{"id":2190,"date":"2016-03-17T00:00:00","date_gmt":"2016-03-17T00:00:00","guid":{"rendered":"https:\/\/test.simple-talk.com\/uncategorized\/powershell-desired-state-configuration-lcm-and-push-management-model\/"},"modified":"2016-08-01T13:46:34","modified_gmt":"2016-08-01T13:46:34","slug":"powershell-desired-state-configuration-lcm-and-push-management-model","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/sysadmin\/powershell\/powershell-desired-state-configuration-lcm-and-push-management-model\/","title":{"rendered":"PowerShell Desired State Configuration: LCM and Push Management Model"},"content":{"rendered":"<div class=\"article-content\">\n<ul class=\"series-articles\">\n<li>PowerShell Desired State Configuration &#8211; Part 1: <a href=\"https:\/\/www.simple-talk.com\/sysadmin\/powershell\/powershell-desired-state-configuration-the-basics\/\">The Basics<\/a><\/li>\n<li class=\"series-articles--active\"><span class=\"icon--chevron-right\">PowerShell Desired State Configuration &#8211; Part 2: <a href=\"https:\/\/www.simple-talk.com\/sysadmin\/powershell\/powershell-desired-state-configuration-lcm-and-push-management-model\/\">LCM and Push Management Model<\/a><\/li>\n<li>PowerShell Desired State Configuration &#8211; Part 3: <a href=\"https:\/\/www.simple-talk.com\/sysadmin\/powershell\/powershell-desired-state-configuration-pull-mode\/\">Pull Mode<\/a><\/li>\n<li>PowerShell Desired State Configuration &#8211; Part 4: <a href=\"https:\/\/www.red-gate.com\/simple-talk\/sysadmin\/powershell\/powershell-desired-state-configuration-automating-and-monitoring-pull-mode\/\">Automating and Monitoring Pull Mode<\/a><\/li>\n<\/ul>\n<h2>Contents<\/h2>\n<ul>\n<li>Configuring the Local Configuration Manager (LCM)<\/li>\n<li>Push management model<\/li>\n<\/ul>\n<p class=\"start\">In my previous article, I described the basic ideas behind Desired Sate Configuration, Now I&#8217;ll be describing the components that are essential for the good functioning of Desired State Configuration (DSC). At the time that I&#8217;m writing this, the latest version of Windows Management Framework 5.0 (WMF) is available in a &#8220;Preview&#8221; version, so the examples in this chapter will be based on WMF 4.0. However, I will indicate the major points where DSC has evolved within WMF 5.0. <\/p>\n<p>Just to give you a feel for the changes, we will first display a table containing all of the cmdlets and functions supplied with the <strong>PSDesiredStateConfiguration<\/strong> module: <\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS &gt; Get-Command -Module PSDesiredStateConfiguration \r\n\r\nCommandType     Name\r\n-----------     ----\r\nFunction        Configuration\r\nFunction        Get-DscConfiguration\r\nFunction        Get-DscLocalConfigurationManager\r\nFunction        Get-DscResource\r\nFunction        New-DSCCheckSum\r\nFunction        Restore-DscConfiguration\r\nFunction        Test-DscConfiguration\r\nCmdlet          Set-DscLocalConfigurationManager\r\nCmdlet          Start-DscConfiguration \r\n<\/pre>\n<p>Now we will run the same PowerShell command with WMF 5.0 to show the difference<\/p>\n<pre class=\"lang:ps theme:powershell-output\">CommandType Name                             \r\n----------- ----                             \r\nFunction    Configuration                    \r\nFunction    Disable-DscDebug                 \r\nFunction    Enable-DscDebug                  \r\nFunction    Find-DscResource                 \r\nFunction    Get-DscConfiguration             \r\nFunction    Get-DscConfigurationStatus       \r\nFunction    Get-DscLocalConfigurationManager \r\nFunction    Get-DscResource                  \r\nFunction    New-DscChecksum                  \r\nFunction    Remove-DscConfigurationDocument  \r\nFunction    Restore-DscConfiguration         \r\nFunction    Stop-DscConfiguration            \r\nCmdlet      Invoke-DscResource               \r\nCmdlet      Publish-DscConfiguration         \r\nCmdlet      