Category Archives: PowerShell for Admins

DenverPSUG – Keith Hill Presenting

Hello everyone,

The Denver PowerShell User Group will be meeting again on September 4th and we will have Keith Hill presenting. Keith has published an ebook, is a repeat Microsoft MVP, and has been heavily involved in writing and maintaining the PowerShell Community Extensions.

You can find more information on the event as well as RSVP here:

Keith Hill – topic TBD

Thursday, Sep 4, 2014, 7:00 PM

899 Logan st
Suite 210 Denver, CO

4 PowerShell People Attending

PowerShell MVP Keith Hill,, will be giving a talk.

Check out this Meetup →


Urgent – Why you should speak at the 2015 NA PowerShell Summit.

I was speaking at TechMentor last week – a great and well-run conference – and it seemed I was overly using the phrase “You should speak at the PowerShell Summit”. I enjoy meeting old friends and making new ones at conferences, it’s one of the pleasures of working with people I enjoy the most. I not only learn about the latest challenges that the attendees face, but I learn very product specific knowledge from them. It feels like they should be the ones on stage talking about their latest foray into some deep dark corner of IT.

That’s when I started asking myself – “Why aren’t they speaking too?” So, I started asking that question, followed by a suggestion that they send in an abstract to speak at the PowerShell Summit.  I was a little surprised by the look on their faces – as if I had suggested something that never crossed their minds. Well, it’s time that it crosses your mind.

I’m not here to convince you to speak, or encourage you in opening up additional career options; I’m suggesting that you have skills and experience that can help others. Why not share that?

Afraid to speak? There are a lot of things that scare me; writing books, speaking at conferences, teaching, fixing Exchange, etc. I’m afraid of many things that might result in failure, but I’m not willing to let that fear prevent me from trying new things – especially if I might be able to help someone else. In the words of my best mentor and friend: “Stretch yourself”.

This is my callout to you. This is me asking you to share your knowledge and help the community grow. This is me saying: “Stretch yourself”.

So, send in an abstract – it doesn’t mean you will get chosen (that’s not a failure BTW) but it does mean you’re trying to help. Good for you!

Details below:


Video: An Entertaining Evening on the Art and Science of Writing Scripts in PowerShell

Cody Konior brought us this:

An entertaining evening on the art and science of writing scripts in PowerShell targeted especially for beginners.

Interspersed with live demos, we’ll glance through the basics such as variables, loops, and the pipeline, then briskly overview modules, remoting, a little SQL, and email control. All sample code will then be combined to solve* a “totally realistic scenario” with a Rube Goldbergian nightmare.

This is a once-off event of fun and frivolity not to be missed.

* Best practices not guaranteed.

Watch the video on YouTube.

Call for Presentations for PowerShell Summit North America 2015

The PowerShell Summit is the number one conference where PowerShell enthusiasts gather and learn from each other in fast-paced, knowledge packed presentations. PowerShell experts from all over the world including MVP’s, Guru’s, community leaders and PowerShell team members, will once again join together for a few days in Charlotte, North Carolina to discuss and learn how about maximizing PowerShell in the workplace. If you want to share your PowerShell expertise or story, then this is your official call to submit presentations for selection!

PowerShell Summit North America 2015 will be held April 20-22 2015 at the Microsoft Campus in Charlotte, North Carolina.

Topic Areas – What we are looking for

We are looking for 45-minute presentations covering a wide aspect of PowerShell expertise. We have two main topic areas that may assist you in building an abstract.

  • PowerShell Internals – A deep look into the inside workings of PowerShell and practical solutions that are built from them. These presentations are typically more directed to the PowerShell development community that is building extensions and solutions relating to PowerShell.
  • PowerShell Features Deep Dive – These presentations are a deep look into configuring and working with PowerShell features and capabilities such as Remoting, Desired State Configuration and more. These presentations tend to be more IT Pro focused.

We are open to presentations across the entire ecosystem that has been built around PowerShell; so don’t hesitate to send an abstract for your particular area of expertise. This includes Microsoft platforms and products that have PowerShell-based management tools as well as 3rd parties such as VMware.


