microsoft · hinderjd · Aug 30, 2021 · Aug 30, 2021 · Aug 31, 2021 · Oct 29, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## [Unreleased]
 
+## [4.10.1] - 2021-08-31
+
+* Fixed: Windows Server 2019 V2R1 V-205763 generating an exception: [#827](https://github.com/microsoft/PowerStig/issues/827)
+* Fixed: PowerSTIG should honor Boolean with all composite resources: [#969](https://github.com/microsoft/PowerStig/issues/969)
+
 ## [4.10.0] - 2021-08-20
 
 * Update PowerSTIG to Parse/Apply SQL Server 2016 Instance V2R4 STIG: [#959](https://github.com/microsoft/PowerStig/issues/959)

diff --git a/FILEHASH.md b/FILEHASH.md
@@ -1,4 +1,4 @@
-# PowerSTIG File Hashes : Module Version 4.10.0
+# PowerSTIG File Hashes : Module Version 4.10.1
 
 Hashes for **PowerSTIG** files are listed in the following table:
 

diff --git a/Tests/Unit/Module/UserRightRule.tests.ps1 b/Tests/Unit/Module/UserRightRule.tests.ps1
@@ -11,7 +11,7 @@ try
                 DisplayName = 'Deny access to this computer from the network'
                 Constant = 'SeDenyNetworkLogonRight'
                 Identity = 'Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Run "gpedit.msc".
 
@@ -25,7 +25,7 @@ try
                 DisplayName = 'Access this computer from the network'
                 Constant = 'SeNetworkLogonRight'
                 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Run "gpedit.msc".
 
@@ -41,7 +41,7 @@ try
                 DisplayName = 'Debug programs'
                 Constant = 'SeDebugPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -56,7 +56,7 @@ try
                 DisplayName = 'Create a token object'
                 Constant = 'SeCreateTokenPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -69,7 +69,7 @@ try
                 DisplayName = 'Access Credential Manager as a trusted caller'
                 Constant = 'SeTrustedCredManAccessPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -82,7 +82,7 @@ try
                 DisplayName = 'Deny log on as a service'
                 Constant = 'SeDenyServiceLogonRight'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -95,7 +95,7 @@ try
                 DisplayName = 'Manage auditing and security log'
                 Constant = 'SeSecurityPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -121,7 +121,7 @@ try
                 DisplayName = 'Take ownership of files or other objects'
                 Constant = 'SeTakeOwnershipPrivilege'
                 Identity = 'Administrators'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -136,7 +136,7 @@ try
                 DisplayName = 'Lock pages in memory'
                 Constant = 'SeLockMemoryPrivilege'
                 Identity = 'NULL'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -149,7 +149,7 @@ try
                 DisplayName = 'Deny log on through Remote Desktop Services'
                 Constant = 'SeDenyRemoteInteractiveLogonRight'
                 Identity = 'Enterprise Admins,Domain Admins,Local account,Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -176,7 +176,7 @@ try
                 DisplayName = 'Deny log on locally'
                 Constant = 'SeDenyInteractiveLogonRight'
                 Identity = 'Enterprise Admins,Domain Admins,Guests'
-                Force = $false
+                Force = 'false'
                 OrganizationValueRequired = $false
                 CheckContent = 'Verify the effective setting in Local Group Policy Editor.
                 Run "gpedit.msc".
@@ -198,7 +198,7 @@ try
                 DisplayName = 'Access this computer from the network'
                 Constant = 'SeNetworkLogonRight'
                 Identity = 'Administrators,Authenticated Users,Enterprise Domain Controllers'
-                Force = $true
+                Force = 'true'
                 OrganizationValueRequired = $false
                 CheckContent = 'This applies to domain controllers. It is NA for other systems.
 

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -155,7 +155,7 @@ stages:
         dependsOn: Test_Unit
         condition: succeededOrFailed()
         pool:
-          vmImage: 'ubuntu 16.04'
+          vmImage: 'ubuntu 18.04'
         timeoutInMinutes: 0
         steps:
           - pwsh: |

diff --git a/source/DSCResources/Resources/Vsphere.VmHostService.ps1 b/source/DSCResources/Resources/Vsphere.VmHostService.ps1
@@ -5,12 +5,15 @@ $rules = $stig.RuleList | Select-Rule -Type 'VsphereServiceRule'
 
 foreach ($rule in $rules)
 {
+    $ruleRunning = $null
+    [void][bool]::TryParse($rule.Running, [ref] $ruleRunning)
+
     VmHostService (Get-ResourceTitle -Rule $rule)
     {
         Name       = $HostIP
         Server     = $ServerIP
         Credential = $Credential
-        Running    = $rule.Running
+        Running    = $ruleRunning
         Key        = $rule.Key
         Policy     = $rule.Policy
     }

diff --git a/source/DSCResources/Resources/windows.UserRightsAssignment.ps1 b/source/DSCResources/Resources/windows.UserRightsAssignment.ps1
@@ -33,33 +33,44 @@ if ($DomainName -and $ForestName)
 foreach ($rule in $rules)
 {
     Write-Verbose -Message $rule
-    $identitySplit = $rule.Identity -split ","
-    [System.Collections.ArrayList] $identityList = @()
 
