Monday, 23 October 2017

Learn PowerShell DSC - Part 5


Welcome to part 5! Hopefully you’re getting the hang of pushing out DSC configurations and are wondering if there are other ways to deploy DSC configurations and in fact, you’re in luck! Today’s we’ll go through how you can get the target machine to automatically pull the DSC configuration rather than you having to push it out.

There are two methods you can use to pull DSC configurations - SMB and HTTP/HTTPS. We’ll go through the simplest one first - SMB pull.

Other parts in this series:

What is DSC SMB Pull?

SMB Pull allows you to store your DSC configurations (.MOF) in an SMB share which the target machines then connect to, download and apply their configurations. There are three steps we will go through:

  • Set up a DSC SMB Pull Server
  • Configure target machine for DSC SMB Pull
  • Create DSC configuration for SMB pull target machine

Once done, we basically create a DSC configuration, target it at the target machine and also create a checksum file. We’ll go through this in more detail later on.

Set up a DSC SMB Pull Server

Now, this is easy. Just create a share and provide read access to the computer account of the target machine. This is because DSC runs as the Local System account by default.

1. Create a folder e.g. C:\DSCSMB

2. Share the folder as DSCSMB and grant full control to Everyone:


3. Configure the NTFS permissions by disabling inheritance, removing permissions for Users and granting read only permissions for the target machine computer account or an AD group which contains the computer accounts.As I’m just doing a demo, I’ll assign permissions to “Contoso\Domain Computers”.


Configure target machine for DSC SMB Pull

By default, DSC is configured for push configurations only and obviously it has no idea that we have an SMB Pull server or what its UNC path is so we’ll need to configure this. The DSC local configuration is configured using the the DSC Local Configuration Manager or LCM for short. The LCM is a WMI provider built into PowerShell v4 and later.

To configure DSC using the LCM, you basically create a configuration specifying [DSCLocalconfigurationManager()] and then you can create a MOF file, and then push this out to your target server using Set-DscLocalConfigurationManager.

1. Create the LCM configuration as below. Note that we’re specifying the parameters:

    • ConfigurationID: This is the ID of the LCM on the target machine and is used to find the correct configuration to apply as there may be many configurations for other machines in the same share
    • RefreshMode: This sets out LCM to pull instead of push which is the default
    • SourcePath: This is the UNC path of our DSC SMB Pull server

Configuration Configure_LCM_SMBPULL 

Node $ComputerName
Settings {
            RefreshMode = 'Pull' 
            ConfigurationID = $guid
ConfigurationRepositoryShare DSCSMB {
            Sourcepath = "\\contchidsc01\DSCSMB" 

2. Specify the computer name and the GUID. Here we’re creating a new GUID.


3. Create the MOF file however it’s a .meta.mof file for the LCM

Configure_LCM_SMBPULL -ComputerName $ComputerName -Guid $guid -OutputPath C:\Scripts\DSC


4. We now configure the LCM on the target machine using Set-DscLocalConfigurationManager

Set-DscLocalConfigurationManager -ComputerName $ComputerName   -Path C:\Scripts\DSC -Verbose


5. Our LCM should now be configured and we can use Get-DscLocalConfigurationManager to confirm our settings:

$a = Get-DscLocalConfigurationManager -CimSession $ComputerName 
$a | ft PSComputerName,RefreshMode,ConfigurationID,`


We can see that RefreshMode is set to Pull, a ConfigurationID is assigned and the ConfigurationRepositoryShare to our DSC SMB Pull server UNC path. Great! Our next task is to create a configuration for the target server and store it in the SMB share.

Create DSC configuration for SMB pull target machine

This is basically the same as creating a normal DSC configuration but instead of naming the mof file contchisql01.mof, we need to name it using the ConfigurationID of the target machine LCM i.e. c46a4a4b-8b5f-49e5-90f4-faaf80e2ec9f.mof. We also need to create a checksum file called c46a4a4b-8b5f-49e5-90f4-faaf80e2ec9f.mof.checksum.

1. Create your configuration as normal. See my example one below which basically just creates a text file C:\testfile1.txt and sets the contents to My test file

Configuration CreateTestFile {
    Param (
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $ComputerName {
        File CreateTestFile {
            Type = 'File'
            DestinationPath = 'C:\testfile1.txt'
            Contents = 'My test file'


2. Specify the computer name and create your MOF file

$ComputerName = "contchisql01"
CreateTestFile -ComputerName $ComputerName -OutputPath C:\Scripts\DSC


3. Get the LCM ConfigurationID and copy the mof file to the SMB share with a name <ConfigurationID>.mof

$guid=(Get-DscLocalConfigurationManager -CimSession $ComputerName).ConfigurationID
$DestinationFile = 'C:\DSCSMB\' + $guid + '.mof'
Copy-Item C:\Scripts\DSC\$ComputerName.mof $DestinationFile -Force


4. Create a checksum file in the SMB share: <ConfigurationID>.mof.checksum

New-DscChecksum $DestinationFile -Force


5. Now you can either wait 30mins for the target machine to apply the configuration or you can force it using Update-DscConfiguration

Update-DscConfiguration -ComputerName $ComputerName -Wait -Verbose


6. That looks successful so let’s confirm our file is there and the contents are set:

Get-Content '\\contchisql01\c$\testfile1.txt'


There you have it - our test file is created!


In this post, we configured an SMB pull server then configured the LCM on a target machine to use the pull server. We then created a configuration for the target machine and put this in the SMB share and confirmed the target machine can pull it and apply it.

In the next post, we’ll look at HTTP pull servers.

No comments:

Post a Comment