Issue writing certificates (and maybe other strings) which are stored as binary objects in policy files.

[ZeffyReport]

Details of the scenario you tried and the problem that is occurring

Using DSC to deploy certificates to machines (GPO was exported and converted to DSC module using 'Baseline' PowerShell module) resulted in the log files ~1.5GB in size being generated over repeated refresh/application of the configuration which in turn filled the machine's operating system drive.

Verbose logs showing the problem

Microsoft support case 2105160060000454 would hold the issue re-created by the Microsoft engineer

Suggested solution to the issue

After repeated testing and research, I finally found the cause of the problem:

From the script of the DSC module:
C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\Modules\GPRegistryPolicyFileParser\GPRegistryPolicyFileParser.ps1

The group policy file will save as a string value of a binary:
C:\Windows\System32\GroupPolicy\Machine\registry.pol

When policy apply second time, it will check the value from the policy file. However, it will read the value as binary directly and not convert it to string
Then it will compare it with the DSC configuration file, which the value is string. Thus, it will eventually write the output of the whole binary data, each byte will written in one line.

To resolve the issue please change the file GPRegistryPolicyFileParser.ps1:

From line 119:
[System.Byte[]] $value = $policyContentInBytes[($index)..($index + $valueLength - 1)]
Please change it to:
[System.String] $value = [System.Text.Encoding]::UNICODE.GetString($policyContents[($index)..($index + $valueLength - 1)])

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

I can't include most of the code, but the relevant section is below using module 'GPRegistryPolicyDsc'

     RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs\98A8DE8A61E03D9F98639D18986AB54C3C8CDF66\Blob'
     {
          ValueName = 'Blob'
          ValueData = '03000000010001001400000098A8DE8A61E03D9F98639D18986AB54C3C8CDF662200000001000100360100003082013206092A864886F70D010702A08201233082011F02010131003082011406092B0601040182370A01A08201053082010102020080300B06092B060104018237140104707B00440039003400320031003400410031002D0038003600430043002D0034003900420035002D0042003500320039002D004200310039003800420043004100360035004600440033007D007C0044006F006D00610069006E0043006F006E00740072006F006C006C00650072000000170D3138303630313032343635375A300906052B0E03021A0500A0623060302F06092B060104018237140204221E200044006F006D00610069006E0043006F006E00740072006F006C006C00650072301D0603551D250416301406082B0601050507030206082B06010505070301300E0603551D0F0101FF0404030205A03100'
          ValueType = 'Binary'
          TargetType = 'ComputerConfiguration'
          Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\ACRS\CTLs\98A8DE8A61E03D9F98639D18986AB54C3C8CDF66'
     }

     RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\CA\Certificates\1034ADB9276046BA03B04F1CA92FCED056395245\Blob'
     {
          ValueName = 'Blob'
          ValueData = '040000000100000010000000BB840253F51C97D42A60AFEF1159911A0F00000001000000200000007A6FBC9558FF341C90133DA70A91111EBCEED70EE31E5712953DFA1A424BF9E61400000001000000140000007795BED99AE03417A8D2B38EC1C41CF88F33527F190000000100000010000000A754121C62A6AC5C1B3D6333D8C88C2A5C000000010000000400000000100000180000000100000010000000357F848AAC8A1A59C7CBD23B7984DE3D0300000001000000140000001034ADB9276046BA03B04F1CA92FCED0563952452000000001000000C2060000308206BE308204A6A0030201020203014B39300D06092A864886F70D01010B0500308190310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A1307417573677269643110300E060355040B130741757367726964311630140603550403130D41757367726964526F6F7443413126302406092A864886F70D010901161768656C706465736B40617573677269642E636F6D2E6175301E170D3136303632373232313232365A170D3235303131373232313232365A305E310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A130741757367726964311E301C0603550403131541757367726964496E7465726D656469617465434130820222300D06092A864886F70D01010105000382020F003082020A0282020100BE983E58C01FBA2F78BA2CE92E3E60652A7658C8CCA76FDF8E65730FE95AF455E468D1E932DF236B13EB35479FED6D3F0CC46D6F367EC0A1A80702AF58DA474E23B3CCFAC5B4E64D6E893B89BAA71010BD2550AAEECA7A3E4AE58BDD0F07A47B91F258B37ACED40EF898FB3AA3B1B023FE551DEE21A26291D6B60E160F79079852D6609AA73DE37FFF9AA84D8A87BBD0488424A7AF3E005F07D3AD34B4A79F6F6A2161D9669C4560ED7EF46661769116C427819C5F6DD86FF397585E880165898FA2FDCDF66ACB4896FB8AAD2F191401E5E07140A91E2643760EB3D99853C1E6F3153739BACF021B3180BBA9D6A23D6CBF482B98B24FF3B2B05538166C0DF148559FF31C4A2A6ECE863E57E3D8E235C298E4FC78A06145E91AA0D456A464BA103AE7CCF2EC7CE09B1176FEAE58AD01B71053AC1C5D7D7CD223DA2F29C240858A1C77FD57E21E20434A40717FE76D937542B52734FAAA74528FDDD15339997D36475897347E4365F3A5DBEC8762F755F0ABA2CF3922C036D8891D19503A96558CDEB4FE232D5B85D9D283708E906640C699D30C1397753C3480B111AC57BBED91D04EFF02B9400E08CDECB167CE4433CBD800730C810AB231D782E40F7E9ADD12F27BC45A570E34E708DE8FC5B35D404F2673A6CB502686D0504492E10106FAB4BBE7A5BB0DA03FE2CCF118BEA2433970230E69E1E85D568AD28FE7914504A4510203010001A38201503082014C300C0603551D13040530030101FF300B0603551D0F040403020106301D0603551D0E041604147795BED99AE03417A8D2B38EC1C41CF88F33527F3081BD0603551D230481B53081B280140DDECC3083D9805C7C0B0ED0A2FA341D01D6FC70A18196A48193308190310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A1307417573677269643110300E060355040B130741757367726964311630140603550403130D41757367726964526F6F7443413126302406092A864886F70D010901161768656C706465736B40617573677269642E636F6D2E6175820100301006092B06010401823715010403020101302306092B0601040182371502041604140B0838451C0EA44E52298595762E60430F46070C301906092B0601040182371402040C1E0A00530075006200430041300D06092A864886F70D01010B05000382020100268D0DC37428A72525BBA65F59A37614421B5900DAD7B738D3703DA37D328015032CC66C2FFBF251523522CA3843DEC9E1911B5FE922C8D26D909BAEFEBAD0ED299F9021610A4C6D723E5F256EEC159C1C870A929FD3BBFFF6D999C13A7CC716A2E4905F29E7BED6B7DA6DCA010D614225BFD35F72A8E17233B47249EDC142DC690B8B6BED1439ACF45E56E1157FD6C57D7D702E20F717D7450A54F2BBE5A5A9EC6E7B22C967664AC4FF1949B2D3103C72DEFB27158E19FE6F4375B1B478E48B2D7756634F77A7DBEFA546A1FE1D79DF893E51A3CA8167B55CE2D92BE30C47682692E7AA016C1ED980BEDB76EE78785CB49102F601D2841AFE34DFCCD3D023296444236F47E8E43901DC817844CE18DB3DEFE37D0105E6751B6164A0D8EEF42DBAF1A22E92CECFE8ACBD783A6419A48CC228ED1A5799264D8E4DC690FE4FC2528CF8526CB25D0ABF41C8F43FA40A6F4BEF4EE174E11386BDF6BAF3C426B726FCF8B10DF5C0BF486261F2911B8834B6EBD558872C14DF6E5F9E44D6684FB1EC15B036B784BA7085FDC98F5F543AB53CB80418923B883F3759E5757F90FD4E0A7AD066080A3659E266491AD6C417172D42BCBA3039941EA3D03F5DA8B9685F806F3F46B6D4852828DA025C4CC6927E8F359066BF0A327260D902E0CF8D077C90A1AB4FBBE6D6AAADA1A99F6AFA22EEC3726AD44C7C69046BCF64C31940E79C05FC'
          ValueType = 'Binary'
          TargetType = 'ComputerConfiguration'
          Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\CA\Certificates\1034ADB9276046BA03B04F1CA92FCED056395245'
     }


     RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\2187791998C86676D0202549798C56B4EDE8613B\Blob'
     {
          ValueName = 'Blob'
          ValueData = '040000000100000010000000FB6AC351AF6C168250052EE877791E270F0000000100000014000000FF1FF61CBF9B7234BA7AD36B7B56834059A77396140000000100000014000000A64A17D1BC58B5772516922BD24C9523CF281436190000000100000010000000242ED3C836E20157395DD445CAE3DBA90300000001000000140000002187791998C86676D0202549798C56B4EDE8613B5C000000010000000400000000080000200000000100000096030000308203923082027AA00302010202101BB786D3B6AD8F65B97A793EC7488427300D06092A864886F70D0101050500304F310B3009060355040613025553311F301D060355040A1316426C7565436F61742053797374656D732C20496E632E311F301D06035504031316436C6F756420536572766963657320526F6F74204341301E170D3131303930363030303030305A170D3231303930353233353935395A304F310B3009060355040613025553311F301D060355040A1316426C7565436F61742053797374656D732C20496E632E311F301D06035504031316436C6F756420536572766963657320526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100C4007BF6A229374340A544B46DED0D1580EA9D8DE0F6326C619E87551B1BC367899CED8129886804E5B97E651CF45693D156E12289071518F8C3773691E5958139451DBA7A11969A2B51FCC9CCD37F9ED695720BB82AC9F5E198B1613676825E3E71694F541E8C345060C2938C07D0034B700814B1C666794F3109FF102EE1C6137370A732B800DE7FBFB5C1FB627E4F0CD1808B064C59FE4E3DB92D1F7DDBDABEF27B1F9B8175E2BD8D4CC3A93CD9160B4CB46C6BC02896E0434E996A31B1E8D5013B02EBDE78590B2F91975FFF14C5AA34981BEE7763490874D9F447321E7E7F636827A895B8B666CC357AEB84013EE58D5D58C014F101521746ACCD0404DB0203010001A36A3068300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF30260603551D11041F301DA41B3019311730150603550403130E4D504B492D323034382D312D3939301D0603551D0E04160414A64A17D1BC58B5772516922BD24C9523CF281436300D06092A864886F70D010105050003820101008CF8954C29F34D4CA032DC680E9E830326A6A666071DBCEF0F89D760DF77CE7BA01DE876ACE602864DCC4AD1FF736468CB15F784F4FCDF5CD0EB9CCAF9067697B91CDA33A038B62C7889D0123519CC4C1E78034DF831DD338B69A86952C7342F20332D53C2F4FF5FC29819FBCA191F7A4C84C69C7D1803598FA19ABCDD64FECC7E167B5973E664A060CF3864F74F33FD9D868E5F78CD09BA31A10624D3AFCBFDDFBAC6AC8437B1612A32024859664B27F19EBF1F9A45A40D484242D713F8557A332CA76C5EBAB6278F5F720A45AA24BCA1D5F66830C49F015DC3A5C04C0E930FF14DE2CB41E076976EF8ACF91D9B068FE6A9C7DDDF735737C6F88DBC0701FFAD'
          ValueType = 'Binary'
          TargetType = 'ComputerConfiguration'
          Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\2187791998C86676D0202549798C56B4EDE8613B'
     }

