SendConfigurationApply function does not succeeds on account an AccountPolicy.

[GerritH92]

Details of the scenario you tried and the problem that is occurring

We use below resource in our guest configuration package for vms on Azure. When running the Get-GuestConfigurationPackageComplianceStatus with our package we get the error as seen in attached screenshot. The error says i cannot convert the string -1 to an int. But nowhere on the machine or the .mof file of the configuration the -1 value is stated. This causes the guest configuration to show as non-compliant is azure.

Anyone able to debug this or running into the same problem?

Verbose logs showing the problem

Suggested solution to the issue

Please help!

The DSC configuration that is used to reproduce the issue (as detailed as possible)

 # Source: https://github.com/PowerShell/SecurityPolicyDsc/blob/dev/Examples/Resources/AccountPolicy/1-AccountPolicy_Config.ps1
    AccountPolicy AccountPolicies {
         Name                                        = 'PasswordPolicies'
         # 1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
         Enforce_password_history                    = 24
         # 1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
         Maximum_Password_Age                        = 60
         # 1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'
         Minimum_Password_Age                        = 1
         # 1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'
         Minimum_Password_Length                     = 14
         # 1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'
         Password_must_meet_complexity_requirements  = 'Enabled'
         # 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
         Store_passwords_using_reversible_encryption = 'Disabled'
         # 1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'
         Account_lockout_duration                    = 15
         # 1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
         Account_lockout_threshold                   = 10
         # 1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
         Reset_account_lockout_counter_after         = 15
      }

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name Value

---

PSVersion 7.2.0
PSEdition Core
GitCommitId 7.2.0
OS Microsoft Windows 10.0.17763
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Version of the DSC module that was used

2.10.0

[ixcdevops]

I have seen this fail to apply when the account_lockout_duration is set to 0 in the configuration. If you update the dscresource module 'MSFT_AccountPolicy.psm1' to accept the range of values for this option to be (-1,99999) instead of (0,99999) for both the Set-TargetResource and Test-TargetResource functions. These are around lines 118 and 293 in the source.