DSC GUI Tool

I’d like to pick the brains of the community on a DSC GUI tool that we’re building to enable users to deploy a pre-built DSC template (e.g., CIS Control 3 server hardening for Server 2012 R2) or custom templates (limited functionality at the moment) to target host(s). Below are 2 features that we are hoping to add to make the tool more useful.

  1. DSC config rollback – we got the following error when running the Restore-DscConfiguration cmdlet on a test server running WMF 5.0. Since we’re using partial configs via Pull Mode and not the Publish-DscConfiguration cmdlet, what can we do to roll back a config? Is it possible to copy the previous.mof from the test server and publish it to a Pull Server for the test server to pull/enact? We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

```
PS C:\> Restore-DscConfiguration
Restore-DscConfiguration : The only way DSC Partial Configurations can be used in Push mode is if the
Publish-DscConfiguration Cmdlet is used. No other push cmdlet is supported. To avoid this error, either set a metaconfiguration without partial configurations, or use the Publish-DscConfiguration cmdlet to deploy your partial configuration.
At line:1 char:1
+ Restore-DscConfiguration
    + CategoryInfo          : NotImplemented: (MSFT_DSCLocalConfigurationManager:root/Microsoft/…gurationManager) [Restore-DscConfiguration], CimException
    + FullyQualifiedErrorId : MI RESULT 7,Restore-DscConfiguration
```

  2. Detect conflict on a target host that also has GPOs deployed.

Any comments or suggestions are greatly appreciated. Thank you.

what can we do to roll back a config?

There’s no “rollback” built-in; you could probably use a previous MOF, as you suggest, provided that MOF “counters” everything you wanted. E.g., it wouldn’t be a “rollback” so much as a “last known good.” For example, if you’re source-controlling config script and MOFs, reverting to a previous version would in fact revert the desired config. In a DevOps environment, this is exactly what you’d do. Only you don’t manage “rollback” at the MOF level, you manage it in the configuration script. That way you can re-generate any “version” MOF and deploy it.

We also noticed that the previous.mof/current.mof files no longer contain readable text like a regular MOF does.

As of 5.0, MOFs are encrypted on-disk.

2) Detect conflict on a target host that also has GPOs deployed.

Not really possible. See http://snoverisms.com/14-2/. DSC wasn’t conceived as an adjunct to GPO, it was seen as an “instead of” thing.
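
The source-controlled "last known good" approach described in the reply above, as an added example that is not part of the original thread: it recompiles the configuration script from an earlier Git revision and republishes the MOF, with a fresh checksum, to the pull server. The repository path, script path, configuration name, revision and pull-server directory are assumptions, as is a node registered by ConfigurationNames so that it requests `<name>.mof`.

```powershell
# Added example: roll back by recompiling a known-good revision of the
# configuration script, not by copying previous.mof off the node.
# All parameter defaults below are hypothetical placeholders.
[CmdletBinding()]
param(
    [string]$RepoPath      = 'C:\Repos\DscConfigs',
    [string]$ScriptPath    = 'Configs/ServerHardening.ps1',  # path inside the repo
    [string]$ConfigName    = 'ServerHardening',              # Configuration block / partial config name
    [string]$GoodCommit    = 'HEAD~1',                       # revision known to be good
    [string]$PullConfigDir = "$env:ProgramFiles\WindowsPowerShell\DscService\Configuration"
)

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP ('dsc-rollback-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

# 1. Read the script as it was at the known-good revision,
#    leaving the working tree untouched.
$oldScript = Join-Path $work 'config.ps1'
$content = & git -C $RepoPath show "${GoodCommit}:$ScriptPath"
if ($LASTEXITCODE -ne 0) { throw "git show failed for revision '$GoodCommit'" }
Set-Content -Path $oldScript -Value $content -Encoding UTF8

# 2. Dot-source the script to define the Configuration, then compile it.
#    Assumes the script only defines the Configuration and does not invoke it.
. $oldScript
& $ConfigName -OutputPath $work | Out-Null

$mof = @(Get-ChildItem -Path $work -Filter '*.mof' |
         Where-Object { $_.Name -notlike '*.meta.mof' })
if ($mof.Count -ne 1) { throw "Expected exactly one MOF, found $($mof.Count)" }

# 3. Publish under the name the node asks for and regenerate the checksum;
#    the node only pulls again when the checksum differs from what it has.
$target = Join-Path $PullConfigDir "$ConfigName.mof"
Copy-Item -Path $mof[0].FullName -Destination $target -Force
New-DscChecksum -Path $target -Force

Write-Output "Published $target from revision $GoodCommit"
Remove-Item -Path $work -Recurse -Force
```

As the reply notes, this restores the earlier desired state only for settings that the older configuration declares; anything introduced by the newer configuration and absent from the older one is left as it is on the node.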