Azure Automation State Configuration – Installing Common DSC Modules

Azure Automation State Configuration

Azure Automation State Configuration (previously Azure Automation DSC) is a service provided by Azure that allows you to write, manage and compile PowerShell Desired State Configuration (DSC) configurations and assign these configurations to target virtual machines (or, to be honest, any server or workstation). On its own, State Configuration provides some basic configuration examples, but its true power comes from the ability to define your own configurations.

User-created configurations need to be imported and compiled before they can be applied to a virtual machine. It is common when writing DSC configurations to rely on a variety of DSC resources, and the modules containing these resources need to be imported into Azure Automation before it can compile any configuration that uses them. So how do we import and update these modules?

The first mechanism for managing PowerShell modules is the Azure Portal: go to your Automation Account > Shared Resources > Modules. Here you can add modules from a zip file, update the built-in Azure modules, or add modules from the PowerShell Gallery. This is a simple mechanism, particularly if you are just starting out; unfortunately, most production configurations need multiple modules, which makes the Portal tedious to use.

We can also manage modules via ARM templates. Defining the template is relatively straightforward but requires a couple of tricks to get started. I will put together a separate blog post on how you can define your own ARM template.
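A third route, shown here as an added example rather than the starter ARM template this post describes, is to script the import with the Az.Automation cmdlets and then compile a configuration that depends on the imported modules. It assumes the Az.Automation and PowerShellGet modules are installed, that Connect-AzAccount has already been run, and that the resource group name, account name, module subset and configuration below are placeholders you would replace.

```powershell
# Added example (not the starter ARM template from the post): import a set of
# DSC modules into an Automation account with the Az.Automation cmdlets, then
# compile a configuration that depends on them. Assumptions: Az.Automation and
# PowerShellGet are installed, Connect-AzAccount has already been run, and the
# resource group, account name and module list below are placeholders.
$ResourceGroupName     = 'rg-automation'
$AutomationAccountName = 'aa-stateconfig'

# Subset of the modules in the table above; the configuration further down
# uses resources from the first two.
$Modules = 'PSDscResources', 'AuditPolicyDsc', 'SecurityPolicyDsc', 'cChoco'

foreach ($name in $Modules) {
    # Resolve the current Gallery version so that the content link is pinned to
    # an explicit version rather than whatever "latest" resolves to at import
    # time. Re-running the script later picks up newer releases, which is the
    # "keep the modules updated" use of the template described in the post.
    $version = (Find-Module -Name $name -Repository PSGallery -ErrorAction Stop).Version.ToString()
    $uri     = "https://www.powershellgallery.com/api/v2/package/$name/$version"

    $existing = Get-AzAutomationModule -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $name -ErrorAction SilentlyContinue

    if ($existing -and $existing.Version -eq $version) {
        Write-Host "$name $version already imported, skipping"
        continue
    }

    Write-Host "Importing $name $version"
    if ($existing) {
        Set-AzAutomationModule -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name $name `
            -ContentLinkUri $uri -ContentLinkVersion $version | Out-Null
    } else {
        New-AzAutomationModule -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name $name `
            -ContentLinkUri $uri | Out-Null
    }

    # Module import is asynchronous. Wait for a terminal state, because a
    # compilation job started while a required module is still importing fails.
    do {
        Start-Sleep -Seconds 15
        $state = (Get-AzAutomationModule -ResourceGroupName $ResourceGroupName `
            -AutomationAccountName $AutomationAccountName -Name $name).ProvisioningState
    } until ($state -in 'Succeeded', 'Failed')

    if ($state -ne 'Succeeded') { throw "Import of $name $version failed" }
}

# A small hardening configuration using resources from PSDscResources and
# AuditPolicyDsc. The file name must match the configuration name for import.
$configName = 'AuditBaseline'
$configPath = Join-Path ([IO.Path]::GetTempPath()) "$configName.ps1"
@'
Configuration AuditBaseline {
    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName AuditPolicyDsc

    Node 'localhost' {
        # Turn on PowerShell script block logging via the policy registry key.
        Registry ScriptBlockLogging {
            Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
            ValueName = 'EnableScriptBlockLogging'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }

        # Audit successful process creation (event 4688).
        AuditPolicySubcategory ProcessCreation {
            Name      = 'Process Creation'
            AuditFlag = 'Success'
            Ensure    = 'Present'
        }
    }
}
'@ | Set-Content -Path $configPath -Encoding UTF8

Import-AzAutomationDscConfiguration -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -SourcePath $configPath `
    -Published -Force | Out-Null

# Compile; the resulting node configuration (AuditBaseline.localhost) can then
# be assigned to registered nodes.
Start-AzAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -ConfigurationName $configName
```

Pinning each import to the version Find-Module resolved, rather than a floating "latest" link, means the modules that end up compiled into your node configurations are the ones you reviewed; if a module has its own dependencies, import those first, because Automation does not resolve them for you.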

Accelerating Adoption

I wanted to help those starting out with State Configuration. My goal was to accelerate new State Configuration deployments by creating a "starter" ARM template that installs the PowerShell DSC modules from the PowerShell Gallery that are most commonly used, and most common in my own production DSC configurations. The same ARM template can also be redeployed to ensure that the modules are updated on a regular basis.

So what modules are included? I selected 33 modules in the end (listed in the table below). These cover the configuration of core Windows, Windows Server roles and features, security hardening, package management and Chocolatey. Most of the modules are maintained by Microsoft; however, four modules, cChoco, cSpeculationControlFixes, UpdateServicesDsc and xSystemSecurity, are maintained by members of the community.

Module Name | Author | Description
--- | --- | ---
ActiveDirectoryCSDsc | Microsoft Corporation | This DSC resource module can be used to install or uninstall Certificate Services components in Windows Server.
AuditPolicyDsc | Microsoft Corporation | The AuditPolicyDsc module allows you to configure and manage the advanced audit policy on all currently supported versions of Windows.
cChoco | Chocolatey Software, Lawrence Gripper, Javy de Koning | Chocolatey DSC resources for use with internal packages and the community package repository. Learn more at http://chocolatey.org/
CertificateDsc | Microsoft Corporation | This module includes DSC resources that simplify administration of certificates on a Windows Server.
ComputerManagementDsc | Microsoft Corporation | The ComputerManagementDsc module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xComputer and xDisk resources. These DSC resources allow you to perform computer management tasks, like joining a domain or initializing disks.
cSpeculationControlFixes | Kieran Jacobsen | PowerShell DSC for enabling Speculation Control fixes on Windows Server.
DFSDsc | Microsoft Corporation | DSC resources for configuring Distributed File System Replication and Namespaces.
GPRegistryPolicy | Microsoft Corporation | Module with cmdlets to work with GP Registry Policy .pol files.
GPRegistryPolicyParser | Microsoft Corporation | Module with parser cmdlets to work with GP Registry Policy .pol files.
NetworkingDsc | Microsoft Corporation | Module with DSC resources for the Networking area.
PackageManagementProviderResource | Microsoft Corporation | Module with DSC resources for package management.
PSDscResources | Microsoft Corporation | This module contains the standard DSC resources. Because PSDscResources overwrites in-box resources, it is only available for WMF 5.1. Many of the resource updates provided here are also included in the xPSDesiredStateConfiguration module, which is still compatible with WMF 4 and WMF 5 (though that module is not supported and may be removed in the future).
SecurityPolicyDsc | Microsoft Corporation | This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments.
SqlServerDsc | Microsoft Corporation | Module with DSC resources for deployment and configuration of Microsoft SQL Server.
StorageDsc | Microsoft Corporation | This module contains all resources related to the PowerShell Storage module, or pertaining to disk management.
UpdateServicesDsc | Michael Greene | Module with DSC resources for deployment and configuration of Windows Server Update Services.
WindowsDefender | Microsoft Corporation | The Windows Defender module allows you to configure Windows Defender settings.
xActiveDirectory | Microsoft Corporation | The xActiveDirectory module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xADDomain, xADDomainController, xADUser, and xWaitForDomain resources. These DSC resources allow you to configure and manage Active Directory.
xDhcpServer | Microsoft Corporation | Module with DSC resources for the DHCP Server area.
xDismFeature | Microsoft Corporation | Module with DSC resources for Deployment Image Servicing and Management features.
xDnsServer | Microsoft Corporation | Module with DSC resources for the DNS Server area.
xFailOverCluster | Microsoft Corporation | Module containing DSC resources used to configure Failover Clusters.
xInternetExplorerHomePage | Microsoft Corporation | This DSC resource can easily set a URL for the home page of Internet Explorer.
xPendingReboot | Microsoft Corporation | This module identifies pending reboots in Windows Server and acts on them.
xPSDesiredStateConfiguration | Microsoft Corporation | The xPSDesiredStateConfiguration module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC resources produced by the PowerShell Team. This module contains the xDscWebService, xWindowsProcess, xService, xPackage, xArchive, xRemoteFile, xPSEndpoint and xWindowsOptionalFeature resources.
xRemoteDesktopAdmin | Microsoft Corporation | Module with DSC resources for enabling administrative Remote Desktop connections.
xSmbShare | Microsoft Corporation | Module with DSC resources for the SmbShare area.
xSystemSecurity | Arun Chandrasekhar | Handles Windows-related security settings like UAC and IE ESC. xUAC enables or disables the User Account Control prompt, while xIEEsc enables or disables IE Enhanced Security Configuration.
xTimeZone | Microsoft Corporation | This DSC resource can easily set the system time zone.
xWebAdministration | Microsoft Corporation | Module with DSC resources for Web Administration.
xWindowsEventForwarding | Microsoft Corporation | This module can be used to manage configuration of a Windows Event Forwarding server in a Collector role.
xWindowsUpdate | Microsoft Corporation | Module with DSC resources for Windows Update.
xWinEventLog | Microsoft Corporation | Configure Windows Event Logs.

Want to get started and use the template?

You will need an Azure Automation account to start.

You can then use the Deploy to Azure button in the GitHub repository, or download the latest release and deploy it using the Azure CLI or PowerShell.

Want to contribute?

The project is up on GitHub and I welcome everyone to make suggestions and recommendations. If you need a hand with your first PR, check out this guide from egghead.io. I have connected this project to Azure DevOps build pipelines, so all PRs will be validated for any issues.

Posh-SYSLOG version 4 is now available

The Posh-SYSLOG PowerShell module continues to surprise me. I originally developed the module in early 2012, making it available on GitHub in 2013. Since then I've continued to maintain the module, even though I don't directly use it.

Early this year, usage of the module skyrocketed. Growing from a few hundred downloads a year to an average of 10 thousand downloads each month. I don’t know what’s driven this growth, but it's been incredible.

Today is another milestone for Posh-SYSLOG. I'm happy to announce that version 4.0 has been released. This release adds support for sending SYSLOG messages over TLS.

Sending messages over TLS

Switching to TLS is super easy!

With previous versions, the Transport parameter allowed you to specify the UDP and TCP transport options; version 4.0 adds the TCPwithTLS option. To send a message with TLS:

PS> Send-SyslogMessage -Server 'myserver.local' -Message 'My Message' -Severity Alert -Facility kern -Transport TCPwithTLS

Default behaviours

There are some default behaviours that you should be aware of:

  1. TLS 1.2 is used by default when connecting to the server. If your server doesn't support this, you can use the SslProtocols parameter to change the behaviour. This parameter uses the type System.Security.Authentication.SslProtocols, and supports specifying TLS 1.0, TLS 1.1, SSL 2 and SSL 3. Only lower the protocol version if the collector genuinely can't be upgraded: SSL 2 and SSL 3 are broken and TLS 1.0 and 1.1 are deprecated, so downgrading weakens the protection of the log stream.
  2. By default, the value specified for the Server parameter is validated against the server's certificate. This means that the certificate will need to contain this value (in its subject or a subject alternative name) for validation to be successful. Currently, you can't change this logic, but I'll look at including this in version 4.1.
  3. Sometimes the server's certificate can't be validated (a self-signed certificate or an internal CA, for example); in that case you can ignore any validation errors by including the DoNotValidateTLSCertificate parameter. If this parameter is used, a warning will be displayed to the user. Be aware that this disables authentication of the collector: anyone on the network path can present their own certificate and read or alter the messages, so prefer trusting the issuing CA on the client and treat this switch as a troubleshooting option rather than a production setting.
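To make the three behaviours above concrete, here is an added example of a minimal syslog-over-TLS sender written for this page; it is not Posh-SYSLOG's own implementation, and the parameter names are borrowed from the module only so the mapping is obvious. It assumes RFC 5424 message layout with RFC 5425 octet-counting framing, the conventional syslog/TLS port 6514, and a collector whose certificate chains to a CA the client trusts and names the host passed to -Server.

```powershell
# Added example, not Posh-SYSLOG's own implementation: a minimal syslog-over-TLS
# client that mirrors the three default behaviours listed above so you can see
# where each one is enforced. Assumptions: RFC 5424 message layout with RFC 5425
# octet-counting framing, the usual syslog/TLS port 6514, and a collector whose
# certificate chains to a CA the client trusts and names the host in $Server.
function Send-TlsSyslogExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Message,
        [int] $Port = 6514,
        [int] $Facility = 0,    # kern
        [int] $Severity = 1,    # alert
        # Behaviour 1: TLS 1.2 unless the caller explicitly asks for something else.
        [System.Security.Authentication.SslProtocols] $SslProtocols = 'Tls12',
        # Behaviour 3: opt out of certificate validation, with a warning.
        [switch] $DoNotValidateTLSCertificate
    )

    # GetNewClosure() captures $Server and $DoNotValidateTLSCertificate so they
    # are visible when .NET calls back into the script block during the handshake.
    $validator = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        if ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
            return $true
        }
        if ($DoNotValidateTLSCertificate) {
            Write-Warning "Ignoring certificate validation errors from ${Server}: $sslPolicyErrors"
            return $true
        }
        # Returning $false makes AuthenticateAsClient throw, so nothing is sent.
        return $false
    }.GetNewClosure())

    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validator)
        # Behaviour 2: passing $Server as targetHost makes .NET check that the
        # certificate's subject or SAN matches the value given to -Server; a
        # mismatch reaches the callback as RemoteCertificateNameMismatch.
        $ssl.AuthenticateAsClient(
            $Server,
            [System.Security.Cryptography.X509Certificates.X509CertificateCollection]::new(),
            $SslProtocols,
            $true)   # also check certificate revocation

        # RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
        $pri       = ($Facility * 8) + $Severity
        $timestamp = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
        $hostname  = [System.Net.Dns]::GetHostName()
        $record    = "<$pri>1 $timestamp $hostname PowerShell $PID - - $Message"

        # RFC 5425 octet-counting framing: the byte length of the UTF-8 encoded
        # record, a space, then the record itself.
        [byte[]] $body  = [System.Text.Encoding]::UTF8.GetBytes($record)
        [byte[]] $frame = [System.Text.Encoding]::ASCII.GetBytes("$($body.Length) ") + $body
        $ssl.Write($frame, 0, $frame.Length)
        $ssl.Flush()
        $ssl.Dispose()
    } finally {
        $client.Dispose()
    }
}

# Equivalent of the Send-SyslogMessage call above: kern facility, alert severity.
Send-TlsSyslogExample -Server 'myserver.local' -Message 'My Message' -Facility 0 -Severity 1
```

The synchronous AuthenticateAsClient overload is used deliberately: .NET invokes the validation callback on the calling thread, which is what lets a PowerShell script block run inside it. The same function with -SslProtocols Tls11 or -DoNotValidateTLSCertificate reproduces the downgrade and skip-validation cases, and you can watch the collector's certificate being rejected by pointing -Server at a name that is not on the certificate.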

Any potential breaking issues?

I don’t believe there are any breaking changes, but there's a minor change to one of the parameter types.

Previously the Transport parameter was a string; it has been changed to an enum, Syslog_Protocol. PowerShell should be able to cast the strings TCP and UDP to the enum without any issues. If this assumption turns out to cause any significant issues, I'll revert this change.

What else is fixed?

This release also fixes more issues on older PowerShell versions caused by the use of [OutputType([null])]. These have now been fully removed. I want to thank athelu for reporting the issue.

Getting the Module

If you have never used the module before, the easiest way to get Posh-SYSLOG is through the PowerShell Gallery:

PS> Install-Module -Name Posh-SYSLOG

If you already have the module installed, you can update the module from the PowerShell Gallery with:

PS> Update-Module -Name Posh-SYSLOG

You can also download the release from the module’s GitHub Releases page.

Found an issue? Then raise any bugs or feature requests via GitHub Issues.

Content from The Boring Security Talk now available

In September I presented The Boring Security Talk at DDD Melbourne, NDC Sydney and the Melbourne Cloud and Datacenter Meetup.

This talk was an ambitious talk and I was attempting to cover a wide range of topics that are not commonly discussed. I really enjoyed putting the talk together and presenting it to everyone.

The NDC session was longer than DDD Melbourne, with some additional content around why items like CI/CD, DNS, Email and package security are so important. There are also some more detailed examples and descriptions.

You can find the slides here:

At the end of the talk, I also provided links to three great resources if you wanted more information:

I want to thank everyone who attended and provided feedback to me afterwards. I also want to congratulate the organisers and volunteers who helped run such great events!

Upcoming Conferences

I'm excited to announce that I'll be presenting a new talk, “The Boring Security Talk” at both DDD Melbourne and NDC Sydney in September.

Don’t let the name fool you, the session will cover how you can protect some of the often-overlooked aspects of your organisation’s security! I'll be talking about dependencies, email, DNS and CI/CD. I'm putting together a session that should interest developers, operations and security teams.

Tickets to DDD Melbourne have already sold out, but tickets are still available to NDC Sydney.

I look forward to seeing everyone at DDD and NDC!

I'm speaking at NDC Sydney


Planet PowerShell is now HTTPS only

Planet PowerShell


I'm happy to announce that Planet PowerShell is now enforcing HTTPS for all aggregated sites. I gave some extra time for authors to make the change. In the end only 3 authors opted out of moving to HTTPS, so I'm happy with the result.

I've been making some changes to the CloudFlare cache settings. Planet PowerShell consumes roughly 150GB of bandwidth each month. I'm working to ensure that most of this is served from CloudFlare and not the underlying Azure App Services. Doing this will ensure that the cost of running Planet PowerShell is kept low. Thanks to Troy Hunt for his help with this.

Finally, for those who follow my blog directly, you'll have seen me post about how I manage the DNS for Planet PowerShell. While there isn’t any PowerShell in the post, I encourage you all to read my post “Managing DNS with DNSControl, CloudFlare, DNSimple, GitHub, VSTS, Key Vault and Docker!”.