What kind of sessions get selected?

We’re looking for sessions that go beyond – possibly way beyond – “beginner.” We look for an abstract that’s compelling and makes us salivate to see your session – so spend time writing a punchy abstract! We want sessions that offer real-world usability combined with “wow, nobody talks about THAT” awesomeness. Remember, Summit sessions are recorded, so if you’re previously presented a topic at a Summit, we’re less likely to choose it for another Summit. We want sessions that are challenging, and that ideally present things that simply aren’t explained or documented elsewhere. New modules, new techniques, and crazy approaches are all welcome. Discussion-format sessions are great, too, especially if you plan to turn them into a community deliverable (like a “best practices for writing DSC Resources” session that gets turned into a free e-guide later). Think community, deep dive, engaging, and amazing as keywords. We want attendees to finish each day with information leaking… just a little bit… out their eyeballs. Help us make it happen.

We do have some goals for speaker selection, too. We obviously have, and appreciate, the great involvement we get from the product team. We aim to have a certain number of sessions from well-known members of the community, simply because they’re well-known for a reason – they do a great job! But we also set aside slots for newcomers who’ve never presented before, or who’ve maybe only presented once or twice before. We want to create opportunities for more folks to become engaged and active in our community, and the Summit is a great way to do that.

We aren’t looking for soft-skills sessions, like “how to get a new user group running,” although contact us via email (summit@) if you’d like to do something like that as an extra evening thing after the main content wraps for the day.


How to submit abstracts of presentations

Presentations will be 45-minutes in length and the submission should include the following:

  • Presentation Title
  • Presentation abstract – a description of the presentation and the topics covered. 250 words or less and suitable for marketing.
  1. Go to Create an account.
  2. You can always return to to login and access your abstracts.
  3. Click Abstracts
  4. Click Submit Abstract
  5. Provide a title and description; descriptions must be 50-250 words. Set the Status to “Ready to Review” when you are ready to send your session to us for consideration.

You can submit multiple presentations in the same topic area or for different ones. Be aware that even though the session length is 45 minutes we prefer to have at least 10 minutes set aside for questions. Summit presentations are intense and intimate often with plenty of audience interaction. Also because of the length, generally co-presenters are unnecessary, but that is not a requirement.

Presentation submission deadline – When you should send it by

Start sending your presentation submissions immediately! The selection committee will start selecting presentations as soon as they arrive so you don’t want to miss out. The last day we will accept presentation submissions will be September 15, 2014.

When you will know you’ve been selected

The selection committee will start reviewing submissions immediately and begin the selection process. You will be informed if one or more of your presentations have been selected and sent a contract on or before October 06, 2014. You will need to return the signed contract by October 31, 2014.

Selected speakers will be given free admission to the event, including attendance at all official Summit activities. However, AWPP membership is not included. Speakers may not bring guests to the event. We have a limited budget, and the number of speakers selected will be partially governed by that budget. Speakers are responsible for their own travel expenses, including hotel, airfare, and ground transportation.

The final agenda will be announced and posted on PowerShell.Org.

We look forward to your submissions and your help in making PowerShell Summit North America 2015 the most valuable IT/Dev conference of the year!

DSC Pull Server on Windows Server 2008 R2

Recently on the forums, a community member mentioned that they were having trouble setting up a Server 2008 R2 machine as a DSC pull server. It turns out, this is possible, but you have to install all the prerequisites yourself, since the Add-WindowsFeature DSC-Service command doesn’t do it for you on the older operating system.

Refer to this blog post for the checklist.

