Desired State Configuration

Desired State Configuration (DSC) is a management framework in PowerShell that provides a standardized way of defining how a system should be configured. This enables the complete automation of device configuration using a declarative model: you create a configuration that states how a device should be configured, publish that configuration, then wait for the devices to update themselves to match the configuration.

A single configuration can be used across multiple devices, ensuring they are maintained with identical and standardized settings. This prevents configuration drift when multiple changes occur over a period of time.

DSC supports two deployment methods:

  • Push mode: In this mode, the administrator makes the configurations and then manually pushes them out to the target devices. This is a one-way communication, and can only work if the devices are available on the network at the time of the push. It also assumes the appropriate PowerShell modules are available on all devices. This option is best suited to small environments where all devices are connected at all times.
  • Pull mode: In this mode, the administrator creates a pull server that is used to host the configurations. Then, each of the devices is configured to contact this server at regular intervals (such as every 15 minutes) to look for any changes to configurations. If changes are found, the device can pull both the DSC data and any required modules. This automates the deployment of configurations at a high frequency and doesn't require further interaction from the administrator.

DSC has both a configuration and a resource side, and a configuration manager runs the show between the two:

  • Configurations: These are PowerShell scripts that define and configure the resources. The DSC engine will look at the configuration and resources available and make the system adopt the desired state.
  • Resources: A resource is code that keeps the target of a configuration in a specific state. Resources are most typically packaged in PowerShell modules. By default, DSC has several resources, which you can see by running the Get-DscResource cmdlet.
  • Local Configuration Manager (LCM): This runs on the local device to ensure that the configuration is applied correctly. The LCM polls the system to ensure the state defined by the configuration is maintained and corrects any errors.

An example use of DSC configurations is preventing a specific process from running, or ensuring that a registry key or security policy is set in a specific way to meet your security requirements. Think of this capability as Group Policy, augmented with much greater flexibility.
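The following is an added example, not taken from the original text, showing a push-mode configuration that pins a registry value and keeps a service stopped, plus an LCM setting that re-applies the state when it drifts. It assumes Windows PowerShell 5.1 in an elevated session; the node name, the C:\DSC output paths, and the choice of the SMB1 value and the RemoteRegistry service (a service is used here rather than a process) are illustrative assumptions.

```powershell
# Added example: node name, output paths and chosen settings are assumptions.
Configuration SecurityBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        # Registry value held in a specific state: SMBv1 server protocol disabled.
        Registry DisableSmb1Server {
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # Service kept stopped and unable to start at boot.
        Service RemoteRegistryOff {
            Name        = 'RemoteRegistry'
            State       = 'Stopped'
            StartupType = 'Disabled'
        }
    }
}

# LCM meta-configuration: push mode, re-check every 15 minutes and
# correct any setting that no longer matches the configuration.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node 'localhost' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
        }
    }
}

# Compile both configurations to MOF files.
SecurityBaseline -OutputPath 'C:\DSC\SecurityBaseline'
LcmAutoCorrect   -OutputPath 'C:\DSC\Lcm'

# Configure the LCM first, then push the baseline and wait for the result.
Set-DscLocalConfigurationManager -Path 'C:\DSC\Lcm' -Verbose
Start-DscConfiguration -Path 'C:\DSC\SecurityBaseline' -Wait -Verbose

# Drift check: reports which resources are, and are not, in the desired state.
Test-DscConfiguration -Detailed
```

Running Test-DscConfiguration on a schedule and alerting when resources are reported as not in the desired state gives a simple signal that a setting was changed outside of DSC.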

For more advanced configuration, use the official Microsoft DSC resource kit: https://gallery.technet.microsoft.com/scriptcenter/DSC-Resource-Kit-All-c449312d.