Uninstall-Windowsfeature - possible with DSC?

Hi all,

I’ve been reading up quite a bit on PS DSC and it looks like a great tool for the company I work for to ensure standardization of our server environment.

However, what I tried to find and could not come across is support for uninstalling (with the -remove flag) Windows features. And this is one of the things I would like to do to clean up the WinSXS folder for each deployed server to limit the patch/update surface and also limit the attack surface of platforms.

Does anyone know if there is support with PowerShell DSC for this? Or a nice way to implement it using PowerShell DSC?

Thank you in advance & kind regards,

Peter

Removing a Windows Feature via DSC is simply using Ensure=“False” in the WindowsFeature element.
(That said I haven’t tried it on every existing WindowsFeature out there, but that’s the normal behavior)

Cleaning the WinSXS however is a different thing. I dare say you shouldn’t and officially you can’t really delete its content, although there are tools out there that might help reduce the size, but I don’t know if it’s supported by MS.

Only Windows 2016 nano server will finally have the logic to not increase SxS to keep its size minimal.
No idea if they will implement something similar for non-nano versions or older OS.

Hi Arie,

Thank you for your response! But doesn’t Ensure=“False” only uninstall the feature? The source code for the feature will still be available in the WinSXS directory and will therefore be updated, patched and is part of the attack surface of the O/S. I’ve read Microsoft articles written about the benefits of removing the features and how to do this (there is a simple PS command which lists the features and removes all which are not installed). But to make things “pretty” and easy to administer, I would like to remove them using a built-in command for PS DSC.

So for additional clarification: the ultimate goal is not to clean up the WinSXS directory (I know this is limited and not beneficial), but rather to remove unnecessary sources for Windows features.

Hopefully there’s a way out there to make this pretty with DSC…?

Thank you again & kind regards,

Peter

Not familiar with a script that actually completely removes the features. But any PS Script you have can be used inside
the DSC Script resource.

If you have a link to that script, or can paste it via gist, that would be interesting.

I just don’t think their existence is a matter of attack surface, if you got admin rights on a server, you have a bigger
issue than what Windows features the attacker would potentially install, to some extent.
I do agree on the patching issue and the silly size increase.
Moving to Windows 2012 R2, I had to increase the C drive size of all my servers to 40G minimum just because of SXS
so it’s a strain on resources.
I did use the scheduled task as in
https://technet.microsoft.com/en-us/library/dn251565.aspx
to try and get some space back, not that it mattered much.

I’m not sure though DSC is the correct method to use, that falls between Group Policy and DSC.

Naturally you can turn most of the registry on your server into a DSC script using the Registry
resource with a script that will be 200 pages long including what you want to have and what you absolutely do not want.
That doesn’t make DSC the optimum method.

I usually try to use DSC for things I want and Group Policy for things I don’t want.

Running that kind of PS script is ideal for Computer Based Group policy on the Computer startup/shutdown scripts
or via Group Policy Preferences.

Just for future correction, it’s Ensure=‘Absent’ :)

Hi Arie,

About the absent - we stand corrected :)

And this is the PS command to remove all features and their source code:

 Get-WindowsFeature | Where-Object {$_.Installed -match "False"} | Uninstall-WindowsFeature -Remove 

I still have to perform a test deployment using DSC and check the impact on the size of the WinSXS directory with and without updates. I can post the results here if you’re interested?

And I understand your choices for the Group Policy usage, however, I’m trying to create server roles and enforce them using DSC and I was hoping to incorporate this uninstallation of features into DSC as well…

Kind regards,

Peter

Hi,

Yes I see what you mean about the removal from SXS now.

Best option - write your own DSC resource, or as I stated earlier, use the Script DSC resource
to be a wrapper for that command.

Interesting to see numbers on how much it reduces, though I expect not much, most of the size
is used by .NET assemblies - x86, x64 and then the various .NET versions along the years.

And if the custom DSC resource works for you I suggest you offer it back to the DSC repo so
it gets implemented in the core product for others to use as well :)

Even if the goal is to create Roles and use DSC to implement it, you will still have some
Group Policy involved, it’s not like you can completely stop using it. Just have to remember
that DSC is meant for Configuration, not necessarily enforcement. If someone changes one of
my nodes’ LCM to say ApplyAndMonitor for example I still want to know that Group Policy will
make sure a certain service that shouldn’t be running isn’t running, no matter what.

Yes you can overcome even GP, heck there’s a GitHub project that takes a GP pol file and converts it to DSC.
Just cause it can be used, doesn’t mean it’s the right method. Each method has its ups and downs,
together they are stronger than each on its own :)
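
Added example, not part of any post in this thread: one way to wrap Peter's command in the built-in Script resource, as suggested above. The configuration name, the `localhost` node and the `Web-Server` role are illustrative assumptions; the filter uses `InstallState -eq 'Available'` rather than `Installed`, because a payload that is already removed still reports `Installed = False` and the resource would otherwise never test as compliant.

```powershell
# Added example: DSC Script resource wrapping Uninstall-WindowsFeature -Remove.
# Assumes Windows Server 2012 or later, where Get-WindowsFeature reports
# InstallState as Installed, Available (payload on disk) or Removed.
Configuration RemoveUnusedFeaturePayloads   # hypothetical configuration name
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        # Illustrative role: declare everything the server needs first,
        # so its payload is in use before unused payloads are removed.
        WindowsFeature WebServer
        {
            Name   = 'Web-Server'
            Ensure = 'Present'
        }

        Script RemoveFeaturePayloads
        {
            DependsOn = '[WindowsFeature]WebServer'

            # Report which features still have a payload on disk but are not installed.
            GetScript = {
                $available = Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' }
                @{ Result = ($available.Name -join ',') }
            }

            # Compliant only when no feature is left in the 'Available' state.
            TestScript = {
                @(Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' }).Count -eq 0
            }

            # Same effect as the one-liner in the thread, limited to payloads still present.
            SetScript = {
                Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' } |
                    Uninstall-WindowsFeature -Remove
            }
        }
    }
}

# Compile the MOF; apply it with Start-DscConfiguration -Path <OutputPath> -Wait
RemoveUnusedFeaturePayloads -OutputPath .\RemoveUnusedFeaturePayloads
```

Once a payload is removed, installing that feature later needs a source (`Install-WindowsFeature -Source` pointing at matching install media, or Windows Update), so every role the server needs should be declared before this resource runs.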