dsccommunity / ComputerManagementDsc

DSC resources for the configuration of a Windows computer. These DSC resources allow you to perform computer management tasks, such as renaming the computer, joining a domain and scheduling tasks, as well as configuring items such as virtual memory, event logs, time zones and power settings.
https://dsccommunity.org
MIT License

IEEnhancedSecurityConfiguration never in desired state when Enabled is set to False #433

Closed ben-eddy74 closed 1 week ago

ben-eddy74 commented 2 months ago

Problem description

When disabling IE Enhanced Security, the desired state is always False.

In case the LCM is configured with 'RebootNodeIfNeeded = $true' and 'ActionAfterReboot = ContinueConfiguration', a reboot loop is happening.

Verbose logs

2024-08-30T18:51:29.160+00:00 verbose [MYCOMPUTER]: LCM:  [ Start  Test     ]  [[IEEnhancedSecurityConfiguration]DisableForAdministrators]
2024-08-30T18:51:29.160+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Importing the module DSC_IEEnhancedSecurityConfiguration in force mode.
2024-08-30T18:51:29.253+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Testing IE Enhanced Security Configuration state for 'Administrators'. (IEESC0003)
2024-08-30T18:51:29.253+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Getting IE Enhanced Security Configuration state for 'Administrators'. (IEESC0001)
2024-08-30T18:51:29.285+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] The IE Enhanced Security Configuration for 'Administrators' was enabled, but expected it to be disabled. (IEESC0006)
2024-08-30T18:51:29.285+00:00 verbose [MYCOMPUTER]: LCM:  [ End    Test     ]  [[IEEnhancedSecurityConfiguration]DisableForAdministrators]  in 0.1250 seconds.
2024-08-30T18:51:29.285+00:00 verbose [MYCOMPUTER]: LCM:  [ Start  Set      ]  [[IEEnhancedSecurityConfiguration]DisableForAdministrators]
2024-08-30T18:51:29.285+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Importing the module DSC_IEEnhancedSecurityConfiguration in force mode.
2024-08-30T18:51:29.394+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Getting IE Enhanced Security Configuration state for 'Administrators'. (IEESC0001)
2024-08-30T18:51:29.410+00:00 verbose [MYCOMPUTER]:                            [[IEEnhancedSecurityConfiguration]DisableForAdministrators] Setting IE Enhanced Security Configuration state for 'Administrators'. (IEESC0002)
2024-08-30T18:51:29.410+00:00 verbose [MYCOMPUTER]: LCM:  [ End    Set      ]  [[IEEnhancedSecurityConfiguration]DisableForAdministrators]  in 0.1250 seconds.

DSC configuration

IEEnhancedSecurityConfiguration DisableForAdministrators
{
  Role            = 'Administrators'
  Enabled         = $false
}

Suggested solution

When running the following command:

Invoke-DscResource -Name IEEnhancedSecurityConfiguration -Method Get -ModuleName ComputerManagementDsc -Property @{ Role = 'Administrators'; Enabled = $false } -Verbose

The result is True (which is not correct):

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceGet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer AIS02TESTSQL with user sid S-1-5-21-3403967775-1204755894-2229100015-82601.
VERBOSE: [AIS02TESTSQL]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.1.0\DscResources\DSC_IEEnhancedSecurityConfiguration\DSC_IEEnhancedSecurityConfiguration.psm1 in force mode.
VERBOSE: [AIS02TESTSQL]: [[IEEnhancedSecurityConfiguration]DirectResourceAccess] Importing the module DSC_IEEnhancedSecurityConfiguration in force mode.
VERBOSE: [AIS02TESTSQL]: [[IEEnhancedSecurityConfiguration]DirectResourceAccess] Getting IE Enhanced Security Configuration state for 'Administrators'. (IEESC0001)
VERBOSE: [AIS02TESTSQL]: LCM: [ End Get ] [[IEEnhancedSecurityConfiguration]DirectResourceAccess] in 0.0940 seconds.
VERBOSE: [AIS02TESTSQL]: LCM: [ End Set ] in 11.8180 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

ConfigurationName    :
DependsOn            :
ModuleName           : ComputerManagementDsc
ModuleVersion        : 9.1.0
PsDscRunAsCredential :
ResourceId           :
SourceInfo           :
Enabled              : True
Role                 : Administrators
SuppressRestart      : False
PSComputerName       : localhost

VERBOSE: Time taken for configuration job to complete is 12.065 seconds

Looking at the source code, the following registry value is checked:

PS C:\Windows\system32> (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled

False

Which is different from the Invoke-DscResource command.

The root cause seems to be the cast to boolean, which returns true, even when the registry value is false:

PS C:\Windows\system32> [bool](Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled

True

Proposed solution:

Change in Get-TargetResource

$currentlyEnabled = [System.Boolean] (Get-ItemProperty -Path $registryKey -ErrorAction 'Stop').$script:registryKey_Property

To

$currentlyEnabled = (Get-ItemProperty -Path $registryKey -ErrorAction 'Stop').$script:registryKey_Property -eq 'True'

Operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

PowerShell version and build the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.6189
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.6189
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

ComputerManagementDsc version

Name                  Version Path
----                  ------- ----
ComputerManagementDsc 9.1.0   C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.1.0\ComputerManagementDsc.psd1
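As an added example (not the module's code and not part of the issue above), a helper that reads the IsInstalled value without the `[bool]` cast problem: it accepts both the REG_DWORD 1/0 form and the string 'True'/'False' form reported in this thread. The function name ConvertTo-IeEscBoolean is hypothetical; the registry path is the one quoted in the issue.

```powershell
# Added example, not code from ComputerManagementDsc.
# Converts the IsInstalled registry value to a boolean whether it is stored as
# REG_DWORD (1/0) or as a string ('True'/'False'). ConvertTo-IeEscBoolean is a
# hypothetical helper name chosen for this illustration.
function ConvertTo-IeEscBoolean
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowNull()]
        [System.Object]
        $Value
    )

    # A missing value is treated as "not enabled".
    if ($null -eq $Value)
    {
        return $false
    }

    # REG_DWORD comes back as an Int32; any non-zero value means enabled.
    if ($Value -is [System.ValueType])
    {
        return [System.Boolean] $Value
    }

    # String form: [bool] 'False' is $true in PowerShell because the string is
    # non-empty, which is the cast bug described above. Parse it explicitly.
    $text = ([System.String] $Value).Trim()
    $parsed = $false
    if ([System.Boolean]::TryParse($text, [ref] $parsed))
    {
        return $parsed
    }

    # A string that holds a number, e.g. '0' or '1'.
    $number = 0
    if ([System.Int32]::TryParse($text, [ref] $number))
    {
        return $number -ne 0
    }

    throw "Unexpected IsInstalled value '$text'."
}

# Usage with the Administrators key quoted in the issue.
$registryKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$currentlyEnabled = ConvertTo-IeEscBoolean -Value (Get-ItemProperty -Path $registryKey -ErrorAction 'Stop').IsInstalled
```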
johlju commented 2 months ago

Good catch finding this. Do you have time to send in a PR?

Borgquite commented 1 week ago

Hey @ben-eddy74 - something doesn't seem right here. Are you saying that when you run the following, you get 'True' or 'False' (the string?) rather than 1, or 0?

(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled

The Microsoft website indicates that these should be REG_DWORD values returning 1 or 0, and the script should therefore work perfectly as-is.

The resource works fine on all the systems I've tried (Server 2012 R2, Server 2022) so not sure why it's not for you!

Borgquite commented 1 week ago

If you're getting True or False, we're probably hitting this issue again (same as #412)

https://stackoverflow.com/questions/16787365/set-itemproperty-sets-registry-value-as-string-on-some-systems-instead-of-dword

ben-eddy74 commented 1 week ago

Hi @Borgquite

I was developing a configuration and when I faced this issue I stopped using the resource. I made a fork and set up a dev station for a PR but due to life I did not continue yet.

When I got your message I deployed a new Windows 2019 server and without any configuration I indeed get 0 and 1 back instead of True or False. If it is a rare case then I might not face it anymore.

In the coming days I will try to find some time to test again against different environments (Azure DevTestLabs and VMware)

Borgquite commented 1 week ago

Hi @ben-eddy74

No worries. Based on experience with #412 it's likely that DSC is the cause of the 'True' string value (which is incorrect) and the pull request I've submitted should fix that.

Please don't feel the need to put any more work into testing - hopefully this'll do the job :)