     RegistryPolicyFile 'Registry(POL): HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\BA2D46017966D1946C515E1BBBDFDD8B7A773B91\Blob'
     {
          ValueName = 'Blob'
          ValueData = '0400000001000000100000008284E0BBCECFB0404E2A04C15BC98B840F0000000100000020000000C01C9AAA9F3D78CD60362EDA2DE1D035EA35082C3ED331C3BB307F110B5C35951400000001000000140000000DDECC3083D9805C7C0B0ED0A2FA341D01D6FC70190000000100000010000000357F848AAC8A1A59C7CBD23B7984DE3D5C000000010000000400000000100000030000000100000014000000BA2D46017966D1946C515E1BBBDFDD8B7A773B912000000001000000920600003082068E30820476A003020102020100300D06092A864886F70D01010B0500308190310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A1307417573677269643110300E060355040B130741757367726964311630140603550403130D41757367726964526F6F7443413126302406092A864886F70D010901161768656C706465736B40617573677269642E636F6D2E6175301E170D3135303132313031313432325A170D3235303131393031313432325A308190310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A1307417573677269643110300E060355040B130741757367726964311630140603550403130D41757367726964526F6F7443413126302406092A864886F70D010901161768656C706465736B40617573677269642E636F6D2E617530820222300D06092A864886F70D01010105000382020F003082020A0282020100CF0A47EB875AD13D292B2CA1AECE3CF6A33D700DA4177191C51A787ED190CEF7E53C4DA66BBC9EC056C253DC8DC987B20EBAB3F5581B19F3541D878A3AC2A59AE13C6E0800FD418F0ED629CB2ADD7EE363DE59946529EE11AEA8DE8A6CA5172310B3F3D97D95279668A701E5F18116E7E5D173BD7D577395835F261E738F06C2446CACF269E5FB57344F9A78550DF77D2DCD32381FF64999BC38D95791129DA7DD2617997E3662D576C3D64C86B316F874AFB2622447C585AB025CA7CE703A21A6BB11D7351C33F2E556DA5346704570444FABB3460AE56FBECCB145DD283F3E141E0CFF8A618A6DD5AC1815989A7C9E671B8EA12339BFD82730123C1E643C1F10D7F8BB902E469AA3F15E1A5E0F21C11074256A76CB314C0ECAC98FB9559210ED47F3BA9F746DD1DAC3AC03389EED9D9B042BD6BDE289461B177121CF391F0F11CD961F9CC865DAEA04CEC5BBB7CB53269B07912B1984DCE19FD269D56E9B3ABA4D902616285EB95FC16F74DA09E7C97A6B843E9FFADDE5E200B2DCE614188A894C1103FDF14B598D2948CC6FA0954E0D56392BD8138C29B495E919E4175168874F92BC6BBFF5AAC2DA26CDBAA24A8E4599383F5870E10FE26D0D1D4A9CBD49031A7F691787291F0990D696BA5E3370884C6F5BC0B4AC7AB9464DF2751659D2FDA9331E6E76D2B9D90898B618D7D343FD51830A93499D568F65CB4C2B95AB250203010001A381F03081ED301D0603551D0E041604140DDECC3083D9805C7C0B0ED0A2FA341D01D6FC703081BD0603551D230481B53081B280140DDECC3083D9805C7C0B0ED0A2FA341D01D6FC70A18196A48193308190310B3009060355040613024155310C300A060355040813034E5357310F300D060355040713065379646E65793110300E060355040A1307417573677269643110300E060355040B130741757367726964311630140603550403130D41757367726964526F6F7443413126302406092A864886F70D010901161768656C706465736B40617573677269642E636F6D2E6175820100300C0603551D13040530030101FF300D06092A864886F70D01010B0500038202010078E3D88FFD31DCC8D16450EF1C4BCB01A999189F32932C68569F768DB193E6E11964C51FF575882E50556C9B5554664DBD501FCD69D20111CC7A9119B217731EE53C7E133F414766EE4DDEAB816EB3B09EC5FBB56645488841B3269D657B24FF0992445A84DAE71B35414A195C4C90A640D44A74BA585DCC0A8FEF45A47553EBE3A7FE0C49ADE1221CFD11B7F5F805A62FE34C5B7923C661D350B4B75DA2D4B8D26D6B4F21FA5E0EB47963D9C8934040C845E5D1605A7E41366B68E49E853E0C223C1DF03055FD6ACBB03100736E548E593021649107C3FF2916967673F4E365F9CB4C6B34C747D63EA83F662730820796370FA512D330DFC606C814D5DB899FE43329BF9FD71B8A720258D238AE6CA27AD9F1D711E04B330FF6D7752797B7D0C71117D565F95FE7136134918646BC8A5F8DF6DBB477BEFDC027AE6CD234D0D95F735558270A76C43C61C4E53B0AE5398686480BCD71BD6DD18B2266E715A2BA8D173A8DAF70410EB905F19462C2B35426FFA0EB9ECA545DA0D705D00251127FEC281BF7BD48A0795DAE94DDAC06ADF7BB84A1F4BA4D12EE682D290DC6B49FA7FD02EBDB527BF8A485678AE015595C5DBE06987373359D8E398AC564F64A3BA4410800EFE70A2F0D39A12E5A3FB41C0A07433B91E49A7C9590307A21E505D80705A0142F64314BDB40CBE2F914FC210EEE78A7E46677542AC2618DA5C6E65FCC'
          ValueType = 'Binary'
          TargetType = 'ComputerConfiguration'
          Key = 'HKLM:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\BA2D46017966D1946C515E1BBBDFDD8B7A773B91'
     }

The operating system the target node is running

OsName : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture : 64-bit
WindowsVersion : 1809
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version and build of PowerShell the target node is running

Name Value

---

PSVersion 5.1.17763.1007
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.1007
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

Version of the DSC module that was used

Name Version Path

---

GPRegistryPolicyDsc 1.2.0 C:\Program Files\WindowsPowerShell\Modules\GPRegistryPolicyDsc\1.2.0\GPRegistryPolicyDsc.psd1

[amrowicki]

Deploying multiple certificates causes increased memory consumption by the WmiPrvSE.exe process which, in turn, causes the System.OutOfMemoryException error to be thrown. The above solution also eliminates this problem.