Known issues and limitations

The current release includes known issues and limitations. In most cases, workarounds are provided.

  • If legacy configuration files exist in the C:\Windows\Temp folder, you might see this error message: undefined method `[]' for nil:NilClass. The legacy files are generated and cached by the Desired State Configuration (DSC) module and can cause configuration conflicts after you upgrade SCE. To resolve the issue, remove the following files from the C:\Windows\Temp folder: DscSecedit.jfm, DscSecedit.sdb, securityOptionsToAdd, SecurityPolicy, and userRightsToAdd. Then run the Puppet agent.

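The cleanup described in the item above, as an added PowerShell example that is not part of SCE or its documentation. It removes only the five files named in the known issue, leaves everything else in the Temp folder alone, and then runs the agent in the foreground so the result is visible. Run it from an elevated PowerShell session on the node.

```powershell
# Added example (not part of the SCE module): remove stale DSC artifacts from
# C:\Windows\Temp and re-run the Puppet agent. Only the five files named in the
# known issue are touched; anything else in the Temp folder is left alone.
$tempDir = Join-Path $env:SystemRoot 'Temp'
$legacyFiles = @(
    'DscSecedit.jfm',
    'DscSecedit.sdb',
    'securityOptionsToAdd',
    'SecurityPolicy',
    'userRightsToAdd'
)

foreach ($name in $legacyFiles) {
    $path = Join-Path $tempDir $name
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        Write-Host "Removed $path"
    }
    else {
        Write-Host "Not present: $path"
    }
}

# Run the agent in the foreground. --test implies --onetime, --verbose,
# --no-daemonize and --detailed-exitcodes: 0 = no changes, 2 = changes
# applied, 4 = at least one resource failed, 6 = changes plus failures.
& puppet agent --test
Write-Host "puppet agent exit code: $LASTEXITCODE"
```

If the agent run still reports the nil:NilClass error after the files are gone, check whether a Puppet run was in progress while you deleted them; the DSC module recreates the cache during a run, so the cleanup must happen between runs.
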
  • Microsoft Local Administrator Password Solution (LAPS) is not fully supported. Microsoft has deprecated legacy LAPS and replaced it with Windows LAPS. For details, see What is Windows LAPS? In SCE for Windows v2.1.0, the legacy LAPS controls are removed on Windows Server 2019 and 2022, and support for LAPS is discontinued.

  • A registry key override can occur when duplicate normalized names are used to specify CIS controls. The normalized control names for two Windows Remote Management (WinRM) authentication settings are identical for the client control (18.9.102.1.1) and the service control (18.9.102.2.1), so specifying either one by its normalized name can overwrite the other. As a workaround, specify these controls by control number (18.9.102.1.1 and 18.9.102.2.1) or by normalized control number (c18_9_102_1_1 and c18_9_102_2_1). This issue occurs only in Windows 10 Enterprise environments.
  • In a Windows Server 2016 or 2019 environment, a scan failure is reported for CIS control 2.3.10.12, (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. The control is enforced correctly but fails Security Compliance Management scans. The scan reads the backing registry value, which is of type REG_MULTI_SZ, and expects a multiline string whose first line is blank. The Puppet module that manages registry settings does not permit blank values, so as a workaround SCE leaves the backing registry value unset. A blank value and no value are functionally equivalent and produce the same configuration, so you can ignore the reported scan failure.
  • You might see a scan failure and an error message such as Could not evaluate: undefined method... for Windows Attack Surface Reduction (ASR) rules. The failure occurs if you set an ASR rule to Block, as the CIS guidelines recommend; with that value, the Puppet agent cannot successfully configure the node. Keep the default value of Audit and ignore the error message. Note that Audit mode only logs activity that matches the rule; it does not block it, so review the resulting Defender events if you rely on ASR as a control.

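The two registry checks a practitioner wants after reading the WinRM and anonymous-shares items above, as an added PowerShell example that is not part of SCE or the Security Compliance Management scanner. The registry locations are the standard ones behind these CIS controls (HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client and \Service for AllowBasic, and HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares); the function names are this example's own. The first function reads both WinRM values side by side so that an override of one control by the other is obvious; the second treats an absent NullSessionShares value the same as a blank one, which is exactly the equivalence the known issue relies on.

```powershell
# Added example (not part of SCE or its scanner): read the registry values that
# back the two WinRM Basic-authentication controls and the anonymous-share
# control, and report whether each matches the CIS-expected state quoted on
# this page:
#   18.9.102.1.1 / 18.9.102.2.1  AllowBasic = 0 (Disabled) for Client and Service
#   2.3.10.12                    NullSessionShares blank or absent (= 'None')

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WinRmBasicAuthControls {
    # A node where only one side reads 0 is the symptom of the normalized-name
    # override: the second control silently replaced the first.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM'
    foreach ($side in 'Client', 'Service') {
        $value = Get-RegistryValueOrNull -Path (Join-Path $base $side) -Name 'AllowBasic'
        [pscustomobject]@{
            Control    = if ($side -eq 'Client') { '18.9.102.1.1' } else { '18.9.102.2.1' }
            Key        = "$base\$side"
            AllowBasic = $value
            Compliant  = ($value -eq 0)
        }
    }
}

function Test-NullSessionShares {
    # The scanner expects a REG_MULTI_SZ whose first element is blank; SCE
    # cannot write a blank element, so it leaves the value unset. Treat
    # "absent" and "only empty elements" alike: both mean no share is
    # reachable anonymously.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $value = Get-RegistryValueOrNull -Path $path -Name 'NullSessionShares'
    # @(...) on both sides so a $null value yields an empty list, not one $null.
    $shares = @(@($value) | Where-Object { -not [string]::IsNullOrEmpty($_) })
    [pscustomobject]@{
        Control   = '2.3.10.12'
        Key       = "$path\NullSessionShares"
        Present   = ($null -ne $value)
        Shares    = $shares
        Compliant = ($shares.Count -eq 0)
    }
}

Test-WinRmBasicAuthControls | Format-Table -AutoSize
Test-NullSessionShares | Format-List
```

For the anonymous-shares check, a result of Present = False and Compliant = True is the expected state on an SCE-managed node; a scan that still flags 2.3.10.12 in that state is the cosmetic failure the known issue describes. A non-empty Shares list, by contrast, is a real finding regardless of what the scanner says.
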
  • Some controls can fail scans. During a Security Compliance Management scan, you might see error messages about CIS recommended guidelines that are not enforced. These error messages are triggered by bugs in the Security Compliance Management console. SCE correctly enforces these settings. The following controls are affected:
    • 1.1.5 - Windows Server 2016 and Windows Server 2019
    • 1.1.6 - Windows Server 2016 and Windows Server 2019
    • 2.3.10.1 - Windows Server 2016 and Windows Server 2019
    • 2.3.10.7 - Windows Server 2016
    • 18.2.1 - Windows Server 2019
    • 18.4.1 - Windows Server 2016 and Windows Server 2019
    • 18.4.8 - Windows Server 2016
    • 18.4.9 - Windows Server 2016 and Windows Server 2019
    • 18.4.12 - Windows Server 2016
    • 18.8.21.5 - Windows Server 2016
    • 18.9.47.5.1.2 - Windows Server 2019
    • 18.9.62.3.9.1 - Windows Server 2016
  • Puppet runs are not idempotent on an incompatible Puppet version. If Desired State Configuration (DSC) resources report corrective changes on every Puppet run, for example with the message Unknown feature "custom_isync", you are running an incompatible version of Puppet. SCE for Windows requires Puppet agent 7.8.0 or later in the Puppet 7 series; any Puppet 8 release is supported.
  • If the Puppet agent fails to upgrade when you use the puppetlabs/puppet_agent module, restart the computer or virtual machine that runs the agent so that pending updates are applied.
  • If you use Remote Desktop Protocol (RDP) to access nodes, members of the Guests group and local accounts cannot log in by default. To allow these accounts to log in over RDP, set the sce_windows::allow_local_account_rdp parameter to true.
  • If non-admin users cannot log in to nodes, the cause might be a full event log. When a node's event log retention is configured not to overwrite events, the log fills up, and when it is full only administrators can log in. To fix this, find the event log retention recommendation in your compliance framework and configure that setting. It is backed by the following registry value:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application:Retention
    Set Retention to 0, which means that events are overwritten as needed when the log is full.
  • You cannot disable Windows Remote Management (WinRM). The WinRM service is required for the DSC modules and cannot be disabled.
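
The retention fix described in the event log item above, as an added PowerShell example that is not part of SCE. The durable fix is to enable the matching control through SCE so the agent keeps enforcing it; this script is the manual equivalent for a node you need to get back into a loginable state now. Two assumptions are this example's own: the function names, and the inclusion of the Security, Setup and System logs alongside the Application log named on the page, on the assumption that your framework has the same recommendation for each. Trim the list if it does not.

```powershell
# Added example (not part of SCE): apply the Event Log retention policy the
# known issue describes. Retention is a REG_SZ holding "0" (overwrite events
# as needed when the log is full), not a DWORD; a DWORD written here is ignored
# by policy processing. Only 'Application' is named on this page; the other
# three logs are an assumption about your framework.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$logs = 'Application', 'Security', 'Setup', 'System'

function Set-EventLogOverwritePolicy {
    param([string[]]$LogNames)
    foreach ($log in $LogNames) {
        $key = Join-Path $policyRoot $log
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # -PropertyType String writes REG_SZ; -Force overwrites an existing value.
        New-ItemProperty -Path $key -Name 'Retention' -Value '0' `
            -PropertyType String -Force | Out-Null
    }
}

function Get-EventLogOverwritePolicy {
    param([string[]]$LogNames)
    foreach ($log in $LogNames) {
        $key = Join-Path $policyRoot $log
        $item = Get-ItemProperty -Path $key -Name 'Retention' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log       = $log
            Retention = if ($null -eq $item) { '<not set>' } else { $item.Retention }
            Overwrite = ($null -ne $item -and "$($item.Retention)" -eq '0')
        }
    }
}

Set-EventLogOverwritePolicy -LogNames $logs
Get-EventLogOverwritePolicy -LogNames $logs | Format-Table -AutoSize
```

Run it elevated. The Event Log service reads this policy key on policy refresh, so if the change does not take effect immediately run gpupdate /force or restart the node. If SCE is managing the same registry value with a different setting, the next agent run will revert the manual change, which is another reason to make the control itself the source of truth.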