Windows 10, Azure, and DSC

There are many posts on the Internet about DSC and its interoperability (or lack thereof) between Windows Servers and Windows Desktops, such as Windows 10.

Many threads state you shouldn’t use DSC scripts from Windows Servers and apply them to Windows Desktop. For me, this couldn’t be further from the truth. Who would want to redo all the work already done, just because they are targeting Windows Desktops vs Servers? Additionally, DSC is built on top of the Windows Management Framework (WMF), which clearly states it supports Windows 10, and even Windows 7.

There is one confusing part you need to know about if you go down this path: Windows 10 has its execution policy (the setting managed with Set-ExecutionPolicy) set to Restricted by default. This means you can't pass it DSC Configuration Scripts. Don't think you can use DSC's ComputerManagementDSC to set this policy either; that can't load either.

What you need to do is simple, yet not documented as far as I can tell anywhere on the Internet.

In the DSC configuration, set the execution policy before you get to the Node block.

Configuration XYZ
{
   param(
   ...
   )
   Set-ExecutionPolicy -ExecutionPolicy <policy> -Scope <scope> -Force
   
   Import-DscResource ...
   
   Node localhost
   {
   ...
   }
}

Placed here, the cmdlet runs first, so no scripts that the system's execution policy might block are loaded before the policy is set. Replace <policy> and <scope> in the example above with whatever policy and scope you want.
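
A filled-in version of the template above, added here as an illustration and not taken from the original post or the DefendTheFlag project: it accepts only signed-script policies, defaults to the narrowest scope, and lists the policy at every scope after compiling. It assumes Windows PowerShell 5.1; the configuration name, parameters and file path are hypothetical, and whether Process scope is enough for your deployment method is something to confirm.

```powershell
# Added example for Windows PowerShell 5.1. Win10Baseline, $Policy, $Scope and
# the file path are hypothetical names chosen for illustration.
Configuration Win10Baseline
{
    param(
        # Only signed-script policies are accepted here.
        [ValidateSet('AllSigned', 'RemoteSigned')]
        [string]$Policy = 'RemoteSigned',

        # Process lasts for this session only; LocalMachine persists for all users.
        [ValidateSet('Process', 'CurrentUser', 'LocalMachine')]
        [string]$Scope = 'Process'
    )

    # Body statements run in order when the configuration is invoked,
    # so this executes before the Node block is evaluated.
    Set-ExecutionPolicy -ExecutionPolicy $Policy -Scope $Scope -Force

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        File Marker
        {
            DestinationPath = 'C:\Temp\dsc-marker.txt'
            Contents        = 'configured by DSC'
            Ensure          = 'Present'
        }
    }
}

# Group Policy scopes outrank anything Set-ExecutionPolicy can write.
foreach ($gpScope in 'MachinePolicy', 'UserPolicy') {
    if ((Get-ExecutionPolicy -Scope $gpScope) -ne 'Undefined') {
        Write-Warning "$gpScope is set by Group Policy and takes precedence."
    }
}

# Compile to a MOF, then list the policy at every scope to confirm the result.
Win10Baseline -OutputPath (Join-Path $env:TEMP 'Win10Baseline') | Out-Null
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy
```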

For a live example, check our DefendTheFlag project, which is incorporating this with an AD environment composed of Servers and Desktops.

Hopefully this helps someone, especially now that Windows 10 in Azure is a real thing, even more compared to before thanks to Windows Desktop Virtualization.

Andrew