Azure Architect Demo Series 3a – Deploy a VM PowerShell Desired State Configuration (DSC)

Exercise 1: Deploy a Virtual Machine PowerShell Desired State Configuration (DSC) using ARM
Tasks 1 and 2: Create a Windows Virtual Machine
  • GOAL: To create a “Windows Server 2016 Datacenter” VM called autoconfigvm in a new resource group called MOD03VDSC in the “East US” region using the Azure portal
  • Azure Portal → Create a resource → Windows Server 2016 Datacenter → Create → Purchase
    • Name: autoconfigvm
    • Username: Student
    • Password: StudentPa55w.rd
    • Resource Group: New → MOD03VDSC
    • Location: East US
    • Size: Standard_D2S_v3
    • Allow RDP port only
    • Leave other settings as default
Task 3: View DSC Configuration
  • GOAL: To review a DSC Configuration that is located on our lab VM (F:\Mod03\Labfiles\Starter\)
  • Extract “F:\Mod03\Labfiles\Starter\”
    • There is a PowerShell DSC script called IISWebServer.ps1
      • The example we’ll use ensures that a server has the Web-Server (IIS) feature enabled
      • A DSC configuration is a special PowerShell function that defines how we want to configure one or more target computers (or nodes). Configuration is a keyword that we use in PowerShell to declare it

[code language="powershell"]
Configuration IISWebServer {
    param ($MachineName)
    Node $MachineName {
        # Ensure the Web-Server (IIS) Windows feature is installed
        WindowsFeature IIS {
            Ensure = "Present"
            Name   = "Web-Server"
        }
    }
}
[/code]

  • Before we can enact (or apply) a configuration, we first have to compile it into a MOF document
    • We compile by running the script, e.g. .\Script.ps1
    • When we compile a DSC PowerShell script, it does the following:
      • Resolves all variables
      • Creates a folder in the current directory with the same name as the configuration.
      • Creates a file named NodeName.mof in the new directory, where NodeName is the name of the target node of the configuration. If there is more than one node, a MOF file will be created for each node.
      • The MOF file contains all of the configuration information for the target node.
      • The Azure DSC Extension handles this compilation for us!
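
Compiling the configuration by hand shows what the extension does on our behalf. This is an added example, not part of the lab files: it assumes IISWebServer.ps1 only defines the configuration (as shown above), so the script is dot-sourced and the configuration is then called; web02 is a hypothetical second node name.

```powershell
# Added example. Run in an elevated PowerShell 5.x session on a Windows Server machine,
# from the folder that contains IISWebServer.ps1.
. .\IISWebServer.ps1                      # dot-source: loads the IISWebServer configuration

# Calling the configuration compiles it: one MOF per node name passed in.
$nodes = 'localhost', 'web02'             # web02 is a hypothetical second node
$mofs  = IISWebServer -MachineName $nodes -OutputPath .\IISWebServer

# Expect <NodeName>.mof for every node; stop if any is missing.
$missing = $nodes | Where-Object { "$_.mof" -notin $mofs.Name }
if ($missing) { throw "No MOF generated for: $($missing -join ', ')" }
$mofs | Select-Object Name, Length, LastWriteTime

# Review what will be enacted before anything is applied.
$localMof = $mofs | Where-Object Name -eq 'localhost.mof'
Get-Content $localMof.FullName

# Compare the local machine against the MOF without changing it.
$result = Test-DscConfiguration -ReferenceConfiguration $localMof.FullName
$result | Select-Object InDesiredState, ResourcesNotInDesiredState
```

On a server without IIS, InDesiredState is False and the IIS resource is listed as not in the desired state; nothing is installed until the configuration is enacted.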
Task 4: Upload DSC Configuration Module to Azure Storage
  • GOAL:
    • To create a new storage account in the existing MOD03VDSC resource group in the “East US” region
    • To create a new public container called config in the blob service of the storage account
    • Upload the DSC configuration to this new container and obtain the blob URL
  • Azure Portal → Create a resource → Storage account → Create → Purchase
    • Name: Enter a unique name (recommended to add random numbers at the end, e.g. dodscstor29)
    • Location: East US
    • Replication: LRS
    • Resource group: Use existing → MOD03VDSC
    • Leave other settings as default
  • Azure Portal → Storage accounts → Storage account that was recently created → Blobs → New container → OK
    • Name: config
    • Public access level: Blob (anonymous read access for blobs only)
      • Not best practice: this level lets anyone who has the blob URL read the blob. If we set the container to private instead, we can specify a SAS token so that the extension can still access it
  • Azure Portal → Storage accounts → Storage account that was recently created → Blobs → Container that was recently created → Upload → “F:\Mod03\Labfiles\Starter\” → Upload
    • Copy the URL of the blob (to be used later)
      • The “zip” file is also important if we need to use custom modules
      • All dependent resources must be included in module folders in the .zip.
  • Azure DSC extension process
    • The Azure DSC extension uses the Azure VM Agent framework to deliver, enact, and report on DSC configurations running on Azure VMs. The DSC extension accepts a configuration document and a set of parameters. If no file is provided, a default configuration script is embedded with the extension. The default configuration script is used only to set metadata in Local Configuration Manager.
    • When the extension is called for the first time, it installs a version of WMF by using the following logic:
      • If the Azure VM OS is Windows Server 2016, no action is taken. Windows Server 2016 already has the latest version of PowerShell installed.
      • If the wmfVersion property is specified, that version of WMF is installed, unless that version is incompatible with the VM’s OS.
      • If no wmfVersion property is specified, the latest applicable version of WMF is installed.
      • Installing WMF requires a restart. After restarting, the extension downloads the .zip file that’s specified in the modulesUrl property, if provided. If this location is in Azure Blob storage, you can specify an SAS token in the sasToken property to access the file. After the .zip is downloaded and unpacked, the configuration function defined in configurationFunction runs to generate an .mof file. The extension then runs Start-DscConfiguration -Force by using the generated .mof file. The extension captures output and writes it to the Azure status channel.
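
The private-container alternative mentioned above can be scripted. This is an added example, not part of the original lab: it assumes the Az.Storage module and a signed-in session (Connect-AzAccount), uses the sample account name dodscstor29 from the steps above, and uses a placeholder for the .zip file name.

```powershell
# Added example: keep the DSC archive in a private container and hand out a scoped SAS token.
$ResourceGroup  = 'MOD03VDSC'
$StorageAccount = 'dodscstor29'                                # sample name from the steps above
$Container      = 'config'
$ArchivePath    = 'F:\Mod03\Labfiles\Starter\<archive>.zip'    # placeholder: the lab's DSC .zip
$BlobName       = Split-Path $ArchivePath -Leaf

$ctx = (Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount).Context

# Create the container with no anonymous access, or lock down the existing public one.
if (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue) {
    Set-AzStorageContainerAcl -Name $Container -Permission Off -Context $ctx
} else {
    New-AzStorageContainer -Name $Container -Permission Off -Context $ctx | Out-Null
}

Set-AzStorageBlobContent -File $ArchivePath -Container $Container -Blob $BlobName `
    -Context $ctx -Force | Out-Null

# Read-only, HTTPS-only, short-lived token scoped to this single blob.
$sas = New-AzStorageBlobSASToken -Container $Container -Blob $BlobName -Permission r `
    -Protocol HttpsOnly -ExpiryTime (Get-Date).ToUniversalTime().AddHours(2) -Context $ctx
$sas = $sas.TrimStart('?')       # some Az.Storage versions prefix the token with '?'

$blobUrl = "$($ctx.BlobEndPoint)$Container/$BlobName"

# Check: an anonymous read must now fail, a read with the token must succeed.
try {
    Invoke-WebRequest -Uri $blobUrl -Method Head -UseBasicParsing | Out-Null
    Write-Warning 'Blob is still readable without a token'
} catch {
    Write-Host 'Anonymous access denied, as expected'
}
Invoke-WebRequest -Uri "${blobUrl}?$sas" -Method Head -UseBasicParsing | Out-Null

# Values for the extension: the blob URL and the SAS token.
[pscustomobject]@{ ModulesUrl = $blobUrl; SasToken = $sas }
```

The token only has to outlive the deployment, so a short expiry keeps the window small if the URL leaks.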
Task 5: Deploy a Virtual Machine ARM Template using PowerShell DSC Extension
  • GOAL: To deploy a DSC extension (containing the uploaded DSC configuration) to the existing autoconfigvm VM
  • Azure Portal → Create a resource → Template deployment → Create → Build your own template in the editor → Copy and paste the template below → Save

[code language="json"]
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualMachineName": {
      "type": "string",
      "defaultValue": "autoconfigvm"
    },
    "configurationModuleUrl": {
      "type": "string"
    },
    "extensionFunction": {
      "type": "string",
      "defaultValue": "IISWebServer.ps1\\IISWebServer"
    }
  },
  "resources": [
    {
      "apiVersion": "2017-03-30",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "name": "[concat(parameters('virtualMachineName'), '/dscExtension')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "publisher": "Microsoft.Powershell",
        "type": "DSC",
        "typeHandlerVersion": "2.19",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "ModulesUrl": "[parameters('configurationModuleUrl')]",
          "ConfigurationFunction": "[parameters('extensionFunction')]",
          "Properties": {
            "MachineName": "[parameters('virtualMachineName')]"
          }
        },
        "protectedSettings": null
      }
    }
  ]
}
[/code]

  • Complete the following:
    • Resource group: Use existing → MOD03VDSC
    • virtualMachineName: autoconfigvm
      • Name of the machine that we want to add the PowerShell DSC extension to
    • configurationModuleUrl: URL of the blob that we uploaded our DSC configuration script to
    • extensionFunction: IISWebServer.ps1\\IISWebServer
      • We can include multiple configuration functions in a .ps1 file. We do this by entering the name of the configuration .ps1 script followed by \ and the name of the configuration function. For example, if your .ps1 script has the name configuration.ps1 and the configuration is IisInstall, enter configuration.ps1\IisInstall.
    • Agree to terms → Purchase
  • The PowerShell DSC extension does the following:
    • Configures the LCM (Local Configuration Manager)
      • The Local Configuration Manager (LCM) is the engine of Desired State Configuration (DSC). The LCM runs on every target node, and is responsible for parsing and enacting configurations that are sent to the node. It is also responsible for the following:
        • Determining refresh mode (push or pull).
        • Specifying how often a node pulls and enacts configurations.
        • Associating the node with a pull service.
        • Specifying partial configurations.
Task 6: Validate Virtual Machine Instance is Serving Web Content
  • GOAL: To open TCP port 80 to the autoconfigvm VM and verify that it is now serving web content
  • Azure Portal → Virtual machines → autoconfigvm → Networking → Add inbound port rule
    • Destination port ranges: 80
    • Name: allow_port_80
    • Leave other settings as default
  • Obtain the public IP of the “autoconfigvm” VM and browse to it on port 80 (HTTP)

