dsccommunity / SecurityPolicyDsc

A wrapper around secedit.exe to configure local security policies
MIT License

SecurityOptions: SendConfigurationApply function did not succeed #160

Open nawijesi opened 3 years ago

nawijesi commented 3 years ago

Details of the scenario you tried and the problem that is occurring

Running the SecurityOptions configuration on Windows 10 clients fails when the Windows 10 client is connected to Azure Automation State Configuration (running these security options locally on the client works fine with 0 issues).

Verbose logs showing the problem

DSC Configuration 'RegistrationMetaConfigV2' completed with error(s). Following are the first few: Cannot bind argument to parameter 'ReferenceObject' because it is null. The PowerShell DSC resource '[SecurityOption]SecurityOptions' with SourceInfo '::299::5::SecurityOption' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details. The SendConfigurationApply function did not succeed.

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

SecurityOption SecurityOptions # All OK, comments in 2.3.9.2 and 2.3.17.2
{
    Name = 'SecurityOptions'

    # 2.3.1 Security Options - Accounts

    # 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
    Accounts_Block_Microsoft_accounts = 'Users cant add or log on with Microsoft accounts'

    # 2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled'
    Accounts_Guest_account_status = 'Disabled'

    # 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
    Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only = 'Enabled'

    # 2.3.2 Audit

    # 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
    Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings = 'Enabled'

    # 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'
    Audit_Shut_down_system_immediately_if_unable_to_log_security_audits = 'Disabled'

    # 2.3.4 Security Options - Devices

    # 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'
    Devices_Prevent_users_from_installing_printer_drivers = 'Enabled'

    # No reference found in 1909
    Devices_Allow_undock_without_having_to_log_on = 'Disabled'

    # 2.3.6 Security Options - Domain Member

    # 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
    Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always = 'Enabled'

    # 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
    Domain_member_Digitally_encrypt_secure_channel_data_when_possible = 'Enabled'

    # 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
    Domain_member_Digitally_sign_secure_channel_data_when_possible = 'Enabled'

    # 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
    Domain_member_Disable_machine_account_password_changes = 'Disabled'

    # 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'
    Domain_member_Maximum_machine_account_password_age = 30

    # 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
    Domain_member_Require_strong_Windows_2000_or_later_session_key = 'Enabled'

    # 2.3.7 Security Options - Interactive Logon

    # 2.3.7.2 (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'
    Interactive_logon_Do_not_display_last_user_name = 'Enabled'

    # 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
    Interactive_logon_Machine_account_lockout_threshold = '10'

    # 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
    Interactive_logon_Machine_inactivity_limit = 600

    # 2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'
    Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available = 10

    # 2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
    Interactive_logon_Prompt_user_to_change_password_before_expiration = 10

    # 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher
    Interactive_logon_Smart_card_removal_behavior = 'Lock Workstation'

    # 2.3.8 Security Options - Microsoft Network Client

    # 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
    Microsoft_network_client_Digitally_sign_communications_if_server_agrees = 'Enabled'

    # 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
    Microsoft_network_client_Send_unencrypted_password_to_third_party_SMB_servers = 'Disabled'

    # 2.3.9 Security Options - Microsoft Network Server

    # 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
    Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session = 15

    # 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
    # May consider setting this to Disabled due to WAN acc
    Microsoft_network_server_Digitally_sign_communications_always = 'Enabled'

    # 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
    Microsoft_network_server_Digitally_sign_communications_if_client_agrees = 'Enabled'

    # 2.3.10 Security Options - Network Access

    # 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
    Network_access_Allow_anonymous_SID_Name_translation = 'Disabled'

    # 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
    Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts = 'Enabled'

    # 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
    Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares = 'Enabled'

    # 2.3.10.4 (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'
    Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication = 'Enabled'

    # 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
    Network_access_Let_Everyone_permissions_apply_to_anonymous_users = 'Disabled'

    # 2.3.10.6 (L1) Configure 'Network access: Named Pipes that can be accessed anonymously'
    Network_access_Named_Pipes_that_can_be_accessed_anonymously = ''

    <# Removed due to error in DSC. Verify:
       2.3.10.7 (L1) Configure 'Network access: Remotely accessible registry paths'
       https://github.com/dsccommunity/SecurityPolicyDSC/issues/83
       Network_access_Remotely_accessible_registry_paths = 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    #>

    <# Removed due to error in DSC. Verify:
       2.3.10.8 (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'
       https://github.com/dsccommunity/SecurityPolicyDSC/issues/83
       Network_access_Remotely_accessible_registry_paths_and_subpaths = 'System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog'
    #>

    # 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
    Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares = 'Enabled'

    # 2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'
    # Not included in the module, see #89 https://github.com/dsccommunity/SecurityPolicyDsc/issues/89
    # Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM = 'O:BAG:BAD:(A;;RC;;;BA)'

    # 2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
    Network_access_Shares_that_can_be_accessed_anonymously = ''

    # 2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
    Network_access_Sharing_and_security_model_for_local_accounts = 'Classic - local users authenticate as themselves'

    # 2.3.11 Security Options - Network Security

    # 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
    Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM = 'Enabled'

    # 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
    Network_security_Allow_LocalSystem_NULL_session_fallback = 'Disabled'

    # 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
    Network_security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities = 'Disabled'

    # 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' + RC4_HMAC_MD5
    # KerberosSupportedEncryptionType: New resource proposal · Issue #1 · dsccommunity/SChannelDsc (github.com)
    Network_security_Configure_encryption_types_allowed_for_Kerberos = 'AES128_HMAC_SHA1', 'AES256_HMAC_SHA1', 'RC4_HMAC_MD5'

    # 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
    Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change = 'Enabled'

    # 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
    Network_security_Force_logoff_when_logon_hours_expire = 'Enabled'

    # 2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
    Network_security_LAN_Manager_authentication_level = 'Send NTLMv2 responses only. Refuse LM & NTLM'

    # 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
    Network_security_LDAP_client_signing_requirements = 'Negotiate Signing'

    # 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients = 'Both options checked'

    # 2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
    Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers = 'Both options checked'
}

The operating system the target node is running

Windows 10 clients on the Windows 10 Enterprise image, version 20H2.

Version and build of PowerShell the target node is running

PowerShell 5

Version of the DSC module that was used

Latest

nawijesi commented 3 years ago

The logs were not showing exactly which security options setting was causing this issue on the client. So through the process of elimination we pinpointed the cause to this security options policy:

Network_security_Configure_encryption_types_allowed_for_Kerberos = 'AES128_HMAC_SHA1','AES256_HMAC_SHA1','RC4_HMAC_MD5'

Running the security options locally on the Windows 10 client had no issues. The error was only occurring through Azure Automation State Configuration.

nawijesi commented 3 years ago

The error handling needs to be improved for SecurityOptions, as when one setting fails the failure does not appear properly in the logs.
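The elimination process described two comments up, and the per-setting error visibility asked for in the last one, can be scripted rather than done by hand. The following is an added example and is not code from SecurityPolicyDsc or from this issue: each setting is pushed through the SecurityOption resource as its own instance with Invoke-DscResource, so an exception surfaces with the setting name attached instead of as one aggregated "SendConfigurationApply function did not succeed". The helper names Invoke-SecurityOptionProbe and Compare-SettingSafely are hypothetical. It assumes an elevated Windows PowerShell 5.1 session on a test node with SecurityPolicyDsc installed and an LCM whose RefreshMode is Disabled, which Invoke-DscResource requires on 5.1 (a node registered to Azure Automation is in Pull mode, so this matches the reporter's local test rather than the Azure path).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of SecurityPolicyDsc or of the configuration in this issue.
# Assumes Windows PowerShell 5.1, SecurityPolicyDsc installed, and an LCM whose
# RefreshMode is Disabled (required by Invoke-DscResource on 5.1).

# Constructed subset of the issue's settings, one key per setting, so each can be
# exercised on its own. The Kerberos line is the one the reporter isolated.
$settings = [ordered]@{
    Accounts_Guest_account_status                                    = 'Disabled'
    Interactive_logon_Machine_inactivity_limit                       = 600
    Network_security_LAN_Manager_authentication_level                = 'Send NTLMv2 responses only. Refuse LM & NTLM'
    Network_security_Configure_encryption_types_allowed_for_Kerberos = 'AES128_HMAC_SHA1', 'AES256_HMAC_SHA1', 'RC4_HMAC_MD5'
}

function Invoke-SecurityOptionProbe {
    <#
      Hypothetical helper: runs Test (or Set) for each setting as its own
      SecurityOption instance and returns one record per setting, carrying the
      exception message when the call throws.
    #>
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Settings,
        [ValidateSet('Test', 'Set')] [string] $Method = 'Test'
    )

    foreach ($key in $Settings.Keys) {
        # Name is the resource's key property; one instance per probed setting.
        $property = @{ Name = "Probe_$key"; $key = $Settings[$key] }
        try {
            $result = Invoke-DscResource -Name SecurityOption -ModuleName SecurityPolicyDsc `
                -Method $Method -Property $property -ErrorAction Stop
            # Test returns InDesiredState; Set returns RebootRequired.
            $value = if ($Method -eq 'Test') { $result.InDesiredState } else { $result.RebootRequired }
            [pscustomobject]@{ Setting = $key; Method = $Method; Result = $value; Error = $null }
        }
        catch {
            # This is the detail the aggregated LCM error in the issue hides:
            # which setting threw, and what it said.
            [pscustomobject]@{ Setting = $key; Method = $Method; Result = $null; Error = $_.Exception.Message }
        }
    }
}

function Compare-SettingSafely {
    <#
      Hypothetical helper showing the shape of the binding error in the issue's log.
      Compare-Object rejects a $null -ReferenceObject with
      "Cannot bind argument to parameter 'ReferenceObject' because it is null",
      so a policy that reads back as $null (nothing configured) must be handled
      before it reaches Compare-Object. Returns $true when current equals desired.
    #>
    param($Current, $Desired)

    $ref  = @($Current | Where-Object { $null -ne $_ })
    $diff = @($Desired | Where-Object { $null -ne $_ })
    if ($ref.Count -eq 0 -or $diff.Count -eq 0) {
        # An empty side never reaches Compare-Object: equal only if both are empty.
        return ($ref.Count -eq 0 -and $diff.Count -eq 0)
    }
    return -not (Compare-Object -ReferenceObject $ref -DifferenceObject $diff)
}

# Usage: a Test pass first; a Set pass would be run the same way with -Method Set.
$probe = Invoke-SecurityOptionProbe -Settings $settings -Method Test
$probe | Format-Table Setting, Method, Result, Error -AutoSize -Wrap

$probe | Where-Object { $_.Error } | ForEach-Object {
    Write-Warning ("Setting '{0}' threw during {1}: {2}" -f $_.Setting, $_.Method, $_.Error)
}

# The guard in action: an unset policy ($null) against the desired Kerberos list
# returns $false instead of a parameter-binding exception.
Compare-SettingSafely -Current $null -Desired $settings.Network_security_Configure_encryption_types_allowed_for_Kerberos
```

Running the Test pass before any Set pass keeps the probe read-only until the failing setting is known; the record list it returns is also what a bug report like this one would want attached, since it names the setting and the exact exception rather than the LCM's summary.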