DscBaseline is a PowerShell module that creates DSC configurations based on the configuration of the current system. It aims to expedite the adoption of Microsoft Desired State Configuration (DSC) for configuration management. DscBaseline does not make any changes to the system. It only reads the current settings and creates several configuration files in the specified working directory. This post provides a very brief overview of DSC followed by how to use DscBaseline.
Microsoft DSC is a management platform in PowerShell that enables you to manage your IT and development infrastructure with configuration as code. DSC uses a declarative syntax which means settings are specified with their desired value. This approach requires the DSC module to perform the heavy lifting and does so by providing three functions:
Set-TargetResource. When a configuration file is processed,
Test-TargetResource is invoked for each setting. If it returns
$false, it then invokes
Set-TargetResource to configure the setting as desired.
If you’re new to DSC, the following three posts are a great place to start.
Arguably the greatest downside to using DSC is creating the configuration files. There are plenty of tutorials detailing how to install a Windows Feature and apply basic settings. However, creating a thorough configuration takes significant time. I first encountered this issue while creating a DSC configuration for a non-domain joined system. Just creating a configuration for the services was taking far too long which lead me to my prior post: Automate Services DSC Configuration Via PowerShell. Upon completion, it quickly became apparent that more automation was needed. There are basic areas of configuration for any Microsoft system where this same technique can be applied. Thus the emergence of DscBaseline. As of this writing, it covers the following areas:
- Security Policy — Account Policy (SecurityPolicyDsc)
- Security Policy — Security Option (SecurityPolicyDsc)
- Security Policy — User Rights Assignment (SecurityPolicyDsc)
- Audit Policy (AuditPolicyDsc)
- Network (NetworkingDsc)
- Services (PSDscResources)
- *Group Policy — EXPERIMENTAL. See known issues for details. (PSDscResources)
Before proceeding, read this post in its entirety along with the README.
Installing and Importing
This is by far the easiest method; just run the following commands.
PS C:\> Install-Module DscBaseline
PS C:\> Import-Module DscBaseline
Download the source zip file and extract it to a desired directory or clone the repository. Then import the module by specifying the
PS C:\> Import-Module C:\DscBaseline\DscBaseline.psd1
The only function is
Invoke-DscBaseline which has just two parameters. The first is
-Folder which should specify the location where the DSC configuration files are written. The second parameter is optional as it doesn’t get all group policy settings and is thus considered EXPERIMENTAL (see README for details). That said, the second parameter is a switch parameter that can be invoked by just including
Invoke-DscBaseline returns a
hashtable object showing the configuration files it created.
Along with the configuration files, there’s another file called
ApplyDscConfig.ps1. It contains a series of commands that will apply the configuration files to the current system. Two points worth mentioning about that file:
- There is a return statement early in the script to prevent accidentally running the configuration. If you wish to proceed, just remove or comment out that line.
-RebootNodeIfNeeded $false. If you’re testing on a private VM you may want to change this setting to
Review Configuration Files Before Use
The README is clear that configuration files must be reviewed before getting applied to a system. There are documented known issues needing to be addressed.