'
ValueType = 'DWord'
ValueData = '0'
}
Although the value of 'Key' should not contain this additional text, it was unexpected for TEST to return 'Compliant'.
It's possible a string is matching in an unexpected way?
2016
7.1 (guest config)
latest
The Windows Server Core 1803 image is being removed on March 23, 2020. This repository is using the image and must be removed or transition to another image as appropriate.
GPRegistryPolicyDsc/azure-pipelines.yml
Line 75 in c54daed
GPRegistryPolicyDsc/azure-pipelines.yml
Line 116 in c54daed
The DSC wrapper module for gpregistrypolicydsc experiences constant corrective changes and warnings when managing reg_dword resources due to a case mismatch in the GPRegistryPolicyFileParser.psm1 and the valuemap within the resource's schema file.
The GetRegTypeString() method in GPRegistryPolicyFileParser.psm1 is returning the following unsupported values:
The expected values should be:
The file parser should output values aligned with the resource's schema file:
MSFT_RegistryPolicyFile.schema.mof
[Write, Description("Indicates the type of the value."), ValueMap{"Binary","Dword","ExpandString","MultiString","Qword","String","None"}, Values{"Binary","Dword","ExpandString","MultiString","Qword","String","None"}] String ValueType;
During a Puppet run, the dsc_registrypolicyfile resource generates warnings that the existing registry file valuetype has been set to DWord. The schema expects this value to resolve as Dword.
Warning: Provider returned data that does not match the Type Schema for `dsc_registrypolicyfile[Remove access to use all Windows Update features (Configure notifications)]`
Value type mismatch:
* dsc_valuetype: DWord (expects an undef value or a match for Enum['Binary', 'Dword', 'ExpandString', 'MultiString', 'None', 'Qword', 'String'], got 'DWord')
Update the GetRegTypeString() method in GPRegistryPolicyFileParser.psm1 to return the correct value types aligned with the resource schema mof file.
Dword instead of DWord.
Qword instead of QWord.
Original:
[System.String] GetRegTypeString()
{
[System.String] $result = ''
switch ($this.ValueType)
{
...
([RegType]::REG_DWORD)
{
$Result = 'DWord'
}
...
([RegType]::REG_QWORD)
{
$Result = 'QWord'
}
default
{
$Result = ''
}
}
return $result
}
Updated:
[System.String] GetRegTypeString()
{
[System.String] $result = ''
switch ($this.ValueType)
{
...
([RegType]::REG_DWORD)
{
# Return Dword instead of DWord
$Result = 'Dword'
}
...
([RegType]::REG_QWORD)
{
# Return Qword instead of QWord
$Result = 'Qword'
}
default
{
$Result = ''
}
}
return $result
}
Version 1.2.0.
@johlju @PlagueHO @gaelcolas @danielboth @jcwalker
Please review and assist where possible, should be a simple matter of swapping from upper to lower case for the affected characters.
Hello, I've updated fully working DSC code by Local Security Policy (GPO), by using GPRegistryPolicyDSC Module.
Machine in Azure DSC is still in-progress status, never finishes the configuration (normally configured in 10min including software installations)
Error from Azure DSC RAW Report: Index was out of range. Must be non-negative and less than the size of the collection. xDSCDiagnostics module points to this particular module.
Let the module finish the configuration and configure the policies accordingly.
# insert configuration here (only part of the code here, whole has about 7k lines)
RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PolicyVersion'
{
ValueName = 'PolicyVersion'
ValueData = 534
ValueType = 'Dword'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Microsoft\WindowsFirewall'
}
RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\ConSecRules\{e571f044-8183-493e-ad47-3fd714e619b9}'
{
ValueName = '{e571f044-8183-493e-ad47-3fd714e619b9}'
ValueData = 'v2.22|Action=SecureServer|Name=Nvs-DC-Out-Winrm|Desc=Secure Winrm|Protocol=6|Active=TRUE|Profile=Domain|EP2Port=5985|EP2Port=5986|Auth1Set=Nvs-Mm-Kerb|Auth2Set=Nvs-Em-Kerb-Or-Anon|Crypto2Set=Nvs-Qm-EspGcm128|EmbedCtxt=Nvs-Ipsec-DC-Winrm|'
ValueType = 'String'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\ConSecRules'
}
RegistryPolicyFile 'Registry(POL): HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\ConSecRules\{6c77dbb9-31bf-45f8-b238-46dcb8a80665}'
{
ValueName = '{6c77dbb9-31bf-45f8-b238-46dcb8a80665}'
ValueData = 'v2.22|Action=SecureServer|Name=Nvs-DC-In-Winrm|Desc=Secure Winrm|Protocol=6|Active=TRUE|Profile=Domain|EP1Port=5985|EP1Port=5986|Auth1Set=Nvs-Mm-Kerb|Auth2Set=Nvs-Em-Kerb-Or-Anon|Crypto2Set=Nvs-Qm-EspGcm128|EmbedCtxt=Nvs-Ipsec-DC-Winrm|'
ValueType = 'String'
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\ConSecRules'
}
Windows Server 2019 or Windows Server 2019 Core (both contain WMF 5.1 by default), English language.
Powershell 5.1
GPRegistryPolicyDsc module version 1.2.0
@johlju @jcwalker @gaelcolas @NicolasBn do you have any clue where the problem is, please?
Is it possible to import an entire .POL rather than the individual registry entries??
I am thinking something like:
RegistryPolicy BaselineGpo
{
Path = "C:\Policy\Registry\registry.pol"
}
Using DSC to deploy certificates to machines (GPO was exported and converted to DSC module using 'Baseline' PowerShell module) resulted in the log files ~1.5GB in size being generated over repeated refresh/application of the configuration which in turn filled the machine's operating system drive.
Microsoft support case 2105160060000454 would hold the issue re-created by the Microsoft engineer
After repeated testing and research, I finally found the cause of the problem:
From the script of the DSC module:
C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\Modules\GPRegistryPolicyFileParser\GPRegistryPolicyFileParser.ps1
The group policy file will save as a string value of a binary:
C:\Windows\System32\GroupPolicy\Machine\registry.pol
When the policy is applied a second time, it will check the value from the policy file. However, it will read the value as binary directly and not convert it to a string.
Then it will compare it with the DSC configuration file, in which the value is a string. Thus, it will eventually write the output of the whole binary data, with each byte written on one line.
To resolve the issue please change the file GPRegistryPolicyFileParser.ps1:
From line 119:
[System.Byte[]] $value = $policyContentInBytes[($index)..($index + $valueLength - 1)]
Please change it to:
[System.String] $value = [System.Text.Encoding]::UNICODE.GetString($policyContents[($index)..($index + $valueLength - 1)])
# insert configuration here
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs\98A8DE8A61E03D9F98639D18986AB54C3C8CDF66\Blob'
{
ValueName = 'Blob'
ValueData = '03000000010001001400000098A8DE8A61E03D9F98639D18986AB54C3C8CDF662200000001000100360100003082013206092A864886F70D010702A08201233082011F02010131003082011406092B0601040182370A01A08201053082010102020080300B06092B060104018237140104707B00440039003400320031003400410031002D0038003600430043002D0034003900420035002D0042003500320039002D004200310039003800420043004100360035004600440033007D007C0044006F006D00610069006E0043006F006E00740072006F006C006C00650072000000170D3138303630313032343635375A300906052B0E03021A0500A0623060302F06092B060104018237140204221E200044006F006D00610069006E0043006F006E00740072006F006C006C00650072301D0603551D250416301406082B0601050507030206082B06010505070301300E0603551D0F0101FF0404030205A03100'
ValueType = 'Binary'
TargetType = 'ComputerConfiguration'
Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs\98A8DE8A61E03D9F98639D18986AB54C3C8CDF66'
}
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\CA\Certificates\1034ADB9276046BA03B04F1CA92FCED056395245\Blob'
{
ValueName = 'Blob'
ValueData = '...' # value not preserved on this page
ValueType = 'Binary'
TargetType = 'ComputerConfiguration'
Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\CA\Certificates\1034ADB9276046BA03B04F1CA92FCED056395245'
}
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\2187791998C86676D0202549798C56B4EDE8613B\Blob'
{
ValueName = 'Blob'
ValueData = '...' # value not preserved on this page
ValueType = 'Binary'
TargetType = 'ComputerConfiguration'
Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\2187791998C86676D0202549798C56B4EDE8613B'
}
RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\BA2D46017966D1946C515E1BBBDFDD8B7A773B91\Blob'
{
ValueName = 'Blob'
ValueData = '...' # value not preserved on this page
ValueType = 'Binary'
TargetType = 'ComputerConfiguration'
Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\BA2D46017966D1946C515E1BBBDFDD8B7A773B91'
}
OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}
Name Value
PSVersion 5.1.17763.1007
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1007
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Name Version Path
GPRegistryPolicyDsc 1.2.0 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1
Based on testing, in addition to terminating multistring values with a null char, they also need a newline.
In GPO Editor, you have to press Return at the end of each line in a multiline editor.
Confirm?
Due to a mistake from my side when merging the last PR the commits don't have the same commit IDs. This is a problem now. I'm looking at rebasing master to get the correct commit history, but without the latest merged changes.
It looks like I might have used rebase to merge the release PR, which got the wrong commit history.
Steps to release a new version.
I'm guessing. 🤔 Let's try it.
/cc @jcwalker
The resource occasionally fails to set with the error "The process cannot access the file 'C:\windows\System32\GroupPolicy\Machine\registry.pol' because it is being used by another process."
This appears to be part of a race condition and I have encountered it several times, but on different registry policy values on each occurrence. I cannot reliably reproduce the problem.
I am using DSC as part of a "Microsoft Deployment Toolkit" (MDT) deployment, and have not found a good way to test which process is accessing registry.pol at the time of this error. Suggestions welcome!
[OBFUSCATED]: LCM: [ Start Resource ] [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer]
[OBFUSCATED]: LCM: [ Start Test ] [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer]
[OBFUSCATED]: [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] Retrieving current for Key SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services ValueName SecurityLayer. (RPF04)
[OBFUSCATED]: [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] Expected to find an array value for property ValueData in the current values, but it was either not present or was null. This has caused the test method to return false.
[OBFUSCATED]: [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] String value for property ValueType does not match. Current state is '' and desired state is 'Dword'.
[OBFUSCATED]: LCM: [ End Test ] [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] in 0.2510 seconds.
[OBFUSCATED]: LCM: [ Start Set ] [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer]
[OBFUSCATED]: [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] Retrieving current for Key SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services ValueName SecurityLayer. (RPF04)
[OBFUSCATED]: [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] Adding policy with Key: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, ValueName: SecurityLayer, ValueData: System.String[], ValueType: Dword. (RPF001)
[OBFUSCATED]: LCM: [ End Set ] [[RegistryPolicyFile]Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer] in 1.1090 seconds.
PowerShell DSC resource MSFT_RegistryPolicyFile failed to execute Set-TargetResource functionality with error message: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The process cannot access the file 'C:\windows\System32\GroupPolicy\Machine\registry.pol' because it is being used by another process.
InvalidOperation: (:) [], CimException
The solution likely depends on which process is accessing the file. If it is the "Group Policy Client" service, perhaps RegistryPolicyFile should stop the service first, or at least check to see if the group policy is being updated.
Otherwise perhaps the RegistryPolicyFile could test access to the file, and wait for a short period if it is in use.
Configuration Win10Lockdown {
RegistryPolicyFile 'Win10Lockdown\CVE-2016-2183\Terminal Services - Security Layer' {
TargetType = 'ComputerConfiguration'
Key = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
ValueName = 'SecurityLayer'
ValueType = 'Dword'
ValueData = '2'
}
}
Name | Value |
---|---|
OsName | Microsoft Windows 10 Enterprise LTSC |
OsOperatingSystemSKU | 125 |
OsArchitecture | 64-bit |
WindowsVersion | 1809 |
WindowsBuildLabEx | 17763.1.amd64fre.rs5_release.180914-1434 |
OsLanguage | en-US |
OsMuiLanguages | {en-US} |
Name | Value |
---|---|
PSVersion | 5.1.17763.1852 |
PSEdition | Desktop |
PSCompatibleVersions | {1.0, 2.0, 3.0, 4.0...} |
BuildVersion | 10.0.17763.1852 |
CLRVersion | 4.0.30319.42000 |
WSManStackVersion | 3.0 |
PSRemotingProtocolVersion | 2.3 |
SerializationVersion | 1.1.0.1 |
Name | Version | Path |
---|---|---|
GPRegistryPolicyDsc | 1.2.0 | C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1 |
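One way to implement the wait-and-retry suggested in the issue above, as an added example that is not part of the original issue or of GPRegistryPolicyDsc. Invoke-WithSharingRetry and the temporary file name are hypothetical; the retry wraps the file operation itself, so there is no gap between testing access and using the file.

```powershell
# Added example; Invoke-WithSharingRetry is a hypothetical helper, not part of GPRegistryPolicyDsc.
function Invoke-WithSharingRetry
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.ScriptBlock]
        $Action,

        [Parameter()]
        [System.Int32]
        $MaxAttempts = 5,

        [Parameter()]
        [System.Int32]
        $DelayMilliseconds = 200
    )

    # ERROR_SHARING_VIOLATION (0x80070020) as a signed 32-bit HRESULT.
    $sharingViolation = -2147024864

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++)
    {
        try
        {
            return (& $Action)
        }
        catch
        {
            # Exceptions from .NET method calls arrive wrapped; walk to the innermost one.
            $exception = $_.Exception
            while ($null -ne $exception.InnerException)
            {
                $exception = $exception.InnerException
            }

            $isSharingViolation = $exception -is [System.IO.IOException] -and $exception.HResult -eq $sharingViolation

            # Anything other than "file in use" is rethrown at once, as is the final failed attempt.
            if (-not $isSharingViolation -or $attempt -eq $MaxAttempts)
            {
                throw
            }

            Write-Verbose -Message ('Attempt {0}: file in use, retrying in {1} ms.' -f $attempt, $DelayMilliseconds)
            Start-Sleep -Milliseconds $DelayMilliseconds
        }
    }
}

# Constructed demonstration on a temporary file, not on the real registry.pol.
$path = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'registry.pol.demo'
[System.IO.File]::WriteAllBytes($path, [System.Byte[]] @(0x50, 0x52, 0x65, 0x67))

# Hold an exclusive handle to stand in for the other process.
$lock = [System.IO.File]::Open($path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
try
{
    Invoke-WithSharingRetry -MaxAttempts 2 -DelayMilliseconds 50 -Action { [System.IO.File]::ReadAllBytes($path) }
}
catch
{
    'Still in use after 2 attempts: {0}' -f $_.Exception.Message
}
finally
{
    $lock.Dispose()
}

# With the handle released the same call succeeds on the first attempt.
$bytes = Invoke-WithSharingRetry -Action { [System.IO.File]::ReadAllBytes($path) }
'Read {0} bytes once the file was free.' -f $bytes.Length
Remove-Item -Path $path
```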