-    foreach ($identity in $identitySplit)
+    if ($rule.Identity -eq 'NULL')
     {
-        if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
-        {
-            [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
-        }
-        elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
-        {
-            [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
-        }
-        # Default to adding the identify as provided for any non-default identities.
-        else
+        $identityList = $null
+    }
+    else
+    {
+        $identitySplit = $rule.Identity -split ","
+        [System.Collections.ArrayList] $identityList = @()
+
+        foreach ($identity in $identitySplit)
         {
-            if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+            if (-not ([string]::IsNullorWhitespace($domainName)) -and $domainGroupTranslation.Contains($identity))
+            {
+                [void] $identityList.Add($domainGroupTranslation.$identity -f $DomainName )
+            }
+            elseif (-not ([string]::IsNullorWhitespace($forestName)) -and $forestGroupTranslation.Contains($identity))
             {
-                [void] $identityList.Add($identity)
+                [void] $identityList.Add($forestGroupTranslation.$identity -f $ForestName )
+            }
+            # Default to adding the identify as provided for any non-default identities.
+            else
+            {
+                if ($identity -notmatch "Schema Admins|Enterprise Admins|security|Domain Admins|auditors")
+                {
+                    [void] $identityList.Add($identity)
+                }
             }
         }
     }
 
+    $ruleForce = $null
+    [void][bool]::TryParse($rule.Force, [ref] $ruleForce)
+
     UserRightsAssignment (Get-ResourceTitle -Rule $rule)
     {
         Policy   = ($rule.DisplayName -replace " ", "_")
         Identity = $identityList
-        Force    = [bool] $rule.Force
+        Force    = $ruleForce
     }
 }
diff --git a/source/DSCResources/Resources/windows.WindowsEventLog.ps1 b/source/DSCResources/Resources/windows.WindowsEventLog.ps1
@@ -5,9 +5,12 @@ $rules = $stig.RuleList | Select-Rule -Type WinEventLogRule
 
 foreach ( $rule in $rules )
 {
+    $ruleIsEnabled = $null
+    [void][bool]::TryParse($rule.IsEnabled, [ref] $ruleIsEnabled)
+
     WindowsEventLog (Get-ResourceTitle -Rule $rule)
     {
         LogName   = $rule.LogName
-        IsEnabled = [boolean]$($rule.IsEnabled)
+        IsEnabled = $ruleIsEnabled
     }
 }
diff --git a/source/Module/Rule.Permission/PermissionRule.psm1 b/source/Module/Rule.Permission/PermissionRule.psm1
@@ -20,7 +20,7 @@ class PermissionRule : Rule
 {
     [string] $Path
     [object[]] $AccessControlEntry <#(ExceptionValue)#>
-    [bool] $Force
+    [string] $Force
 
     <#
         .SYNOPSIS

diff --git a/source/Module/Rule.UserRight/UserRightRule.psm1 b/source/Module/Rule.UserRight/UserRightRule.psm1
@@ -23,7 +23,7 @@ class UserRightRule : Rule
     [ValidateNotNullOrEmpty()] [string] $DisplayName
     [ValidateNotNullOrEmpty()] [string] $Constant
     [ValidateNotNullOrEmpty()] [string] $Identity <#(ExceptionValue)#>
-    [bool] $Force = $false
+    [string] $Force = $false
 
     <#
         .SYNOPSIS

diff --git a/source/Module/Rule.VsphereService/VsphereServiceRule.psm1 b/source/Module/Rule.VsphereService/VsphereServiceRule.psm1
@@ -20,7 +20,7 @@ class VsphereServiceRule : Rule
 {
     [string] $Key
     [string] $Policy
-    [bool] $Running
+    [string] $Running
 
     <#
         .SYNOPSIS

diff --git a/source/Module/Rule.WinEventLog/WinEventLogRule.psm1 b/source/Module/Rule.WinEventLog/WinEventLogRule.psm1
@@ -17,7 +17,7 @@ using module .\..\Rule\Rule.psm1
 class WinEventLogRule : Rule
 {
     [string] $LogName
-    [bool] $IsEnabled <#(ExceptionValue)#>
+    [string] $IsEnabled <#(ExceptionValue)#>
 
     <#
         .SYNOPSIS