Microsoft 365


Active Directory


Windows Server


Chance to win $250 in Petri 2023 Audience Survey


System Center

Deploying a Desired State Configuration Web Host Using DSC

Damian Flynn


In a previous post related to deploying a web pull DSC host (“Deploying a Desired State Configuration Web Host Using PowerShell“), I presented a script which would put all the components into place in a manual fashion to get a new DSC pull server online and working. However, this script approach – while useful in illustrating the components required to get the service functional – does not play into the whole concept of configuration using desired state services. In this post, we will try again, but we will leverage some new modules that Microsoft’s DSC team has created for us. More accurately referred to as providers to actually commission a DSC pull server, using DSC.

To get started, we will need to download the latest version of the package from the Microsoft TechNet Gallery to our designated server, and as with all Internet downloads, unblock the file and extract its content.

Desired State Configuration: Install the Module (Provider)

Our first task will be to place the module in the correct location on our server. Launch your PowerShell console, and navigate to the folder you just extracted. For example: Downloads\xPSDesiredStateConfiguration_1.0

​ cd $env:UserProfile\Downloads\xPSDesiredStateConfiguration_1.0
copy .\xPSDesiredStateConfiguration_1.0 $env:ProgramFiles\WindowsPowerShell\Modules –Recurse –Force

With our new module (provider) now located in its new home, we can proceed to establish our new service.

Desired State Configuration provider

Create a Configuration for our DSC Pull Server

In the the following snip-it, we define a DSC Configuration which is to be applied to the current server (localhost), to configure both our DSC Pull Server and a DSC Compliance Server, referencing the new module we just published and its xPSDesiredStateConfiguration resource provider.

​ Configuration Assert_DSCWebService
  param (
    [String] $certificateThumbprint

  Import-DSCResource -ModuleName xPSDesiredStateConfiguration

  Node localhost
    WindowsFeature DSCServiceFeature
      Ensure = "Present"
      Name   = "DSC-Service"

    xDSCWebService PSDSCPullServer
      Ensure                  = "Present"
      EndPointName            = "PSDSCPullServer"
      CertificateThumbprint   = $certificateThumbprint
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCPullServer"
      ConfigurationPath       = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
      ModulePath              = "$env:ProgramFiles\WindowsPowerShell\DscService\Modules"
      Port                    = 80
      IsComplianceServer      = $false
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"

    xDSCWebService PSDSCComplianceServer
      Ensure                  = "Present"
      EndPointName            = "PSDSCComplianceServer"
      CertificateThumbprint   = "AllowUnencryptedTraffic"
      PhysicalPath            = "$env:SystemDrive\inetpub\wwwroot\PSDSCComplianceServer"
      Port                    = 81
      IsComplianceServer      = $true
      State                   = "Started"
      DependsOn               = "[WindowsFeature]DSCServiceFeature"

In the previous post, I chose not to use SSL to secure the connection to the DSC pull server – an option I would never consider in a production deployment, but for the simplicity of demonstration we can leave out the extra steps. Similarly in this example I will also choose to use a non-SSL protected site, however you can easily change this for production.

The following command will execute the DSC configuration we just defined to provide a MOF file that will be used to apply the configuration. Our DSC configuration, named Assert_DSCWebService, will be executed just like any PowerShell function and provide the defined parameters (in this example, to define a non-SSL configuration).

​ Assert_DSCService –certificateThumbPrint “AllowUnencryptedTraffic” –OutputPath .

If you choose to use SSL, you simply require to have the certificate already in the computer store of your server and pass its thumbprint to the command, which will then validate that you have provided a valid match before completing its work.

​ Assert_DSCService –certificateThumbPrint “123213123123123123123” –OutputPath .

Desired State Configuration DSC pull server

Apply the Configuration

All that remains now is for us to apply our new DSC configuration to the local server. We will use the Start-DSCConfiguration command, instruct it to provide verbose feedback, and wait for the job to complete, so that we can monitor what is actually happening.

​ Start-DSCConfiguration –Path .\Assert_DSCWebService –Wait –Verbose –Force

Desired State Configuration

Once complete, we can check that the web services are online and working using our web browser. Assuming no issues were encountered we should be once again online, but this time using DSC itself to provision the service!

Article saved!

Access saved content from your profile page. View Saved