DSC Planning Update – June 2019

Michael Greene


It has been almost a year since the last DSC Planning update. There has been a lot going on, many decisions being made, and it just didn’t make sense to post earlier in this calendar year. In this post we will review what has been shipped and the high-level direction we are heading. 

I am accompanying this post with write-ups that are for the more technical audience. In two parts, I would like to explain the implementation of the Guest Configuration client/service and exactly how the new DSC engine functions. 

If you take nothing else away, here are the top-level items: 

  • The new implementation of DSC is Azure Policy Guest Configuration 
  • The solution is GA for built-in content and is moving towards a preview for custom content 
  • Your skill set and your DSC scripts/modules can be used in a new way 

Azure Policy Guest Configuration 

Previously we have referred to the new DSC codebase under different names. DSC Core and the new LCM. We also disclosed that the platform would be used in Azure Policy Guest Configuration. 

What have we shipped? 

The DSC codebase we have been working on is now fully GA as Azure Policy Guest Configuration but this is not the DSC you have known up to this point. It is best to think of Azure Policy Guest Configuration as based on the DSC syntax but functionally a new platform. 

The intention for this service is to build confidence so application developers/owners are free to deploy servers when they need them without putting the organization at risk. Building this platform on a tool that was designed with operations in mind helps us to look beyond the types of settings that we thought about in platforms such as Group Policy. We can include operational requirements such as making sure all servers have a healthy monitoring agent, logging configuration, and the correct certificates in place to function in an enterprise environment. 

DSC has been the basis for other Azure solutions such as the Azure DSC Extension and Azure Automation State Configuration, that help you to configure virtual machines. Azure Policy Guest Configuration currently provides an audit platform to validate settings inside virtual machines. 

The full documentation for this service is available at the following short url. 


If you would like to continue reading about how this service is technically implemented, the two technical write-ups are published to accompany this post. 

Azure Policy Guest Configuration – Service

Azure Policy Guest Configuration – Client

High level direction forward 

For the next semester (the second half of 2019 calendar year) we are focused on iterating upon our first release of this solution, introducing the ability for you to use your own content for auditing machines, and to enable you to also enforce settings inside virtual machines using Azure Policy. 

It is important for many people to understand what the options will be to use DSC in disconnected scenarios going forward.  We are considering our options in this area and taking the feedback seriously.  I hope to have more to share on this area in the future. 

Iterating upon our first release of the solution includes multiple areas where we believe we can make life easier for customers. One of the patterns we have observed is customers assigning an audit policy but forgetting to assign the policy that handles automatically onboarding servers.  In the future we believe we can make this simpler.  We have also heard from customers that they would like to have the option to bulk export data about virtual machine compliance so it can be used in other tools, and that they would like to use the solution to audit servers running outside of Azure. 

We hope to enable customers to use their own content, and the tools of their choice, when auditing settings inside virtual machines. As an example, we have heard from Chef customers that they would like to be able to use InSpec to audit Windows Servers. As a result, we announced in our session at Chef Conference that we will be co-maintaining a Guest Configuration provider for InSpec as a collaborative open source project that customers can use in Azure Policy Guest Configuration. More information can be found here. 

We are investing in getting the user experience right for developing custom content, cross platform for the developer workstation, and having a validation and troubleshooting experience that improves on lessons we learned with DSC. We will soon be moving into a public preview of custom content. In the meantime, you are welcome to give us feedback in our request for comments public GitHub repo here. 

Finally, we are investigating the right approaches for enforcing settings inside virtual machines using Azure Policy. With this scope in mind, I would like to invite you to respond to a (an anonymous) survey to provide feedback on your top requirements. 

Survey link 

Thank you!
Michael Greene
Principal Program Manger
Microsoft Azure

Michael Greene
Michael Greene

Follow Michael   

Javier Negro Dieste 2019-06-07 08:29:00
What does this means for people who don’t want to use Azure? Should we forget about DSC and move into other tools like Ansible?
Jiping 2019-06-07 09:51:08
what is DSC? Could you use the full name the first time? Also with link. (This post pops up to my browser homepage. Maybe I have searched PowerShell.)
Aleksander Pawlak 2019-06-11 10:43:28
How will it affect on-premises Windows Server DSC functionality? DSC should be treated now as deprecated feature?
Eric Pang 2019-06-13 02:39:07
I initially delved into DSC a few years back and created a number of configuration scripts for on-prem VMs. Since then our company adopted Chef and I moved into using this tool over DSC due to it's established platform. Working with Chef for over a year or two now, I haven't been following the changes in DSC. We use Chef with AWS platform. Will the future of DSC support this platform (or any other cloud platform) or is it just Azure only?  Why would I use the "new" DSC over Chef? There seems to be a lot of "catching-up" to do compared to established tools on the market. Don't get me wrong, I enjoyed using DSC at the time but I need solid examples what the new DSC has to offer before investing any more time in the tool.
Robert Biddle 2019-06-13 08:35:08
This statement is somewhat confusing: "The new implementation of DSC is Azure Policy Guest Configuration " Are you saying that Azure Policy Guest Configuration is A new thing, and it's based on DSC ...  Or is Azure Policy Guest Configuration THE only thing going foward and essentially replacing DSC? The latter would be very concerning to me.  I've built our entire production infrastructure using DSC.  We're mostly a Windows shop, but we also operate 100% in public cloud, most of which isn't Azure.  I've also been using DSC for more than machine management (i.e. cloud automations). I really hope I'm reading into this incorrectly.  If DSC (i.e. the LCM) is not going to be a core feature in PowerShell 7 that can be used anywhere (e.g. local, not dependant on internet access / cloud-agnostic ) then I'm going to have to start moving away from it immediately.  Please tell me that's not the case.