[BUG] long setting names don't work in lgpo.set for some policies

[jtraub91]

Description

When using the lgpo.set state module, policy settings, where applicable, are passed in as a dictionary, e.g

Force a specific background and accent color:
  lgpo.set:
  - name: CPL_Personalization_PersonalColors
  - setting:
      Accent color: text-placeholder
      Start background color: text-placeholder
  - policy_class: Machine

I've also noticed that you can use, what I call the "short setting" name (found by inspecting C:\Windows\PolicyDefintions), e.g.

Force a specific background and accent color:
  lgpo.set:
  - name: CPL_Personalization_PersonalColors
  - setting:
      PersonalColors_Accent: text-placeholder
      PersonalColors_Background: text-placeholder
  - policy_class: Machine

The short setting name seems to be a bit more reliable, however.

Here is one example of a policy that does not work with the long setting names

Set IP-HTTPS State:
  lgpo.set:
  - name: IPHTTPS_ClientState
  - setting:
      Enter the IPHTTPS Url: text-placeholder
      Select Interface state from the following options: enum-placeholder
  - policy_class: Machine

but works with short setting names,

Set IP-HTTPS State:
  lgpo.set:
  - name: IPHTTPS_ClientState
  - setting:
      IPHTTPSClientUrlBox: text-placeholder
      StateSelect: enum-placeholder
  - policy_class: Machine

The cases for which the long setting name does not work seems to be sporadic and unpredictable; nonetheless, the following is a exhaustive list of policies I've identified to fail with long setting names

• Allow Online Tips (class: Machine)
• Set BranchCache Hosted Cache mode (class: Machine)
• Set IP-HTTPS State (class: Machine)
• Warning for large Kerberos tickets (class: Machine)
• Set maximum Kerberos SSPI context token buffer size (class: Machine)
• Specify KDC proxy servers for Kerberos clients (class: Machine)
• Allow uploads while the device is on battery while under set Battery level (percentage) (class: Machine)
• Cache Server Hostname (class: Machine)
• Delay Background download Cache Server fallback (in seconds) (class: Machine)
• Delay Foreground download Cache Server fallback (in seconds) (class: Machine)
• Maximum Background Download Bandwidth (percentage) (class: Machine)
• Maximum Foreground Download Bandwidth (percentage) (class: Machine)
• Max Cache Size (percentage) (class: Machine)
• Select a method to restrict Peer Selection (class: Machine)
• Select the source of Group IDs (class: Machine)
• Enable Protected Event Logging (class: Machine)
• Define device control policy groups (class: Machine)
• Define device control policy rules (class: Machine)
• Configure Attack Surface Reduction rules (class: Machine)
• Exclude files and paths from Attack Surface Reduction Rules (class: Machine)
• Configure allowed applications (class: Machine)
• Configure Controlled folder access (class: Machine)
• Configure protected folders (class: Machine)
• Define the number of days after which a catch-up scan is forced (class: Machine)
• Define security intelligence location for VDI clients. (class: Machine)
• Use a common set of exploit protection settings (class: Machine)
• Control rich previews for attachments (class: Machine)
• Preview pane location (class: Machine)
• Set large or small icon view in desktop search results (class: Machine)
• Tag Windows Customer Experience Improvement data with Study Identifier (class: Machine)
• Control maximum size of baseline file cache (class: Machine)
• Prohibit flyweight patching (class: Machine)
• Prohibit use of Restart Manager (class: Machine)
• Specify the types of events Windows Installer records in its transaction log (class: Machine)
• Turn off logging via package settings (class: Machine)
• Turn off Windows Installer (class: Machine)
• Configure auto-restart required notification for updates (class: Machine)
• Configure auto-restart warning notifications schedule for updates (class: Machine)
• Display options for update notifications (class: Machine)
• Specify active hours range for auto-restarts (class: Machine)
• Specify deadline before auto-restart for update installation (class: Machine)
• Specify the order in which Windows Installer searches for installation files (class: User)
• Location where all default Library definition files for users/machines reside. (class: Both)
• Configure which channel of Microsoft Edge to use for opening redirected sites (class: Both)
• Limit Site Discovery output by Domain (class: Both)
• Limit Site Discovery output by Zone (class: Both)
• Settings package size warning threshold (class: Both)
• Synchronization timeout (class: Both)
• Do not sync Apps (class: Machine)
• Do not sync app settings (class: Machine)
• Do not sync browser settings (class: Machine)
• Do not sync desktop personalization (class: Machine)
• Do not sync other Windows settings (class: Machine)
• Do not sync passwords (class: Machine)
• Do not sync personalize (class: Machine)
• Do not sync start settings (class: Machine)

Setup

Install salt minion. Form a salt state using long setting names for any policy in the above list.
(Search for policy in C:\Windows\PolicyDefinitions or in Local Group Policy Editor to find setting names)

Steps to Reproduce the behavior

salt-call --local state.sls <state> test=True

Expected error is Invalid Element name.