Quick Tip: WMI vs. CIM Syntax

# List all classes in a namespace
Get-CimClass -Namespace root\CIMv2
Get-WmiObject -Namespace root\CIMv2 -List

# list all classes containing “service” in their name
Get-CimClass -Namespace root\CIMv2 | Where CimClassName -like ‘*service*’ | Sort CimClassName


Get-CimClass -Namespace root\CIMv2 -Classname *service*
Get-WmiObject -Namespace root\CIMv2 -List | Where Name -like ‘*service*’ | Sort Name

# get all class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem

# filter class instances
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_LogicalDisk -Filter “DriveType=3″
Get-WmiObject -Namespace root\CIMv2 -Class Win32_LogicalDisk -Filter “DriveType=3″

# show all properties
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | Get-Member
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | Get-Member

# show all properties and values
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_OperatingSystem | fl *
Get-WmiObject -Namespace root\CIMv2 -Class Win32_OperatingSystem | fl *

# remote computer
Get-CimInstance -Namespace root\CIMv2 -ClassName Win32_BIOS -ComputerName dc,win81
Get-WmiObject -Namespace root\CIMv2 -Class Win32_BIOS -ComputerName dc,win81

# use CIM command to talk to non-CIM computer
Get-CimInstance -Namespace root\CIMv2 -ClassName win32_BIOS -CimSession (
New-CimSession -ComputerName OLD-XP-PC -SessionOption (
New-CimSessionOption -Protocol Dcom

Analyzing the “Black Magic” PowerShell “Exploit” and Appropriate Actions

Trend Micro released a report on a new PowerShell-vectored exploit named Black Magic. I had a lovely Twitter conversation about what this means in terms of PowerShell’s vulnerability to attack, and what admins should do. Unfortunately Twitter sucks for carrying on that kind of conversation, so I wanted to post this to clarify a few things.

First, I’m going to write this article as if “you” were hit by this exploit. Don’t take it personally, it’s just an easier style of language for me – it’s not actually addressing you.

Second, when it comes to security, the goal is to stop attacks from happening. That means you have to consider all the ways something could nail you, and try to block as many of them as is practical. That’s called “defense in depth,” giving you multiple layers of defense. The corollary to that is that your environment must still be functional. I mean, from a secure standpoint, if I unplugged all the WiFi access points and Ethernet switches you have, you’d be pretty secure. And non-functional.

Third… and I don’t know how to be delicate about this, but a lot of admins out there aren’t very sophisticated about security. There’s sometimes a tendency to fix what they can get their hands on, whether or not that makes any impact on security or not. So let’s be very clear about what you do when it comes to security: You do as little as possible, and impinge as little functionality as possible, while achieving your security goals. That helps maintain a “functional” environment, and keeps the security aspect of it “maintainable.” Sometimes, “as little as possible” is quite a lot indeed – but you look for that balance. Finally, you almost never do anything to “improve” security if it is in fact a null improvement. That is, you don’t lock the doors if the windows can’t be closed. There’s no point.

Now, let’s look at how Black Magic operates.


Step 1: Social Engineering

The exploit comes in the form of an .LNK e-mail attachment. That’s a Windows shortcut file. Users are meant to double-click it, and the shortcut launches a PowerShell session with the execution policy essentially turned off.

Problem 1: You let users get .LNK e-mail attachments from external users. This is stupid. Users shouldn’t be able to receive executable file types. Note that a .PS1 file isn’t an executable file type, which is why the exploit had to take this action. If you’d blocked .LNK attachments at the firewall, the exploit would be useless.

Problem 2: Your users are opening file attachments from people they don’t know. There is no technical way to protect an environment where users aren’t doing the right thing. No way. Just give up. This is why I keep going on about building a “culture of security.” If your users’ job descriptions, or your company employee manual, doesn’t say something to the effect of, “employees must be able to safely operate company computers in accordance with company policies and standards,” then you’re just doomed. If it does say that, and a user does open an attachment like this, you write them up and eventually fire them. If you think you can stop stupid users from bypassing every security measure you put in place, you are dumber than they are. You have to fix the social engineering element. There is almost no point in trying anything else, because users will get around it.

I know. A lot of you are shrugging and saying, “well, you can’t fix users, so I’ll just lock down PowerShell.” It won’t work.

I once, and rather famously, refused to help a law firm client get their NTFS file permissions under control, because they let users print sensitive documents and leave them lying around the office. Don’t bother locking the door if the windows are open.


Step 2: The Download

One of the elements of the Twitter discussion was, “maybe standard users shouldn’t have PowerShell able to run, because it’s so powerful and can be exploited so easily.”

