Azure Automation State Configuration
Azure Automation State Configuration (previously Azure Automation DSC), is a service provided by Azure that allows you to write, manage and compile PowerShell Desired State Configuration (DSC) configurations and assign these configurations to target virtual machines (or any server or workstation to be honest). On its own, State Configuration provides some basic configuration examples, but its true power comes form the ability for you to define your own configurations.
User created configurations need to be imported and compiled before the configuration is applied to a virtual machine. It is common when creating DSC configurations to rely on a variety of DSC Resources. The modules containing these resources need to be imported into Azure Automation for it to be able to compile any configuration. So how do we import and update these modules?
The first mechanism to manage the PowerShell modules is through the Azure Portal, by going to your Automation Account > Shared Resources > Modules. Here you can add modules from a zip file, update the built in Azure modules, or add modules from the PowerShell Gallery. This provides a simple mechanism particularly if you are starting; unfortunately, most production configurations will need multiple modules, making the Azure Portal difficult to use.
We can also manage modules via ARM templates. Define the template is relatively straight forward but requires a couple of tricks to get started. I will put together a separate blog post on how you can define your own ARM template.
Accelerating Adoption
I wanted to help those starting out with State configuration. My goal was to help accelerate new State Configuration deployments, by creating a “starter” ARM template that would install the most common PowerShell DSC modules that are in the PowerShell Gallery and the most common in my production DSC configurations. This ARM template could also be used to ensure that the modules are also updated on a regular basis.
So what modules are included? I selected 32 modules in the end. These cover the configuration of core Windows, Windows Server roles and features, security hardening, package management and Chocolatey. Most of the modules are maintained by Microsoft, however four modules, cChoco, cSpeculationControlFixes, UpdateServicesDSC and xSystemSecurity that are maintain by members of the community.
| Module Name | Author | Description |
|---|---|---|
| ActiveDirectoryCSDsc | Microsoft Corporation | This DSC Resource module can be used to install or uninstall Certificate Services components in Windows Server. |
| AuditPolicyDsc | Microsoft Corporation | The AuditPolicyDsc module allows you to configure and manage the advanced audit policy on all currently supported versions of Windows. |
| cChoco | Chocolatey Software Lawrence Gripper Javy de Koning | Chocolatey DSC Resources for use with internal packages and the community package repository. Learn more at http://chocolatey.org/ |
| CertificateDsc | Microsoft Corporation | This module includes DSC resources that simplify administration of certificates on a Windows Server |
| ComputerManagementDsc | Microsoft Corporation | The ComputerManagementDsc module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xComputer and xDisk resources. These DSC Resources allow you to perform computer management tasks, like joining a domain or initializing disks. |
| cSpeculationControlFixes | Kieran Jacobsen | PowerShell DSC for enabling Speculation Control fixes on Windows Server |
| DFSDsc | Microsoft Corporation | DSC resources for configuring Distributed File System Replication and Namespaces. |
| GPRegistryPolicy | Microsoft Corporation | Module with cmdlets to work with GP Registry Policy .pol files |
| GPRegistryPolicyParser | Microsoft Corporation | Module with parser cmdlets to work with GP Registry Policy .pol files |
| NetworkingDsc | Microsoft Corporation | Module with DSC Resources for Networking area |
| PackageManagementProviderResource | Microsoft Corporation | Module with DSC resources for the package management. |
| PSDscResources | Microsoft Corporation | This module contains the standard DSC resources. Because PSDscResources overwrites in-box resources, it is only available for WMF 5.1. Many of the resource updates provided here are also included in the xPSDesiredStateConfiguration module which is still compatible with WMF 4 and WMF 5 (though that module is not supported and may be removed in the future). |
| SecurityPolicyDsc | Microsoft Corporation | This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments |
| SqlServerDsc | Microsoft Corporation | Module with DSC Resources for deployment and configuration of Microsoft SQL Server. |
| StorageDsc | Microsoft Corporation | This module contains all resources related to the PowerShell Storage module, or pertaining to disk management. |
| UpdateServicesDsc | Michael Greene | Module with DSC Resources for deployment and configuration of Windows Server Update Services. |
| WindowsDefender | Microsoft Corporation | Windows Defender module allows you to configure Windows Defender settings. |
| xActiveDirectory | Microsoft Corporation | The xActiveDirectory module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xADDomain, xADDomainController, xADUser, and xWaitForDomain resources. These DSC Resources allow you to configure and manage Active Directory. |
| xDhcpServer | Microsoft Corporation | Module with DSC Resources for DHCP Server area |
| xDismFeature | Microsoft Corporation | Module with DSC Resources for Deployment Image Servicing and Management features. |
| xDnsServer | Microsoft Corporation | Module with DSC Resources for DNS Server area |
| xFailOverCluster | Microsoft Corporation | Module containing DSC resources used to configure FailOver Clusters. |
| xInternetExplorerHomePage | Microsoft Corporation | This DSC Resources can easily set an URL for the home page of Internet Explorer |
| xPendingReboot | Microsoft Corporation | This module identifies pending reboots in Windows Server and acts on them. |
| xPSDesiredStateConfiguration | Microsoft Corporation | The xPSDesiredStateConfiguration module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the xDscWebService, xWindowsProcess, xService, xPackage, xArchive, xRemoteFile, xPSEndpoint and xWindowsOptionalFeature resources. |
| xRemoteDesktopAdmin | Microsoft Corporation | Module with DSC Resources for enabling administrative Remote Desktop Connections |
| xSmbShare | Microsoft Corporation | Module with DSC Resources for SmbShare area |
| xSystemSecurity | Arun Chandrasekhar | Handles Windows related security settings like UAC and IE ESC. xUAC enables or disables the User Account Control prompt, while xIEEsc enables or disables IE Enhanced Security Configuration. |
| xTimeZone | Microsoft Corporation | This DSC Resources can easily set the System Time Zone. |
| xWebAdministration | Microsoft Corporation | Module with DSC Resources for Web Administration |
| xWindowsEventForwarding | Microsoft Corporation | This module can be used to manage configuration of a Windows Event Forwarding server in a Collector role. |
| xWindowsUpdate | Microsoft Corporation | Module with DSC Resources for Windows Update |
| xWinEventLog | Microsoft Corporation | Configure Windows Event Logs |
Want to get started and use the template?
You will need an Azure Automation account to start.
You can then use the Deploy to Azure button on the Git Repository or download the latest release and deploy using Azure CLI or PowerShell.
What to contribute?
The project is up on GitHub and I welcome everyone to make suggestions and recommendations. If you need a had with your first PR, check out this guide from egghead.io. I have connected this project to Azure DevOps build pipelines so all PRs will be validated for any issues.