Set-DscLocalConfigurationManager \r\nCmdlet      Start-DscConfiguration           \r\nCmdlet      Test-DscConfiguration            \r\nCmdlet      Update-DscConfiguration           \r\n<\/pre>\n<p>You can see that the functionality of DSC is expanding rapidly. A number of functions and Cmdlets have been added to help administrators with their management of DSC. We can illustrate this easily when lang:ps theme:powershell-ise all available cmdlets on WMF 5.0 preview: <\/p>\n<p>You will notice that there are lots of innovations in WMF 5.0. Here is a quick description from Technet. I shall not comment on it for the time being as we shall study them gradually in this series.<\/p>\n<table>\n<thead>\n<tr>\n<th>Cmdlet<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Disable-DscDebug<\/td>\n<td>Stops debugging of DSC resources.<\/td>\n<\/tr>\n<tr>\n<td>Enable-DscDebug<\/td>\n<td>Start debugging of all DSC resources.<\/td>\n<\/tr>\n<tr>\n<td>Find-DscRescource<\/td>\n<td>Finds DSC resources (contained within modules) that match the specific criteria.<\/td>\n<\/tr>\n<tr>\n<td>Get-DscConfiguration<\/td>\n<td>Gets the current configuration of the node.<\/td>\n<\/tr>\n<tr>\n<td>Get-DscConfigurationStatus<\/td>\n<td>Retrieves data about completed configuration runs.<\/td>\n<\/tr>\n<tr>\n<td>Get-DscLocalConfigurationManager<\/td>\n<td>Gets Local Configuration Manager settings for the node.<\/td>\n<\/tr>\n<tr>\n<td>Get-DscResource<\/td>\n<td>Gets DSC resources present on the computer.<\/td>\n<\/tr>\n<tr>\n<td>Invoke-DscResource<\/td>\n<td>Executes a method of a specific DSC resource. <\/td>\n<\/tr>\n<tr>\n<td>New-DSCCheckSum<\/td>\n<td>Creates checksum files for DSC documents and resources.<\/td>\n<\/tr>\n<tr>\n<td>Publish-DscConfiguration<\/td>\n<td>Publishes a DSC configuration to a set of machines, but does not apply it.<\/td>\n<\/tr>\n<tr>\n<td>Remove-DscConfigurationDocument<\/td>\n<td>Removes a configuration document after configuration.<\/td>\n<\/tr>\n<tr>\n<td>Restore-DscConfiguration<\/td>\n<td>Restores the previous configuration for the node.<\/td>\n<\/tr>\n<tr>\n<td>Set-DscLocalConfigurationManager<\/td>\n<td>Applies Local Configuration Manager settings to nodes.<\/td>\n<\/tr>\n<tr>\n<td>Start-DscConfiguration<\/td>\n<td>Applies configuration to nodes.<\/td>\n<\/tr>\n<tr>\n<td>Stop-DscConfiguration<\/td>\n<td>Stops a configuration job that is currently running.<\/td>\n<\/tr>\n<tr>\n<td>Test-DscConfiguration<\/td>\n<td>Tests whether the actual configuration on the nodes matches the desired configuration.<\/td>\n<\/tr>\n<tr>\n<td>Update-DscConfiguration<\/td>\n<td>Runs the existing configuration on a computer.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The first thing to understand about DSC is the way the configurations are applied on the nodes. The Local Configuration Manager (LCM) is the PowerShell DSC engine and runs on all nodes that has PowerShell 4.0 or above installed. It controls the execution of DSC configurations on target nodes. When the LCM receives the MOF files, it is responsible for calling the DSC resources that are used in the DSC configuration script. Then, LCM applies configuration to the node. The LCM has many settings that describes how DSC operates locally on the target node. These settings are called &#8221; <strong>meta-configuration<\/strong>&#8221; and can be changed per machine or on all machines. <\/p>\n<p>In this article, we will focus on the LCM and how one can configure some of its settings so as to adapt it to its environment. The number of properties of the LCM may vary with the PowerShell version. You can get the LCM properties by using the following <strong>Get-DSCLocalConfigurationManager<\/strong> cmdlet. <\/p>\n<p>Here are the LCM properties on a node with PowerShell version 4: <\/p>\n<pre class=\"lang:ps theme:powershell-output\">AllowModuleOverwrite           : False\r\nCertificateID                  :\r\nConfigurationID                :\r\nConfigurationMode              : ApplyAndMonitor\r\nConfigurationModeFrequencyMins : 30\r\nCredential                     :\r\nDownloadManagerCustomData      :\r\nDownloadManagerName            :\r\nRebootNodeIfNeeded             : False\r\nRefreshFrequencyMins           : 15\r\nRefreshMode                    : PUSH\r\nPSComputerName                 :\r\n<\/pre>\n<p>And here is a node with PowerShell version 5 showing the equivalent list: <\/p>\n<pre class=\"lang:ps theme:powershell-output\">ActionAfterReboot              : ContinueConfiguration\r\nAllowModuleOverWrite           : False\r\nCertificateID                  :\r\nConfigurationDownloadManagers  : {}\r\nConfigurationID                :\r\nConfigurationMode              : ApplyAndMonitor\r\nConfigurationModeFrequencyMins : 15\r\nCredential                     :\r\nDebugMode                      : {NONE}\r\nDownloadManagerCustomData      :\r\nDownloadManagerName            :\r\nLCMCompatibleVersions          : {1.0, 2.0}\r\nLCMState                       : Idle\r\nLCMStateDetail                 :\r\nLCMVersion                     : 2.0\r\nStatusRetentionTimeInDays      : 10\r\nPartialConfigurations          :\r\nRebootNodeIfNeeded             : False\r\nRefreshFrequencyMins           : 30\r\nRefreshMode                    : PUSH\r\nReportManagers                 : {}\r\nResourceModuleManagers         : {}\r\nPSComputerName                 : \r\n<\/pre>\n<p>Common parameters between v4 and v5 are described in the first part of this series and some parameters will be explain in the next part. Numerous properties have been added in the latest version of PowerShell, but they are not all mandatory. Here are the new parameters:<\/p>\n<p> <strong>RefreshMode<\/strong>: A new value has been added to this property: &#8216;Disabled&#8217;. This value allows the LCM to be deactivated so as to prevent it from applying the configuration on the node. What does it mean? Imagine, you have another third party tools such as Puppet or Chef and you are looking to avoid conflict with DSC on this node. You don&#8217;t want that DSC applies a new configuration at the same time. This parameter disables any kind of MOF file processing, so you can&#8217;t push configuration on the target node when the value is &#8220;disabled&#8221;. <\/p>\n<p> <strong>ActionAfterReboot<\/strong>: This new property indicates to the LCM which action it should to carry out after the restart of the node. The accepted values are the following: <\/p>\n<ul>\n<li>&#8220;ContinueConfiguration&#8221;<\/li>\n<li>&#8220;StopConfiguration&#8221;<\/li>\n<\/ul>\n<p> <strong>LCMState<\/strong>: Determines the state of the LCM <\/p>\n<ul>\n<li>&#8220;Busy&#8221; when it is in execution mode on the node<\/li>\n<li>&#8220;PendingReboot&#8221; when the LCM is awaiting a restart<\/li>\n<li>&#8220;Ready&#8221; when the LCM is available. <\/li>\n<\/ul>\n<p><strong>LCMCompatibleVersions<\/strong>: Since PowerShell v5, a new LCM version has been introduced. It is then possible to choose one&#8217;s version. <\/p>\n<table>\n<thead>\n<tr>\n<th>WMF 4.0<\/th>\n<th>WMF 5.0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>LCM 1.0<\/td>\n<td>LCM 1.0 \/ LCM 2.0<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p> <strong>LCMVersion: <\/strong>The applicable values are: 1.0 or 2.0. Especially useful in a test environment. <\/p>\n<p> <strong>LCMStateDetail<\/strong>: This property contains more information about the LCM state. <\/p>\n<p> <strong>StatusRetentionTimeInDays: <\/strong>The number of days the LCM keeps the status of the current configuration. <\/p>\n<p> <strong>PartialConfiguration<\/strong>: This property works solely in the &#8220;Pull Mode&#8221;. It makes it possible to break up a DSC configuration into several parts. Imagine that you are deploying a new SQL server: The SQL administrators could then create the SQL configuration dedicated to SQL, and the system administrators could write the configuration dedicated to the operating system. <\/p>\n<h2>How do we write a metaconfiguration?