Um, no.

First: PowerShell’s execution policy is not a measure against malware. It was never designed to be, so don’t be disappointed when it isn’t. If you thought it was, you were wrong, and that’s your fault for not educating yourself, not Microsoft’s fault for failing to do something they never set out to do in the first place.

Second: PowerShell only lets you do what you have permission to do. The Black Magic exploit used PowerShell simply to download a file from the Internet. That’s it. It didn’t wipe out Active Directory, it didn’t erase a file server, and it didn’t start grabbing messages out of Exchange, because normal users can’t do those things.

Would locking down PowerShell, so that normal users couldn’t run it, have stopped this exploit? No, because normal users have an abundance of ways to download files, and the exploit would simply have used a different one. PowerShell was convenient here, not necessary. If you’re going to posit locking down PowerShell, you must also lock down every other possible means of downloading a file from the Internet, or you’ve done nothing to impact security. Nothing.

PowerShell is not powerful. Erase that from your mind. Everything PowerShell is and does comes from the .NET Framework installed on every one of your computers, which your users have full access to. PowerShell is nothing more than a human-friendly way of getting to the Framework without needing Visual Studio on-hand. You could erase PowerShell and 100% of its functionality would still be present and absolutely usable by an exploit. Get your brain wrapped around that, because it’s an important concept.

Problem 3: You let your users download files from trashy websites. Your firewall should have been blocking access, and if it had integrated malware tools and realtime block lists, it probably would have caught this access.

Problem 4: You’re not using a local to block outgoing access by applications. For standard users, there’s little reason to access the Internet by means other than a web browser or known applications. This is a well-known technology and approach that’s been around for a decade.

Step 3: Run a File

Black Magic’s last step is to run the downloaded payload, which it does under normal user permissions.

Problem 5: You’re allowing users to run arbitrary applications. AppLocker has been around since Windows Vista, and provides a way of “whitelisting” applications that may run. This payload would never have been allowed to execute if you’d been using a built-in tool that’s been around since 2008. AppLocker even offers the ability to build that whitelist for you.

Problem 6: You’re not running updated anti-malware software that would have detected the payload and blocked it – and alerted someone. Most would have blocked access to the URL where the payload came from, too.


So you’ve had six opportunities to stop this exploit, all of which involve well-known, years-old technologies and techniques. You probably haven’t done most of them, and so you want to blame PowerShell.

OK… I’ll step out of the “you” attack-y mode :).

The point is that, once you have arbitrary code running on users’ systems, you’re owned. Nothing you can do to PowerShell will stop that. This attack could easily have been a .LNK file that ran Cmd.exe and the Telnet or FTP client – it could have achieved the same thing. It could easily have been an .EXE (“no, we block EXE file attachments;” “why the hell don’t you also block .LNK then, dummy?”).

I don’t want to come across as defending PowerShell per se; I’m trying to help folks understand where the real security problems lie. PowerShell is a red herring in all this; it was a convenient way of getting innocuous code to execute. There were six other places where this attack would have been stopped in its tracks, and any six of those would also have stopped every other similar kind of attack that didn’t rely specifically on PowerShell. That’s what makes those six effective – they’re global, not targeted at one specific piece of code. All of those six act to stop malware.

Before you take actions in security, you need to make sure you’re doing so from a holistic, professional security perspective. The first time a fire broke out in a crowded theater, officials didn’t say, “well, we should put sprinklers and alarms in that theater.” They put them in every theater, and started demanding flame-retardant fabrics and other measures. You address security across the board, not on a piecemeal basis.


A Tangent Argument

“Ah,” the argument goes, “but we should reduce moving parts. Users don’t have a legit need to run PowerShell, so we should lock them out of it.”

Valid. Except that PowerShell.exe isn’t PowerShell. PowerShell is a .NET Framework-based engine; PowerShell.exe is just a console application that lets you feed typed commands to that engine. You can’t remove PowerShell, and you can’t “block” users’ access to it, because it’s part of the Framework. It’s an integral part of the operating system. Things you don’t even realize are using it, are using it.

