Closed ben-eddy74 closed 1 month ago
Good catch finding this. Do you have time to send in a PR?
Hey @ben-eddy74 - something doesn't seem right here. Are you saying that when you run the following, you get 'True' or 'False' (the string?) rather than 1, or 0?
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled
(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}').IsInstalled
The Microsoft website indicates that these should be REG_DWORD values returning 1 or 0, and the script should therefore work perfectly as-is.
The resource works fine on all the systems I've tried (Server 2012 R2, Server 2022) so not sure why it's not for you!
If you're getting True or False, we're probably hitting this issue again (same as #412)
Hi @Borgquite
I was developing a configuration and when I faced this issue I stopped using the resource. I made a fork and setup a dev station for a PR but due to life I did not continue yet.
When I got your message I deployed a new Windows 2019 server and without any configuration I indeed get 0 and 1 back instead of True or False. If it is a rare case then I might not face it anymore.
In the coming days I will try to find some time to test again against different environments (Azure DevTestLabs and VMware)
Hi @ben-eddy74
No worries. Based on experience with #412 it's likely that DSC is the cause of the 'True' string value (which is incorrect) and the pull request I've submitted should fix that.
Please don't feel the need to put any more work into testing - hopefully this'll do the job :)
Problem description
When disabling IE Enhanced Security, the desired state is always False.
In case the LCM is configured with 'RebootNodeIfNeeded = $true' and 'ActionAfterReboot = ContinueConfiguration', a reboot loop is happening.
Verbose logs
DSC configuration
Suggested solution
When running the following command:
The result is True (which is not correct):
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = ResourceGet,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'. VERBOSE: An LCM method call arrived from computer AIS02TESTSQL with user sid S-1-5-21-3403967775-1204755894-2229100015-82601. VERBOSE: [AIS02TESTSQL]: [DSCEngine] Importing the module C:\Program Files\WindowsPowerShell\Modules\ComputerManagementDsc\9.1.0\DscResources\DSC_IEEnhancedSecurityConfiguration\DSC_IEEnhancedSecurityConfiguration.psm1 in force mode. VERBOSE: [AIS02TESTSQL]: [[IEEnhancedSecurityConfiguration]DirectResourceAccess] Importing the module DSC_IEEnhancedSecurityConfiguration in force mode. VERBOSE: [AIS02TESTSQL]: [[IEEnhancedSecurityConfiguration]DirectResourceAccess] Getting IE Enhanced Security Configuration state for 'Administrators'. (IEESC0001) VERBOSE: [AIS02TESTSQL]: LCM: [ End Get ] [[IEEnhancedSecurityConfiguration]DirectResourceAccess] in 0.0940 seconds. VERBOSE: [AIS02TESTSQL]: LCM: [ End Set ] in 11.8180 seconds. VERBOSE: Operation 'Invoke CimMethod' complete.
ConfigurationName : DependsOn : ModuleName : ComputerManagementDsc ModuleVersion : 9.1.0 PsDscRunAsCredential : ResourceId : SourceInfo : Enabled : True Role : Administrators SuppressRestart : False PSComputerName : localhost
VERBOSE: Time taken for configuration job to complete is 12.065 seconds
Looking at the source code, the following registry value is checked:
False
Which is different from the Invoke-DscResource command.
The root cause seems to be the cast to boolean, which returns true, even when the registry value is false:
True
Proposed solution:
Change in Get-TargetResource
$currentlyEnabled = [System.Boolean] (Get-ItemProperty -Path $registryKey -ErrorAction 'Stop').$script:registryKey_Property
To
$currentlyEnabled = (Get-ItemProperty -Path $registryKey -ErrorAction 'Stop').$script:registryKey_Property -eq 'True'
Operating system the target node is running
PowerShell version and build the target node is running
ComputerManagementDsc version