PowerShell DSC - Compliance Server: What's the Deal?

Hello All,

Let me start by saying that I’ve read the “The-DSC-Book” and found it very helpful, particularly since there are absolutely no reference materials on the subject (that I can find at least), which I find highly disappointing (I’m looking at you Microsoft). Based on the lack of official documentation on DSC, I’m starting to think that this is THE DSC book after all :-).

I’ve been testing DSC internally and have had much success with it so far. I’ve got an HTTPS pull server set up and a few clients successfully talking to it. I must say that much of my success with DSC has been based on the information provided by the DSC book provided on this website, however I noticed an almost complete lack of information around the compliance server configuration piece (small blurb at the end of the DSC book notwithstanding). Exhaustive searches online reveal little to no information on this subject. I’ve tried several different ideas to get this to work but to date have been unsuccessful. I noticed that there is a “DEVICES.MDB” file provided with the product and there are web.config “app settings” that are documented for configuring connection details regarding the interaction with this MDB file. However no matter what I do to configure website properties or different port bindings etc., I never see this file updated - I’m suspecting/assuming that the compliance server piece should use this MDB file for recording drift, etc. I’ve cracked open the server 2012 modules for setting up the http pull server (i.e. PSWSIISEndpoint.psm1, etc.) and still can’t figure out what’s missing.

Also, I noticed in the DSC book that the compliance server is configured to use port 9080, however the module provided by Microsoft configures the compliance server port as 7070. Not sure if this matters at all, but I thought I’d mention it since I’m trying to attack any angle possible.

I personally find this drift information vital for supporting DSC in any production capacity since reporting on what has drifted and which clients are not in compliance is a huge piece of the puzzle for any solution of this type. Thus, I’d be really interested in anyone who has got this functioning properly and who is willing to share the details regarding how they got this working.

Has anyone out there been successful in getting the compliance server piece to work properly? If so, what methods are you using to extract and view the data from the data repository?

P.S. It is worth noting that my pull server is also my compliance server and that it is running Windows 2008 (not that I think it should matter from the compliance server bit, but since I’m not sure I’ll state that for the record).

The “compliance server” isn’t documented anyplace, and we don’t really have any info on it. We know what it basically does, but that’s it. I’ve a feeling it’s not entirely baked, yet. It can be configured to use whatever port you like. I used a different example than MS did. And I’m not sure it reports “drift.” My understanding is that it reports the compliance status - e.g., compliant or not.

But until MS releases more, we won’t know.

Hi Don,

Thanks for the reply. So am I safe to assume that you guys haven’t gotten this to work yourselves either? Based on your comments, it sounds like you’ve tinkered somewhat, but I’m unclear as to whether you’ve actually been able to get to a state where you were able to validate that the compliance server piece works in any capacity. Also, do you know if I’m correct in assuming that the MDB file plays a role here? Have you been able to get actual data from DSC clients into this MDB file?

Regards,

-M

Tinkered, but as I say - this isn’t baked and ready to use. Beyond that I can’t really discuss it. The MDB is indeed used by it and by the pull server, but it’s not as simple as it just dumping data into it. There’s more going on there.

Fair enough. Thanks for the replies. Please keep us updated as soon as you are able to publish any hard data around this feature - I for one will certainly be interested :).

By the way, are you aware of any ETA for when Microsoft will be releasing more information/enhancements in this space? If not, we are going to have Jeff Snover onsite as a special speaker in a month or two and I’ll definitely hit him up with questions relating to this subject for sure.

If I did know, it’d be covered by NDA anyway. But, see the preview release of WMF 5.0. There’s some DSC enhancements there.

Thanks. I’ve taken a quick peek at the WMF 5.0 release notes, but unfortunately there are no details relating to what specifically is enhanced there. I’m keeping my fingers crossed that “compliance” is one of those areas that are covered :). In the meantime, I’m going to see if I can get my hands on another 2012 server that I can convert to a pull server (WMF 5.0 only supports 2012) and see first hand if there are any changes in this space with WMF 5.0.

Thanks again for all the help.

-M

The PowerShell team made a post recently about what it is and how to use it for retrieving node information:

http://blogs.msdn.com/b/powershell/archive/2014/05/29/how-to-retrieve-node-information-from-pull-server.aspx

This thread is quite dated but all the complaints here seem to still ring true. I am working to build a custom reporting dashboard for DSC Node results. It appears we can get node status using {server}/PSDSCReportServer.svc/Nodes(AgentId= ‘MyNodeAgentId’)/Reports but I have not been able to find any method of querying the nodes that are actually registered on the Pull server.
/Status seems to no longer exist or there is still no documentation on Compliance/Reporting with the latest DSC version.
Does anyone have a resource for information on Reporting with DSC?

Thanks.
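
For readers building a similar dashboard, here is an added example (not part of the original thread and not Microsoft's code) that calls the Reports endpoint mentioned in the post above and reduces a node's reports to one compliance record. The service URL is a placeholder, the request headers and report field names are assumed from Microsoft's report server documentation, treating a node as compliant only when the newest report is a Success with no resources out of desired state is this example's own rule, and the sample response is constructed so the parsing runs offline.

```powershell
# Added example, not code from the thread. Report field names (JobId, Status,
# StartTime, StatusData, ResourcesNotInDesiredState) are assumed from
# Microsoft's report server documentation.
function Get-DscNodeReport {
    param(
        [Parameter(Mandatory)] [string] $ServiceUrl,  # placeholder, e.g. https://pull.example.test:8080/PSDSCReportServer.svc
        [Parameter(Mandatory)] [string] $AgentId
    )
    $uri  = "$ServiceUrl/Nodes(AgentId= '$AgentId')/Reports"
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing `
        -ContentType 'application/json;odata=minimalmetadata;streaming=true;charset=utf-8' `
        -Headers @{ Accept = 'application/json'; ProtocolVersion = '2.0' }
    (ConvertFrom-Json $resp.Content).value
}

function Get-DscComplianceSummary {
    param([Parameter(Mandatory)] [object[]] $Report)
    # Only the newest report describes the node's current state.
    $latest  = $Report | Sort-Object { [datetime]$_.StartTime } -Descending | Select-Object -First 1
    # StatusData is an array of JSON strings; the first holds the resource lists.
    $data    = $latest.StatusData | Where-Object { $_ } | Select-Object -First 1 | ConvertFrom-Json
    # Filter nulls so a missing or empty list yields zero drifted resources.
    $drifted = @($data.ResourcesNotInDesiredState | Where-Object { $_ } | ForEach-Object { $_.ResourceId })
    [pscustomobject]@{
        JobId     = $latest.JobId
        StartTime = [datetime]$latest.StartTime
        Status    = $latest.Status
        Compliant = ($latest.Status -eq 'Success' -and $drifted.Count -eq 0)
        Drifted   = $drifted
    }
}

# Constructed sample response (two reports for one node) so the parsing runs offline.
$sample = @'
{"value":[
 {"JobId":"job-0001","Status":"Success","StartTime":"2016-04-07T01:00:00Z",
  "StatusData":["{\"ResourcesNotInDesiredState\":[]}"]},
 {"JobId":"job-0002","Status":"Success","StartTime":"2016-04-07T01:30:00Z",
  "StatusData":["{\"ResourcesNotInDesiredState\":[{\"ResourceId\":\"[File]LoginBanner\"}]}"]}
]}
'@
Get-DscComplianceSummary -Report (ConvertFrom-Json $sample).value
# Against a live server: Get-DscComplianceSummary -Report (Get-DscNodeReport -ServiceUrl $url -AgentId $id)
```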

Hi Ross,

Have you looked at Azure Automation DSC?
You can onboard on-prem machines and get awesome reporting ootb.
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-onboarding

Regards,

Ben