But yes, you could block users’ access to the console application, PowerShell.exe. I might even buy that argument, especially in a highly secure environment where you simply don’t want users having access to anything they don’t explicitly need to do their jobs. In fact, I would buy that argument, if and only if you block users’ access to everything they don’t explicitly need. Notepad. Windows Paint. Solitaire. Etc. Because based on the theory you’re working from, all code is bad code (a valid security perspective) and you block everything not explicitly needed. Remember, PowerShell doesn’t give users any special capabilities. Anything a normal user can do in PowerShell can be done in at least 2 other ways using other native tools. This is why AppLocker is a better approach: the list of apps a user needs is smaller than the list of apps they don’t, and so a whitelist is more maintainable, no matter how huge it is.



There you go. Now, you’re welcome to make comments on this, and offer your perspective. However, I have a couple of guidelines.

  1. Keep the conversation civil and professional. I’ll delete anything obnoxious.
  2. Keep the conversation focused on security. And remember that security isn’t about locking down the doors when the windows are open; it’s about holistically achieving specific goals. You don’t take security measures that simply move the target elsewhere. “Defense in depth” doesn’t mean 80 security restrictions and 20 ways around them. If something is super-easy to bypass, you don’t bother.



May NoVa PowerShell User Group Meeting Notes

Here are some links for some of the topics discussed last night.

Simple example of Unit Testing PowerShell with Pester.

PowerShell Provider Framework

We agreed that the next meeting will be in one month, likely June 25th. Again at 7PM and at the same location.

If you have questions, you can email me directly at NoVaPsug at You can also communicate through the mailing list. Email listmanager at if you want to add or remove yourself from the list. Emails sent to info at will be forwarded to everyone on the list if you have a question, but don’t know exactly who to ask.

If you have a topic you’d like to talk about, send me an email. There was some interest from the group in learning more about CDXML. Also, if you are working on something and want to share, bring it with you. We have some people very comfortable with PowerShell that can help you solve problems and take your script to the next level.

I hope to see you at are our next meeting.

– Chris

Working on a new PowerShell module: ProtectedData

I’m working on a new module intended to make it easier to encrypt secret data, and share it among multiple users and computers in a secure fashion. It’s not quite ready for “release” yet, but I’ve made it public on GitHub anyway, so I can start to get feedback early.

Check out my original blog post (link) for details. The GitHub repository is here.

NA 2014 PowerShell Summit wrap-up and speaker slides

This years North American PowerShell Summit was an amazing event, not only because of the outstanding speakers and sessions, but also because of you – the attendees. The enthusiasm you brought from the first mornings welcome to the evening events – like Iron Scripter – was contagious. Even the PowerShell.Org organization team, which was very tired by the time the Summit launched, got re-energized by everyone’s excitement.  How can I forget Kendall Maddox winning that amazing trophy from the Iron Scripter event!

The speakers from both Microsoft and around the world brought the latest and best information about PowerShell. As an attendee, you were the first to see new technologies – like the PowerShell Team demonstrating DSC with Linux!

On behalf of the organizers at PowerShell.Org I want to say a huge thank you to all of the attendees and speakers. I also want to thank our special Sponsor SAPIEN Technologies for taking the time to come to the Summit and for handing out free fully licensed versions of their version control product Version Recall.

Are there resources from the Summit available?

Yes. More than you might think. As an example of how the PowerShell community never stops amazing me, @vhusker (Jacob Benson) created a Curah site with a ton of resources from the Summit. Start here!

Also, Many of the speakers contributed their slides and code, which can be downloaded here.

Derek Ardolf put together a great link page to video’s and slides on his site here.

Help us for next year!

If you have suggestions on how we can improve next years Summit, send me a tweet or email to @theJasonHelmick. We listen carefully to your suggestions and I want to hear from you.

In fact, from suggestions we received, we started a campaign during this years Summit to raise enough funds to record all of next years sessions – AND YOU MADE IT HAPPEN!  I’m not saying we can accommodate everyone’s likes and dislikes, but we certainly want to hear about them and see how we can improve your experience.