<\/h2>\n<p>A metaconfiguration is very similar to a normal\/standard configuration. It is carried out through the block &#8220;LocalConfigurationManager&#8221;. The properties present in this block will be updated on the LCM, but all the other properties will not be modified. Here is a simple example allowing us to configure the property &#8220;RebootNodelfNeeded&#8221; thus indicating that my workstation is allowed to restart after applying the configuration:<\/p>\n<p>Configuration LCMConfiguration<\/p>\n<pre class=\"lang:ps theme:powershell-ise\">Configuration LCMConfiguration\r\n{\r\n    Note Localhost\r\n    {\r\n        LocalConfigurationManager\r\n        {\r\n            RebootNodeIfNeeded = $True\r\n        }\r\n    }\r\n}\r\n\r\nLCMConfiguration\r\n<\/pre>\n<div class=\"note\">\n<p class=\"note\">Note: PowerShell v5 introduces the &#8220;Settings&#8221; block instead of &#8220;LocalConfigurationManager&#8221;. But the latter may be used in PowerShell v5.<\/p>\n<\/p><\/div>\n<p>After the execution of my metaconfiguration &#8220;LCMConfiguration&#8221;, a file &#8216;<strong>localhost.meta.mof<\/strong>&#8216; is created. Indeed, a metaconfiguration implies the creation of a file with an extension &#8220;<strong>meta.mof<\/strong>&#8220;. The name of the node is inserted in the name of the file: <\/p>\n<p class=\"illustration\"> <img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/imported\/2391-633d4702-0428-4443-9183-6e6d86159aad.png\" alt=\"2391-633d4702-0428-4443-9183-6e6d86159aa\" \/><\/p>\n<p class=\"caption\">Figure 1 &#8211; meta.mof file<\/p>\n<p>The file &#8220;localhost.meta.mof&#8221; contains the following:<\/p>\n<pre class=\"lang:ps theme:powershell-ise\">\/*\r\n@TargetNode='localhost'\r\n@GeneratedBy=nicolas\r\n@GenerationDate=02\/14\/2016 17:18:28\r\n@GenerationHost=Laptop01\r\n*\/\r\n\r\ninstance of MSFT_DSCMetaConfiguration as $MSFT_DSCMetaConfiguration1ref\r\n{\r\nRebootNodeIfNeeded = True;\r\n\r\n};\r\n\r\ninstance of OMI_ConfigurationDocument\r\n{\r\n Version=\"2.0.0\";\r\n MinimumCompatibleVersion = \"1.0.0\";\r\n CompatibleVersionAdditionalProperties= {};\r\n Author=\"adm_npri\";\r\n GenerationDate=\"02\/14\/2016 17:08:20\";\r\n GenerationHost=\"Laptop01\";\r\n id=\"LCMConfiguration\"\";\r\n};\r\n<\/pre>\n<p>The only thing left to do is to apply our metaconfiguration to our node. For this one just needs to use the <strong>Set-DSCLocalConfigurationManager<\/strong> cmdlet. Here it is the main difference with a normal configuration for which you would have used the <strong>Start-DSCConfiguration <\/strong>cmdlet. <\/p>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; Set-DSCLocalConfigurationManager -Path C:UsersNicolasLCMConfiguration<\/pre>\n<p>By displaying the properties of my LCM, the value is now equal to &#8220;TRUE&#8221;:<\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS&gt; Get-DSCLocalConfigurationManager \r\n\r\n\r\nAllowModuleOverwrite           : False\r\nCertificateID                  :\r\nConfigurationID                : \r\nConfigurationMode              : ApplyAndMonitor\r\nConfigurationModeFrequencyMins : 30\r\nCredential                     :\r\nDownloadManagerCustomData      : \r\nDownloadManagerName            : \r\nRebootNodeIfNeeded             : True\r\nRefreshFrequencyMins           : 15\r\nRefreshMode                    : PUSH\r\nPSComputerName                 : \r\n<\/pre>\n<p>According to your requirements, you may also want to configure the LCM differently on your machines. If you wish to obtain the LCM properties of a machine without connecting to it, you only need to create a CIM session:<\/p>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; $Session = New-CimSession -ComputerName \"ADM11\" -Credential DomainAdminAccount<\/pre>\n<p>In this case, I display the LCM properties of the ADM11 server:<\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS&gt; Get-DscLocalConfigurationManager -CimSession $Session\r\n\r\nAllowModuleOverwrite           : False\r\nCertificateID                  :\r\nConfigurationID                :\r\nConfigurationMode              : ApplyAndMonitor\r\nConfigurationModeFrequencyMins : 30\r\nCredential                     :\r\nDownloadManagerCustomData      :\r\nDownloadManagerName            :\r\nRebootNodeIfNeeded             : False\r\nRefreshFrequencyMins           : 15\r\nRefreshMode                    : PUSH\r\nPSComputerName                 : ADM11\r\n<\/pre>\n<p>For those of you that are asking whether it is possible to integrate the LCM configuration with a normal configuration, the answer is yes. However, I advise you to separate these two aspects to simplify management. <\/p>\n<h2>The push management model<\/h2>\n<p>Let&#8217;s talk about the &#8220;Push mode&#8221; in detail. It is the simplest mode to put in place. It is ideal in a test environment or with servers whose configuration is applied once for a long period. The user decides to apply manually a configuration on one or more nodes. I have summarised the &#8220;Push mode&#8221; in a diagram:<\/p>\n<p class=\"illustration\"> <img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/imported\/2391-add75ca0-3efd-4000-afa4-db1498159822.png\" alt=\"2391-add75ca0-3efd-4000-afa4-db149815982\" \/><\/p>\n<p class=\"caption\">Figure2 -Push management model<\/p>\n<p> <strong>Authoring<\/strong> <\/p>\n<p>This stage is about creating your DSC configuration. You may do it through a simple text editor such as Notepad or via the PowerShell ISE. When the configuration is created, one only needs to execute it so as to create one or several MOF files that will contain the necessary information for the configuration of the node. There can only be one MOF file per node. This allows the node to have the overall configuration at once and be certain to apply the correct configuration. <\/p>\n<p> <strong>Staging<\/strong> <\/p>\n<p>After the compilation of the MOF files on your workstation, they are &#8220;pushed&#8221; on the nodes with the help of the <strong>Start-DSCConfiguration<\/strong> cmdlet. There is one optional parameter <strong>-ComputerName<\/strong>that allows you to indicate the node on which to apply the configuration. If the latter is not indicated, then the LCM will verify each file that is present in the configuration folder (indicated with the help of the <strong>-Path<\/strong> parameter) so as to identify the nodes concerned. <\/p>\n<div class=\"note\">\n<p class=\"note\">Note: to avoid a deployment failure when applying a configuration, you must first actively check that the DSC resources are present on the node. That is the biggest disadvantage of the &#8220;Push mode&#8221; that requires a manual action to deploy the resources on the nodes. <\/p>\n<\/p><\/div>\n<p> <strong>Execution<\/strong> <\/p>\n<p>The last step is to configure the node with the information received via the MOF files. The LCM immediately executes these files after it has analysed them. These files are placed on each node in the following directory: <strong>$env:systemRoot\/system32\/configuration<\/strong> <\/p>\n<p>You have &#8220;pushed&#8221; one MOF file on to your node but you will get several MOF files appearing. Why? What is their purpose? <\/p>\n<p>Here is a list:<\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS&gt; Get-ChildItem -Path 'C:WindowsSystem32Configuration' -File \r\n\r\n\r\n    Directory: C:WindowsSystem32Configuration\r\n\r\n\r\nMode                LastWriteTime     Length Name\r\n----                -------------     ------ ----\r\n-a---        25.01.2016     15:17       1164 backup.mof\r\n-a---        25.01.2016     15:17       1164 Current.mof\r\n-a---        14.02.2016     14:55        198 DSCEngineCache.mof\r\n-a---        23.01.2016     18:55       1130 MetaConfig.mof\r\n-a---        25.01.2016     15:17       1292 Previous.mof\r\n<\/pre>\n<p>Or by accessing the directory directly&#8230;<\/p>\n<p