
Deploying a Desired State Configuration Web Host Using DSC

In a previous post related to deploying a web pull DSC host (“Deploying a Desired State Configuration Web Host Using PowerShell”), I presented a script that put all the components into place manually to get a new DSC pull server online and working. However, this scripted approach, while useful in illustrating the components required to get the service functional, does not play into the whole concept of configuration using desired state services. In this post, we will try again, but this time we will leverage some new modules (more accurately referred to as providers) that Microsoft’s DSC team has created for us to commission a DSC pull server using DSC itself.

To get started, we will need to download the latest version of the package from the Microsoft TechNet Gallery to our designated server, and as with all Internet downloads, unblock the file and extract its content.

Desired State Configuration: Install the Module (Provider)

Our first task will be to place the module in the correct location on our server. Launch your PowerShell console, and navigate to the folder you just extracted. For example: Downloads\xPSDesiredStateConfiguration_1.0

cd $env:UserProfile\Downloads\xPSDesiredStateConfiguration_1.0
copy .\xPSDesiredStateConfiguration_1.0 $env:ProgramFiles\WindowsPowerShell\Modules -Recurse -Force

With our new module (provider) now located in its new home, we can proceed to establish our new service.


Create a Configuration for our DSC Pull Server

In the following snippet, we define a DSC configuration to be applied to the current server (localhost) that configures both our DSC Pull Server and a DSC Compliance Server, referencing the new module we just published and its xPSDesiredStateConfiguration resource provider.

Configuration Assert_DSCWebService
{
  param (
    # Thumbprint of the SSL certificate, or "AllowUnencryptedTraffic" for HTTP
    [String] $certificateThumbprint
  )

  Import-DSCResource -ModuleName xPSDesiredStateConfiguration

  Node localhost
  {
    # Windows feature that provides the DSC pull service
    WindowsFeature DSCServiceFeature
    {
      Ensure = "Present"
      Name   = "DSC-Service"
    }

    # Pull server endpoint
    xDSCWebService PSDSCPullServer
    {
      Ensure                  = "Present"
      EndPointName            = "PSDSCPullServer"
      CertificateThumbprint   = $certificateThumbprint
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
      ConfigurationPath       = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
      ModulePath              = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
      Port                    = 80
      IsComplianceServer      = $false
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"
    }

    # Compliance server endpoint (always unencrypted as written here)
    xDSCWebService PSDSCComplianceServer
    {
      Ensure                  = "Present"
      EndPointName            = "PSDSCComplianceServer"
      CertificateThumbprint   = "AllowUnencryptedTraffic"
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
      Port                    = 81
      IsComplianceServer      = $true
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"
    }
  }
}

In the previous post, I chose not to use SSL to secure the connection to the DSC pull server – an option I would never consider in a production deployment, but for the simplicity of demonstration we can leave out the extra steps. Similarly in this example I will also choose to use a non-SSL protected site, however you can easily change this for production.

The following command executes the DSC configuration we just defined to produce a MOF file that will be used to apply the configuration. Our DSC configuration, named Assert_DSCWebService, is invoked just like any PowerShell function and is passed the defined parameters (in this example, to define a non-SSL configuration).

Assert_DSCWebService -certificateThumbprint "AllowUnencryptedTraffic" -OutputPath .

If you choose to use SSL, you simply need to have the certificate already in the computer store of your server and pass its thumbprint to the command, which will then validate that you have provided a valid match before completing its work.

Assert_DSCWebService -certificateThumbprint "123213123123123123123" -OutputPath .
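
A pre-flight check for the SSL case described above, so that a wrong, expired, or keyless certificate is caught before the configuration is compiled. This is an added example, not code from the original post or from the xPSDesiredStateConfiguration module; Test-PullServerCertificate and its parameters are hypothetical names, and the thumbprint in the usage comment is a placeholder.

```powershell
# Added example: validate a certificate before handing its thumbprint to
# Assert_DSCWebService. Test-PullServerCertificate is a hypothetical helper.
function Test-PullServerCertificate {
    param (
        [Parameter(Mandatory)]
        [string] $Thumbprint,
        [int] $MinDaysValid = 30
    )

    # Thumbprints copied from the certificate UI often carry spaces or an
    # invisible leading character; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) characters."
    }

    # The certificate must be in the local computer's personal store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) {
        throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $clean has no private key, so it cannot be used for an SSL binding."
    }

    # Reject certificates that are not yet valid or that expire soon.
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        throw "Certificate $clean is not valid for the next $MinDaysValid days (NotAfter: $($cert.NotAfter))."
    }

    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). An empty EKU list
    # means the certificate is not restricted to specific purposes.
    $eku = @($cert.EnhancedKeyUsageList)
    if ($eku.Count -gt 0 -and ($eku.ObjectId -notcontains '1.3.6.1.5.5.7.3.1')) {
        throw "Certificate $clean is not issued for Server Authentication."
    }

    return $clean
}

# Usage (replace the placeholder with your certificate's thumbprint):
#   $thumbprint = Test-PullServerCertificate -Thumbprint '<your-thumbprint>'
#   Assert_DSCWebService -certificateThumbprint $thumbprint -OutputPath .
```

The configuration as written still sets Port = 80 on the pull endpoint and hard-codes "AllowUnencryptedTraffic" on the compliance endpoint, so both values also need changing for an SSL deployment.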


Apply the Configuration

All that remains now is for us to apply our new DSC configuration to the local server. We will use the Start-DSCConfiguration command, instruct it to provide verbose feedback, and wait for the job to complete, so that we can monitor what is actually happening.

Start-DSCConfiguration -Path . -Wait -Verbose -Force


Once complete, we can check that the web services are online and working using our web browser. Assuming no issues were encountered we should be once again online, but this time using DSC itself to provision the service!