Thanks to everyone for making this year’s North American 2014 PowerShell Summit a huge success. Watch PowerShell.Org for upcoming news on next year’s Summit.


Installing PowerShell v5? Be a Little Careful, OK?

I’m getting a lot of questions from folks, via Twitter and other venues, regarding Windows Management Framework 5.0 – which is where PowerShell v5 comes from. It’s awesome that people are installing v5 and kicking the tires – however, please help spread the word:

  • v5 is a preview. It isn’t done, and it isn’t guaranteed bug-free. It shouldn’t be installed on production computers until it’s officially released.
  • v5 doesn’t install ‘side by side’ with v3 or v4. You can’t run it with “-version 3″ to “downgrade.” Now, v5 shouldn’t break anything – something that runs in v3 or v4 should still work fine – but there are no guarantees as it’s a preview and not released code at this stage.
  • Server software (Exchange, SharePoint, etc) often has a hard dependency on a specific version of PowerShell. You need to look into that before you install v5.
  • After installing v5, you might not be able to cleanly uninstall and revert to a prior version.

Generally speaking, v5 should be installed in a test virtual machine at the very least, not on a production computer. It’s great to play with it, and you should absolutely log bugs and suggestions to

This situation will be true for any pre-release preview of PowerShell or WMF going forward. “Preview” is the new Microsoft-speak for “beta,” and you should treat it as such. Play with it, yes – that’s the whole point, and it’s how we get a stable, clean release in the end. But play with caution, and never on production computers.

TechEd N.A. 2014 Session Recordings

There’s some great PowerShell content now online for your viewing pleasure.

Jeffrey Snover and I had a blast doing “Windows PowerShell Unplugged,” and I reviewed some best PowerShell practices (and hopefully provided a little inspiration for your career) in “Windows PowerShell Best Patterns and Practices: Time to Get Serious.” And the #2 overall session of TechEd? “DSC: A Practical Overview,” including a surprise demo (and announcement) from Snover showing DSC running on Linux.


Why “Puppet vs. DSC” isn’t Even a Thing

After all the DSC-related excitement this week, there have been a few online and Twitter-based discussions including Chef, Puppet, and similar solutions. Many of these discussions start off with a tone I suppose I should be used to: fanboy dissing. “Puppet already does this and is cross-platform! Why should I bother with DSC?” Those people, sadly, miss the point about as entirely as it’s possible to do.

Point 1: Coolness

First, what Microsoft has accomplished with DSC is cool. Star Wars Episode V was also cool. These facts do not prevent previous things – Puppet/Chef/etc and Episode IV – from being cool as well. Something new being cool does not make other things less cool. This shouldn’t be a discussion of, “Puppet did this first, so nothing else can possibly be interesting at the same time.” As IT professionals, we should be looking at everything with an eye toward what it does, and what new ideas it might offer than can be applied to existing approaches.

Point 2: Switching

Have you seen the magazine ads suggesting you ditch Puppet and start using DSC? No, you have not – and you will not. If Puppet/Chef/etc is meeting your needs, keep using it. The fact that Microsoft has introduced a technology that accomplishes similar things (make no mistake, they’re not the same and aren’t intended to be), doesn’t mean Microsoft is trying to convince you to change.

I know where people get confused on this, because in the past that’s exactly what Microsoft intended to do. They’re not, this time. And I’ll explain why in a minute.

Point 3: DSC on Linux

Snover demonstrated a DSC Local Configuration Manager running on Linux, consuming a standard DSC MOF file, being used to set up an Apache website on the server. The underlying DSC resources were native Linux code.

This is not an attempt to convince Linux people to switch to Windows, nor is it an attempt to convince them to use DSC. Saying so is like saying, “Microsoft made PowerShell accept forward slashes as path separators in an attempt to convert Linux people…. but we’re too smart for that, hahahahah!” It’s idiotic. Microsoft knows you’re not going to suddenly break down and switch operating systems. They may be a giant corporation that sometimes makes silly moves, but they’re not dumb.

No, DSC on Linux is for Windows admins who choose to use DSC, and who want to extend that skill set to other platforms they have to manage. People who aren’t, in other words, faced with a “switch” decision.

