salt: [win_lgpo] Causes corrupt Registry.pol file

Description of Issue/Question

When applying below SLS files, causes Registry.pol to get corrupted. Using LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\Registry.pol to verify. All other consecutive states afterwards will fail with CommandExecutionError: Error while attempting to write Administrative Template Policy data. Some changes may not be applied as expected

Before:

; PARSING COMPLETED.
; ----------------------------------------------------------------------

After

; PARSING Computer POLICY
; Source file:  C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Computer
Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
EnabledV9
DWORD:1

_Invalid file format.  Expected '[', found character 0x00005b00_

Setup and steps to repo

I have tried this line by line to see which of these items is causing this, but this is the only combo that can do this. I don’t know what other combo can cause this. Just need to keep a close eye on the changes we make moving forward.

Step1: Delete C:\Windows\System32\GroupPolicy\Machine\Registry.pol, then apply this SLS file first

# Microsoft Edge Security requirements
edge_sec_requirements:
  lgpo.set:
    - computer_policy:
        "Windows Components\\Microsoft Edge\\Allow Address bar drop-down list suggestions": Disabled
        "Windows Components\\Microsoft Edge\\Configure Password Manager": Disabled
        "Windows Components\\Microsoft Edge\\Configure search suggestions in Address bar": Disabled
        "Windows Components\\Microsoft Edge\\Prevent access to the about:flags page in Microsoft Edge": Enabled
        "Windows Components\\Microsoft Edge\\Prevent using Localhost IP address for WebRTC": Enabled

# Microsoft Edge Smart Screen settings
enable_edge_defender_smartscreen:
  lgpo.set:
    - computer_policy:
        Configure Windows Defender SmartScreen: Enabled
        Prevent bypassing Windows Defender SmartScreen prompts for files: Enabled
        Prevent bypassing Windows Defender SmartScreen prompts for sites: Enabled

Step2: Verified that Registry.pol is still valid Step3: Run this second SLS file:

gpo_log_trace:
  lgpo.set:
    - computer_policy:
        "System\\Group Policy\\Configure registry policy processing":
            "Do not apply during periodic background processing": False
            "Process even if the Group Policy objects have not changed": True
        "System\\Group Policy\\Continue experiences on this device": Disabled
        "System\\Group Policy\\Turn off background refresh of Group Policy": Disabled

Step4: Registry.pol file is now corrupt due to Allow Address bar drop-down list suggestions being overwritten by this SLS file:

local:
----------
          ID: gpo_log_trace
    Function: lgpo.set
      Result: True
     Comment:
     Started: 09:16:55.187000
    Duration: 11854.0 ms
     Changes:
              ----------
              new:
                  ----------
                  Computer Configuration:
                      ----------
                      System\Group Policy\Configure registry policy processing:
                          ----------
                          Do not apply during periodic background processing:
                              False
                          Process even if the Group Policy objects have not changed:
                              True
                      System\Group Policy\Continue experiences on this device:
                          Disabled
                      System\Group Policy\Turn off background refresh of Group Policy:
                          Disabled
              old:
                  ----------
                  Computer Configuration:
                      ----------
                      Windows Components\Microsoft Edge\Allow Address bar drop-down list suggestions:
                          Disabled

Summary for local
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  11.854 s

Versions Report

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.10.0
       cherrypy: 10.2.1
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.14 (v2.7.14:84471935ed, Sep 16 2017, 20:25:58) [MSC v.1500 64 bit (AMD64)]
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.3
           RAET: Not Installed
          smmap: 2.0.3
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 10
         system: Windows
        version: 10 10.0.17134  Multiprocessor Free

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 19 (12 by maintainers)

Commits related to this issue

Most upvoted comments

With the merge of #50006 I’m closing this.

+1
twangboy on Nov 2, 2018
Read more comments on GitHub
← salt: win_dacl module stacktrace: NameError: name 'ntsecuritycon' is not defined
salt: win_pkg: help, winrepo-ng package not found or no files report with pkg.refresh_db →