What happened?
When lgpo_reg.value_absent is called and the Registry.pol entry has already been removed (e.g. by a prior partial run, or because the pol and registry have drifted out of sync), but the registry value itself still exists, the state reports failure instead of cleaning up the registry value.
Running the state with test=True correctly identifies the problem — it reports "Policy value already deleted / Registry value will be deleted" and returns Result: None (would make changes). But the actual (non-test) run then fails with "Failed to remove Machine policy value" and Result: False, leaving the registry value in place.
Steps to Reproduce
- Set the value in both pol and registry:
set_value:
lgpo_reg.value_present:
- key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- name: VulnerableChannelAllowList
- v_type: REG_SZ
- v_data: "O:BAG:BAD:(A;;RC;;;BA)"
- policy_class: Machine
- Manually remove only the Registry.pol entry (or apply the state once in an environment where pol was already cleared):
salt-call --local lgpo_reg.delete_value
"SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" VulnerableChannelAllowList
- Confirm the pol entry is gone but the registry value is still present, then run the state:
salt-call --local state.apply my_state
Expected Behavior
The state succeeds and removes the registry value regardless of whether the Registry.pol entry was already absent.
Actual Behavior
test=True correctly detects the drift:
Result: None
Comment: Policy value already deleted
Registry value will be deleted
But the actual run fails:
Result: False
Comment: Failed to remove Machine policy value
- key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- name: VulnerableChannelAllowList
Root Cause (suspected)
lgpo_reg.delete_value appears to return None early when the pol key or value name is not found, before reaching the registry cleanup code. This means when pol is already absent but the registry value still exists, nothing is cleaned up and the state sees no changes, causing it to report failure.
Type of salt install
Official exe
Major version
3006.x
What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)
windows-2019
salt --versions-report output
Environment
• Salt version: 3006.x
• OS: Windows Server 2019
What happened?
When lgpo_reg.value_absent is called and the Registry.pol entry has already been removed (e.g. by a prior partial run, or because the pol and registry have drifted out of sync), but the registry value itself still exists, the state reports failure instead of cleaning up the registry value.
Running the state with test=True correctly identifies the problem — it reports "Policy value already deleted / Registry value will be deleted" and returns Result: None (would make changes). But the actual (non-test) run then fails with "Failed to remove Machine policy value" and Result: False, leaving the registry value in place.
Steps to Reproduce
Expected Behavior
The state succeeds and removes the registry value regardless of whether the Registry.pol entry was already absent.
Actual Behavior
test=True correctly detects the drift:
But the actual run fails:
Root Cause (suspected)
lgpo_reg.delete_value appears to return None early when the pol key or value name is not found, before reaching the registry cleanup code. This means when pol is already absent but the registry value still exists, nothing is cleaned up and the state sees no changes, causing it to report failure.
Type of salt install
Official exe
Major version
3006.x
What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)
windows-2019
salt --versions-report output