
policyfileeditor's Introduction


PolicyFileEditor

PowerShell functions and DSC resource wrappers around the TJX.PolFileEditor.PolFile .NET class.

This is for modifying registry.pol files (Administrative Templates) of local GPOs. The .NET class code and examples of the original usage can be found at https://gallery.technet.microsoft.com/Read-or-modify-Registrypol-778fed6e .

The class was written when I was still very new to both C# and PowerShell, and it is pretty ugly and painful to use. The new functions make this less of a problem, and the DSC resource wrapper around the functions will give us some capability to manage user-specific settings via DSC (something that has come up in discussions on a mailing list recently).

Quick start

This example shows you how to install PolicyFileEditor from the gallery and use it to set a mandatory screen saver timeout with logon:

Write-host "Trusting PS Gallery"
Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted

Write-Host "Installing PolicyFileEditor V3"
Install-Module -Name PolicyFileEditor -RequiredVersion 3.0.0 -Scope CurrentUser

$UserDir = "$env:windir\system32\GroupPolicy\User\registry.pol"

Write-Host "Setting 'Password protect the screen saver' to on"
$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaverIsSecure'
$RegData = '1'
$RegType = 'String'
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

Write-Host "Setting 'Screen saver timeout' to 5m"

$RegPath = 'Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$RegName = 'ScreenSaveTimeOut'
$RegData = '300'
$RegType = 'String'

Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

# apply the new policy immediately
gpupdate.exe /force

policyfileeditor's People

Contributors

alastairtree, dlwyatt, erwinwildenburg, nf-floyd


policyfileeditor's Issues

Local Policy Editor Stops Working After Applying Configuration

Hey there Dave,

I'm attempting to use this module for configuring local policies and running into the following issue after I apply a config. The error I have is as follows:


I'm assuming it's because I did something horrible. I'm just not quite sure syntactically what I did.

        cAdministrativeTemplateSetting NoWindowsHotKey
        {
            KeyValueName = '\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys'
            PolicyType = 'User'
            Data = '1'
            Ensure = 'Present'
            Type = 'Dword'
        }

Pulling from the spreadsheet in another logged issue, here's the info that I was able to find on this specific policy.

1703 windowsexplorer.admx Turn off Windows Key hotkeys User Windows Components\File Explorer HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWinKeys At least Windows Server 2003 Turn off Windows Key hotkeys.  Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disable these Windows Key hotkeys.  If you enable this setting, the Windows Key hotkeys are unavailable.  If you disable or do not configure this setting, the Windows Key hotkeys are available.

Halp! :P

Comment-Based Help

I can see from the source code that comment-based help should exist for, at least, Set-PolicyFileEntry, but after installing the module (v3.0.1) from PSGallery on a Win10 1709 machine, doing a 'Get-Help Set-PolicyFileEntry -showwindow' is only giving me the basic, auto-generated help. That leads me to think there might be something wrong with the help block, but I haven't found it yet.

I'm going to fork the project and see what I can see in VSCode, and if I find something I'll make a pull request.

I just wanted you to be aware that I'm looking at it. If it's some sort of known issue, feel free to wave me off.

Local policy edits not taking effect when using Set

Hi, thanks for the module. It's very good. The help text from about_RegistryValuesForAdminTemplates.Help.txt was very helpful.

I found that when I set a local policy group option, the machine didn't update its policy until after a reboot or until I ran the command gpupdate /force.

So for instance, I ran the command
Set-PolicyFileEntry $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key 'Software\Policies\Microsoft\Windows\Explorer' -ValueName 'NoNewAppAlert' -Data 1 -Type DWord

The effect didn't take place until after I ran gpupdate /force.

I think this is fine, but I didn't see any way in the help information or documentation on Set-PolicyFileEntry that you need to then call gpupdate/reboot.

Is this expected behaviour of the module?
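The gap this report describes, between what registry.pol requests and what the registry holds until Group Policy is refreshed, can be observed directly. This is an added example, not code from the module or the issue: Test-MachinePolicyApplied is a hypothetical helper, and it assumes the module's Get-PolicyFileEntry command returns an object with a Data property.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules PolicyFileEditor

# Hypothetical helper, not part of PolicyFileEditor: reports whether a machine
# policy value stored in registry.pol has reached the live registry yet.
function Test-MachinePolicyApplied {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $ValueName
    )

    $polPath = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\registry.pol'

    # What the local GPO file requests (nothing is returned if the entry is absent).
    $entry = Get-PolicyFileEntry -Path $polPath -Key $Key -ValueName $ValueName

    # What is in effect right now: machine policy is written under HKLM.
    $live = Get-ItemProperty -Path "HKLM:\$Key" -Name $ValueName -ErrorAction SilentlyContinue

    $polData  = if ($entry) { $entry.Data } else { $null }
    $liveData = if ($live)  { $live.$ValueName } else { $null }

    [pscustomobject]@{
        ValueName = $ValueName
        PolData   = $polData
        LiveData  = $liveData
        # Compare as strings so a DWord read back as a different integer type still matches.
        Applied   = ($null -ne $entry) -and ($null -ne $live) -and ("$polData" -eq "$liveData")
    }
}

# Key and value taken from the report above.
$pol  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\registry.pol'
$key  = 'Software\Policies\Microsoft\Windows\Explorer'
$name = 'NoNewAppAlert'

Set-PolicyFileEntry -Path $pol -Key $key -ValueName $name -Data 1 -Type DWord
$before = Test-MachinePolicyApplied -Key $key -ValueName $name

# Ask the Group Policy client to process computer policy now.
gpupdate.exe /target:computer /force | Out-Null
$after = Test-MachinePolicyApplied -Key $key -ValueName $name

$before, $after | Format-Table -AutoSize
if (-not $after.Applied) {
    Write-Warning "$name is in registry.pol but not in HKLM:\$key after the refresh."
}
```

Running the same check from a scheduled compliance script shows when a local GPO edit was written but never processed.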

PolFileEditor.dll is locked.

The process cannot access the file 'C:\\Program Files\\WindowsPowerShell\\Modules\\PolicyFileEditor\\PolicyFileEditor\\PolFileEditor.dll' because it is being used by another process.

How do I escape backslashes in keyValuename when using cAdministrativeTemplateSetting DSC resource?

Hi Dave, I'm running into an issue when using PolicyFileEditor with DSC:

For example, the script below works fine and sets the Group Policy as expected:
$UserDir = "$env:windir\system32\GroupPolicy\Machine\Registry.pol"
$RegPath = 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RegName = '\\*\NETLOGON' # Backslash Backslash Asterisk Backslash NETLOGON
$RegData = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
$RegType = 'String'
Set-PolicyFileEntry -Path $UserDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType
gpupdate

But I'm not sure how to include "\\*\NETLOGON" as the ValueName for Key 'Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths' when using it in DSC. I've tried it in a few different ways, but couldn't get it working.

cAdministrativeTemplateSetting 'Hardened UNC Paths NETLOGON'
{
KeyValueName = "Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths$([char]0x005C)$([char]0x005C)*$([char]0x005C)NETLOGON"
PolicyType = 'Machine'
Data = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
Ensure = 'Present'
Type = 'String'
}

Appreciate your help!!!

Documentation

Is it possible to provide some documentation and examples?

I want to use the DSC Resource, but it is not that easy to understand how to use it (even after checking Get-DscResource -Syntax cAccountAdministrativeTemplateSetting).

I would like to change some setting in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Session Host\Licensing. How do I do this?

Resource for Group Policy update

Is there any resource that could help to update Group Policy on the computer? I would like to run this cmdlet on each of the VMs.

GPResult /R /SCOPE Computer

Printers not deploying

I'm having a problem getting LGPO deployed with the PolicyFileEditor to trigger installation of network printers on Windows 10 Enterprise v1709. The printers show up properly in Windows Settings -> Deployed Printers but something does not trigger the actual installation even when I run gpupdate /force. If I manually change anything with the LGPO there by removing or adding a printer something gets triggered and the printers settings I had previously added with the PolicyFileEditor deploy. I have also tried restarting the computer to no effect.

I'm very new to GPO but in troubleshooting this issue I saw something that mentioned that printers are handled by a GPO Extension. I'm wondering if these extensions are not being triggered to update when I call gpupdate /force. I'm sorry if this is not an issue with the PolicyFileEditor and just a behaviour of the LGPO.

I would also like to say thank you so much for making this PowerShell module! It's super rad and very useful. Cheers!

Exception from HRESULT: 0x80131515

When I attempted to import:

PS > Import-Module PolicyFileEditor -Force
Add-Type : Could not load file or assembly

I've unblocked the DLL. Turns out I can load the DLL with:

Add-Type -Path C:\users...\PolFileEditor.dll -ErrorAction Stop

....
Why is the module not able to load the dll?

Can work on remote computers?

Hi,
I have 100s of computers for which I need to read some setting from local group policy. Can this script be used on remote computers?

Issues with setting Remote Desktop USB Redirection GPO

Hello,

Thanks for your wonderful module!!

I have noticed a problem when attempting to enable the USB RemoteFX USB Redirection feature when using your policy. What I have found is that the PolicyFileEditor module does correctly set the configuration in the GUI of the GPEDIT.msc console, and it does appear to create the registry key, but yet whatever other back end "magic" that happens when you manually enable the feature in the GUI is not happening when using the PolicyFileEditor module.

Here is an example. Run the following command:
set-PolicyFileEntry -path $env:systemroot\system32\GroupPolicy\Machine\registry.pol -Key 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client' -ValueName "fUsbRedirectionEnableMode" -Data '2' -Type DWord

When you check the GPEDIT.msc configuration under Computer Configuration\Windows Components\Remote Desktop Services\Remote Desktop Client Connection\RemoteFX USB Device Redirection\Allow RDP redirection of other supported RemoteFX USB devices from this computer you will see that it is correctly set to "Enabled" for "Administrators and Users".

However, it doesn't actually work. You can know this by opening the Device Manager and selecting your USB Host Controller (Example: Intel USB Host Controller) and clicking the Driver Tab, and selecting "Driver Details". When the RemoteFX USB Redirection feature correctly enables, you will see C:\WINDOWS\system32\drivers\tsusbflt.sys listed as one of the driver files.

To demonstrate how it should work, you can manually open GPEDIT.msc and go to the configuration listed above and "disable" or "not configure" it. Click Apply. Then, select "Enabled" for "Users and Administrators". Click Apply. Now check your driver files and you will see that the tsusbflt.sys driver file is immediately added - even without a reboot or GPUPDATE.

I guess my question is - how can someone figure out what other "magic" is happening behind the scenes other than the registry key that gets set (which doesn't appear to paint the whole picture)?

Running with intune

Hi

Trying to adjust some local GP settings; the script works just fine when executed directly on a machine, but not with Intune. The script is executed successfully, but nothing happens to the local GP. The script includes installing of NuGet and the PolicyFileEditor module; this has been tested and works.

Also there seems to be an issue with a computer that is AzureAD joined; here the computer will have an empty GroupPolicy folder until someone manually initializes the directory. Is there any way to initialize it, or will the PowerShell module do this?

Script:
$UserPolicy = 'C:\windows\system32\GroupPolicy\User\Registry.pol'
$Ctx_Files_Key = 'Software\Policies\Citrix\Citrix Files'

Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'Account' -Type String -Data 'server-name-1'

Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint3-DisplayName' -Type String -Data 'Citrix Files Area 3'
Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint3-ShareFile' -Type String -Data 'Shared Folders\\Folder3'
Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint3-Local' -Type String -Data 'k:'

Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint4-DisplayName' -Type String -Data 'Citrix Files Area 4'
Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint4-ShareFile' -Type String -Data 'Shared Folders\\Folder4'
Set-PolicyFileEntry -Path $UserPolicy -Key $Ctx_Files_Key -ValueName 'MountPoint4-Local' -Type String -Data 'l:'

Possible to add support for 'Comment' field?

I have just started using the PolicyFileEditor module for my DSC work and it
does exactly what I need.

One feature that I would like to see is the ability to write into the 'Comment'
area of each Administrative Setting. That way, I can leave some notes in a
gpresult /H output file if anybody ever were to look at the Windows machine
that was configured via DSC + PolicyFileEditor.

Is this possible to implement at all?

If so, how complex would this be to implement?

Get-DscConfiguration Fails

Get-DscConfiguration -Verbose fails.
It fails at the line "return GetTargetResourceCommon -Path $path -KeyValueName $KeyValueName"
I tried solving it but so far I was unsuccessful...

Get-DscConfiguration : GetConfiguration did not succeed.
At line:1 char:1
+ Get-DscConfiguration -Verbose
    + CategoryInfo          : NotSpecified: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get-DscConfiguration], CimException
    + FullyQualifiedErrorId : MI RESULT 1,Get-DscConfiguration
    

Access Denied

Hi Dave,
I am thrilled to have your module, thanks! I am going to use it in SCCM to modify the local policies for WSUS which is handled by SCCM.
I tried this on my laptop and received the message "access denied" ... I realize I can change permissions, but I am not thrilled with having to do this within the package.
Are there any permissions which will actually allow me to modify the policy?
Thanks!

A local policy is being set to 48 and 49 instead of 0 and 1

Hello, I wrote a small script to toggle enabling/disabling of an administrative policy:

$RegPath = 'Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions'      # in HKEY_LOCAL_MACHINE
$RegName = 'DenyUnspecified'
$RegType = 'DWord'
$MachineDir = "$env:windir\System32\GroupPolicy\Machine\Registry.pol"          # set it to machine policies .pol file

$condition = (Get-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions -Name DenyUnspecified).DenyUnspecified

$RegData = if ( $condition -eq 1 ) { 0 } else { 1 }       # set regdata to the opposite of what it is currently
    
Set-PolicyFileEntry -Path $MachineDir -Key $RegPath -ValueName $RegName -Data $RegData -Type $RegType

gpupdate.exe /force

EDIT: Ok so this works to enable/disable the setting, at least according to gpedit.msc. But when I run gpresult /scope computer /v it is still saying the value is enabled (with a value of 0, 0, 0, 0), even though in the system config it is saying it is disabled. Is this normal behavior?


edit edit: Never mind. This is expected, as "Enabled" simply means the policy is being used on the machine; the first number in 0,0,0,0 determines if it is enabled or disabled.

Errors in Invoke-DSCResource due to SINT type

Hi, I would like to report some issues I found in order to improve this module.

I was trying to use this DSC resource but I had a few issues when using it with Invoke-DSCResource command.

Although, as I described in a previous issue (#4), using a DSC configuration script works:

Configuration LocalGPO
{
    param
    (
        [string[]] $NodeName = 'localhost'
    )

    Import-DSCResource -ModuleName PolicyFileEditor

    Node $NodeName
    {
        cAdministrativeTemplateSetting RDPLicensing
        {
            KeyValueName = "SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers"
            PolicyType = "Machine"
            Data = ("server.test.localgpo.dsc.com")
            Ensure = "Present"
            Type = "String"
        }

      ## The next 3 resources are to change the GPO Setting "Set Remote Desktop Services User Home Directory"
        cAdministrativeTemplateSetting "RDP Users Home Directory Path"
        {
        #    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirUNC 
        #    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDir
        #    SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirDrive
            KeyValueName = "SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\WFHomeDir"
            PolicyType = "Machine"
            Data = "\\servershare\test"
            Ensure = "Present"
            Type = "String"
        }

        cAdministrativeTemplateSetting "RDP Users Home Directory Letter"
        {
            KeyValueName = "SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\WFHomeDirDrive"
            PolicyType = "Machine"
            Data = "X:"
            Ensure = "Present"
            Type = "String"
        }

        cAdministrativeTemplateSetting "RDP Users Home Directory UNC boolean"
        {
            KeyValueName = "SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\WFHomeDirUNC"
            PolicyType = "Machine"
            Data = "1"
            Ensure = "Present"
            Type = "Dword"
        }
    }
}
LocalGPO
Start-DscConfiguration -Path .\LocalGPO -Wait -Force -Verbose

When one needs to remotely call this resource or use other configuration management tools like Puppet or Ansible that rely on the Invoke-DSCResource command it doesn't work properly.

You can check the reported issues submitted by me in the corresponding issue trackers:

It's possible to confirm that there is a problem when passing the Type property as a string.

Tests:

This does NOT work

$DscParams = @{}
$DscParams.Add("Ensure", "Present")
$DscParams.Add("KeyValueName", "'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers")
$DscParams.Add("PolicyType", "Machine")
$DscParams.Add("Data", @("something.contoso.com"))
$DscParams.Add("Type", "String")
Invoke-DscResource -Name cAdministrativeTemplateSetting -ModuleName "PolicyFileEditor" -Method Test -Property $dscparams 

Output:

Convert property 'Type' value from type 'STRING' to type 'SINT32' failed
 At line:12, char:2
 Buffer:
irectResourceAccess";
};^
insta
    + CategoryInfo          : SyntaxError: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MiClientApiError_Failed
    + PSComputerName        : localhost

This WORKS

$DscParams2 = @{}
$DscParams2.Add("Ensure", "Present")
$DscParams2.Add("KeyValueName", "'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers")
$DscParams2.Add("PolicyType", "Machine")
$DscParams2.Add("Data", @("something.contoso.com"))
$DscParams2.Add("Type", 1) 
Invoke-DscResource -Name cAdministrativeTemplateSetting -ModuleName "PolicyFileEditor" -Method Test -Property $dscparams2

Output:

InDesiredState
--------------
False

With any type the resource only works passing an integer, as defined in the mof file:
https://github.com/dlwyatt/PolicyFileEditor/blob/master/DscResources/PshOrg_AccountAdminTemplateSetting/PshOrg_AccountAdminTemplateSetting.schema.mof#L8

Possible solutions

So, the solution could be one of the two:

1. [Preferable] Change the type to String.

Like the Registry resource from Microsoft, it is possible to use a string instead of sint32:
https://github.com/PowerShell/PSDscResources/blob/2c33e69634aa9c641ab27427d457fe9f49884e7c/DscResources/MSFT_RegistryResource/MSFT_RegistryResource.schema.mof#L7

2. Change the map in the type property to use only integers int or sint32.

[ClassVersion("1"), FriendlyName("cAccountAdministrativeTemplateSetting")]
class PshOrg_AccountAdminTemplateSetting : OMI_BaseResource
{
[Key] string Account;
[Key] string KeyValueName;
[write,ValueMap{"Present", "Absent"},Values{"Present", "Absent"}] string Ensure;
[write] string Data[];
[write,ValueMap{"0","1","2","3","4","7","11","-1"},Values{"0","1","2","3","4","7","11","-1"}] sint32 Type;
};

In this solution, the user has to know the mappings from the different types in order to use the correct integer. So it has to be in the documentation somewhere.

It would be great to have a fix for this.
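The integers in that ValueMap are the numeric values of .NET's Microsoft.Win32.RegistryValueKind enum, so a caller of Invoke-DscResource can derive the number from the type name instead of memorising it. This is an added example, not code from the module or the issue: New-AdminTemplateProperty is a hypothetical helper, and it assumes the resource interprets the Type integer as a RegistryValueKind value.

```powershell
# Hypothetical helper, not part of PolicyFileEditor: builds the -Property table
# for Invoke-DscResource, translating a type name into the integer that the
# sint32 Type property accepts.
function New-AdminTemplateProperty {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KeyValueName,
        [Parameter(Mandatory)] [string] $PolicyType,
        [Parameter(Mandatory)] [string] $Type,
        [string[]] $Data = @(),
        [ValidateSet('Present', 'Absent')] [string] $Ensure = 'Present'
    )

    # Integers from the ValueMap in the MOF quoted in the issue.
    $mofValues = 0, 1, 2, 3, 4, 7, 11, -1

    # Reject anything that is not a RegistryValueKind name before casting.
    $names = [enum]::GetNames([Microsoft.Win32.RegistryValueKind])
    if ($names -notcontains $Type) {
        throw "Unknown type '$Type'. Expected one of: $($names -join ', ')"
    }

    # Casting the name to the enum is case-insensitive ('Dword' works as well as 'DWord').
    $typeValue = [int] [Microsoft.Win32.RegistryValueKind] $Type
    if ($mofValues -notcontains $typeValue) {
        throw "Type '$Type' ($typeValue) is not in the resource's ValueMap."
    }

    @{
        KeyValueName = $KeyValueName
        PolicyType   = $PolicyType
        Ensure       = $Ensure
        Data         = $Data
        Type         = $typeValue   # [int], so the conversion to SINT32 succeeds
    }
}

# Same setting as the test in the issue, with the type given by name.
$props = New-AdminTemplateProperty -PolicyType Machine -Type String `
    -KeyValueName 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\LicenseServers' `
    -Data 'something.contoso.com'

Invoke-DscResource -Name cAdministrativeTemplateSetting -ModuleName PolicyFileEditor `
    -Method Test -Property $props
```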
