
Desired State Configuration and Local Configuration Manager

In our previous post we covered how to define the settings used to configure the Local Configuration Manager (LCM) and how to apply them with the Set-DscLocalConfigurationManager cmdlet. (Editor’s note: Need to catch up? Check out our previous articles on Deploying a Desired State Configuration Web Host Using Powershell and Deploying a Desired State Configuration Web Host Using DSC.)

DSC and Local Configuration Manager

To check whether the new configuration was successfully deployed to the nodes, we can connect to a node and run Get-DscLocalConfigurationManager, which returns its current configuration details.

Local configuration manager: Get-DscLocalConfigurationManager

However, as we are working in PowerShell there is always going to be a simpler way to do this. The second server that we configured was called PDC-SC-VMM01, so using a remote connection to the server we can also get our requested information back, as in the following example:

$session = New-CimSession -ComputerName PDC-SC-VMM01
Get-DscLocalConfigurationManager -CimSession $session

AllowModuleOverwrite           : True
CertificateID                  :
ConfigurationID                : ba59fd02-04e2-4452-a817-b8e750b4efb8
ConfigurationMode              : ApplyAndAutoCorrect
ConfigurationModeFrequencyMins : 45
Credential                     :
DownloadManagerCustomData      : {MSFT_KeyValuePair (key = "ServerUrl"), MSFT_KeyValuePair (key = "AllowUnsecureConnection")}
DownloadManagerName            : WebDownloadManager
RebootNodeIfNeeded             : True
RefreshFrequencyMins           : 15
RefreshMode                    : Pull
PSComputerName                 : PDC-SC-VMM01

Local Configuration Manager: What’s Under the Hood?

When our local configuration is set to run in pull mode, the delivered meta.mof file instructs the CIM to configure the computer’s task scheduler to automate the Local Configuration Manager. Essentially, this can be thought of as a script that is defined to run on a schedule based on our configuration.

Local configuration manager: Task Scheduler

This task launches a new PowerShell instance with the following parameters:

-NonInt -Window Hidden -Command "Invoke-CimMethod -Namespace root/Microsoft/Windows/DesiredStateConfiguration -Cl MSFT_DSCLocalConfigurationManager -Method PerformRequiredConfigurationChecks -Arguments @{Flags = [System.UInt32]1}"

Server Maintenance: Two Methods

Understanding what is happening under the hood lets us consider what needs to happen on the node during a maintenance procedure. If we assume that the server is configured to run in ApplyAndAutoCorrect mode, then any maintenance we are executing could be modified by the LCM if some of our change operations conflict with the configuration that the server is enforcing.

There are two obvious methods to put the node's Local Configuration Manager into a stand-down configuration while the server is in maintenance mode.

1. Scheduled Tasks

We can manipulate the tasks using two simple PowerShell commands, which will place the LCM into the desired states.

Maintenance:
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Desired State Configuration\" | Disable-ScheduledTask

Active:
Get-ScheduledTask -TaskPath "\Microsoft\Windows\Desired State Configuration\" | Enable-ScheduledTask

Local configuration manager: Task Scheduler

2. Local Configuration Manager

The other approach is to reconfigure the LCM itself by changing its configuration mode. All we need to do is take the server out of ApplyAndAutoCorrect mode when the maintenance window opens and return it once the window has expired or the maintenance is complete. Unfortunately, we cannot just execute a simple Set-DscLocalConfigurationManager -ConfigurationMode.

Instead, we need to create a configuration, which then allows us to generate a meta.mof to apply to the Local Configuration Manager, just as we defined in the previous post.
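
One way to script that mode change, as an added example that is not code from the original post: the names LcmMode and Set-LcmMode and the temporary output folder are hypothetical, while the node name and configuration modes are the ones discussed above. It switches the node to ApplyAndMonitor for the window, so the LCM still checks for drift without correcting it, and uses try/finally so the node always returns to ApplyAndAutoCorrect.

```powershell
# Added example: LcmMode and Set-LcmMode are hypothetical names.
Configuration LcmMode {
    param(
        [string[]] $ComputerName,
        [string]   $Mode
    )
    Node $ComputerName {
        # Only the configuration mode is set here.
        LocalConfigurationManager {
            ConfigurationMode = $Mode
        }
    }
}

function Set-LcmMode {
    param(
        [Parameter(Mandatory = $true)]
        [string] $ComputerName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('ApplyOnly', 'ApplyAndMonitor', 'ApplyAndAutoCorrect')]
        [string] $Mode
    )
    # Compiling the configuration writes <ComputerName>.meta.mof into $out.
    $out = Join-Path $env:TEMP "LcmMode-$Mode"
    LcmMode -ComputerName $ComputerName -Mode $Mode -OutputPath $out | Out-Null
    Set-DscLocalConfigurationManager -Path $out -ComputerName $ComputerName

    # Read the setting back from the node so the change is confirmed, not assumed.
    $session = New-CimSession -ComputerName $ComputerName
    try     { (Get-DscLocalConfigurationManager -CimSession $session).ConfigurationMode }
    finally { Remove-CimSession -CimSession $session }
}

$node = 'PDC-SC-VMM01'
Set-LcmMode -ComputerName $node -Mode ApplyAndMonitor
try {
    # ... maintenance work goes here ...
}
finally {
    # Restore enforcement even if the maintenance steps fail.
    Set-LcmMode -ComputerName $node -Mode ApplyAndAutoCorrect
}
```

Because the meta configuration sets only ConfigurationMode, compare the full Get-DscLocalConfigurationManager output before and after the change to confirm that the pull settings shown earlier are unchanged.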
