Creating DSC Configurations with DscBaseline

phbits

DscBaseline is a PowerShell module that creates DSC configurations based on the configuration of the current system. It aims to expedite the adoption of Microsoft Desired State Configuration (DSC) for configuration management. DscBaseline does not make any changes to the system. It only reads the current settings and creates several configuration files in the specified working directory. This post provides a very brief overview of DSC followed by how to use DscBaseline.

DSC Overview

Microsoft DSC is a management platform in PowerShell that enables you to manage your IT and development infrastructure with configuration as code. DSC uses a declarative syntax, which means settings are specified with their desired value. This approach leaves the heavy lifting to the DSC module, which provides three functions: Get-TargetResource, Test-TargetResource, and Set-TargetResource. When a configuration file is processed, Test-TargetResource is invoked for each setting. If it returns $false, Set-TargetResource is then invoked to configure the setting as desired.

If you’re new to DSC, the following three posts are a great place to start.

  1. DSC Overview for Developers
  2. DSC Overview for Decision Makers
  3. DSC Overview for Engineers

DscBaseline Overview

Arguably the greatest downside to using DSC is creating the configuration files. There are plenty of tutorials detailing how to install a Windows Feature and apply basic settings. However, creating a thorough configuration takes significant time. I first encountered this issue while creating a DSC configuration for a non-domain joined system. Just creating a configuration for the services was taking far too long, which led me to my prior post: Automate Services DSC Configuration Via PowerShell. Upon completion, it quickly became apparent that more automation was needed. There are basic areas of configuration for any Microsoft system where this same technique can be applied. Thus the emergence of DscBaseline. As of this writing, it covers the following areas:

  1. Security Policy — Account Policy (SecurityPolicyDsc)
  2. Security Policy — Security Option (SecurityPolicyDsc)
  3. Security Policy — User Rights Assignment (SecurityPolicyDsc)
  4. Audit Policy (AuditPolicyDsc)
  5. Network (NetworkingDsc)
  6. Services (PSDscResources)
  7. Group Policy — EXPERIMENTAL. See known issues for details. (PSDscResources)

DscBaseline should be launched in an elevated command prompt since many of the settings require that level of access.

Before proceeding, read this post in its entirety along with the README.

Installing and Importing

There are two ways to install this module: from the PowerShell Gallery, or by getting the source from GitHub.

PowerShell Gallery

This is by far the easiest method; just run the following commands.

PS C:\> Install-Module DscBaseline
PS C:\> Import-Module DscBaseline

GitHub

Download the source zip file and extract it to a desired directory or clone the repository. Then import the module by specifying the psd1 file.

PS C:\> Import-Module C:\DscBaseline\DscBaseline.psd1

Launching DscBaseline

The only function is Invoke-DscBaseline, which has just two parameters. The first is -Folder, which specifies the location where the DSC configuration files are written. The second, -TryGroupPolicy, is an optional switch parameter that is invoked by just including it on the command line. It doesn’t get all group policy settings and is thus considered EXPERIMENTAL (see README for details).

Invoke-DscBaseline returns a hashtable object showing the configuration files it created.

Figure: DscBaseline usage and output

Results

Along with the configuration files, there’s another file called ApplyDscConfig.ps1. It contains a series of commands that will apply the configuration files to the current system. Two points worth mentioning about that file:

  1. There is a return statement early in the script to prevent accidentally running the configuration. If you wish to proceed, just remove or comment out that line.
  2. Set-LcmSetting is configured with -RebootNodeIfNeeded $false. If you’re testing on a private VM you may want to change this setting to $true.

Review Configuration Files Before Use

The README is clear that configuration files must be reviewed before being applied to a system. There are documented known issues that need to be addressed.
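One way to start that review, as an added example that is not part of DscBaseline or the original post: generate the baseline, then parse each generated file without executing it, record its hash, and confirm ApplyDscConfig.ps1 still has its return guard. The folder path C:\DscBaselineReview and the assumption that the generated files are .ps1 scripts are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: generate a baseline, then inspect the output without applying it.
Import-Module DscBaseline

# Assumption: scratch folder chosen for this example.
$folder = 'C:\DscBaselineReview'
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Reads current settings and writes configuration files into -Folder.
# -TryGroupPolicy is left out because the post marks it EXPERIMENTAL.
$created = Invoke-DscBaseline -Folder $folder
$created   # hashtable of the configuration files that were created

# Assumption: the generated files are .ps1 scripts, like ApplyDscConfig.ps1.
$review = foreach ($file in Get-ChildItem -Path $folder -Filter '*.ps1' -File) {
    $tokens = $null
    $errors = $null
    # Parse only; nothing in the file is executed.
    $ast = [System.Management.Automation.Language.Parser]::ParseFile(
        $file.FullName, [ref]$tokens, [ref]$errors)

    # Return statements in the script body (nested script blocks are not searched).
    $returns = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.ReturnStatementAst] },
        $false)

    [pscustomobject]@{
        File            = $file.Name
        ParseErrors     = $errors.Count
        FirstReturnLine = ($returns | Select-Object -First 1).Extent.StartLineNumber
        SHA256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}
$review | Format-Table -AutoSize

# The post says ApplyDscConfig.ps1 ships with an early return as a safety guard.
$apply = $review | Where-Object File -eq 'ApplyDscConfig.ps1'
if ($apply -and -not $apply.FirstReturnLine) {
    Write-Warning 'ApplyDscConfig.ps1 has no return guard; running it will apply the configuration.'
}
```

Keeping the SHA256 column with your review notes lets you confirm later that the files being applied are the ones that were reviewed.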