Compliance is always a hot topic, so in this Ask the Admin, I’ll look at how Microsoft’s DSCEA can be used to create compliance reports for servers configured using PowerShell DSC.
PowerShell Desired State Configuration (DSC) is a configuration management solution that allows system administrators to configure and manage servers using text files that define declarative resources instead of procedural PowerShell code. But unless you intend to use Azure Automation Desired State Configuration, which makes DSC easier to deploy and extends it by providing some basic reporting features, PowerShell DSC doesn’t have built-in reporting to quickly check which nodes are compliant.
For more information on Azure Automation DSC, see Introduction to Azure Automation Desired State Configuration and Azure Automation DSC Reporting on Petri.
Last year, Microsoft addressed that issue by introducing the Desired State Configuration Environment Analyzer (DSCEA), which itself is a DSC resource that scans systems to check compliance against a .MOF file. Reports show the compliance status of scanned nodes in HTML format or DSCEA XML can be converted to .csv format and imported into other tools, like Power BI.
I installed and ran DSCEA to see what the reports look like. There are two basic types of HTML report that can be generated from the XML output files. The first report lists all the devices scanned when a report was generated and lists its compliance status. The InDesiredState field is set to True or False. The second report gives more detailed information about configuration that doesn’t match your reference .MOF file. Again, the InDesiredState field is set to True or False. DSCEA’s XML files can also be converted to .CSV format for use in Power BI, where you can create custom reports. Loading data into Power BI gives you a report with a dashboard-style appearance.
DSCEA is easy to use. Start by installing the DSCEA module from the PowerShell Gallery using Install-Module from an elevated PowerShell prompt:
Install-Module -Name DSCEA
Then, start a scan using a reference .MOF file. The DSCEA module folder (C:\Program Files\WindowsPowerShell\Modules\DSCEA) contains an example .ps1 configuration file, in the configs folder, that you can use to generate a .MOF file for testing.
Tip: To create a .MOF file from a DSC configuration file, all you need to do is run the .ps1 file using PowerShell and the .MOF file will be generated in the same directory as the .ps1 file.
Start-DSCEAscan -MofFile 'C:\temp\localhost.mof' -ComputerName localhost
Finally, run Get-DSCEAreport to generate reports in HTML format:
Get-DSCEAreport -Overall Get-DSCEAreport -Detailed
If you want to create a .CSV file for importing the data into PowerBI, use Convert-DSCEAresultsToCSV.
However you look at it, the data generated in the reports is quite limited, at least by the time they are converted to HTML or CSV format. I quickly scanned the XML files generated by Start-DSCEAscan and I didn’t find any additional data to suggest that the reports could be more detailed.
Any improvement to DSC is welcome but Puppet provides superior reporting and centralized management capabilities, even with the addition of DSCEA. I would always opt to use Puppet with DSC instead of DSC alone. Microsoft has improved DSCEA a couple of times since its initial release last year but I doubt we’ll see this develop into a comprehensive reporting system like that available in Puppet.