Point 4: Puppet/Chef/etc Should Use DSC

Linux is, in many many ways, a more simplistic OS than Windows. And I mean that in a very good way, not as a dig. Most config information comes form text files, and text files are ridiculously easy to edit. Getting a solution like Puppet to work on Linux is, form a purely technical perspective, pretty straightforward. Windows, on the other hand, is built around an enormous set of disparate APIs, meaning getting something like Chef/DSC/whatever working on Windows is not only harder, it’s essentially a never-ending task.

Microsoft is pouring time and money into creating DSC resources that can, through a very simple and consistent interface, configure tons of the OS. The coverage provided by DSC resources will continue to grow – exponentially, I suspect. That means Microsoft is doing a lot of work that you don’t have to.

Even if you’re using Puppet/Chef/etc instead of DSC, you can still piggyback on all the completely open and human-readable code that actually makes DSC work. Your recipes and modules can simply call those DSC resources directly. You’re not “using” DSC, but you’re snarfing its code, so that you don’t have to re-invent that wheel yourself. This should make Puppet/Chef people super-happy, because their lives got easier. Yes, you’ll doubtless have to write some custom stuff still, but “save me some work” should always be a good thing.

Point 5: Tool vs. Platform

Another thing that sidetracks these discussions is folks not understanding that Puppet/Chef/etc each provide a complete solution stack. They are a management console, they are a domain-specific language, and they are a platform-level implementation. When you adopt Puppet, you adopt it from top to bottom.

DSC isn’t like that.

DSC only provides the platform-level implementation. It doesn’t come with the management tools you actually need in a large environment, or even in many medium-sized environments. I completely expect tools like System Center Configuration Manager, or something, to provide the management-level tooling on top of DSC at some point – but we aren’t discussing System Center.

So arguing “Puppet vs. DSC” is a lot like arguing “Toyota vs. 6-cylinder engine.” The argument doesn’t make sense. Yes, at the end of the day, Puppet/Chef/etc and DSC are meant to accomplish every similar things, but DSC is only a piece of the picture, which leads to the most important point.

Point 6: Microsoft Did Something Neat

You can’t take your Puppet scripts and push them to a Chef agent, nor can you do the reverse. Puppet/Chef/etc are, as I mentioned, fully integrated stacks – and they’re proprietary stacks. “Proprietary” is not the same as “close-sourced;” and I realize that the languages used by these products aren’t specifically proprietary. But the Puppet agent only knows how to handle Puppet scripts, and the Chef agent only knows how to read Chef scripts. That’s not a dig at those products – being an integrated, proprietary stack isn’t a bad thing at all.

But it’s interesting that Microsoft took a different approach. Interesting in part because they’re usually the ones making fully-integrated stacks, where you can only use their technology if you fully embrace their entire product line. This time, Microsoft bucked the trend and didn’t go fully-integrated, proprietary stack. Microsoft did this, and the simple fact that they did is important, even if you don’t want to use any of their products.

From the top-down, that is from the management side down, Microsoft isn’t forcing you to use PowerShell. They’re not forcing you to use Microsoft technology at all, in fact. The configuration file that goes to a managed node is a static MOF file. That’s a plain-text file, as in “Management Object Format,” as in developed by the Distributed Management Task Force (DMTF). A vendor-neutral standard, in other words.

See, Microsoft isn’t pushing DSC as a fully integrated stack. DSC is just the bottom layer that accepts a configuration and implements it. Puppet Labs could absolutely design their product to turn Puppet scripts into the MOF file that DSC needs. You’d be able to completely leverage the OS-native, built-in configuration agent and all its resources, right from Puppet.

Frankly, de-coupling the administrative tooling from the underlying API should make people happy. If we’re having a really professional, non-fanboy discussion about declarative configuration, I think you have to admit that Microsoft has kinda done the right thing. In a perfect world, the Puppet/Chef/etc administrative tools would let you write your configuration scripts in their domain-specific language, and then compile those to a MOF. Everyone’s agents would accept the same kind of MOF, and execute the MOF using local, native resources. That approach means any OS could be managed by any tool. That’s cross-platform. You’d be free to switch tools anytime you wanted, because the underlying agents would all accept the same incoming language – MOF.

