Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Configure a Azure VM with Desired State Configuration in Automation Account

While working on one of the Azure Automation Accounts project I had to test and provide a demo of Desired State Configuration (DSC) on the Azure Virtual Machine, how it can be useful. There was a client requirment to not to use Group Policy for hardening, but the configuration must be done through DSC so servers can be targeted for hardening with proper reports. I had already did one huge project with Azure automation account DSC for On-Premise Virtual Machine on boarding earlier. I have already Created an Azure Automation account on using Portal PowerShell and AzureCLI.

To process configuring State Configuration (DSC), go to the left hand side navigation pane and select it. Click the Configurations Tab, at the moment there is no data or script added in it. Click + Add button to import ps1 dsc script file. (I have already prepared DSC script below).

Microsoft Azure Automation account desired state configuration DSC add configuration compose configuration access control iam inventory change tracking update management virtual machine powershell.png

I have written this demo PowerShell DSC script which I will apply to demo Azure VM. This creates a new folder and add it to environment variable, create a new user and add it to remote desktop group, Adds telnet-client feature and removes SMBv1 role feature.

Download this script here, or it is also available on github.com.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#Written by vJanvi May 2021
#Azure Automation Accounts DSC (Desired State Configuration)

$password = "Computer@1" | ConvertTo-SecureString -asPlainText -Force
$username = "vJanvi"
[PSCredential]$credential = New-Object System.Management.Automation.PSCredential($username,$password)

$configurationData = @{
    AllNodes = @(
        @{
            NodeName                    = '*'
            PSDscAllowPlainTextPassword = $True
        }
        @{
            NodeName = "localhost"
        }
    )
}

Configuration AzVMSecurityConfig
{
    [CmdletBinding()]
    param (
        [Parameter()]
        [string]$ComputerName = 'localhost'
    )
    Import-DscResource ModuleName 'PSDesiredStateConfiguration'
    Node $ComputerName
    {
        File NewDirectory
        {
            Ensure = "Present"
            Type = "Directory"
            DestinationPath = "C:\Temp"
            Force = $true
        }

        Environment EnvVarAddPath
        {
            Ensure = "Present"
            Name = "Path"
            Path = $true
            Value = ";C:\temp"
            DependsOn = "[File]NewDirectory"
        }

        User NewUser
        {
            Ensure = "Present"
            UserName = "vJanvi"
            Description = "Second Admin"
            PasswordNeverExpires = $true
            Password = $credential
        }

        Group AddUserToGroup
        {
            Ensure = "Present"
            GroupName = "Remote Desktop Users"
            Members = "vJanvi"
            DependsOn = "[User]NewUser"
        }

        $features = @()
        $features += [pscustomobject]@{ConfigName = "TelnetClient"; Name = "Telnet-Client"; Ensure = "Present"}
        $features += [pscustomobject]@{ConfigName = "FSSMB1"; Name = "FS-SMB1"; Ensure = "Absent"}
        foreach ($feature in $features) 
        {
            WindowsFeature $feature.ConfigName
            {
                Ensure = $feature.Ensure
                Name = $feature.Name
            }
        }
    }
}

AzVMSecurityConfig -ConfigurationData $configurationData

#Start-DscConfiguration -Wait -Path AzVMSecurityConfig -Verbose -Force

Part 1: Build your first Microsoft PowerShell DSC pull server
Part 2: Generate target server node config for PowerShell DSC pull server
Part 3: Configure PowerShell DSC Local configuration manager LCM in pull mode and update configuration
How to force a PowerShell DSC client to refresh configuration from pull server

I will upload import the PowerShell DSC script, You can either add a new configuration script or update an existing one. 

Note: The configuration name in the script must match the configuration name in the textbox "Name". The file must be a DSC Configurations script (.ps1) smaller than 1 MB

Press Ok. Watch for Upload completed message.

Microsoft Azure portal desired state configuration dsc import configuration update upload completed node automation account devops powershell script ps1 workflow.png

Once I go back to Configurations tab I can see one configuration is added and compiled configuration count is 0. Click on the Configuration name.

