What happened?
Description
Executing lgpo.get on a minion running a German-language Windows 11 installation results in an error. In contrast, the same command functions as expected on a system installed using an English Windows 11 ISO.
Steps to Reproduce the behavior
- install Windows 11 with a German ISO
- install salt minion
- execute the following command
win11-de.test.intern:
The minion function caused an exception: Traceback (most recent call last):
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\minion.py", line 2050, in _thread_return
return_data = minion_instance._execute_job_function(
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\minion.py", line 2006, in _execute_job_function
return_data = self.executors[fname](opts, data, func, args, kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 163, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1288, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1303, in _run_as
ret = _func_or_method(*args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\executors\direct_call.py", line 10, in execute
return func(*args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 163, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1288, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1303, in _run_as
ret = _func_or_method(*args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\modules\win_lgpo.py", line 8891, in get
class_vals[policy_name] = _get_policy_info_setting(_pol)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\modules\win_lgpo.py", line 8983, in _get_policy_info_setting
value = _get_advaudit_value(option=policy_definition["AdvAudit"]["Option"])
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\modules\win_lgpo.py", line 5517, in _get_advaudit_value
_advaudit_check_csv()
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\modules\win_lgpo.py", line 5487, in _advaudit_check_csv
field_names = _get_advaudit_defaults("fieldnames")
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\modules\win_lgpo.py", line 5431, in _get_advaudit_defaults
dump = __utils__["auditpol.get_auditpol_dump"]()
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 163, in __call__
ret = self.loader.run(run_func, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1288, in run
return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\loader\lazy.py", line 1303, in _run_as
ret = _func_or_method(*args, **kwargs)
File "C:\Program Files\Salt Project\Salt\Lib\site-packages\salt\utils\win_lgpo_auditpol.py", line 305, in get_auditpol_dump
return fp.readlines()
File "C:\Program Files\Salt Project\Salt\lib\codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xdc in position 315: invalid continuation byte
ERROR: Minions returned with non-zero exit code
Expected behavior
On a cleanly installed Windows 11 English (US), the command shows me a list of the group policies and their settings.
nico@salt-master:~$ sudo salt 'win11-eng.test.intern' lgpo.get
win11-eng.test.intern:
----------
Computer Configuration:
----------
Access Credential Manager as a trusted caller:
Access this computer from the network:
- BUILTIN\Backup Operators
- BUILTIN\Users
- BUILTIN\Administrators
- Everyone
Account lockout duration:
10.0
Account lockout threshold:
10
Accounts: Administrator account status:
Disabled
Accounts: Block Microsoft accounts:
Not Defined
Accounts: Guest account status:
Disabled
Accounts: Limit local account use of blank passwords to console logon only:
Enabled
Accounts: Rename administrator account:
Administrator
Accounts: Rename guest account:
Guest
Act as part of the operating system:
Add workstations to domain:
Adjust memory quotas for a process:
- BUILTIN\Administrators
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
Allow log on locally:
- BUILTIN\Backup Operators
- BUILTIN\Users
- BUILTIN\Administrators
- win11-eng\Guest
Allow log on through Remote Desktop Services:
- BUILTIN\Remote Desktop Users
- BUILTIN\Administrators
Audit Account Lockout:
Not Configured
Audit Application Generated:
Not Configured
Audit Application Group Management:
Not Configured
Audit Audit Policy Change:
Not Configured
Audit Authentication Policy Change:
Not Configured
Audit Authorization Policy Change:
Not Configured
Audit Central Access Policy Staging:
Not Configured
Audit Certification Services:
Not Configured
Audit Computer Account Management:
Not Configured
Audit Credential Validation:
Not Configured
Audit DPAPI Activity:
Not Configured
Audit Detailed Directory Service Replication:
Not Configured
Audit Detailed File Share:
Not Configured
Audit Directory Service Access:
Not Configured
Audit Directory Service Changes:
Not Configured
Audit Directory Service Replication:
Not Configured
Audit Distribution Group Management:
Not Configured
Audit File Share:
Not Configured
Audit File System:
Not Configured
Audit Filtering Platform Connection:
Not Configured
Audit Filtering Platform Packet Drop:
Not Configured
Audit Filtering Platform Policy Change:
Not Configured
Audit Group Membership:
Not Configured
Audit Handle Manipulation:
Not Configured
Audit IPsec Driver:
Not Configured
Audit IPsec Extended Mode:
Not Configured
Audit IPsec Main Mode:
Not Configured
Audit IPsec Quick Mode:
Not Configured
Audit Kerberos Authentication Service:
Not Configured
Audit Kerberos Service Ticket Operations:
Not Configured
Audit Kernel Object:
Not Configured
Audit Logoff:
Not Configured
Audit Logon:
Not Configured
Audit MPSSVC Rule-Level Policy Change:
Not Configured
Audit Network Policy Server:
Not Configured
Audit Non Sensitive Privilege Use:
Not Configured
Audit Other Account Logon Events:
Not Configured
Audit Other Account Management Events:
Not Configured
Audit Other Logon/Logoff Events:
Not Configured
Audit Other Object Access Events:
Not Configured
Audit Other Policy Change Events:
Not Configured
Audit Other Privilege Use Events:
Not Configured
Audit Other System Events:
Not Configured
Audit PNP Activity:
Not Configured
Audit Process Creation:
Not Configured
Audit Process Termination:
Not Configured
Audit RPC Events:
Not Configured
Audit Registry:
Not Configured
Audit Removable Storage:
Not Configured
Audit SAM:
Not Configured
Audit Security Group Management:
Not Configured
Audit Security State Change:
Not Configured
Audit Security System Extension:
Not Configured
Audit Sensitive Privilege Use:
Not Configured
Audit Special Logon:
Not Configured
Audit System Integrity:
Not Configured
Audit Token Right Adjusted:
Not Configured
Audit User / Device Claims:
Not Configured
Audit User Account Management:
Not Configured
Audit account logon events:
No auditing
Audit account management:
No auditing
Audit directory service access:
No auditing
Audit logon events:
No auditing
Audit object access:
No auditing
Audit policy change:
No auditing
Audit privilege use:
No auditing
Audit process tracking:
No auditing
Audit system events:
No auditing
Audit: Audit the access of global system objects:
Disabled
Audit: Audit the use of Backup and Restore privilege:
Disabled
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings:
Not Defined
Audit: Shut down system immediately if unable to log security audits:
Disabled
Backup files and directories:
- BUILTIN\Backup Operators
- BUILTIN\Administrators
Bypass traverse checking:
- BUILTIN\Backup Operators
- BUILTIN\Users
- BUILTIN\Administrators
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
- Everyone
Change the system time:
- BUILTIN\Administrators
- NT AUTHORITY\LOCAL SERVICE
Change the time zone:
- BUILTIN\Users
- BUILTIN\Administrators
- NT AUTHORITY\LOCAL SERVICE
Create a pagefile:
- BUILTIN\Administrators
Create a token object:
Create global objects:
- NT AUTHORITY\SERVICE
- BUILTIN\Administrators
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
Create permanent shared objects:
Create symbolic links:
- BUILTIN\Administrators
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax:
None
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax:
None
Debug programs:
- BUILTIN\Administrators
Deny access to this computer from the network:
- win11-eng\Guest
Deny log on as a batch job:
Deny log on as a service:
Deny log on locally:
- win11-eng\Guest
Deny log on through Remote Desktop Services:
Devices: Allow undock without having to log on:
Enabled
Devices: Allowed to format and eject removable media:
Not Defined
Devices: Prevent users from installing printer drivers:
Disabled
Devices: Restrict CD-ROM access to locally logged-on user only:
Not Defined
Devices: Restrict floppy access to locally logged-on user only:
Not Defined
Devices: Unsigned driver installation behavior:
Not Defined
Domain controller: Allow server operators to schedule tasks:
Not Defined
Domain controller: Allow vulnerable Netlogon secure channel connections:
None
Domain controller: LDAP server channel binding token requirements:
Not Defined
Domain controller: LDAP server signing requirements:
Not Defined
Domain controller: Refuse machine account password changes:
Not Defined
Domain member: Digitally encrypt or sign secure channel data (always):
Enabled
Domain member: Digitally encrypt secure channel data (when possible):
Enabled
Domain member: Digitally sign secure channel data (when possible):
Enabled
Domain member: Disable machine account password changes:
Disabled
Domain member: Maximum machine account password age:
30
Domain member: Require strong (Windows 2000 or later) session key:
Enabled
Enable computer and user accounts to be trusted for delegation:
Enforce password history:
0
Force shutdown from a remote system:
- BUILTIN\Administrators
Generate security audits:
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication:
- S-1-5-99-216390572-1995538116-3857911515-2404958512-2623887229
- NT AUTHORITY\SERVICE
- BUILTIN\Administrators
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
Increase a process working set:
- BUILTIN\Users
Increase scheduling priority:
- Window Manager\Window Manager Group
- BUILTIN\Administrators
Interactive logon: Display user information when the session is locked:
Not Defined
Interactive logon: Do not display last user name:
Disabled
Interactive logon: Do not require CTRL+ALT+DEL:
Not Defined
Interactive logon: Machine account lockout threshold:
None
Interactive logon: Machine inactivity limit:
None
Interactive logon: Message text for users attempting to log on:
Interactive logon: Message title for users attempting to log on:
Interactive logon: Number of previous logons to cache (in case domain controller is not available):
10
Interactive logon: Prompt user to change password before expiration:
5
Interactive logon: Require Domain Controller authentication to unlock workstation:
Disabled
Interactive logon: Require smart card:
Disabled
Interactive logon: Smart card removal behavior:
No Action
Load and unload device drivers:
- BUILTIN\Administrators
Lock pages in memory:
Log on as a batch job:
- BUILTIN\Performance Log Users
- BUILTIN\Backup Operators
- BUILTIN\Administrators
Log on as a service:
- RESTRICTED SERVICES\ALL RESTRICTED SERVICES
- NT SERVICE\ALL SERVICES
Manage auditing and security log:
- BUILTIN\Administrators
Maximum password age:
42.0
Microsoft network client: Digitally sign communications (always):
Not Defined
Microsoft network client: Digitally sign communications (if server agrees):
Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers:
Disabled
Microsoft network server: Amount of idle time required before suspending session:
15
Microsoft network server: Attempt S4U2Self to obtain claim information:
Not Defined
Microsoft network server: Digitally sign communications (always):
Not Defined
Microsoft network server: Digitally sign communications (if client agrees):
Disabled
Microsoft network server: Disconnect clients when logon hours expire:
Enabled
Microsoft network server: Server SPN target name validation level:
Not Defined
Minimum password age:
0
Minimum password length:
0
Modify an object label:
Modify firmware environment values:
- BUILTIN\Administrators
Network access: Allow anonymous SID/Name translation:
Disabled
Network access: Do not allow anonymous enumeration of SAM accounts:
Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares:
Disabled
Network access: Do not allow storage of passwords and credentials for network authentication:
Disabled
Network access: Let Everyone permissions apply to anonymous users:
Disabled
Network access: Named Pipes that can be accessed anonymously:
Network access: Remotely accessible registry paths:
- System\CurrentControlSet\Control\ProductOptions
- System\CurrentControlSet\Control\Server Applications
- Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths:
- System\CurrentControlSet\Control\Print\Printers
- System\CurrentControlSet\Services\Eventlog
- Software\Microsoft\OLAP Server
- Software\Microsoft\Windows NT\CurrentVersion\Print
- Software\Microsoft\Windows NT\CurrentVersion\Windows
- System\CurrentControlSet\Control\ContentIndex
- System\CurrentControlSet\Control\Terminal Server
- System\CurrentControlSet\Control\Terminal Server\UserConfig
- System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
- Software\Microsoft\Windows NT\CurrentVersion\Perflib
- System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares:
Enabled
Network access: Restrict clients allowed to make remote calls to SAM:
None
Network access: Shares that can be accessed anonymously:
Not Defined
Network access: Sharing and security model for local accounts:
Classic - local users authenticate as themselves
Network firewall: Domain: Inbound connections:
Not configured
Network firewall: Domain: Logging: Log dropped packets:
Not configured
Network firewall: Domain: Logging: Log successful connections:
Not configured
Network firewall: Domain: Logging: Name:
NotConfigured
Network firewall: Domain: Logging: Size limit (KB):
NotConfigured
Network firewall: Domain: Outbound connections:
Not configured
Network firewall: Domain: Settings: Apply local connection security rules:
Not configured
Network firewall: Domain: Settings: Apply local firewall rules:
Not configured
Network firewall: Domain: Settings: Display a notification:
Not configured
Network firewall: Domain: State:
Not configured
Network firewall: Private: Inbound connections:
Not configured
Network firewall: Private: Logging: Log dropped packets:
Not configured
Network firewall: Private: Logging: Log successful connections:
Not configured
Network firewall: Private: Logging: Name:
NotConfigured
Network firewall: Private: Logging: Size limit (KB):
NotConfigured
Network firewall: Private: Outbound connections:
Not configured
Network firewall: Private: Settings: Apply local connection security rules:
Not configured
Network firewall: Private: Settings: Apply local firewall rules:
Not configured
Network firewall: Private: Settings: Display a notification:
Not configured
Network firewall: Private: State:
Not configured
Network firewall: Public: Inbound connections:
Not configured
Network firewall: Public: Logging: Log dropped packets:
Not configured
Network firewall: Public: Logging: Log successful connections:
Not configured
Network firewall: Public: Logging: Name:
NotConfigured
Network firewall: Public: Logging: Size limit (KB):
NotConfigured
Network firewall: Public: Outbound connections:
Not configured
Network firewall: Public: Settings: Apply local connection security rules:
Not configured
Network firewall: Public: Settings: Apply local firewall rules:
Not configured
Network firewall: Public: Settings: Display a notification:
Not configured
Network firewall: Public: State:
Not configured
Network security: Allow Local System to use computer identity for NTLM:
Not Defined
Network security: Allow LocalSystem NULL session fallback:
Not Defined
Network security: Allow PKU2U authentication requests to this computer to use online identities.:
Not Defined
Network security: Configure encryption types allowed for Kerberos:
Invalid Value: Not an int
Network security: Do not store LAN Manager hash value on next password change:
Enabled
Network security: Force logoff when logon hours expire:
Disabled
Network security: LAN Manager authentication level:
Not Defined
Network security: LDAP client signing requirements:
Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients:
- Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers:
- Require 128-bit encryption
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication:
Not Defined
Network security: Restrict NTLM: Add server exceptions in this domain:
Not Defined
Network security: Restrict NTLM: Audit Incoming NTLM Traffic:
Not Defined
Network security: Restrict NTLM: Audit NTLM authentication in this domain:
Not Defined
Network security: Restrict NTLM: Incoming NTLM traffic:
Not Defined
Network security: Restrict NTLM: NTLM authentication in this domain:
Not Defined
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers:
Not Defined
Password must meet complexity requirements:
Disabled
Perform volume maintenance tasks:
- BUILTIN\Administrators
Profile single process:
- BUILTIN\Administrators
Profile system performance:
- NT SERVICE\WdiServiceHost
- BUILTIN\Administrators
Recovery console: Allow automatic administrative logon:
Disabled
Recovery console: Allow floppy copy and access to all drives and all folders:
Disabled
Relax minimum password length limits:
Not Defined
Remove computer from docking station:
- BUILTIN\Users
- BUILTIN\Administrators
Replace a process level token:
- NT AUTHORITY\NETWORK SERVICE
- NT AUTHORITY\LOCAL SERVICE
Reset account lockout counter after:
10.0
Restore files and directories:
- BUILTIN\Backup Operators
- BUILTIN\Administrators
Shut down the system:
- BUILTIN\Backup Operators
- BUILTIN\Users
- BUILTIN\Administrators
Shutdown - For this GPO, run scripts in the following order:
Not Configured
Shutdown Powershell Scripts:
None
Shutdown Scripts:
None
Shutdown: Allow system to be shut down without having to log on:
Enabled
Shutdown: Clear virtual memory pagefile:
Disabled
Startup - For this GPO, run scripts in the following order:
Not Configured
Startup Powershell Scripts:
None
Startup Scripts:
None
Store passwords using reversible encryption:
Disabled
Synchronize directory service data:
System Cryptography: Force strong key protection for user keys stored on the computer:
Not Defined
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing:
Disabled
System objects: Require case insensitivity for non-Windows subsystems:
Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links):
Enabled
System settings: Optional subsystems:
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies:
Disabled
Take ownership of files or other objects:
- BUILTIN\Administrators
User Account Control: Admin Approval Mode for the built-in Administrator account:
Not Defined
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop:
Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode:
Prompt for consent for non-Windows binaries
User Account Control: Behavior of the elevation prompt for standard users:
Prompt for credentials
User Account Control: Detect application installations and prompt for elevation:
Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations:
Enabled
User Account Control: Only elevate executables that are signed and validated:
Disabled
User Account Control: Run all administrators in Admin Approval Mode:
Enabled
User Account Control: Switch to the secure desktop when prompting for elevation:
Enabled
User Account Control: Virtualize file and registry write failures to per-user locations:
Enabled
User Configuration:
----------
Type of salt install
Official exe
Major version
3007.x
What supported OS are you seeing the problem on? Can select multiple. (If bug appears on an unsupported OS, please open a GitHub Discussion instead)
windows-desktop-11
salt --versions-report output
Salt Version:
Salt: 3007.8
Python Version:
Python: 3.10.18 (heads/main:1b25f37, Sep 5 2025, 22:35:19) [MSC v.1944 64 bit (AMD64)]
Dependency Versions:
cffi: 1.16.0
cherrypy: 18.8.0
cryptography: 42.0.5
dateutil: 2.8.2
docker-py: Not Installed
gitdb: 4.0.10
gitpython: Not Installed
Jinja2: 3.1.6
libgit2: Not Installed
looseversion: 1.3.0
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.7
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 24.0
pycparser: 2.21
pycrypto: Not Installed
pycryptodome: 3.19.1
pygit2: Not Installed
python-gnupg: 0.5.2
PyYAML: 6.0.1
PyZMQ: 25.1.2
relenv: 0.20.6
smmap: 5.0.1
timelib: 0.3.0
Tornado: 6.4.2
ZMQ: 4.3.4
Salt Package Information:
Package Type: onedir
System Versions:
dist:
locale: utf-8
machine: AMD64
release: 10
system: Windows
version: 10 10.0.22631 SP0 Multiprocessor Free
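
Added example, not part of the original report and not Salt's code: the `UnicodeDecodeError` in the traceback (byte 0xdc, "invalid continuation byte") is consistent with text written in a legacy single-byte Windows code page being read as UTF-8. The sketch below reproduces that error on a constructed byte string and decodes it with a BOM check, strict UTF-8, then an assumed legacy code page (cp1252 here; the report does not say which encoding the dump file uses). The function names and the German column names are hypothetical.

```python
import codecs
import csv
import io

# Constructed sample, NOT real auditpol output: a CSV with a non-ASCII
# character in the header, encoded as a single-byte Windows code page would.
SAMPLE_TEXT = (
    "Computername,Unterkategorie,Überwachungseinstellung\r\n"
    "HOST,Anmelden,Keine Überwachung\r\n"
)
SAMPLE_BYTES = SAMPLE_TEXT.encode("cp1252")


def strict_utf8_error(raw: bytes):
    """Return (offset, byte, reason) of the first UTF-8 decode error, or None."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start, raw[exc.start], exc.reason
    return None


def decode_tool_output(raw: bytes, legacy: str = "cp1252"):
    """Decode bytes written by a localized tool; return (text, encoding_used).

    Order matters: a BOM is unambiguous, strict UTF-8 rarely accepts
    legacy-encoded text by accident, and the legacy code page is the last
    resort. `legacy` is an assumption; on a real host it could come from
    locale.getpreferredencoding(False).
    """
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16"), "utf-16"
    try:
        # utf-8-sig also strips a UTF-8 BOM if one is present.
        return raw.decode("utf-8-sig"), "utf-8"
    except UnicodeDecodeError:
        pass
    # No errors="replace": for audit settings a loud failure is better
    # than silently altered field names.
    return raw.decode(legacy), legacy


def parse_rows(raw: bytes, legacy: str = "cp1252"):
    """Decode and parse the CSV; return (encoding_used, list of row dicts)."""
    text, used = decode_tool_output(raw, legacy)
    return used, list(csv.DictReader(io.StringIO(text, newline="")))


if __name__ == "__main__":
    print("strict utf-8:", strict_utf8_error(SAMPLE_BYTES))
    used, rows = parse_rows(SAMPLE_BYTES)
    print("decoded as:", used)
    for row in rows:
        print(row)
```
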