class=\"illustartion\"> <img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/imported\/2391-4a710e90-823f-4d94-a7b8-777386de916b.png\" alt=\"2391-4a710e90-823f-4d94-a7b8-777386de916\" \/><\/p>\n<p class=\"caption\">Figure3 -MOF Files folder<\/p>\n<p>The files will have been created according to a specific process:<\/p>\n<ul>\n<li>The first step: the LCM receives and executes the MOF file. It renames it &#8216;<strong>pending.mof<\/strong>&#8216; <\/li>\n<li>The second step (optional): if it exists, it renames the actual MOF file &#8216;<strong>current.mof<\/strong> <strong>&#8216;<\/strong> to &#8216;<strong>previous.mof<\/strong>&#8216; <\/li>\n<li>The third step: when this new configuration has been applied successfully, it renames &#8216;<strong>pending.mof<\/strong>&#8216; to &#8216;<strong>current.mof<\/strong>&#8216; <\/li>\n<li>The last step: the &#8216;<strong>current.mof<\/strong>&#8216; is duplicated to &#8216;<strong>backup.mof<\/strong>&#8216; <\/li>\n<\/ul>\n<div class=\"note\">\n<p class=\"note\">Note: if it fails, the file &#8216; <strong>pending.mof&#8217;<\/strong> is kept and re-executed. <\/p>\n<\/p><\/div>\n<p>Here is a diagram of the process to explain:<\/p>\n<p class=\"illustration\"> <img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/imported\/2391-78c667a1-4639-49de-a080-3298cc0086b7.png\" alt=\"2391-78c667a1-4639-49de-a080-3298cc0086b\" \/><\/p>\n<p class=\"caption\">Figure4 -MOF Files workflow<\/p>\n<p>In some circumstances, you may need to delete a file from the node. It could, for example, have become corrupted. To deal with this, a new cmdlet <strong>Remove-DSCConfigurationDocument\u00a0<\/strong>has been implemented that allows their suppression from a script: <\/p>\n<p>To delete all the MOF files present on the node:<\/p>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; Remove-DSCConfigurationDocument -Stage Current, Previous, Pending -Verbose <\/pre>\n<p>To delete just the MOF file &#8220;previous.mof&#8221;:<\/p>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; Remove-DSCConfigurationDocument -Stage Previous -Verbose <\/pre>\n<h2>To go further<\/h2>\n<p>The &#8216; <strong>Push mode&#8217;<\/strong> is really very simple to set up when there is a &#8216;trust&#8217; relationship between your workstation and the node. The trust relationship is obtained when the machines are members of the same Active Directory domain. The prerequisite to use DSC is the WinRM HTTP 5895 protocol (Windows Remote Management &#8211; that is the implementation of the standard WS-Management on the Windows platform). It is therefore necessary to assure the correct functioning of this component so as to allow the remote execution of the PowerShell code. <\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS&gt; Get-Service -ComputerName ADM11 -Name WinRM | fl * \r\n\r\n\r\nName                : WinRM\r\nRequiredServices    : {RPCSS, HTTP}\r\nCanPauseAndContinue : False\r\nCanShutdown         : True\r\nCanStop             : True\r\nDisplayName         : Windows Remote Management (WS-Management)\r\nDependentServices   : {}\r\nMachineName         : ADM11\r\nServiceName         : WinRM\r\nServicesDependedOn  : {RPCSS, HTTP}\r\nServiceHandle       : SafeServiceHandle\r\nStatus              : Running\r\nServiceType         : Win32ShareProcess\r\nSite                :\r\nContainer           :\r\n<\/pre>\n<div class=\"note\">\n<p class=\"note\">Note: in the event that your WinRM service is not running, you just need to use the following command so as to activate it: <strong>Set-WSManQuickConfig<\/strong> <\/p>\n<\/p><\/div>\n<p>Before trying to &#8220;push&#8221; a configuration onto your node, I advise you to do a test to assure that WinRM is enabled. The command <strong>Test-WSMan<\/strong> should give you this: <\/p>\n<pre class=\"lang:ps theme:powershell-output\">PS C:Usersadmin&gt; Test-WSMan -ComputerName ADM11\r\n\r\n\r\nwsmid           : http:\/\/schemas.dmtf.org\/wbem\/wsman\/identity\/1\/wsmanidentity.xsd\r\nProtocolVersion : http:\/\/schemas.dmtf.org\/wbem\/wsman\/1\/wsman.xsd\r\nProductVendor   : Microsoft Corporation\r\nProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0 \r\n<\/pre>\n<p>Here, WinRM is active. If not, you will get an error.