Configuring Azure DSC Automation with PowerShell in 5 steps

In this blog, I will review the configuration and implementation process of Desired State Configuration (DSC) automation in Azure in the simplest and easiest way, in only 5 steps.

DSC review

DSC is a management platform in PowerShell that enables you to manage your IT and development infrastructure with configuration as code, both on-premises and in Azure.
DSC contains a lot of resources, and each resource has a different capability, such as registry, service, files, user, computer, WindowsFeature, and many more.
Using these capabilities, you can “force” a configuration type on all machines with the same target.
For example, you can ensure that all web servers have a specific web page (file configuration), an IIS component (WindowsFeature), and a specific registry configuration using the Registry resource.
You can set the node/target machine’s configuration so that if one of the components is missing or has been uninstalled somehow, it will be configured/installed back on the node.

Azure DSC is part of the Azure Automation management service, which allows you to write, import, manage and implement Desired State Configuration for the following machine locations:

  • Azure virtual machines

Pricing

“Managing Azure VMs with Azure Automation State Configuration is included at no extra charge if the installed Azure VM Desired State Configuration extension version is greater than 2.70.”

More information about DSC extension versions can be found here: https://docs.microsoft.com/en-us/azure/automation/automation-dsc-extension-history

Supported VMs

For nodes running Windows, the following versions are supported:

  • Windows Server 2019

For nodes running Linux, see the following link: https://github.com/Azure/azure-linux-extensions/tree/master/DSC#4-supported-linux-distributions

Azure DSC configuration steps

There are 5 basic steps for configuring Azure DSC for Azure VMs:

  1. Create an Automation account.

Create an Automation account

In order to use DSC, we first have to create the Azure Automation account, which is responsible for and controls the DSC mechanism.

To create an Automation account in the easiest way, run the following PowerShell command:

New-AzAutomationAccount -ResourceGroupName EXCH -Name DCAUTO -Location westeurope

To create the Automation account via the Azure portal, search for “automation” in the Azure Marketplace and add it:

Choose Automation and click Create.

Now fill in the name you would like to give the Automation account, the resource group where the Automation account will be located, and the location.
When you are done, click Create.

Since we have not yet configured anything and didn’t register any node yet, the DSC will be empty

Create the configuration file

Now that the Automation account exists, we can create and upload our configuration file.
I have created a small and simple configuration file which includes the following configuration:

  • Load the PowerShell DSC Configuration module

After I have created the file and saved it as C:\Temp\DSC\Test.ps1

  • You can find the configuration script at the end of the blog.
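A configuration along the lines described in this post, as an added example (it is not the author's script, which is not reproduced on this page). The configuration name Test matches the Test.localhost node configuration used later; the registry key, value name and the Guest account setting are constructed values chosen for illustration.

```powershell
# Added example, not the author's script. Save as C:\Temp\DSC\Test.ps1.
# The configuration name must match the file name for the Azure import.
Configuration Test
{
    # Load the built-in DSC resource module
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        # Windows feature used in this post's drift demonstration
        WindowsFeature TelnetClient
        {
            Name   = 'Telnet-Client'
            Ensure = 'Present'
        }

        # Constructed registry value (hypothetical key and value names)
        Registry DemoValue
        {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\DscDemo'
            ValueName = 'ManagedBy'
            ValueData = 'AzureDSC'
            ValueType = 'String'
            Ensure    = 'Present'
        }

        # Constructed user setting: keep the built-in local Guest account disabled.
        # Applies to member servers; domain controllers have no local accounts.
        User GuestDisabled
        {
            UserName = 'Guest'
            Disabled = $true
            Ensure   = 'Present'
        }
    }
}

# For local MOF generation only (not needed for the Azure import):
# Test -OutputPath C:\Temp\DSC
```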

Import the configuration file

Now we can upload and import the configuration file to Azure DSC.
If you would like to make the process shorter, you can run the following PowerShell command:

Import-AzAutomationDscConfiguration -SourcePath C:\Temp\DSC\test.ps1 -ResourceGroupName EXCH -AutomationAccountName DCAUTO -Published

At the end of the process, you should get the next output:

In case you would like to import the file using the Azure portal, navigate to the State Configuration (DSC), click on Configuration and then click on +Add

Now choose the location and the file that you would like to upload like the next example:

After choosing the file, click on OK at the bottom of the screen.

You can see the uploaded configuration from the automation portal

Compile the configuration file

Now that we have imported the configuration file, we need to compile it.
The easiest way to do so is by using a PowerShell command:

Start-AzAutomationDscCompilationJob -ResourceGroupName exch -ConfigurationName test -AutomationAccountName DCAUTO

You can verify that the file was compiled successfully via PowerShell

If we would like to compile the configuration file using the Azure portal, we first need to create a MOF (Managed Object Format) file.
It is actually a very simple step: just open PowerShell and run the configuration file (C:\Temp\DSC\Test.ps1 in our example):

After we have created the MOF file, we need to upload it.
To do so, navigate to the State Configuration (DSC), click on Compiled configurations and then click on +Add

Now choose the file location:

Then click OK

You can verify that the file was compiled successfully via the Azure portal

Register VMs with the DSC configuration

The last part is registering (or attaching) the configuration we have set to the VMs.

Again, the simple way is to use a PowerShell command:

Register-AzAutomationDscNode -AzureVMName DC01 -ResourceGroupName EXCH -AutomationAccountName DCAUTO -NodeConfigurationName Test.localhost -ConfigurationMode ApplyAndAutocorrect

We can set a very important option while registering the VM using the PowerShell command.
ConfigurationMode has 3 options that we can set for DSC in an Azure VM.
This value specifies how the LCM (Local Configuration Manager) actually applies the configuration to the target nodes.
Possible values are “ApplyOnly”, “ApplyAndMonitor”, and “ApplyAndAutoCorrect”.

  • ApplyOnly: DSC applies the configuration and does nothing further unless a new configuration is pushed to the target node or when a new configuration is pulled from service. After the initial application of a new configuration, DSC does not check for drift from a previously configured state. Note that DSC will attempt to apply the configuration until it is successful before ApplyOnly takes effect.

After we have registered DC01, we can see it's now in a Compliant state, meaning that all the configuration we “enforced” was implemented on the DC01 VM:

We can drill down into the status and see exactly what the configuration status is for each part of the settings by clicking on the Compliant status:

Clicking on the most updated status will reveal the configuration

Another way to see the status of DSC on a specific VM is by navigating to the VM, then selecting Configuration management:

If you would like to register a VM using the Azure portal, please note that you can add only one VM at a time.
To register a VM, verify that you have selected the Nodes tab, then click +Add

Now select the machine that you would like to register

  • As I mentioned earlier, using the Azure portal, you can select only one VM at a time, unlike PowerShell:

Now click + Connect

Select the configuration name (test.localhost in our example) and the configuration mode according to your needs.
When you have completed the settings, click OK

After a few minutes, we will be able to see EX01 on the DSC dashboard:

Adding another VM will be reflected on the DSC dashboard as well:

Troubleshooting DSC configuration

  • The configuration is checked by default every 15 minutes, therefore it will sometimes take a few minutes until the configuration is enforced or monitored.
  • To view the current Local Configuration Manager (LCM) settings, run the following command from the target VM:

Get-DscLocalConfigurationManager

  • To verify that all the components from the configuration file were implemented (3 in our example: WindowsFeature, Registry, and User), run the following command from the target VM:

Get-DscConfigurationStatus

  • If one of the configuration components is changed, the status of the VM changes from Compliant to Not compliant.
    I have removed the Telnet-Client Windows Feature from DC02 and the dashboard was changed accordingly:

Since the registration of DC02 was set to Apply and monitor, I will only get an alert that the VM is Not compliant, but the policy will not be enforced again

In case I would like to enforce the policy, I should register the VM with the Apply and autocorrect configuration.

  • The next example informs us that the Telnet Client component is OK by checking the Ensure attribute.
    If it is in a Present state, the configuration is set on the VM:

Get-DscConfiguration

After we have removed the Telnet Client component, we can see that the Ensure attribute was changed to Absent

  • Another way to check the status of the DSC configuration is by running the following command and verifying that the status is True.
    If the VM is not compliant, the status will be False:

Test-DscConfiguration
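The checks above combined into one drift report, as an added example (not from the original post). The function name Get-DscDriftReport is hypothetical; it uses only the built-in Get-DscLocalConfigurationManager and Test-DscConfiguration cmdlets and is meant to be run in an elevated session on the target VM.

```powershell
# Added example: summarize LCM mode and configuration drift on this node.
function Get-DscDriftReport {
    # LCM settings: how the configuration is applied and how often it is checked
    $lcm  = Get-DscLocalConfigurationManager
    # -Detailed returns the per-resource result instead of a bare True/False
    $test = Test-DscConfiguration -Detailed

    # foreach over an empty/null collection yields nothing, so this stays an empty array
    $drifted = @(foreach ($r in $test.ResourcesNotInDesiredState) { $r.ResourceId })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ConfigurationMode = $lcm.ConfigurationMode
        CheckIntervalMins = $lcm.ConfigurationModeFrequencyMins
        InDesiredState    = $test.InDesiredState
        DriftedResources  = $drifted
        AutoCorrects      = ($lcm.ConfigurationMode -eq 'ApplyAndAutoCorrect')
    }
}

$report = Get-DscDriftReport
$report | Format-List

# A node registered as ApplyOnly or ApplyAndMonitor is not repaired automatically,
# so drift found here stays in place until someone acts on it.
if (-not $report.InDesiredState -and -not $report.AutoCorrects) {
    Write-Warning ("{0} has drifted ({1}) and ConfigurationMode is {2}: drift will not be remediated automatically." -f `
        $report.ComputerName, ($report.DriftedResources -join ', '), $report.ConfigurationMode)
}
```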

Summary

Azure DSC is very simple, cheap and easy to use for managing configuration on a variety of VMs (Windows, Linux, Azure VMs and on-premises VMs), with one place to manage all of them.

There are 5 simple steps for configuring and implementing Azure DSC:

  1. Create an Automation account:
    New-AzAutomationAccount -ResourceGroupName EXCH -Name DCAUTO -Location westeurope

Configuration script sample

For the last 13 years, I have been working as a Senior Customer Success Engineer (former PFE) at Microsoft. My areas of expertise are Exchange, PowerShell & Azure.