DSCEA has been released – Introducing exciting new updates to Start-DSCEAscan



AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!


***This post was written by Ralph Kyttle, PFE, and back linked to the original post. The original post can be found at: https://blogs.technet.microsoft.com/ralphkyttle/2017/04/05/dscea-1-2-0-0-has-been-released-introducing-exciting-new-updates-to-start-dsceascan/

For more information on DSCEA, please review the original post on the topic located at https://blogs.technet.microsoft.com/ralphkyttle/2017/03/21/introducing-dscea/ or https://blogs.technet.microsoft.com/askpfeplat/2017/04/04/introducing-dscea/

DSCEA has been released!!!

Just as a recap on DSCEA:

DSC Environment Analyzer (DSCEA), is an open source PowerShell module that uses the declarative nature of Desired State Configuration to scan systems in an environment against a defined reference MOF file and generate compliance reports as to whether systems match the desired configuration.

DSCEA includes a customizable reporting engine that can provide reports on overall compliance and details on any DSC resource found to be non-compliant.  DSCEA utilizes the DSC processing engine and DSC resources to audit and report on the existing configuration of machines in an environment.

By using PowerShell Desired State Configuration at its core, DSCEA obtains some unique advantages. Most notably, by defining the desired configuration state using DSC, an admin can benefit from using the same work to both scan for compliance and then correct items that were found to be non-compliant. Building an audit file in DSC can help ease remediations, and in some cases it can be as simple as applying the same MOF file that was used to scan an environment onto systems to correct drift and bring things into the desired state.

DSCEA is hosted at https://github.com/Microsoft/DSCEA and can be downloaded from the PowerShell Gallery.

Details on this release are listed below:

  • Introduced exciting new updates to Start-DSCEAscan
    • Automatic copying of any custom resources needed for a scan from the management system to the remote endpoints being scanned
    • Added a new Path parameter, which allows Start-DSCEAscan to take in a folder path containing machine specific MOF files to allow for a scan of those systems against unique per system settings
  • Added additional config examples
    • Config that uses non built-in DSC resources
    • Config that showcases using the DSC script resource
      • Thank you to Patrick Mercier for your contributions and feedback on this!
  • Bug fixes
    • Fixed issue where errors were thrown when running Import-Module DSCEA
    • Fixed quote character issue when running Get-Help Start-DSCEAscan
  • Documentation updates
    • Clarified instructions on Report Generation with Power BI page
    • Clarified instructions on PowerShell Gallery – Offline Install page
    • Added page – Convert DSCEA scan result to CSV
    • Added page – DSCEA Functions Reference

Real world examples of how DSCEA can be used include

  • Verifying a single setting, for example if a registry key is set appropriately across your entire environment
  • Auditing your systems to ensure that they meet the base level system configuration settings that are required to be a part of your environment
  • Scanning the systems in your environment against all of the items that make up your organization’s security baseline
  • Verifying that settings configured via Group Policy are being applied correctly to the systems in your environment
  • Verifying settings configured on Windows Server 2016 Nano servers (which do not support Group Policy)