[win_lgpo] lgpo_set always reports failure; Registry.pol corruption

[onnodb]

Description of Issue/Question

I can't seem to get win_lgpo.set to work while trying to provision a Windows 10 IoT LTSB system. The lgpo.set state always returns a failure, showing a stack trace with exception salt.exceptions.CommandExecutionError: Error while attempting to write Administrative Template Policy data. Some changes may not be applied as expected.

Additionally, the Registry.pol file gets corrupted, rendering the Local Group Policy Editor unusable.

I'll be happy to provide any help you need to further troubleshoot this issue. The Win10 minion is in a VM for testing purposes, and I could easily obtain any files you need from there.

Setup & Steps to Reproduce

There seem to be multiple issues here:

• win_lgpo.py:5345 doesn't log the actual exception. To simplify troubleshooting, I changed this locally to include information about the exception for all steps below (simply adding a e argument to the log.exception call).
• A run of the following state:

test_lgpo:
  lgpo.set:
    - computer_policy:
      "Prevent changing lock screen and logon image": Enabled

produces the following debug log output on the minion:

[DEBUG   ] checking alias Prevent changing lock screen and logon image
[DEBUG   ] checking alias CPL_Personalization_NoChangingLockScreen
[DEBUG   ] checking alias Control Panel\Personalization\Prevent changing lock screen and logon image
[DEBUG   ] policy Prevent changing lock screen and logon image is not set, we will configure it
[DEBUG   ] searching for "Prevent changing lock screen and logon image" in admx data
[DEBUG   ] found an ADML entry matching the string! {Microsoft.Policies.ControlPanelDisplay}string -- {'id': 'CPL_Personalization_NoChangingLockScreen'}
[DEBUG   ] searching for displayName == $(string.CPL_Personalization_NoChangingLockScreen)
[DEBUG   ] found the ADMX policy matching the display name <Element {Microsoft.Policies.ControlPanelDisplay}policy at 0x1ff3e1cc4c8> -- Prevent changing lock screen and logon image
[DEBUG   ] setting == enabled
[DEBUG   ] enabled
[DEBUG   ] going to write some adm template data :: {'Microsoft.Policies.ControlPanelDisplay': {'CPL_Personalization_NoChangingLockScreen': 'Enabled'}}
[DEBUG   ] POLICY CLASS == Machine
[DEBUG   ] preparing to loop through policies requested to be configured
[DEBUG   ] adding CPL_Personalization_NoChangingLockScreen to base_policy_settings
[DEBUG   ] working on admPolicy CPL_Personalization_NoChangingLockScreen
[DEBUG   ] time to enable and set the policy "CPL_Personalization_NoChangingLockScreen"
[DEBUG   ] found this_policy == [<Element {Microsoft.Policies.ControlPanelDisplay}policy at 0x1ff3e1f3d48>]
[DEBUG   ] item value name is  N o C h a n g i n g L o c k S c r e e n
[DEBUG   ] appending [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ P e r s o n a l i z a t i o n   ; N o C h a n g i n g L o c k S c r e e n   ; �   ; �   ; �   ]
[DEBUG   ] Directory 'C:\Windows\System32\GroupPolicy\Machine' already exists
[ERROR   ] Unhandled exception An error occurred attempting to write to C:\Windows\System32\GroupPolicy\Machine\Registry.pol, the exception was An error occurred attempting to write to C:\Windows\System32\GroupPolicy\gpt.ini, the exception was cannot use a string pattern on a bytes-like object occurred while attempting to write Adm Template Policy File
[ERROR   ] An exception occurred in this state: Traceback (most recent call last):
  File "C:\salt\bin\lib\site-packages\salt\state.py", line 1905, in call
    **cdata['kwargs'])
  File "C:\salt\bin\lib\site-packages\salt\loader.py", line 1830, in wrapper
    return f(*args, **kwargs)
  File "C:\salt\bin\lib\site-packages\salt\states\win_lgpo.py", line 306, in set_
    adml_language=adml_language)
  File "C:\salt\bin\lib\site-packages\salt\modules\win_lgpo.py", line 5556, in set_
    raise CommandExecutionError(msg)
salt.exceptions.CommandExecutionError: Error while attempting to write Administrative Template Policy data.  Some changes may not be applied as expected

The state does seem to get applied correctly, as verified by running LGPO.exe /parse /m C:\Windows\System32\GroupPolicy\Machine\Registry.pol.

