- DSC is a declarative and idempotent model: it describes the state and the engine converges to it.
- PSDSC uses MOF and the LCM on Windows; the current DSC is cross-platform and uses JSON/YAML.
- Integrates with Azure Automation, WinGet, and other tools for orchestration at scale.
- Best practices: modularization, version control, testing, and alignment with NIST/FISMA.

If you administer Windows, Linux or macOS systems, sooner or later you will come across the concept of a desired state. PowerShell Desired State Configuration (DSC) is the most direct way to express that state and keep it in place, avoiding surprises, correcting deviations and speeding up deployments. Here you will find a complete guide, with practical examples and the differences between the classic PowerShell DSC and the newer cross-platform DSC.
Beyond formal definitions, think of DSC as a promise you make to your servers: 'I want you set up like this, and if you change, I'll put you back where you belong.' The best part is that this promise is declarative and idempotent: you describe the result, and the engine takes care of getting there and staying there, no matter how many times you run the same configuration.
What is DSC and why you might care
DSC is a declarative configuration platform. Declarative because you describe the state you want (active services, roles and features, packages, files, registry keys, etc.), not the sequence of painstaking steps to achieve it. The engine compares the current state with the desired state and makes minimal changes to converge.
Its basic unit is the resource. A DSC resource encapsulates how to 'Get', 'Test' and 'Set' the state of something: a service, a file, Active Directory, SQL Server, etc. This Get/Test/Set interface allows you to check if a node is already as it should be and, if not, apply the change.
In classic PowerShell DSC (PSDSC), the glue component is the Local Configuration Manager (LCM). The LCM is the engine that applies configurations, monitors them, and can re-enforce them periodically. It works in push mode (you push the configuration) or pull mode (the node downloads it from a Pull Server).
DSC is supported by management standards such as CIM and OMI. This open base facilitates interoperability and allows third-party tools to coexist without friction, something crucial if your infrastructure mixes different manufacturers and platforms.
Differences between PowerShell DSC (PSDSC) and the current cross-platform DSC
In recent years, Microsoft has pushed a DSC that goes beyond PowerShell and Windows. This 'new' DSC runs on Windows, Linux and macOS and is invoked with the dsc command-line tool, without relying on PowerShell or its PSDesiredStateConfiguration module.
- PowerShell independence: The current DSC does not require PowerShell. However, you can use PSDSC resources through adapters: Microsoft.DSC/PowerShell for resources in PowerShell classes and Microsoft.Windows/WindowsPowerShell for those that rely on Windows PowerShell.
- Document format: In PSDSC, configurations are compiled to MOF. In the current DSC, configuration documents and resource schemas are defined in JSON or YAML.
- Execution model: PSDSC features the LCM, which can run as a service and maintain state. Modern DSC is invoked as a command; it does not include an LCM or a resident service.
- Multilanguage: you can write resources in bash, Python, C#, Rust or whatever you prefer. The focus is on platform, not shell.
- Integration: The cross-platform DSC exposes JSON schemas to integrate with WinGet, Microsoft Dev Box, and Azure Machine Configuration, among other tools.
In short, PSDSC remains key on Windows and very mature for OS and role administration. The cross-platform DSC offers a broader, more portable, and language-untethered path, ideal for hybrid organizations.
Supported systems and requirements on Windows
The classic DSC implementation on Windows is available natively or through the Windows Management Framework. Windows Server 2016, 2019 and 2022 are supported, in addition to Windows 10 and Windows 11. The recommended package in environments that do not have the latest version is WMF 5.1.
There is one important exception: Microsoft Hyper-V Server (standalone product) does not include DSC, so you won’t be able to manage it with PSDSC or Azure Automation State Configuration.
To operate remotely, Windows must have WinRM properly configured. You can enable it with administrator privileges by running Set-WsManQuickConfig -Force. This prepares the computer to receive remote PowerShell commands, even if you apply settings on localhost.
If you need to diagnose, DSC events in Windows are logged in Microsoft-Windows-Dsc/Operational. Additional logs can be enabled for advanced debugging when you need to go deeper.
Getting Started with PowerShell DSC on Windows
It's common to start with the built-in resources and add modules from the PowerShell Gallery. The 'PSDscResources' module offers up-to-date resources to cover common scenarios:
# Install DSC resources from the PowerShell Gallery
Install-Module 'PSDscResources' -Verbose
A PSDSC configuration is defined with the keyword Configuration and compiles to MOF. Below is an example that creates an environment variable and ensures it is present:
Configuration CrearVariableEntorno {
    param ()
    Import-DscResource -ModuleName 'PSDscResources'
    Node localhost {
        Environment CrearRutaVariableEntorno {
            Name   = 'CrearVariableEntorno'
            Value  = 'Hola mundo'
            Ensure = 'Present'
            Path   = $true
            Target = @('Process','Machine')
        }
    }
}
# Compile the MOF into an output folder
CrearVariableEntorno -OutputPath './CrearVariableEntorno'
With the MOFs generated, it's time to apply them. The cmdlet Start-DscConfiguration invokes the LCM to process the configuration and can be run in interactive mode to follow the details:
Start-DscConfiguration -Path './CrearVariableEntorno' -Wait -Verbose
To inspect how the node looks, you can check the current state that DSC sees. Get-DscConfiguration returns the actual values applied and Get-DscLocalConfigurationManager shows the current metaconfiguration:
# Effective state of the node
Get-DscConfiguration
# Metaconfiguration (LCM)
Get-DscLocalConfigurationManager
If you need to 'unpin' a configuration, there is also a way out. Remove-DscConfigurationDocument -Stage Current -Verbose deletes the applied document and leaves the node ready to receive another MOF.
In managed scenarios, you may sometimes want to apply an LCM metaconfiguration (for example, to change the refresh mode or target a Pull Server). This is done by generating a metaconfiguration MOF and applying it with Set-DscLocalConfigurationManager -Path 'c:\metaconfig' -Verbose, where the folder contains localhost.meta.mof.
Local Configuration Manager: Modes, Frequency, and Partial Configurations
The LCM defines how and when configurations are enforced. Parameters like ConfigurationMode (ApplyOnly, ApplyAndMonitor or ApplyAndAutoCorrect) and the frequencies RefreshFrequencyMins and ConfigurationModeFrequencyMins control whether the node only applies once, monitors, or monitors and corrects automatically.
Additionally, you can work in push or pull. In pull, nodes query a configuration server (Pull Server) to download MOFs and modules based on their identifier. This approach is very useful at scale because it centralizes versions and compliance.
Since Windows Server 2016 (DSC v2), the LCM supports partial configurations. This consists of breaking the configuration into independent fragments that the LCM combines: for example, one security team defines its part and another team defines the applications part, without stepping on each other's toes.
Real-life usage scenarios
DSC is ideal for repeatable and auditable 'operating standards'. Some typical applications include configuring roles and features, securing services, preparing IIS, installing packages, modifying the registry, or defining environment variables. You can find practical guides on how to manipulate the registry with PowerShell to integrate it into your configurations.
For applications, you can automate installation, dependency configuration, site publishing, and fine-tuning. The beauty is that the resulting deployment is consistent across all nodes, whether a lab or a production environment.
For security and compliance, DSC is a great fit. Hardening policies, firewall settings, local accounts, or audit policies become a versioned and auditable configuration, not a manual 'cookbook'.
Network management (adapters, IPs, rules, services) is also in scope. If something is altered, the engine detects it and, depending on the mode, re-imposes the state, which reduces unexpected drift and support hours.
As a simple idea, imagine you want a critical service to always be running. With a Service resource and ApplyAndAutoCorrect mode, if someone stops it, the LCM starts it again. You can even rely on scheduled tasks to reinforce checking.
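The always-running service idea above, combined with the LCM modes from the Local Configuration Manager section, as an added example that is not code from the original article. The configuration names, the choice of the W32Time service and the C:\dsc-demo output folder are assumptions.

```powershell
# Added example; LcmAutoCorrect, EnforceTimeService and C:\dsc-demo are hypothetical names.

# Metaconfiguration: the LCM monitors the node and re-applies the document on drift.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node localhost {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15   # consistency check interval (minimum 15)
            RefreshFrequencyMins           = 30   # minimum 30
            RebootNodeIfNeeded             = $false
        }
    }
}

# Desired state: the Windows Time service is running and starts automatically.
Configuration EnforceTimeService {
    Import-DscResource -ModuleName 'PSDscResources'
    Node localhost {
        Service TimeService {
            Name        = 'W32Time'
            State       = 'Running'
            StartupType = 'Automatic'
        }
    }
}

$out = 'C:\dsc-demo'
LcmAutoCorrect     -OutputPath "$out\meta"   | Out-Null   # writes localhost.meta.mof
EnforceTimeService -OutputPath "$out\config" | Out-Null   # writes localhost.mof

# Apply the LCM settings first, then the configuration itself (elevated session).
Set-DscLocalConfigurationManager -Path "$out\meta" -Verbose
Start-DscConfiguration -Path "$out\config" -Wait -Verbose -Force

# Confirm the enforcement mode and the compliance state the LCM reports.
Get-DscLocalConfigurationManager |
    Select-Object ConfigurationMode, ConfigurationModeFrequencyMins, RefreshMode
Test-DscConfiguration -Detailed |
    Select-Object InDesiredState, ResourcesNotInDesiredState
```

With this in place, stopping the service by hand is reverted at the next consistency check; in ApplyAndMonitor mode the same drift would only be logged.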
Integration with Azure and orchestration
DSC shines when it is part of an automation chain. Azure Automation can orchestrate provisioning (runbooks, workflows) and delegate VM configuration to DSC, both in Azure and on-prem.
A common pattern is to publish your configuration to storage and associate it with VMs through the DSC extension. Commands like Publish-AzureVMDscConfiguration pack your script into a .zip with the necessary modules, and Set-AzureVMDSCExtension applies it at creation.
# Publish the configuration (packs the .ps1 and its modules into a .zip)
Publish-AzureVMDscConfiguration -ConfigurationPath './MiConfig.ps1' -Force
# Assign the configuration to a VM when deploying it
# (the published archive is named after the script file: MiConfig.ps1.zip)
Set-AzureVMDSCExtension -VM $vm -ConfigurationArchive 'MiConfig.ps1.zip' -ConfigurationName 'NombreDeConfig'
In IaaS deployments, the idea is simple: orchestration creates and connects cloud resources (network, storage, VMs) and DSC configures the operating system and applications within each VM. If you also version and test your configurations, you'll have reproducible environments.
Installing and using the cross-platform DSC
Modern DSC is distributed as portable binaries. You can download the latest edition from the PowerShell/DSC GitHub repository, unzip it, and add the folder to your PATH. No complicated installations or extra dependencies.
On Windows, you can also install it from the Microsoft Store via WinGet. First locate the package and then install stable or preview:
# Search for the published packages
winget search DesiredStateConfiguration --source msstore
# Install the stable version
winget install --id 9NVTPZWRC6KQ --source msstore
# Install the preview version
winget install --id 9PCX3HX4HZ0Z --source msstore
This DSC works with configuration documents written in JSON or YAML and with schemas also in JSON. The dsc CLI allows you to invoke individual resources, apply entire documents, and write resources in any language. In addition, the aforementioned adapters allow you to leverage existing PSDSC resources.
By standardizing the structure of documents and outputs using JSON schemas, integration with other platform tools (WinGet, Dev Box, Azure Machine Configuration) is more direct, facilitating modern pipelines and workflows.
Good practices and regulatory compliance
To avoid chaos, it is advisable to modularize. Break your configurations into reusable components and create resource modules for complex parts. This allows you to maintain and scale with less friction.
Version everything in source control (Git). Saving configurations and resources in repositories facilitates teamwork, history and reverts. If you also use branches and pull requests, you also get reviews and quality control.
Test before deploying to production. Tools like Pester help validate resources and configurations and avoid side effects, and a pre-production environment must be part of the process.
Many organizations follow frameworks such as NIST SP 800-53 (e.g., CM-2 control over base configurations) or FISMA. DSC provides consistency and auditability to align your systems with policies and standards, reducing manual compliance effort.
Logging and diagnostics
When something doesn't add up, the event log is your ally. On Windows, the channel Microsoft-Windows-Dsc/Operational centralizes what happened (resource application, fixes, errors, etc.). If you need more detail, enable additional debug-oriented logs.
In Azure, also review the DSC extension logs and VM diagnostics. Correlating the output of Start-DscConfiguration -Verbose with the event viewer saves you time in locating the exact resource that has failed.
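One way to combine the compliance check with the operational channel described above, as an added example that is not part of the original article. The function name Get-DscDriftReport, the 24-hour window and the shape of the report object are assumptions.

```powershell
# Added example; Get-DscDriftReport is a hypothetical helper, not a built-in cmdlet.
function Get-DscDriftReport {
    [CmdletBinding()]
    param([int]$HoursBack = 24)

    # Re-run every resource's Test against the currently applied document.
    $test = Test-DscConfiguration -Detailed -ErrorAction Stop

    # Resources whose real state no longer matches the declared state.
    $drifted = foreach ($r in $test.ResourcesNotInDesiredState) {
        [pscustomobject]@{
            ResourceId = $r.ResourceId
            Module     = $r.ModuleName
            Source     = $r.SourceInfo   # file and line of the declaration
        }
    }

    # Errors (level 2) and warnings (level 3) from the DSC operational channel.
    $filter = @{
        LogName   = 'Microsoft-Windows-Dsc/Operational'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        InDesiredState = $test.InDesiredState
        Drifted        = @($drifted)
        RecentEvents   = @($events)
    }
}

$report = Get-DscDriftReport -HoursBack 24
$report.Drifted      | Format-Table -AutoSize
$report.RecentEvents | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled task or pipeline flag the node.
if (-not $report.InDesiredState) { exit 1 }
```

Run it from an elevated session on a node that already has a configuration applied; on ApplyAndMonitor nodes the drifted list is the signal to investigate who changed what.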
DSC, whether classic PowerShell or cross-platform, gives you a solid foundation for IaC on servers and workstations. Define the state, share it as code, test it, and let the engine do the repetitive work, so your teams can focus on real value, not on putting out fires.