<\/p>\n<p>If you have to deploy configurations on machines in a workgroup, the &#8220;Trust&#8221; relationship does not exist by default. Therefore, if you have to configure, for example, a web server located in a DMZ (Demilitarized zone), here are the steps:<\/p>\n<ul>\n<li>You must have a DNS resolution for the node located in DMZ. For this, you may edit your HOSTS file or create a static entry within your DNS server.<\/li>\n<\/ul>\n<p class=\"illustartion\"> <img decoding=\"async\" src=\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/imported\/2391-d422fbda-11ed-49bb-b96d-f51737f8cf7b.png\" alt=\"2391-d422fbda-11ed-49bb-b96d-f51737f8cf7\" \/><\/p>\n<p class=\"caption\">Figure5 &#8211; HOSTS file on your workstation<\/p>\n<ul>\n<li>Open an exception in your firewall so as to allow the WinRM port to communicate between your node and your workstation.<\/li>\n<li>Execute a CMD as administrator then enter the following command:<\/li>\n<\/ul>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; Set winrm\/config\/client '@{TrustedHosts=\"YourNonTrustedNode\"}'<\/pre>\n<p> This allows to add your node in the &#8216;Trust list&#8217; of WinRM<\/p>\n<ul>\n<li>finally, you must use a local administrator&#8217;s account of the node when you use the command <strong>Start-<\/strong> <strong>DSCConfiguration<\/strong> <strong><\/strong>with the parameter <strong> -Credential: <\/strong> <\/li>\n<\/ul>\n<pre class=\"lang:ps theme:powershell-ise\">PS&gt; Start-DSCConfiguration -Path &lt;&lt; DSCFolder &gt;&gt; -Verbose -Credential (Get-Credential) -ComputerName 'YourNonTrustedNode' <\/pre>\n<h2>Conclusion<\/h2>\n<p>We now have completed the analysis of the &#8220;Push mode&#8221; that has proved to be simple to implement. In the next sections, we will detail the &#8220;PULL mode&#8221; that is more adapted in a production environment with hundreds of machines to manage.<\/p>\n<p>As for the LCM, it is a key component of the DSC framework and it will reappear in the next sections of this series. It is important to understand its use, and its central role in a DSC architecture. I am sorry if this article contained a lot of theory but it was necessary to run through the basics so as to describe all the logic of the DSC. <\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>PowerShell&#8217;s Desired State Configuration (DSC) framework depends on the Local Configuration Manager (LCM) which has a central role in a DSC architecture. It runs on all nodes that have PowerShell 4.0 or above installed in order to control the execution of DSC configurations on target nodes. Nicolas Prigent illustrates the role of the LCM in the &#8216;Push&#8217; mode of configuring nodes.&hellip;<\/p>\n","protected":false},"author":158223,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[35],"tags":[4635,4179,4871],"coauthors":[6804],"class_list":["post-2190","post","type-post","status-publish","format-standard","hentry","category-powershell","tag-powershell","tag-source-control","tag-sysadmin"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/2190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/158223"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=2190"}],"version-history":[{"count":4,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/2190\/revisions"}],"predecessor-version":[{"id":66527,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/2190\/revisions\/66527"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=2190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=2190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=2190"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=2190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}