Kieran Jacobsen

Kieran Jacobsen

He/Him. Microsoft MVP and GitKraken Ambassador. 🌏 Poshsecurity.com. 🏳‍🌈 Gay. 🐱 Cat owner.

Azure Automation State Configuration – Installing Common DSC Modules

Azure Automation State Configuration

Azure Automation State Configuration (previously Azure Automation DSC), is a service provided by Azure that allows you to write, manage and compile PowerShell Desired State Configuration (DSC) configurations and assign these configurations to target virtual machines (or any server or workstation to be honest). On its own, State Configuration provides some basic configuration examples, but its true power comes form the ability for you to define your own configurations.

User created configurations need to be imported and compiled before the configuration is applied to a virtual machine. It is common when creating DSC configurations to rely on a variety of DSC Resources. The modules containing these resources need to be imported into Azure Automation for it to be able to compile any configuration. So how do we import and update these modules?

The first mechanism to manage the PowerShell modules is through the Azure Portal, by going to your Automation Account > Shared Resources > Modules. Here you can add modules from a zip file, update the built in Azure modules, or add modules from the PowerShell Gallery. This provides a simple mechanism particularly if you are starting; unfortunately, most production configurations will need multiple modules, making the Azure Portal difficult to use.

We can also manage modules via ARM templates. Define the template is relatively straight forward but requires a couple of tricks to get started. I will put together a separate blog post on how you can define your own ARM template.

Accelerating Adoption

I wanted to help those starting out with State configuration. My goal was to help accelerate new State Configuration deployments, by creating a “starter” ARM template that would install the most common PowerShell DSC modules that are in the PowerShell Gallery and the most common in my production DSC configurations. This ARM template could also be used to ensure that the modules are also updated on a regular basis.

So what modules are included? I selected 32 modules in the end. These cover the configuration of core Windows, Windows Server roles and features, security hardening, package management and Chocolatey. Most of the modules are maintained by Microsoft, however four modules, cChoco, cSpeculationControlFixes, UpdateServicesDSC and xSystemSecurity that are maintain by members of the community.

Module Name Author Description
ActiveDirectoryCSDsc Microsoft Corporation This DSC Resource module can be used to install or uninstall Certificate Services components in Windows Server.
AuditPolicyDsc Microsoft Corporation The AuditPolicyDsc module allows you to configure and manage the advanced audit policy on all currently supported versions of Windows.
cChoco Chocolatey Software Lawrence Gripper Javy de Koning Chocolatey DSC Resources for use with internal packages and the community package repository. Learn more at http://chocolatey.org/
CertificateDsc Microsoft Corporation This module includes DSC resources that simplify administration of certificates on a Windows Server
ComputerManagementDsc Microsoft Corporation The ComputerManagementDsc module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xComputer and xDisk resources. These DSC Resources allow you to perform computer management tasks, like joining a domain or initializing disks.
cSpeculationControlFixes Kieran Jacobsen PowerShell DSC for enabling Speculation Control fixes on Windows Server
DFSDsc Microsoft Corporation DSC resources for configuring Distributed File System Replication and Namespaces.
GPRegistryPolicy Microsoft Corporation Module with cmdlets to work with GP Registry Policy .pol files
GPRegistryPolicyParser Microsoft Corporation Module with parser cmdlets to work with GP Registry Policy .pol files
NetworkingDsc Microsoft Corporation Module with DSC Resources for Networking area
PackageManagementProviderResource Microsoft Corporation Module with DSC resources for the package management.
PSDscResources Microsoft Corporation This module contains the standard DSC resources. Because PSDscResources overwrites in-box resources, it is only available for WMF 5.1. Many of the resource updates provided here are also included in the xPSDesiredStateConfiguration module which is still compatible with WMF 4 and WMF 5 (though that module is not supported and may be removed in the future).
SecurityPolicyDsc Microsoft Corporation This module is a wrapper around secedit.exe which provides the ability to configure user rights assignments
SqlServerDsc Microsoft Corporation Module with DSC Resources for deployment and configuration of Microsoft SQL Server.
StorageDsc Microsoft Corporation This module contains all resources related to the PowerShell Storage module, or pertaining to disk management.
UpdateServicesDsc Michael Greene Module with DSC Resources for deployment and configuration of Windows Server Update Services.
WindowsDefender Microsoft Corporation Windows Defender module allows you to configure Windows Defender settings.
xActiveDirectory Microsoft Corporation The xActiveDirectory module is originally part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit. This version has been modified for use in Azure. This module contains the xADDomain, xADDomainController, xADUser, and xWaitForDomain resources. These DSC Resources allow you to configure and manage Active Directory.
xDhcpServer Microsoft Corporation Module with DSC Resources for DHCP Server area
xDismFeature Microsoft Corporation Module with DSC Resources for Deployment Image Servicing and Management features.
xDnsServer Microsoft Corporation Module with DSC Resources for DNS Server area
xFailOverCluster Microsoft Corporation Module containing DSC resources used to configure FailOver Clusters.
xInternetExplorerHomePage Microsoft Corporation This DSC Resources can easily set an URL for the home page of Internet Explorer
xPendingReboot Microsoft Corporation This module identifies pending reboots in Windows Server and acts on them.
xPSDesiredStateConfiguration Microsoft Corporation The xPSDesiredStateConfiguration module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the xDscWebService, xWindowsProcess, xService, xPackage, xArchive, xRemoteFile, xPSEndpoint and xWindowsOptionalFeature resources.
xRemoteDesktopAdmin Microsoft Corporation Module with DSC Resources for enabling administrative Remote Desktop Connections
xSmbShare Microsoft Corporation Module with DSC Resources for SmbShare area
xSystemSecurity Arun Chandrasekhar Handles Windows related security settings like UAC and IE ESC. xUAC enables or disables the User Account Control prompt, while xIEEsc enables or disables IE Enhanced Security Configuration.
xTimeZone Microsoft Corporation This DSC Resources can easily set the System Time Zone.
xWebAdministration Microsoft Corporation Module with DSC Resources for Web Administration
xWindowsEventForwarding Microsoft Corporation This module can be used to manage configuration of a Windows Event Forwarding server in a Collector role.
xWindowsUpdate Microsoft Corporation Module with DSC Resources for Windows Update
xWinEventLog Microsoft Corporation Configure Windows Event Logs

Want to get started and use the template?

You will need an Azure Automation account to start.

You can then use the Deploy to Azure button on the Git Repository or download the latest release and deploy using Azure CLI or PowerShell.

What to contribute?

The project is up on GitHub and I welcome everyone to make suggestions and recommendations. If you need a had with your first PR, check out this guide from egghead.io. I have connected this project to Azure DevOps build pipelines so all PRs will be validated for any issues.

Seeking Feedback: Melbourne Microsoft Cloud and Datacenter Meetup

Posh-SYSLOG version 4 is now available