While working on an Azure Automation Accounts project I had to test and demo Desired State Configuration (DSC) on an Azure virtual machine and show how it can be useful. The client requirement was not to use Group Policy for hardening; the configuration had to be done through DSC so that servers could be targeted for hardening with proper reports. I had already done one large project onboarding on-premises virtual machines with Azure Automation Account DSC. I have already created an Azure Automation Account using the portal, PowerShell and the Azure CLI.
To start with State Configuration (DSC), select it in the left-hand navigation pane. Click the Configurations tab; at the moment there is no data or script in it. Click the + Add button to import a .ps1 DSC script file (I have already prepared the DSC script below).
I have written this demo PowerShell DSC script, which I will apply to the demo Azure VM. It creates a new folder and adds it to the Path environment variable, creates a new user and adds it to the Remote Desktop Users group, adds the Telnet-Client feature and removes the SMBv1 (FS-SMB1) role feature.
Download the script here; it is also available on github.com.
```powershell
#Written by vJanvi May 2021
#Azure Automation Accounts DSC (Desired State Configuration)

# Demo only: the password is hard-coded and PSDscAllowPlainTextPassword is enabled below.
# In Azure Automation a credential asset (Get-AutomationPSCredential) is the usual way to
# supply this instead of embedding it in the script.
$password = "Computer@1" | ConvertTo-SecureString -AsPlainText -Force
$username = "vJanvi"
[PSCredential]$credential = New-Object System.Management.Automation.PSCredential($username, $password)

$configurationData = @{
    AllNodes = @(
        @{
            NodeName                    = '*'
            PSDscAllowPlainTextPassword = $True
        }
        @{
            NodeName = "localhost"
        }
    )
}

Configuration AzVMSecurityConfig {
    [CmdletBinding()]
    param (
        [Parameter()]
        [string]$ComputerName = 'localhost'
    )

    # A plain ASCII hyphen is required here; an en-dash in "-ModuleName" breaks parsing.
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $ComputerName {

        # Create C:\Temp
        File NewDirectory {
            Ensure          = "Present"
            Type            = "Directory"
            DestinationPath = "C:\Temp"
            Force           = $true
        }

        # Append C:\Temp to the machine Path variable (the resource adds its own ';' separator)
        Environment EnvVarAddPath {
            Ensure    = "Present"
            Name      = "Path"
            Path      = $true
            Value     = "C:\Temp"
            DependsOn = "[File]NewDirectory"
        }

        # Create the local account used as a second admin
        User NewUser {
            Ensure               = "Present"
            UserName             = "vJanvi"
            Description          = "Second Admin"
            PasswordNeverExpires = $true
            Password             = $credential
        }

        # Grant the account RDP access
        Group AddUserToGroup {
            Ensure    = "Present"
            GroupName = "Remote Desktop Users"
            Members   = "vJanvi"
            DependsOn = "[User]NewUser"
        }

        # Windows features: install Telnet-Client, remove the SMBv1 server feature
        $features = @()
        $features += [pscustomobject]@{ConfigName = "TelnetClient"; Name = "Telnet-Client"; Ensure = "Present"}
        $features += [pscustomobject]@{ConfigName = "FSSMB1";       Name = "FS-SMB1";       Ensure = "Absent"}

        foreach ($feature in $features) {
            WindowsFeature $feature.ConfigName {
                Ensure = $feature.Ensure
                Name   = $feature.Name
            }
        }
    }
}

AzVMSecurityConfig -ConfigurationData $configurationData
#Start-DscConfiguration -Wait -Path AzVMSecurityConfig -Verbose -Force
```
I will upload the PowerShell DSC script. You can either add a new configuration script or update an existing one.
Note: The configuration name in the script must match the configuration name in the "Name" textbox. The file must be a DSC configuration script (.ps1) smaller than 1 MB.
Press OK and watch for the Upload completed message.
Back on the Configurations tab I can see one configuration has been added and the compiled configuration count is 0. Click on the configuration name.
Click the Compile button. Provide a COMPUTERNAME; I type localhost, since this configuration will be applied locally on the VM. Click OK. The compile job goes into the Queued state and then starts validating the imported script. It takes a couple of minutes and, if there are no errors in the script, the status shows Completed. The notification area also shows "Compilation job succeeded".
View more details of the compile job by clicking Compilation jobs; if there are errors in the script, this is where the problem is shown. You can view the complete error and warning logs, and any exception raised by an invalid DSC script.
Once everything is successful, go back to the Configurations tab of State configuration (DSC). You can see that 1 compiled configuration has been added.
Next go to the Compiled configurations tab; the localhost node configuration has been added.
In the next step I am going to apply the DSC configuration to the Azure virtual machine. Here I have logged on to the already created Azure VM and checked the current state of the settings mentioned in the DSC script. As can be seen, none of the configuration is present on the host yet.
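The "before" check on the VM (and the "after" check once the node is compliant) can be scripted instead of compared by screenshot. The following is an added example, not part of the original post: it runs on the Windows Server VM in an elevated PowerShell session and tests the same four settings the AzVMSecurityConfig script enforces (folder, Path entry, local user and group membership, the two Windows features), reporting each as Present/Absent against the expected state. The folder, user name, group and feature names are taken from the script above; the `Test-AzVMSecurityConfig` function name is my own.

```powershell
# Added example (not from the original post): verify, on the VM itself, the settings that the
# AzVMSecurityConfig DSC script manages. Expected values mirror the DSC script; the function
# name Test-AzVMSecurityConfig is an assumption introduced here.
$expected = @{
    Folder    = 'C:\Temp'
    UserName  = 'vJanvi'
    GroupName = 'Remote Desktop Users'
    Features  = @{ 'Telnet-Client' = 'Present'; 'FS-SMB1' = 'Absent' }
}

function Test-AzVMSecurityConfig {
    [CmdletBinding()]
    param([hashtable]$Expected = $expected)

    $results = @()

    # File resource: the folder exists
    $results += [pscustomobject]@{
        Check    = "Folder $($Expected.Folder) exists"
        Expected = 'Present'
        Actual   = if (Test-Path -Path $Expected.Folder -PathType Container) { 'Present' } else { 'Absent' }
    }

    # Environment resource: the folder is on the machine-level Path (DSC writes the Machine scope).
    # -contains is case-insensitive, so C:\temp and C:\Temp both match.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
    $results += [pscustomobject]@{
        Check    = "$($Expected.Folder) in machine Path"
        Expected = 'Present'
        Actual   = if ($machinePath -contains $Expected.Folder) { 'Present' } else { 'Absent' }
    }

    # User resource: the local account exists
    $user = Get-LocalUser -Name $Expected.UserName -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check    = "Local user $($Expected.UserName)"
        Expected = 'Present'
        Actual   = if ($user) { 'Present' } else { 'Absent' }
    }

    # Group resource: the account is a member of Remote Desktop Users (names come back as COMPUTER\user)
    $members  = Get-LocalGroupMember -Group $Expected.GroupName -ErrorAction SilentlyContinue
    $isMember = $members | Where-Object { $_.Name -like "*\$($Expected.UserName)" }
    $results += [pscustomobject]@{
        Check    = "$($Expected.UserName) in $($Expected.GroupName)"
        Expected = 'Present'
        Actual   = if ($isMember) { 'Present' } else { 'Absent' }
    }

    # WindowsFeature resources: Telnet-Client installed, SMBv1 server feature removed
    foreach ($name in $Expected.Features.Keys) {
        $feature = Get-WindowsFeature -Name $name
        $results += [pscustomobject]@{
            Check    = "Windows feature $name"
            Expected = $Expected.Features[$name]
            Actual   = if ($feature.Installed) { 'Present' } else { 'Absent' }
        }
    }

    # Mark each row compliant when actual state matches the DSC script's intent
    $results | ForEach-Object {
        $_ | Add-Member -NotePropertyName Compliant -NotePropertyValue ($_.Expected -eq $_.Actual) -PassThru
    }
}

Test-AzVMSecurityConfig | Format-Table -AutoSize

# After the node is registered, the LCM's own record of its last run can be compared with the table above
Get-DscConfigurationStatus | Select-Object Status, Mode, StartDate, NumberOfResources
```

Before onboarding, every row should show Absent (or Present for FS-SMB1 on an older image); after the first pull cycle the Compliant column should be all True, matching the green pie chart in the Automation Account.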
I will configure the same VM in the Automation Account DSC: click the Nodes tab, then click the + Add button to configure the Azure virtual machine.
Select the virtual machine to configure from the list (I have only one VM) and click on it. Click the + Connect button (the status shows Not connected to DSC, and the power state should be VM running).
On the next page, choose the node configuration name we compiled earlier. I have kept all other settings at their defaults. Once you click OK it takes some time for the status to change to Connected and for the VM to be configured. Once the VM is connected, go back to the Automation Account.
On the DSC Nodes blade I can see the Configuration status pie chart is green, showing Compliant. The DSC configuration is applied to the VM every 30 minutes.
After some time I checked the Azure VM again and compared the settings with the earlier screenshot; I can see the DSC configuration has been deployed successfully.
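The whole portal workflow above (import the configuration, compile it, onboard the VM as a node, read back compliance) can also be driven from PowerShell with the Az.Automation module, which is what you would do to roll the same hardening out to many servers. The following is an added example and not code from the original post or from Azure: the resource group, Automation Account and VM names are placeholders, while the configuration name `AzVMSecurityConfig`, the `ComputerName` parameter and the resulting node configuration name `AzVMSecurityConfig.localhost` follow from the script above. It assumes the Az module is installed and that you are signed in with rights on the Automation Account and the VM.

```powershell
# Added example (not from the original post): the portal steps as Az.Automation cmdlets.
# Placeholders below must be replaced with your own resource names.
Connect-AzAccount | Out-Null

$rg         = 'rg-automation-demo'        # placeholder: resource group of the Automation Account
$account    = 'aa-dsc-demo'               # placeholder: Automation Account name
$vmName     = 'vm-dsc-demo'               # placeholder: Azure VM to onboard
$vmRg       = $rg                         # placeholder: resource group of the VM
$scriptPath = '.\AzVMSecurityConfig.ps1'  # the DSC script from the post, saved locally

# 1. Import (or overwrite) the configuration. As in the portal, the Configuration name inside
#    the .ps1 must match the file's base name.
Import-AzAutomationDscConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -SourcePath $scriptPath -Published -Force | Out-Null

# 2. Compile it into a node configuration. ConfigurationData passed here plays the role of the
#    $configurationData hashtable in the script; the ComputerName parameter is the portal's
#    COMPUTERNAME prompt and becomes the node name.
$configData = @{
    AllNodes = @(
        @{ NodeName = '*'; PSDscAllowPlainTextPassword = $true }
        @{ NodeName = 'localhost' }
    )
}
$job = Start-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account `
    -ConfigurationName 'AzVMSecurityConfig' -ConfigurationData $configData `
    -Parameters @{ ComputerName = 'localhost' }

# Poll until the compile job reaches a terminal state (Queued -> Running -> Completed/Failed)
do {
    Start-Sleep -Seconds 15
    $job = Get-AzAutomationDscCompilationJob -ResourceGroupName $rg -AutomationAccountName $account -Id $job.Id
    Write-Host "Compilation job status: $($job.Status)"
} while ($job.Status -in 'New', 'Queued', 'Activating', 'Starting', 'Running')

if ($job.Status -ne 'Completed') {
    # The same error stream the portal shows under Compilation jobs
    Get-AzAutomationDscCompilationJobOutput -ResourceGroupName $rg -AutomationAccountName $account `
        -Id $job.Id -Stream Error
    throw "Compilation ended with status $($job.Status)"
}

# Equivalent of the Compiled configurations tab
Get-AzAutomationDscNodeConfiguration -ResourceGroupName $rg -AutomationAccountName $account `
    -ConfigurationName 'AzVMSecurityConfig' | Select-Object Name, CreationTime

# 3. Onboard the VM (Nodes > + Add > Connect in the portal) and pin it to the compiled node
#    configuration. ApplyAndAutocorrect re-applies the configuration when drift is detected.
Register-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $account `
    -AzureVMName $vmName -AzureVMResourceGroup $vmRg `
    -NodeConfigurationName 'AzVMSecurityConfig.localhost' `
    -ConfigurationMode 'ApplyAndAutocorrect' -RebootNodeIfNeeded $true

# 4. Compliance as reported back to the Automation Account (the pie chart on the Nodes blade).
#    The node shows Pending until the first pull cycle has run.
$node = Get-AzAutomationDscNode -ResourceGroupName $rg -AutomationAccountName $account -Name $vmName
$node | Select-Object Name, Status, NodeConfigurationName, LastSeen

Get-AzAutomationDscNodeReport -ResourceGroupName $rg -AutomationAccountName $account -NodeId $node.Id -Latest |
    Select-Object Status, StartTime, EndTime, NumberOfResources
```

For a fleet, steps 3 and 4 are the ones to wrap in a loop over `Get-AzVM` output; the node reports returned by `Get-AzAutomationDscNodeReport` are the data behind the per-server hardening reports the client asked for.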