Pushing DSC configuration to an Azure VM

I described in an earlier article that Desired State Configuration requires WinRM listeners for pushing configuration to target systems. By default, WinRM listens on ports 5985 (HTTP) and 5986 (HTTPS). When you deploy Windows VMs on Azure, the default WinRM listener is SSL (HTTPS) based and has a random public port number assigned to it. To reach it, we use the Cloud Service DNS name along with the random port number assigned to the WinRM HTTPS listener.

For example, here is one of the Azure VMs I created. This is running Windows Server 2012 R2 and has the WinRM HTTPS listener created.


As you see here, the public port assigned to the HTTPS listener is 50798. Also note that we cannot directly access the VM hostname from the public network. This means we have to go through the DNS name of the Cloud Service.

So, how do we push DSC configuration to this VM? By default, the Start-DscConfiguration cmdlet expects the WinRM listener at the default ports I mentioned in the beginning. Let us look at an example and see what happens when we push the configuration using the DNS name of the Cloud Service.

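Configuration TestAzureConfig {
    param (
        [String] $NodeName
    )
    Node $NodeName {
        # Ensure a Notepad process is running on the target node
        WindowsProcess TestProcess {
            Path = "Notepad.exe"
            Arguments = ""
            Ensure = "Present"
        }
    }
}

# Compile the MOF for the Cloud Service DNS name
TestAzureConfig -NodeName WinVMs.CloudApp.net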

I will now try to push this configuration to my Azure VM.

The configuration push fails. The error can be misleading, but the cause is that the WinRM HTTPS listener is not at port 5986; it is configured on a random port number. What we need here is a CIM session. Before creating the CIM session, make sure you download and install the certificate from the Cloud Service. This is required because the WinRM listener is HTTPS based. You can use the instructions mentioned in one of our earlier articles. Once you have the Cloud Service certificate installed, use the following code snippet to create a CIM session.

$cimSessionOption = New-CimSessionOption -UseSsl
$cimSession = New-CimSession -SessionOption $cimSessionOption -ComputerName WinVMs.CloudApp.net -Port 50798 -Authentication Negotiate -Credential (Get-Credential)

We can use the -CimSession parameter of the Start-DscConfiguration cmdlet to push the configuration to the Azure VM. By the way, this procedure can be used with any target system that has non-default WinRM listeners. I just used an Azure VM because they have random port numbers assigned to WinRM listeners by default.
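
The push described above, wrapped in a helper, as an added example that is not code from the original article. Push-DscOverCustomPort and its parameter names are hypothetical, and it assumes the MOF was already compiled by the TestAzureConfig call shown earlier. Certificate validation is left on, so the session fails instead of connecting to an endpoint whose certificate is not trusted.

```powershell
# Added example; Push-DscOverCustomPort is a hypothetical helper name.
function Push-DscOverCustomPort {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $ComputerName,   # Cloud Service DNS name
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port,  # public WinRM HTTPS port
        [Parameter(Mandatory)] [string] $MofPath,        # folder holding <ComputerName>.mof
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # The MOF file name has to match the node name used at compile time.
    $mof = Join-Path -Path $MofPath -ChildPath "$ComputerName.mof"
    if (-not (Test-Path -Path $mof)) {
        throw "No MOF found at $mof. Compile the configuration first."
    }

    # -UseSsl only: certificate chain and name checks stay enabled, so the
    # Cloud Service certificate has to be trusted on this machine.
    $option  = New-CimSessionOption -UseSsl
    $session = $null
    try {
        $session = New-CimSession -ComputerName $ComputerName -Port $Port `
            -SessionOption $option -Authentication Negotiate `
            -Credential $Credential -ErrorAction Stop

        Start-DscConfiguration -Path $MofPath -CimSession $session -Wait -Verbose -ErrorAction Stop

        # Returns $true when the node matches the pushed configuration.
        Test-DscConfiguration -CimSession $session
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

# DNS name and port are the article's values; .\TestAzureConfig is the
# default output folder of the TestAzureConfig call shown earlier.
Push-DscOverCustomPort -ComputerName WinVMs.CloudApp.net -Port 50798 `
    -MofPath .\TestAzureConfig -Credential (Get-Credential)
```

If New-CimSession fails with a certificate error, install the Cloud Service certificate as described above; do not switch the session option to skip certificate checks.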


This is it for now. In a later article, I will show how to deploy HTTP listeners and use them for pushing DSC configuration.

© 2018 PowerShell Magazine. All rights reserved.