• The following state corrupts the Machine\Registry.pol file, as also reported in [win_lgpo] Causes corrupt Registry.pol file #48782:

test_lgpo:
  lgpo.set:
    - computer_policy:
      "Configure Offer Remote Assistance": Disabled

Debug output on the minion:

[DEBUG   ] checking alias Prevent changing lock screen and logon image
[DEBUG   ] checking alias CPL_Personalization_NoChangingLockScreen
[DEBUG   ] checking alias Control Panel\Personalization\Prevent changing lock screen and logon image
[DEBUG   ] need to compare Prevent changing lock screen and logon image from current/requested policy
[DEBUG   ] Prevent changing lock screen and logon image current setting matches the requested setting
[DEBUG   ] checking alias Configure Offer Remote Assistance
[DEBUG   ] checking alias RA_Unsolicit
[DEBUG   ] checking alias System\Remote Assistance\Configure Offer Remote Assistance
[DEBUG   ] policy Configure Offer Remote Assistance is not set, we will configure it
[DEBUG   ] searching for "Prevent changing lock screen and logon image" in admx data
[DEBUG   ] found an ADML entry matching the string! {Microsoft.Policies.ControlPanelDisplay}string -- {'id': 'CPL_Personalization_NoChangingLockScreen'}
[DEBUG   ] searching for displayName == $(string.CPL_Personalization_NoChangingLockScreen)
[DEBUG   ] found the ADMX policy matching the display name <Element {Microsoft.Policies.ControlPanelDisplay}policy at 0x15126f53208> -- Prevent changing lock screen and logon image
[DEBUG   ] setting == enabled
[DEBUG   ] enabled
[DEBUG   ] searching for "Configure Offer Remote Assistance" in admx data
[DEBUG   ] found an ADML entry matching the string! {Microsoft.Policies.RemoteAssistance}string -- {'id': 'RA_Unsolicit'}
[DEBUG   ] searching for displayName == $(string.RA_Unsolicit)
[DEBUG   ] found the ADMX policy matching the display name <Element {Microsoft.Policies.RemoteAssistance}policy at 0x15126f53fc8> -- Configure Offer Remote Assistance
[DEBUG   ] setting == disabled
[DEBUG   ] disabled
[DEBUG   ] going to write some adm template data :: {'Microsoft.Policies.ControlPanelDisplay': {'CPL_Personalization_NoChangingLockScreen': 'Enabled'}, 'Microsoft.Policies.RemoteAssistance': {'RA_Unsolicit': 'Disabled'}}
[DEBUG   ] POLICY CLASS == Machine
[DEBUG   ] POLICY CLASS Machine has file data
[DEBUG   ] 11 policies to examine
[DEBUG   ] CPL_Personalization_NoChangingLockScreen is enabled by no explicit enable/disable list or value
[DEBUG   ] preparing to loop through policies requested to be configured
[DEBUG   ] adding CPL_Personalization_NoChangingLockScreen to base_policy_settings
[DEBUG   ] adding RA_Unsolicit to base_policy_settings
[DEBUG   ] working on admPolicy CPL_Personalization_NoChangingLockScreen
[DEBUG   ] time to enable and set the policy "CPL_Personalization_NoChangingLockScreen"
[DEBUG   ] found this_policy == [<Element {Microsoft.Policies.ControlPanelDisplay}policy at 0x15126f54988>]
[DEBUG   ] item value name is  N o C h a n g i n g L o c k S c r e e n
[DEBUG   ] appending [ S o f t w a r e \ P o l i c i e s \ M i c r o s o f t \ W i n d o w s \ P e r s o n a l i z a t i o n   ; N o C h a n g i n g L o c k S c r e e n   ; �   ; �   ; �   ]