Micorsoft Azure Portal automation account compose configuration configuration Gallary desired state configuration dsc virtual machine reset filters node.png

Click on the Compile button. Provide a COMPUTERNAME, I will type locahost. This script will be run locally on the VM. Click OK. Compile job goes into queued then it start validating imported script file. It take couple of minutes and if no error or issues in the script It shows status as Completed. Also in the notification you can view Compilation job succeeded.

Microsoft Azure desired state configuration dsc compile export delete subscription id status published compilation jobs node configuration localhost powershell devops.png

View more details of Compiled job by clicking Compilation jobs, if there are any error or issues in the script it shows the problem. You can view complete error, warnings logs or exception if any issue or invalidity in the DSC script.

Microsoft Azure Automation account dsc desired state configuration Input Errors Warnings All logs Exeption powershell script devops compilation job json view configuration status completed.png

Once everything is successful, Next go on the Configurations tab of State configuration (DSC). You can view 1 complied configuration is added.

Microsoft Azure portal desired state configuration dsc powershell node configuration management inventory change tracking update management Access control iam.png

Next go to Compiled configurations tab, localhost Node Configuration is added.

Microsoft Azure automation account IAM access control tags inventory change tracking desired state configuration dsc update management node configuration management compiled configurations compose count .png

Next step I am going to apply DSC configuration on Azure Virtual Machine, Here I have logged in onto already created Azure VM and checked the current configuration what mentioned on DSC script. As it can be seen all the configuration is not there on the host.

Microsoft Azure Automation account desired State configuration dsc powershell script compiled node configuration test-path system.environment getenvironmentvariable path get-windowsfeature get-localuser localgroupmember.png

I will configure same VM on the Automation Account DSC, click Nodes tab, then click + Add button to configure Azure Virtual Machine. 

Microsoft automation account azure desired state configuration dsc add compose configuration access control inventory status compiled configuration galary add virtual machine powershell dsc script.png

Select the virtual machine from list (I have only one VM) which I want to configure, and click on it. Click + Connect button (You can see status not connected to DSC and Power state should be VM running).

Microsoft Azure desired state configuration automation account virtual machines vm subscription resource group location power state vm running os windows status not connected powershell connect.png

On the next page, Choose the Node configuration name we configured earlier. All other configuration I have kept default, once clicked Ok it will take some time to change Status to connected and configure VM. Once VM is connected go back to Automation Account.

Microsoft azure desired state configuration nod configuration dsc refresh frequency reboot node if needed allow module override actiion after reboot continueConfiguration connect VM powershell registration url dsc.png

As on the DSC Nodes I can see the Configurtation status pie chart is green with compliant. It takes every 30 minutes to apply DSC configuration on VM.

Microsoft Azure Automation Account desired state configuration dsc access rbac overview inventory node configuration management status complient in progress pending failed unresponsive vm dsc extension version powershell.png

After some time I checked on the Azure cloud VM and compaired settings with the earlier screenshot, I can see the DSC configuration is deployed successfully.

Microsoft Azure desired state configuration test-path azureadmin get environment variable powershell administrator get-localuser get-localgroupmember COMPUTERNAME env ps1 compiled configuration dsc system.environment.png

Useful articles
POWERSHELL PS REMOTING BETWEEN STANDALONE WORKGROUP COMPUTERS  
POWERSHELL DSC XACTIVEDIRECTORY ERROR - A NETBIOS DOMAIN NAME MUST BE SPECIFIED 
DSC (DESIRED STATE CONFIGURATION) : DEPLOYING ACTIVE DIRECTORY 
THE POWERSHELL XACTIVEDIRECTORY PROVIDER DOES NOT EXIST AT THE POWERSHELL MODULE PATH NOR IS IT REGISTERED AS A WMI PROVIDER

Go Back

Comment

Blog Search

Page Views

5885106

Follow me on Blogarama