Not able to apply Registry Rules on AWS Windows host

[seanlogan-wh]

Describe the bug
My team is applying PowerStig to our Windows hosts and we have to skip the RegistryRule otherwise PowerShell breaks for us. It looks related to winrm or windows remote shell but I have not been able to find a setting that allows powershell to work after applying the stig.

To Reproduce
We are running an Windows host in the AWS cloud using this AMI: ami-0595b708bb9f30517

• CIS Microsoft Windows Server 2016 Benchmark v2.0.0.6 - Level 2-9652b83a-72cf-4084-82a9-8ce71a17d573
• Install PowerStig
• Run PowerStig with all the default settings ( OsVersion = '2016', OsRole = 'MS' )
• After host reboots, not able to continue the configuration using the Start-DscConfiguration -UseExisting command. Reports an error "Not enough storage is available to complete this operation."

Expected behavior
PowerStig is fully applied and host is still usable

Screenshots

Additional context
We had to apply a skipRuleType for @('RegistryRule') and apply those settings manually to meet compliance.

Thanks.

[erjenkin]

Hello @seanlogan-wh,

I have not seen this on standard Windows Server 2016 VM's. Could you try to deploy on a non-CIS image? CIS has its own security configurations that doesn't always map to STIG and I would just like to determine if this is a PowerSTIG issue or an issue with the CIS image.

Thank you,
Eric

[seanlogan-wh]

Hi Eric,

It looks like it is an issue just with the CIS image we are using. We are stuck on the current AMI for the time being so we just skipped those rules and applied manually. Was hoping it was something you had seen before and knew a fix for.

Thanks.

[erjenkin]

Hello @seanlogan-wh

I would recommend filing a ticket with the creator the image - they should be able to drill down to what in their configuration could be causing that storage error with the RemoteRM listener - If had was I was going dig in I would start with the "Get-Item -Path WSMan:\localhost\MaxEnvelopeSizeKb" (to ensure your document size isn't too small, you could always increase it for test purposes) and check the differences between the CIS and non-CIS with "Get-DscLocalConfigurationManager"(if any)

I will leave this thread open for when you find the solution.

Thank you,
Eric