[DEBUG   ] working on admPolicy RA_Unsolicit
[DEBUG   ] time to disable RA_Unsolicit
[DEBUG   ] item value name is  f A l l o w U n s o l i c i t e d
[DEBUG   ] appending [ S o f t w a r e \ p o l i c i e s \ M i c r o s o f t \ W i n d o w s   N T \ T e r m i n a l   S e r v i c e s   ; f A l l o w U n s o l i c i t e d   ; �   ; �   ;     ]
[DEBUG   ] checking elements of RA_Unsolicit
[DEBUG   ] I have disabled value string of [ S o f t w a r e \ p o l i c i e s \ M i c r o s o f t \ W i n d o w s   N T \ T e r m i n a l   S e r v i c e s   ; * * d e l . f A l l o w U n s o l i c i t e d F u l l C o n t r o l   ; �   ; �   ;     ]
[DEBUG   ] item value name is  * * d e l . f A l l o w U n s o l i c i t e d F u l l C o n t r o l
[DEBUG   ] appending [ S o f t w a r e \ p o l i c i e s \ M i c r o s o f t \ W i n d o w s   N T \ T e r m i n a l   S e r v i c e s   ; * * d e l . f A l l o w U n s o l i c i t e d F u l l C o n t r o l   ; �   ; �   ;     ]
[DEBUG   ] I have disabled value string of [ S o f t w a r e \ p o l i c i e s \ M i c r o s o f t \ W i n d o w s   N T \ T e r m i n a l   S e r v i c e s \ R A U n s o l i c i t   ; * * d e l v a l s .   ; �   ; �   ;     ]
[DEBUG   ] item value name is  * * d e l v a l s .
[DEBUG   ] appending [ S o f t w a r e \ p o l i c i e s \ M i c r o s o f t \ W i n d o w s   N T \ T e r m i n a l   S e r v i c e s \ R A U n s o l i c i t   ; * * d e l v a l s .   ; �   ; �   ;     ]
[ERROR   ] Unhandled exception An error occurred attempting to write to C:\Windows\System32\GroupPolicy\Machine\Registry.pol, the exception was An error occurred attempting to write to C:\Windows\System32\GroupPolicy\gpt.ini, the exception was cannot use a string pattern on a bytes-like object occurred while attempting to write Adm Template Policy File
[ERROR   ] An exception occurred in this state: Traceback (most recent call last):
  File "C:\salt\bin\lib\site-packages\salt\state.py", line 1905, in call
    **cdata['kwargs'])
  File "C:\salt\bin\lib\site-packages\salt\loader.py", line 1830, in wrapper
    return f(*args, **kwargs)
  File "C:\salt\bin\lib\site-packages\salt\states\win_lgpo.py", line 306, in set_
    adml_language=adml_language)
  File "C:\salt\bin\lib\site-packages\salt\modules\win_lgpo.py", line 5556, in set_
    raise CommandExecutionError(msg)
salt.exceptions.CommandExecutionError: Error while attempting to write Administrative Template Policy data.  Some changes may not be applied as expected

While the initial exception aborting the LGPO update appears to be of the same type, the Registry.pol file is now corrupted:

LGPO.exe v2.2 - Local Group Policy Object utility

Parse machine registry.pol: Registry.pol
; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  Registry.pol

Computer
Software\Policies\Microsoft\Windows\Personalization
NoChangingLockScreen
DWORD:1

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicited
DWORD:0

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicitedFullControl
DELETE

Invalid file format.  Expected ']', found character 0x00000000

Versions Report

Master:

