PowerShell Desired State Configuration is an extremely promising technology that was released as part of PowerShell 3.0 and has continued to improve in PowerShell 4.0. DSC can be used not only to detect problems with configuration drift but also to completely configure a system according to your exact specifications. You can perform checks on the Registry, files, groups and users, add or remove server roles, and even install software.
I recently was challenged with using DSC to look at System Center Configuration Manager client health. There have been quite a few great examples of VBScript or PowerShell scripts over the past few years that do a great job. Many of those scripts are hundreds of lines long and have a lot of logic to detect problems with the Configuration Manager client. One of the most comprehensive solutions was written by Dan Thomson and is available on CodePlex.
One of the biggest advantages of using PowerShell DSC over traditional scripts is that all of the logic for doing things like checking for services, registry settings, software installation, etc. is built right into the product. So all you have to do is write the specifications for what you want to check and DSC does the rest for you.
After learning the basics of DSC in a couple of hours I looked through Dan’s scripts and pulled out most of the health check items and created this simple DSC configuration file. This accomplishes most of what other scripts accomplish in less than 100 lines!
In this script I have made the installation of the SCCM client, with its install parameters, mandatory. So if the client is not installed, it will be installed. Once the client is installed, all of the services and registry entries are checked and will be fixed automatically every 30 minutes if there is “drift” from the settings.
Here is my configuration script:
Configuration ConfigMgrHealthCheck
{
    param
    (
        [Parameter(Mandatory=$True)]
        [string]$CMInstallArguments
    )

    # Install the Configuration Manager client if it is missing.
    # The LCM runs as Local System, so the computer account needs read access to this share.
    Package ConfigMgrClient
    {
        Ensure = "Present"
        Path = "\\modelsc02\smsClient\ccmsetup.exe"
        Arguments = $CMInstallArguments
        Name = "Configuration Manager Client"
        # Logpath = "c:\users\tim.mintner\desktop"
        ProductId = "D6804B3A-BFEC-4AB4-BFA5-FD9BECC80630"
    }

    # Services checked as part of client health: each must start automatically and be running.
    Service BITS
    {
        Name = "BITS"
        StartupType = "Automatic"
        State = "Running"
    }
    Service winmgmt
    {
        Name = "winmgmt"
        StartupType = "Automatic"
        State = "Running"
    }
    Service wuauserv
    {
        Name = "wuauserv"
        StartupType = "Automatic"
        State = "Running"
    }
    Service lanmanserver
    {
        Name = "lanmanserver"
        StartupType = "Automatic"
        State = "Running"
    }
    Service RpcSs
    {
        Name = "RpcSs"
        StartupType = "Automatic"
        State = "Running"
    }
    Service ccmexec
    {
        Name = "ccmexec"
        StartupType = "Automatic"
        State = "Running"
    }
    Service lanmanworkstation
    {
        Name = "lanmanworkstation"
        StartupType = "Automatic"
        State = "Running"
    }
    Service CryptSvc
    {
        Name = "CryptSvc"
        StartupType = "Automatic"
        State = "Running"
    }
    Service ProtectedStorage
    {
        Name = "ProtectedStorage"
        StartupType = "Automatic"
        State = "Running"
    }
    Service PolicyAgent
    {
        Name = "PolicyAgent"
        StartupType = "Automatic"
        State = "Running"
    }
    Service RemoteRegistry
    {
        Name = "RemoteRegistry"
        StartupType = "Automatic"
        State = "Running"
    }

    # DCOM must be enabled.
    Registry EnableDCOM
    {
        Ensure = "Present"
        Key = "HKEY_Local_Machine\SOFTWARE\Microsoft\Ole"
        ValueName = "EnableDCOM"
        ValueData = "Y"
        Force = $true
    }
}

# Compile the configuration to a MOF file in the current folder.
ConfigMgrHealthCheck -CMInstallArguments "/mp:modelsc02" -OutputPath .\
#Start-DscConfiguration -path .\ -verbose
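The automatic repair described above only happens when the Local Configuration Manager (LCM) runs in ApplyAndAutoCorrect mode; its default, ApplyAndMonitor, only reports drift. The following is an added example, not part of the original script, that sets that mode with a 30-minute check and verifies it. The names LcmAutoCorrect and .\LcmMeta are assumptions, and it expects an elevated session with the localhost.mof compiled above in the current folder.

```powershell
# Added example: LCM meta-configuration (WMF 4.0 syntax) so drift is repaired, not just reported.
# 'LcmAutoCorrect' and '.\LcmMeta' are hypothetical names chosen for this example.
Configuration LcmAutoCorrect
{
    Node 'localhost'
    {
        LocalConfigurationManager
        {
            # Default is ApplyAndMonitor: drift is logged but left in place.
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            # How often the LCM re-runs the consistency check against the applied MOF.
            ConfigurationModeFrequencyMins = 30
            # Do not let a package install reboot the machine unattended.
            RebootNodeIfNeeded             = $false
        }
    }
}

# Compile localhost.meta.mof and hand it to the LCM.
LcmAutoCorrect -OutputPath .\LcmMeta | Out-Null
Set-DscLocalConfigurationManager -Path .\LcmMeta -Verbose

# Confirm the LCM accepted the settings before relying on automatic repair.
$lcm = Get-DscLocalConfigurationManager
if ($lcm.ConfigurationMode -ne 'ApplyAndAutoCorrect') {
    throw "LCM is in '$($lcm.ConfigurationMode)' mode; drift will not be corrected."
}
"LCM mode: {0}, consistency check every {1} minutes" -f `
    $lcm.ConfigurationMode, $lcm.ConfigurationModeFrequencyMins

# Apply the health-check MOF (localhost.mof in the current folder) and wait for the result.
Start-DscConfiguration -Path .\ -Wait -Verbose

# On-demand drift check: returns $true when the node matches the applied configuration.
if (-not (Test-DscConfiguration)) {
    Write-Warning 'Node has drifted; the LCM will repair it on its next consistency run.'
}
```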
By no means is this a perfect client health script. One thing it does not do is check for WMI corruption. Part of the reason for that is that DSC is dependent on WMI so if WMI is broken DSC would not function.
Hopefully this will show you both the power and simplicity of DSC and you can start creating your own configurations.
Tim Mintner