Allow Configuration of "Let Windows apps" Registry Settings #44618

Closed
doesitblend opened this issue Nov 20, 2017 · 5 comments
Labels: Confirmed (Salt engineer has confirmed bug/feature - often including a MCVE), Windows, ZD (The issue is related to a Zendesk customer support ticket.)
@doesitblend
Collaborator

Description of Issue/Question

Allowing settings to be configured for Application security. These settings are found under:

Setup

configure_app_privacy:
  lgpo.set:
    - computer_policy:
        Let Windows apps access account information: Enabled
        Default for all apps: Force Deny
        Put user in control of these specific apps (use Package Family Names): ""
        Force allow these specific apps (use Package Family Names): ""
        Force deny these specific apps (use Package Family Names): ""

Steps to Reproduce Issue

Run the above state on a Windows 2016 server. You should see the following error:

win2016-2:
----------
          ID: configure_app_privacy
    Function: lgpo.set
      Result: False
     Comment: Unable to find Machine policy Default for all apps Unable to find Machine policy Put user in control of these specific apps (use Package Family Names) Unable to find Machine policy Force allow these specific apps (use Package Family Names) Unable to find Machine policy Force deny these specific apps (use Package Family Names)
     Started: 23:06:00.223000
    Duration: 2672.0 ms
     Changes:   

Versions Report

Salt Version:
           Salt: 2017.7.0-16-gab1b099
 
Dependency Versions:
           cffi: 1.10.0
       cherrypy: unknown
       dateutil: 2.6.0
      docker-py: Not Installed
          gitdb: 2.0.3
      gitpython: 2.1.3
          ioflo: Not Installed
         Jinja2: 2.9.6
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.6
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:53:40) [MSC v.1500 64 bit (AMD64)]
   python-gnupg: 0.4.0
         PyYAML: 3.11
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.3
        timelib: 0.2.4
        Tornado: 4.5.1
            ZMQ: 4.1.6
 
System Versions:
           dist:   
         locale: cp1252
        machine: AMD64
        release: 2016Server
         system: Windows
        version: 2016Server 10.0.14393  Multiprocessor Free
doesitblend added the Feature (new functionality including changes to functionality and code refactors, etc.), team-windows, Windows and ZD (The issue is related to a Zendesk customer support ticket.) labels Nov 20, 2017
@doesitblend
Collaborator Author

ZD-1979

gtmanfred added this to the Approved milestone Nov 21, 2017
twangboy self-assigned this Dec 7, 2017
twangboy added the ZRELEASED - Fluorine (retired label) label Dec 7, 2017
cachedout added the ZRELEASED - Neon (retired label) label and removed the ZRELEASED - Fluorine (retired label) label Jan 26, 2018
KChandrashekhar added the ZRelease-Sodium (retired label) label and removed the ZRELEASED - Neon (retired label) label May 9, 2019
@stale

stale bot commented Jan 8, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

stale bot added the stale label Jan 8, 2020
sagetherage added the Confirmed (Salt engineer has confirmed bug/feature - often including a MCVE) label Jan 9, 2020
@stale

stale bot commented Jan 9, 2020

Thank you for updating this issue. It is no longer marked as stale.

stale bot removed the stale label Jan 9, 2020
@twangboy
Contributor

This policy can be set in the following manner:

configure_app_privacy:
  lgpo.set:
    - computer_policy:
        Let Windows apps access account information:
          Default for all apps: Force deny
          LetAppsAccessAccountInfo_UserInControlOfTheseApps_List: []
          LetAppsAccessAccountInfo_ForceAllowTheseApps_List: []
          LetAppsAccessAccountInfo_ForceDenyTheseApps_List: []

However, setting specific policy seems to break parts of Salt. For example, lgpo.get machine will no longer work. To revert this policy, use the following:

configure_app_privacy:
  lgpo.set:
    - computer_policy:
        Let Windows apps access account information: Not Configured

@twangboy
Contributor

Using full policy names should be fixed with this: #56272
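
An added example, not part of the thread and not Salt's own code: a pre-flight check that finds the flat layout from the original report (policy elements written as sibling policies) and rewrites it into the nested layout from the maintainer's comment. The function name `nest_policy_elements` and the `ELEMENT_KEYS` table are assumptions built only from the names shown in this issue; the state is represented as a Python mapping rather than parsed from an SLS file.

```python
POLICY = "Let Windows apps access account information"

# Element names as written in the issue's state, mapped to the keys used in the
# maintainer's working example. Only this one policy (from the thread) is covered.
ELEMENT_KEYS = {
    "Default for all apps": "Default for all apps",
    "Put user in control of these specific apps (use Package Family Names)":
        "LetAppsAccessAccountInfo_UserInControlOfTheseApps_List",
    "Force allow these specific apps (use Package Family Names)":
        "LetAppsAccessAccountInfo_ForceAllowTheseApps_List",
    "Force deny these specific apps (use Package Family Names)":
        "LetAppsAccessAccountInfo_ForceDenyTheseApps_List",
}


def nest_policy_elements(computer_policy):
    """Return (rewritten_mapping, findings); the input is not modified."""
    stray = [k for k in computer_policy if k in ELEMENT_KEYS]
    findings = ["%r is an element of %r, not a policy" % (k, POLICY) for k in stray]
    rewritten = {k: v for k, v in computer_policy.items() if k not in ELEMENT_KEYS}
    if not stray:
        return rewritten, findings
    parent = computer_policy.get(POLICY)
    if parent in ("Disabled", "Not Configured"):
        # Elements only apply to an enabled policy, so they are dropped.
        findings.append("elements dropped: policy is %r" % parent)
        return rewritten, findings
    elements = dict(parent) if isinstance(parent, dict) else {}
    for name in stray:
        value = computer_policy[name]
        if ELEMENT_KEYS[name].endswith("_List"):
            # The issue wrote empty lists as ""; the working example uses [].
            value = [value] if isinstance(value, str) and value else list(value or [])
        # Dropdown values such as "Force Deny" are passed through unchanged.
        elements[ELEMENT_KEYS[name]] = value
    rewritten[POLICY] = elements
    return rewritten, findings


# Constructed input: the failing state from the issue as a Python mapping.
FLAT = {
    POLICY: "Enabled",
    "Default for all apps": "Force Deny",
    "Put user in control of these specific apps (use Package Family Names)": "",
    "Force allow these specific apps (use Package Family Names)": "",
    "Force deny these specific apps (use Package Family Names)": "",
}

if __name__ == "__main__":
    fixed, notes = nest_policy_elements(FLAT)
    print(fixed)
    print("\n".join(notes))
```

Running the check on an already nested mapping returns it unchanged with no findings, so it can sit in front of every `lgpo.set` state in a hardening baseline.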

twangboy removed the Feature (new functionality including changes to functionality and code refactors, etc.) label Feb 28, 2020
sagetherage removed the ZRelease-Sodium (retired label) label Feb 28, 2020