[BUG] lgpo.set fails when policy is already in desired state #63296

Closed
VitalyMutyev opened this issue Dec 11, 2022 · 6 comments · Fixed by #64414
Labels
Bug broken, incorrect, or confusing behavior Chlorine v3007.0 lgpo Regression The issue is a bug that breaks functionality known to work in previous releases. Windows


@VitalyMutyev

Description
If the group policy is already configured as declared in the state file, Salt state.apply execution exits with failure.

Note: This behaviour is not limited to the policy given in the example below - there are multiple policies (from the ADMX template referenced below) with the described bug.

Setup

State file hardening-microsoft-test.sls:

'File Type Blocking Excel':
  lgpo.set:
    - user_policy:
         "Microsoft Excel 2016\\Excel Options\\Security\\Trust Center\\File Block Settings\\Dif and Sylk files":
           "L_DifAndSylkFilesDropID": "Open/Save blocked, use open policy"

Steps to Reproduce the behavior

  1. Get Administrative Template files (ADMX/ADML) for Microsoft 365 Apps for enterprise/Office LTSC 2021/Office 2019/Office 2016 and the Office Customization Tool for Office 2016: https://www.microsoft.com/en-us/download/details.aspx?id=49030
  2. Copy templates to the Windows machine - upload ADMX files to 'C:\Windows\PolicyDefinitions', restart PC. If applied successfully, you should see the Office policies in Local Group Policy Editor: User Configuration\Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files
  3. Apply the state more than once:
$sudo salt 'test-S*' state.apply security.hardening-microsoft-test
test-Surface-cracked:
----------
          ID: File Type Blocking Excel
    Function: lgpo.set
      Result: True
     Comment: The following policies changed:
              Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files
     Started: 20:08:01.484804
    Duration: 24129.009 ms
     Changes:   
              ----------
              new:
                  ----------
                  User Configuration:
                      ----------
                      Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files:
                          ----------
                          File block setting:
                              Open/Save blocked, use open policy
              old:
                  ----------
                  User Configuration:
                      ----------
                      Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files:
                          Not Configured

Summary for test-Surface-cracked
------------
Succeeded: 1 (changed=1)
Failed:    0
------------
Total states run:     1
Total run time:  24.129 s

Run a second time:

$sudo salt 'test-S*' state.apply security.hardening-microsoft-test
test-Surface-cracked:
----------
          ID: File Type Blocking Excel
    Function: lgpo.set
      Result: False
     Comment: Failed to set the following policies:
              Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files
     Started: 20:16:33.973043
    Duration: 24291.846 ms
     Changes:   

Summary for test-Surface-cracked
------------
Succeeded: 0
Failed:    1
------------
Total states run:     1
Total run time:  24.292 s

Expected behavior
Salt should exit with "Result: True" and notify there are no changes applied in current state of configured GPO.

Versions Report
MASTER:
$ salt -V
Salt Version:
Salt: 3005.1

Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.7.3
docker-py: Not Installed
gitdb: 2.0.6
gitpython: 3.0.7
Jinja2: 2.10.1
libgit2: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 0.6.2
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: 3.6.1
pygit2: Not Installed
Python: 3.8.10 (default, Nov 14 2022, 12:59:47)
python-gnupg: 0.4.5
PyYAML: 5.3.1
PyZMQ: 20.0.0
smmap: 2.0.5
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.2

System Versions:
dist: ubuntu 20.04 focal
locale: utf-8
machine: x86_64
release: 5.15.0-1023-aws
system: Linux
version: Ubuntu 20.04 focal

MINION:
Salt Minion 3005.1 (Tiamat):
3005.1

os_name:
Microsoft Windows 10 Pro
os_type:
Work Station
os_version:
10.0.19045
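
A check for this failure signature, as an added example that is not part of the original issue or of Salt's own code: it parses the default highstate text output of two consecutive `state.apply` runs and flags states that reported changes on the first run and then failed with empty `Changes` on the second. The function names are hypothetical, and the sample text is rebuilt (trimmed, single minion) from the two runs quoted above.

```python
import re

# Field lines of salt's default highstate text output.
FIELD = re.compile(r"^\s*(ID|Function|Result|Comment|Started|Duration|Changes):\s*(.*)$")

def parse_highstate(text):
    """Return one dict per state block; Comment/Changes keep continuation lines."""
    states, cur, field = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Summary for"):
            break
        if not s or set(s) == {"-"}:      # blank lines and ---------- rules
            continue
        m = FIELD.match(line)
        if m:
            field, value = m.group(1), m.group(2).strip()
            if field == "ID":             # a new state block starts here
                cur = {"Changes": ""}
                states.append(cur)
            if cur is not None:
                cur[field] = value
        elif cur is not None and field in ("Comment", "Changes"):
            cur[field] = (cur[field] + "\n" + s).strip()
    return states

def false_failures(first_run, second_run):
    """(ID, Function) pairs that changed on run 1, then failed on run 2 with no changes."""
    applied = {s["ID"] for s in parse_highstate(first_run)
               if s.get("Result") == "True" and s["Changes"]}
    return [(s["ID"], s.get("Function")) for s in parse_highstate(second_run)
            if s["ID"] in applied and s.get("Result") == "False" and not s["Changes"]]

# Sample input: rebuilt and trimmed from the two runs quoted in this issue.
POLICY = (r"Microsoft Excel 2016\Excel Options\Security\Trust Center"
          r"\File Block Settings\Dif and Sylk files")
TEMPLATE = """test-Surface-cracked:
----------
          ID: File Type Blocking Excel
    Function: lgpo.set
      Result: {result}
     Comment: {comment}
              {policy}
     Changes:{changes}
"""
FIRST_RUN = TEMPLATE.format(result="True", comment="The following policies changed:",
                            policy=POLICY, changes="\n              new:\n                  User Configuration:")
SECOND_RUN = TEMPLATE.format(result="False", comment="Failed to set the following policies:",
                             policy=POLICY, changes="")
```

A flagged state is only a candidate: confirm the live value on the minion (for example with `lgpo.get_policy`) before treating the hardening setting as applied.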

@VitalyMutyev VitalyMutyev added Bug broken, incorrect, or confusing behavior needs-triage labels Dec 11, 2022

@OrangeDog
Contributor

Is there anything in the minion log regarding why it failed?

@OrangeDog OrangeDog added Windows info-needed waiting for more info lgpo labels Dec 12, 2022
@VitalyMutyev
Author

Here are a few lines around the error (see attached debug log for more details). Note the first line with 'success': True; is it related to the applied state?

2022-12-12 14:34:25,731 [salt.minion :2061][DEBUG ][5536] minion return: {'success': True, 'return': {'pid': 10504, 'fun': 'state.apply', 'arg': ['security.hardening-microsoft-test'], 'tgt': 'test-S*', 'jid': '20221212223358064837', 'ret': '', 'tgt_type': 'glob', 'user': 'sudo_vitaly'}, 'retcode': 0, 'jid': '20221212223423389592', 'fun': 'saltutil.find_job', 'fun_args': ['20221212223358064837']}
2022-12-12 14:34:26,588 [salt.utils.process:1155][DEBUG ][6536] Subprocess ProcessPayload(jid=20221212223423389592) cleaned up
2022-12-12 14:34:28,965 [salt.loaded.int.module.win_lgpo:8439][WARNING ][10504] Trying another: Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files
2022-12-12 14:34:29,178 [salt.loaded.int.module.win_lgpo:9685][DEBUG ][10504] Compiling non hierarchical return...
2022-12-12 14:34:29,179 [salt.state :321 ][ERROR ][10504] Failed to set the following policies:
Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\Dif and Sylk files
2022-12-12 14:34:29,180 [salt.state :2345][INFO ][10504] Completed state [ File Type Blocking Excel] at time 14:34:29.179511 (duration_in_ms=27503.689)
2022-12-12 14:34:29,180 [salt.state :3401][DEBUG ][10504] File C:\ProgramData\Salt Project\Salt\var\cache\salt\minion\accumulator\1320133716048 does not exist, no need to cleanup
2022-12-12 14:34:29,180 [salt.channel.client:313 ][DEBUG ][10504] Closing AsyncReqChannel instance

Full log: minion_debug.log

@VitalyMutyev
Author

This behaviour is not present on Salt Minion 3004.2-1 (Python 3) - executing state repeatedly does not fail with error.

@OrangeDog OrangeDog added Regression The issue is a bug that breaks functionality known to work in previous releases. and removed info-needed waiting for more info labels Dec 13, 2022
@jtraub91
Contributor

Seeing this issue also. Please see #63473 (comment). Originally posted there, but this seems to be the more closely related existing open issue.

@twangboy
Contributor

The above PRs should fix this issue
