PowerShell Desired State Configuration (DSC) is a powerful platform for centralized management of your infrastructure through configuration files and is widely used to implement the Infrastructure-as-Code (IaC) concepts. DSC provides a declarative system configuration model that allows you to specify how you want to configure the endpoint (workstation or server).
Azure has its own implementation of DSC, called Azure State DSC, which is used to manage virtual machines. Azure DSC can be used as part of the Azure Automation Management service.
Azure DSC supports the following operating system versions:
- Windows Client 8.1/10/11
- Windows Server 2022/2019/2016/2012R2
You must create an Automation account to use Azure State DSC:
- Sign in to Azure Portal and navigate to the Automation Account using the top search bar;
- Click New to create a new Automation Account resource;
- Specify the account name, Azure resource group, and region.
Also, you can create an Azure Automation account using the Azure Az PowerShell module:
```powershell
Install-Module -Name Az -Force
Connect-AzAccount
New-AzAutomationAccount -Name AzAutomationAcc1 -ResourceGroupName RGTest1 -Location eus
```
Create a PS1 file on your computer with the configuration that needs to be imported into Azure.
In this example, we’ve created a small DSC configuration file that checks for the following:
- The .Net Framework 3.5 is installed on Windows;
- The built-in Administrator account is disabled;
- Remote Desktop is enabled on Windows (check the value of the fDenyTSConnections registry parameter).
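```powershell
# The configuration name matches the file name (AzBasicDSCTests.ps1)
# and the name used later when compiling and assigning the configuration
Configuration AzBasicDSCTests {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Make sure the .NET Framework 3.5 feature is installed
    WindowsFeature Add_Net_Framework {
        Ensure = "Present"
        Name   = "NetFx3"
    }

    # fDenyTSConnections = 0 allows Remote Desktop connections
    Registry RDPEnabled {
        Key       = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
        ValueName = "fDenyTSConnections"
        ValueType = "DWord"
        ValueData = "0"
        Ensure    = "Present"
    }

    # Keep the built-in Administrator account disabled
    User Builtin-Administrator-Disabled {
        Ensure   = "Present"
        UserName = "Administrator"
        Disabled = $true
    }
}
```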
Save this code to the file c:\ps\AzBasicDSCTests.ps1.
You can now import this configuration file into Azure from the Configurations section.
Or you can import it using the Import-AzAutomationDscConfiguration cmdlet:
```powershell
Import-AzAutomationDscConfiguration -SourcePath c:\ps\AzBasicDSCTests.ps1 -ResourceGroupName RGTest1 -AutomationAccountName AzAutomationAcc1 -Published
```
Once you have uploaded the DSC configuration file, you will need to compile it:
```powershell
Start-AzAutomationDscCompilationJob -ConfigurationName AzBasicDSCTests -ResourceGroupName RGTest1 -AutomationAccountName AzAutomationAcc1
```
Check the compilation status and ensure that the RollupStatus property is changed to Good:
```powershell
Get-AzAutomationDscNodeConfiguration -ResourceGroupName RGTest1 -AutomationAccountName AzAutomationAcc1
```
You are now ready to apply your configuration to Azure VMs:
- Navigate to Automation Account > Configuration Management > State Configuration (DSC);
- Click Add to register virtual machines in Configuration Management;
- Click Connect to add the virtual machine as a node in the state configuration (DSC > Nodes > Add).
You can add a VM using PowerShell:
```powershell
$vm = Get-AzVM -Name TestVM1
Register-AzAutomationDscNode -AzureVMName $vm.Name -AzureVMLocation $vm.Location -NodeConfigurationName "AzBasicDSCTests.localhost" -ConfigurationMode ApplyAndAutocorrect -AutomationAccountName AzAutomationAcc1 -ResourceGroupName RGTest1
```
DSC will check the Windows state in the VM and apply your desired settings. You can check the compliance status of the VM:
```powershell
Get-AzAutomationDscNode -NodeConfigurationName "AzBasicDSCTests.localhost" -ResourceGroupName RGTest1 -AutomationAccountName AzAutomationAcc1
```
It should return Status = Compliant.
The Azure Automation task checks the host configuration every 15 minutes. If a VM is found in a non-compliant state, Azure will try to bring it back into compliance.
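The compliance check above can be scripted so that every registered node is triaged in one pass. The following is an added example, not code from the original article: the function name Get-DscNodeFinding, the one-hour silence threshold, and the sample nodes (TestVM2, TestVM3 and all their values) are assumptions constructed for illustration.

```powershell
# Added example: flag DSC nodes that need attention. It reads the Name, Status,
# NodeConfigurationName and LastSeen properties of the objects returned by
# Get-AzAutomationDscNode. Get-DscNodeFinding is a hypothetical helper name.
function Get-DscNodeFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Node,
        # Node configuration every VM is expected to carry (from the article)
        [string]$ExpectedNodeConfiguration = 'AzBasicDSCTests.localhost',
        # Assumption: a node silent for over an hour has missed several checks
        [timespan]$MaxSilence = (New-TimeSpan -Hours 1),
        [datetimeoffset]$Now = [datetimeoffset]::UtcNow
    )
    process {
        $reasons  = @()
        $lastSeen = [datetimeoffset]$Node.LastSeen
        # Anything other than Compliant (drifted, failed, pending) is a finding
        if ($Node.Status -ne 'Compliant') {
            $reasons += "status is '$($Node.Status)'"
        }
        # A node moved to another node configuration is no longer held to this baseline
        if ($Node.NodeConfigurationName -ne $ExpectedNodeConfiguration) {
            $reasons += "assigned '$($Node.NodeConfigurationName)'"
        }
        # A stale check-in means the last reported status can no longer be trusted
        if (($Now - $lastSeen) -gt $MaxSilence) {
            $reasons += "last seen $($lastSeen.ToString('u'))"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Name = $Node.Name; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample nodes (not real data) so the function can be tried offline
$now = [datetimeoffset]'2024-05-01T12:00:00Z'
$cfg = 'AzBasicDSCTests.localhost'
$sampleNodes = @(
    [pscustomobject]@{ Name = 'TestVM1'; Status = 'Compliant';    NodeConfigurationName = $cfg; LastSeen = $now.AddMinutes(-10) }
    [pscustomobject]@{ Name = 'TestVM2'; Status = 'NotCompliant'; NodeConfigurationName = $cfg; LastSeen = $now.AddMinutes(-5) }
    [pscustomobject]@{ Name = 'TestVM3'; Status = 'Compliant';    NodeConfigurationName = $cfg; LastSeen = $now.AddHours(-6) }
)
$sampleNodes | Get-DscNodeFinding -Now $now

# Live use against the account from the article:
# Get-AzAutomationDscNode -ResourceGroupName RGTest1 -AutomationAccountName AzAutomationAcc1 | Get-DscNodeFinding
```

A node that still shows Compliant but has stopped checking in is reported as well, because its status reflects only the last report it sent.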