fix: improve task reliability for security audit and anonymous enum roles

.github/workflows/terratest.yaml

@@ -54,6 +54,7 @@ jobs:
         env:
           EVENT_NAME: ${{ github.event_name }}
           BASE_BRANCH: ${{ github.base_ref }}
+          MERGE_GROUP_BASE_SHA: ${{ github.event.merge_group.base_sha }}
         run: |
           # Always run all tests for schedule and workflow_dispatch
           if [ "${EVENT_NAME}" = "schedule" ] || [ "${EVENT_NAME}" = "workflow_dispatch" ]; then
@@ -65,6 +66,8 @@ jobs:
 
           if [ "${EVENT_NAME}" = "pull_request" ]; then
             BASE_REF="origin/${BASE_BRANCH}"
+          elif [ "${EVENT_NAME}" = "merge_group" ]; then
+            BASE_REF="${MERGE_GROUP_BASE_SHA}"
           else
             BASE_REF="HEAD^"
           fi

ansible/playbooks/base/dc_base.yml

@@ -154,6 +154,13 @@
           }
       register: ssm_config
 
+    - name: Prevent forced user registry unload (fixes WUA 0x800703FA)
+      ansible.windows.win_regedit:
+        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+        name: DisableForceUnload
+        data: 1
+        type: dword
+
     - name: Enable Windows Update service
       ansible.windows.win_service:
         name: wuauserv

ansible/playbooks/base/member_base.yml

@@ -125,6 +125,13 @@
       delay: 10
       until: firewall_result is not failed
 
+    - name: Prevent forced user registry unload (fixes WUA 0x800703FA)
+      ansible.windows.win_regedit:
+        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+        name: DisableForceUnload
+        data: 1
+        type: dword
+
     - name: Enable Windows Update service
       ansible.windows.win_service:
         name: wuauserv

ansible/playbooks/base/mssql_base_sql.yml

@@ -157,6 +157,13 @@
         Protocol: "UDP"
         Description: "Opens the discover port for MSSQL Browser"
 
+    - name: Prevent forced user registry unload (fixes WUA 0x800703FA)
+      ansible.windows.win_regedit:
+        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+        name: DisableForceUnload
+        data: 1
+        type: dword
+
     - name: Enable Windows Update service
       ansible.windows.win_service:
         name: wuauserv

ansible/roles/security_audit_policy/tasks/main.yml

@@ -47,6 +47,8 @@
     } else {
       Write-Output "SYSVOL not found - skipping (not a DC or not yet configured)"
     }
+  async: 1800
+  poll: 30
   register: sacl_sysvol
   changed_when: "'SACL configured' in sacl_sysvol.stdout"
   failed_when: false
@@ -77,6 +79,8 @@
     } else {
       Write-Output "NETLOGON not found at expected path - skipping"
     }
+  async: 1800
+  poll: 30
   register: sacl_netlogon
   changed_when: "'SACL configured' in sacl_netlogon.stdout"
   failed_when: false
@@ -108,6 +112,8 @@
       Write-Output "Path not found: {{ item.path }} - skipping"
     }
   loop: "{{ security_vars.audit_folders | default([]) }}"
+  async: 1800
+  poll: 30
   register: sacl_custom
   changed_when: "'SACL configured' in sacl_custom.stdout"
   failed_when: false

ansible/roles/settings_updates/README.md

@@ -13,14 +13,10 @@ Install Windows updates on managed hosts
 
 ## Tasks
 
-### default.yml
-
-- **Enable update service** (ansible.windows.win_service)
-- **Install all updates and reboot as many times as needed** (ansible.windows.win_updates)
-
 ### main.yml
 
 - **Run Windows Updates (skip on prebaked AMIs)** (block) - Conditional
+- **Prevent forced user registry unload (fixes WUA 0x800703FA)** (ansible.windows.win_regedit)
 - **Reset Windows Update components** (ansible.windows.win_shell)
 - **Reboot to clear pending registry operations** (ansible.windows.win_reboot)
 - **Enable update service** (ansible.windows.win_service)

ansible/roles/settings_updates/tasks/main.yml

@@ -2,6 +2,13 @@
 - name: Run Windows Updates (skip on prebaked AMIs)
   when: not ((goad_prebaked | default({})).windows_updated | default(false))
   block:
+    - name: Prevent forced user registry unload (fixes WUA 0x800703FA)
+      ansible.windows.win_regedit:
+        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+        name: DisableForceUnload
+        data: 1
+        type: dword
+
     - name: Reset Windows Update components
       ansible.windows.win_shell: |
         $ErrorActionPreference = 'SilentlyContinue'

ansible/roles/vulns_anonymous_enum/tasks/main.yml

@@ -49,7 +49,8 @@
   tags: lsa_policy
 
 - name: Apply LSAAnonymousNameLookup security policy
-  ansible.windows.win_shell: secedit /configure /db C:\Windows\Security\Database\secedit.sdb /cfg C:\temp-anon-policy.inf /overwrite /areas SECURITYPOLICY /log C:\Windows\Temp\secedit-anon.log /quiet
+  ansible.windows.win_shell: |
+    secedit /configure /db C:\Windows\Temp\secedit-anon.sdb /cfg C:\temp-anon-policy.inf /areas SECURITYPOLICY /log C:\Windows\Temp\secedit-anon.log /quiet
   register: secedit_result
   # Note: This will fail on Domain Controllers because LSAAnonymousNameLookup is controlled by Group Policy
   # The GPO update task below will handle the DC case

scripts/get-playbook-files.sh

@@ -24,7 +24,7 @@ case "${PLAYBOOK}" in
             "ansible/roles/common/tasks/main.yml"
             "ansible/roles/settings_keyboard/tasks/main.yml"
             "ansible/roles/settings_no_updates/tasks/main.yml"
-            "ansible/roles/settings_updates/tasks/default.yml"
+            "ansible/roles/settings_updates/tasks/main.yml"
             "ad/GOAD/data/${ENV}-config.json"
             "ansible/playbooks/data.yml"
         )