Simple Push DSC with SCCM Compliance Items Matthew H. Teegarden Systems Software Engineer Lifetouch Inc. Joseph AMOSA
@JosephDKaster Being awesome SCCM, SCORCH, PS, etc MCT, MCSE, MCSA Working with SCCM since SMS 1.2. Working with PowerShell since 1.0 Have pit tickets to both nights of Pearl Jam at Wrigley Field
Y'all know DSC, yo? What do you know about DSC?
What is PowerShell DSC
- Feature in PS v4 and above
- Declarative scripting – maintain consistent configuration sets across computers or devices
- Write the script to describe what the system should 'look like'
- Enable or disable a server role
- Deploy new software
- Manage registry settings
- Manage files and directories
- Manage services and processes
- Manage groups and user accounts
- Fixing 'drift'
Imperative versus Declarative

Imperative:

    Add-WindowsFeature Windows-Server-Backup

Declarative:

    Configuration BaseBuild {
        # Describe the desired end state; the LCM works out how to get there
        WindowsFeature Backup {
            Ensure = "Present"
            Name   = "Windows-Server-Backup"
        }
    }
Requirements
- .NET Framework 4.5
- PowerShell remoting enabled

Requirements for PUSH
- PowerShell DSC modules (see demo)

Requirements for PULL
- IIS
- File Share
Built-In Resources (v4)
- File
- Archive
- Environment
- Group
- Log
- Package
- Registry
- Script
- Service
- User
- WindowsFeature
- WindowsProcess
What about Group Policy?

DSC
- No domain needed
- Works with no network at all
- MOF based (open platform)
- Reverts a change
- Resources drive coverage
- Authentication flexibility
- Requires PS v4.0 and remoting (WSMAN)
- Can emulate GPO by setting Policy registry path values
- Learning curve

GPO
- Only works in domain scenario
- Connectivity generally needed
- Born from registry control
- Prevents a change
- No WMF dependency
- Well-known and established
Local MOFs

    Directory: C:\Windows\System32\Configuration

    Mode    LastWriteTime        Length  Name
    d---s-  3/29/2015 7:55 PM            BaseRegistration
    d---s-  3/30/ :27 PM                 ConfigurationStatus
    d---s-  3/29/2015 7:55 PM            PartialConfigurations
    d---s-  8/22/ :36 AM                 Registration
    d---s-  8/22/ :36 AM                 Schema
    -a----  8/25/2014 2:55 PM    2636    backup.mof
    -a----  3/30/ :14 AM         3880    Current.mof
    -a----  3/31/2015 9:25 AM    198     DSCEngineCache.mof
    -a----  3/31/2015 9:26 AM    2492    DSCResourceStateCache.mof
    -a----  3/31/2015 9:25 AM            DSCStatusHistory.mof
    -a----  3/29/2015 9:31 PM    714     MetaConfig.backup.mof
    -a----  3/30/2015 9:55 AM    1104    MetaConfig.mof
    -a----  3/30/ :13 AM         3880    Previous.mof
    -a----  3/29/2015 7:00 PM    3       PullRunLog.txt

Callouts:
- Current.mof: current DSC configuration
- MetaConfig.mof: current LCM settings
LCM Properties

Get-DscLocalConfigurationManager
- ConfigurationMode: ApplyOnly, ApplyAndMonitor, ApplyAndAutoCorrect
- ConfigurationModeFrequencyMins: interval to apply configuration
- RefreshFrequencyMins: interval to pull configuration
- RefreshMode: Push, Pull, Disabled

    PS C:\> Get-DscLocalConfigurationManager

    ActionAfterReboot              : ContinueConfiguration
    AgentId                        : 2F09ADC2-EE73-11E4-...
    AllowModuleOverWrite           : False
    CertificateID                  :
    ConfigurationDownloadManagers  : {}
    ConfigurationID                :
    ConfigurationMode              : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential                     :
    DebugMode                      : {All}
    DownloadManagerCustomData      :
    DownloadManagerName            :
    LCMCompatibleVersions          : {1.0, 2.0}
    LCMState                       : Idle
    LCMStateDetail                 :
    LCMVersion                     : 2.0
    MaxPendingConfigRetryCount     :
    StatusRetentionTimeInDays      : 10
    PartialConfigurations          :
    RebootNodeIfNeeded             : False
    RefreshFrequencyMins           : 30
    RefreshMode                    : PUSH
    ReportManagers                 : {}
    ResourceModuleManagers         : {}
    PSComputerName                 :
How does it work
- Start with a configuration script listing the elements you want configured and how you want them configured
- The configuration also specifies the machine(s) or 'nodes' to target
- The configuration compiles to a MOF file – each machine gets its own
- Each machine can only have one configuration MOF file. However, partial configurations can be edited.
- MOF files get distributed to the nodes
- PUSH – manual file copy via WinRM
- PULL – nodes check a web server to retrieve their MOF
- Cool kids use PULL.
- Nodes check every few minutes for a new or updated MOF and make sure settings match the MOF
How to configure a PUSH server
- Download the DSC Resource Kit - Resource-Kit-All-c449312d
- Or at a minimum download the xPSDesiredStateConfiguration module - 417dc71d
- Add the Windows PowerShell Desired State Configuration Windows Feature
- Also can run from PS: Add-WindowsFeature DSC-Service
- WinRM needs to be enabled as well: WinRM quickconfig
- PSRemoting: Enable-PSRemoting
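The push workflow from the "How does it work" and PUSH server slides, end to end, as an added PowerShell example that is not from the original deck. The node name SERVER01 and the C:\DSC output paths are assumptions; the WindowsFeature resource is the one from the Imperative versus Declarative slide.

```powershell
# Added example. $node and the C:\DSC paths are hypothetical; adjust to your environment.
$node = 'SERVER01'

# LCM meta-configuration (WMF 4 syntax): stay in PUSH mode and
# have the node re-apply the MOF whenever it detects drift.
Configuration LcmPush {
    param([string[]]$ComputerName)
    Node $ComputerName {
        LocalConfigurationManager {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# The declarative configuration from the slide, now targeted at a node.
Configuration BaseBuild {
    param([string[]]$ComputerName)
    Node $ComputerName {
        WindowsFeature Backup {
            Ensure = 'Present'
            Name   = 'Windows-Server-Backup'
        }
    }
}

# Compile: each call writes one MOF per node into its output folder.
LcmPush   -ComputerName $node -OutputPath C:\DSC\LcmPush    # SERVER01.meta.mof
BaseBuild -ComputerName $node -OutputPath C:\DSC\BaseBuild  # SERVER01.mof

# Push over WinRM: LCM settings first, then the configuration itself.
Set-DscLocalConfigurationManager -Path C:\DSC\LcmPush -ComputerName $node -Verbose
Start-DscConfiguration -Path C:\DSC\BaseBuild -ComputerName $node -Wait -Verbose

# Verify: $true means the node currently matches its Current.mof.
$session = New-CimSession -ComputerName $node
Test-DscConfiguration -CimSession $session
Get-DscLocalConfigurationManager -CimSession $session |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins
Remove-CimSession $session
```

With ConfigurationMode left at ApplyAndMonitor, as in the LCM output shown earlier, drift is only logged and Test-DscConfiguration returns False until the configuration is pushed again.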
Demo Now for the fun stuff!
Troubleshooting DSC
- Using Event Logs to Diagnose Errors in Desired State Configuration: event-logs-to-diagnoseerrors-in-desired-state-configuration.aspx
- DSC Diagnostics Module – Analyze DSC Logs instantly now!: diagnostics-moduleanalyze-dsc-logs-instantly-now.aspx
Troubleshooting DSC - Continued

PowerShell:

    Get-DscConfigurationStatus
    Get-DscConfigurationStatus | Format-List *
    Test-DscConfiguration -Detailed
    Get-Content C:\Windows\System32\Configuration\DSCStatusHistory.mof
    Get-DscConfigurationStatus -All | Out-GridView

Event Logs:

    Get-WinEvent -ListLog *dsc*,*desired* -Force | Out-GridView
    Get-WinEvent -LogName Microsoft-Windows-DSC/Operational -MaxEvents 50 | Out-GridView

xDscDiagnostics Module:

    Get-Command -Module xDscDiagnostics
    # Enable analytic and debug logs
    'Analytic','Debug' | ForEach-Object {Update-xDscEventLogStatus -Channel $_ -Status Enabled}
    Get-xDscOperation -Newest 10
    Trace-xDscOperation -JobID '{JobID}' | Out-GridView
And Then …