I’m not saying Puppet/Chef/etc should do that. But if you’re going to make an argument about cross-platform and vendor-agnostic tooling, Microsoft’s approach is the right one. They’ve implemented a service that accepts vendor-neutral configurations (MOF), and implements them using local, native resources. You can swap out the tooling layer anytime you want to. You don’t need to write PowerShell; you just need to produce a MOF.

At the End of the Day

I think the folks behind Puppet/Chef/etc totally “get” all this. I think you’re probably going to see them taking steps to better leverage the work MS is doing on DSC, simply because it saves them, and their users, work. And I don’t think you’re going to see Microsoft suggesting you ditch Puppet in favor of DSC. That’s a complete non-argument, and nobody at Microsoft even understands why people thing the company wants that.

I fully recognize that there’s a lot of “Microsoft vs. Linux” animosity in the world – the so-called “OS religions.” I’ve never understood that, and I certainly am not trying to convince anyone of the relative worth of one OS over another. – a community dedicated to a Microsoft product – runs on a CentOS virtual machine, which should tell you something about my total lack of loyalty when it comes to choosing the right tool for a job. If you’re similarly “non-religious” about operating systems, I think DSC is worth taking a look at just to take a look at it. What’s it do differently? How can you leverage that in your existing world? Are there any approaches that might be worth considering?

Part of my frustration about the whole “Puppet vs DSC” meme is that it smacks of, “my toys are shinier than your toys,” which is just… well, literally childish. And it worries me that people are missing some of the above, very important, points – mainly, that Microsoft is trying really damn hard to play nicely with the other kids in the sandbox for a change. Encourage that attitude, because it benefits everyone.

Once More…

And again, I don’t think Microsoft is trying to convince you to use DSC, or any other MS product, here. I’m certainly not trying to do so. I think DSC presents an opportunity for folks who already have a declarative configuration management system, strictly in terms of saving you some work in custom module authoring. And I think for folks that don’t have a declarative configuration management solution, and who already have an investment in Microsoft’s platform, DSC is going to be an exceptionally critical technology to master. That doesn’t in any way diminish the accomplishment of the folks behind Puppet/Chef/etc. In fact, if nothing else, it further validates those products’ goals. And I think it’s massively interesting that Microsoft took an approach that is open to be used by those other products, rather than trying to make their own top-to-bottom stack. It’s a shift in Microsoft’s strategic thinking, if nothing else, and an explicit acknowledgement that the world is bigger than Redmond.

Let’s at least “cheers” for that shift in attitude.





My TechEd 2014 “Patterns and Practices” Example Scripts

I’ll be using these examples in my TechEd 2014 session on PowerShell patterns and practices. They won’t make much sense, perhaps, until you see the session (live, or in the recordings – and I believe this session is one of the “Taste of TechEd” ones that will be live-streamed), but here are the scripts.


Community Brainstorming: PowerShell Security versus malicious code

A couple weeks ago, some malicious PowerShell code was discovered in the wild, dubbed the “Power Worm” in the Trend Micro article that originally publicised the malware. Matt Graeber has done a great analysis of the code on his blog. In the comments for that blog post, we started discussing some options for locking down PowerShell, preventing it from being used in this type of attack. (Unfortunately, Execution Policy is currently no barrier at all; PowerShell.exe can simply be launched with the -Command or -EncodedCommand parameters, bypassing ExecutionPolicy entirely.) Matt’s idea is to have PowerShell run in Constrained Language mode by default, similar to how it works on the Windows RT platform.

This post is to engage some community discussion on the topic; please do so in this thread:

What are your thoughts on this topic? Do you feel that PowerShell.exe needs some additional security features to try to prevent it from being used in this sort of malware? What impact would these ideas have on your normal, legitimate uses of PowerShell (if any)? How would you suggest minimizing that impact while still making it more difficult for PowerShell malware to execute?