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.4.2
      docker-py: Not Installed
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.3
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.12 (default, Dec  4 2017, 14:50:18)
   python-gnupg: 0.3.8
         PyYAML: 3.11
          PyZMQ: 15.2.0
           RAET: Not Installed
          smmap: 0.9.0
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4

System Versions:
           dist: Ubuntu 16.04 xenial
         locale: UTF-8
        machine: x86_64
        release: 4.4.0-116-generic
         system: Linux
        version: Ubuntu 16.04 xenial

Minion:

Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.10.0
       cherrypy: 10.2.1
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.5.3 (v3.5.3:1880cb95a742, Jan 16 2017, 16:02:32) [MSC v.1900 64 bit (AMD64)]
   python-gnupg: 0.4.1
         PyYAML: 3.12
          PyZMQ: 16.0.3
           RAET: Not Installed
          smmap: 2.0.3
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6

System Versions:
           dist:
         locale: cp1252
        machine: AMD64
        release: 10
         system: Windows
        version: 10 10.0.14393 SP0 Multiprocessor Free

[onnodb]

Tested again using the PY2 minion, and there lgpo.set does appear to work successfully: all of my previous tests now report success to the master.

However, the following state:

Set branding GPO:
  lgpo.set:
    - computer_policy:
        "Configure Offer Remote Assistance": Disabled

still corrupts Registry.pol:

LGPO.exe v2.2 - Local Group Policy Object utility

Parse machine registry.pol: Registry.pol
; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  Registry.pol

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicited
DWORD:0

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicitedFullControl
DELETE

Invalid file format.  Expected ']', found character 0x00000000

[Ch3LL]

ping @twangboy i know you have done some recent work around here. mind taking a look here?

[twangboy]

@lomeroe Looks similar to #48782

[lomeroe]

@twangboy It does look to be the same or very similar. I haven't been able to get back to investigating #48782 though. Hopefully in the next week or two I will...

[onnodb]

Please do let me know if I can be of any assistance with testing etc. I'd be happy to help.

[lomeroe]

@onnodb Could you test this version of win_lgpo.py out and let me know if it makes things happier on your end?

https://github.com/lomeroe/salt/blob/issue48782_2018.3/salt/modules/win_lgpo.py

[onnodb]

Yes, absolutely! I'm going to be back in the office on Thursday by the latest, and I'll do a test run ASAP.

[onnodb]

Just checked, and I'm afraid the corruption of registry.pol is still there:

LGPO.exe v2.2 - Local Group Policy Object utility

Parse machine registry.pol: c:\windows\system32\GroupPolicy\Machine\Registry.pol
; ----------------------------------------------------------------------
; PARSING Computer POLICY
; Source file:  c:\windows\system32\GroupPolicy\Machine\Registry.pol

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowToGetHelp
DWORD:0

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowFullControl
DELETE

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
MaxTicketExpiry
DELETE

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
MaxTicketExpiryUnits
DELETE

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fUseMailto
DELETE

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicited
DWORD:0

Computer
Software\policies\Microsoft\Windows NT\Terminal Services
fAllowUnsolicitedFullControl
DELETE

Invalid file format.  Expected ']', found character 0x00000000

(Just to be sure: this is the PY3 minion with the modules/win_lgpo.py file manually copied over and the __pycache__ directories removed)

[onnodb]

In case it's useful for troubleshooting, I've uploaded the resulting Registry.pol file to my Dropbox:
https://www.dropbox.com/s/ux75sw4dl7bhmyk/Registry.pol?dl=0

[lomeroe]

Thanks @onnodb

I think I see the problem, I made an update to the file linked above. I am just now kicking off tests myself, but feel pretty good about it correcting your issue on py3.

[lomeroe]

@onnodb more commits pushed to that file for testing, feeling pretty good about having it all ironed out

[onnodb]

That indeed appears to fix it completely. Wonderful! Many thanks!