Then, replace the long setting names with short setting names (found in C:\Windows\PolicyDefintions) and re-run

salt-call --local state.sls <state> test=True

to observe success.

Expected behavior

For the most policies long setting names work, but for those listed above, they don't, unexpectedly.
At the very least, it is desirable to understand how / why these policies only work with short setting names.
i.e. what is the internal salt logic for identifying a valid long setting name? Is it a shortcoming of the policy definitions themselves or the way that salt parses them?

Versions Report

Salt Version:
          Salt: 3004.1

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: 4.0.7
     gitpython: 3.1.18
        Jinja2: 2.10.1
       libgit2: Not Installed
      M2Crypto: Not Installed
          Mako: 1.1.4
       msgpack: 0.6.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: 2.20
      pycrypto: Not Installed
  pycryptodome: 3.10.1
        pygit2: Not Installed
        Python: 3.8.8 (tags/v3.8.8:024d805, Feb 19 2021, 13:18:16) [MSC v.1928 64 bit (AMD64)]
  python-gnupg: 0.4.7
        PyYAML: 5.4.1
         PyZMQ: 19.0.0
         smmap: 4.0.0
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.2

System Versions:
          dist:
        locale: cp1252
       machine: AMD64
       release: 10
        system: Windows
       version: 10 10.0.19041 SP0 Multiprocessor Free

[twangboy]

I started looking at this. It looks like the long name, as shown in the GUI, is not the same long name expected by the policy. For example, here is the GUI representation of Set IP-HTTPS State:

There is a command you can run to get the names as expected by Salt. That function is lgpo.get_policy_info. Running this command returns the following:

C:\src\salt> salt-call --local lgpo.get_policy_info "Set IP-HTTPS State" machine
local:
    ----------
    message:
    policy_aliases:
        - Set IP-HTTPS State
        - IPHTTPS_ClientState
        - Network\TCPIP Settings\IPv6 Transition Technologies\Set IP-HTTPS State
    policy_class:
        machine
    policy_elements:
        |_
          ----------
          element_aliases:
              - StateSelect
              - Select from the following states
          element_id:
              StateSelect
        |_
          ----------
          element_aliases:
              - IPHTTPSClientUrlBox
              - Enter the IPHTTPS Url
          element_id:
              IPHTTPSClientUrlBox
    policy_found:
        True
    policy_name:
        Set IP-HTTPS State
    rights_assignment:
        False

So, I think if you use Select from the following states instead of Select interface state from the following options you'll have better luck.

[twangboy]

Looking at Allow Online Tips seems to prepend a bunch of unknown characters to the name:

local:
    ----------
    message:
    policy_aliases:
        - Allow Online Tips
        - AllowOnlineTips
        - Control Panel\Allow Online Tips
    policy_class:
        machine
    policy_elements:
        |_
          ----------
          element_aliases:
              - CheckBox_AllowOnlineTips
              -
                          Allow Settings to retrieve online tips.
          element_id:
              CheckBox_AllowOnlineTips
    policy_found:
        True
    policy_name:
        Allow Online Tips
    rights_assignment:
        False

In this case, I would recommend using the Element ID: CheckBox_AllowOnlineTips rather than try to figure out what characters are before the Element name.

In fact, that may be the overall recommendation here... to use the Element ID instead.

We could investigate the possibility of stripping whitespace from the beginning and end of Element names.

[twangboy]

Type the name of the hosted cache server => Enter Client Computer Cache location
Warning for large Kerberos tickets => Ticket Size Threshold
etc....

[twangboy]

Just created a PR to handle whitespace. #62572

That should fix the Allow Online Tips policy. For the rest, you'll have to use lgpo.get_policy_info to get the long alias that Salt is expecting... or use the element ID.

[bcowman]

Salt Minion 3006.1

I'm trying to enable the policy Computer Configuration//Administrative Templates//Microsoft Edge//SmartScreen settings//Prevent bypassing Microsoft Defender SmartScreen prompts for sites

salt-call lgpo.get_policy_info "Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites" machine
[WARNING ] Trying another: Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites
local:
----------
message:
policy_aliases:
- Prevent bypassing Windows Defender SmartScreen prompts for sites
- PreventSmartScreenPromptOverride
- Microsoft Edge\SmartScreen settings\Prevent bypassing Windows Defender SmartScreen prompts for sites
policy_class:
machine
policy_elements:
policy_found:
True
policy_name:
Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites
rights_assignment:
False

I've tried to set this policy using all 3 of policy_aliases listed in the info but none of them work.
The first one gives an error that the policy name is used as the display name for multiple policies.
The second gives and error policy name is used in multiple ADMX files.
The third, using the long alias, which I expected to work, gives an error 'Unable to find Machine policy'.
Using the long Policy Name I get an error Unable to correlate to any policy.

I don't know if this is a bug but its been driving me insane for the past 2 days.