Uninstall-Windowsfeature - possible with DSC?

This topic contains 6 replies, has 2 voices, and was last updated by Arie H 3 months, 3 weeks ago.

    #41991
    Peter Bleeker
    Participant

    Hi all,

    I've been reading up quite a bit on PS DSC and it looks like a great tool for the company I work for to ensure standardization of our server environment.

    However, what I tried to find and could not come across is the support for uninstalling (with the -Remove flag) Windows features. This is one of the things I would like to do to clean up the WinSXS folder for each deployed server, to limit the patch/update surface and also limit the attack surface of platforms.

    Does anyone know if there is support in PowerShell DSC for this? Or a nice way to implement it using PowerShell DSC?

    Thank you in advance & kind regards,

    Peter

    #42013
    Arie H
    Participant

    Removing a Windows Feature via DSC is simply using Ensure="False" in the WindowsFeature element.
    (That said, I haven't tried it on every existing WindowsFeature out there, but that's the normal behavior.)

    Cleaning the WinSXS, however, is a different thing. I dare say you shouldn't, and officially you can't really delete its content, although there are tools out there that might help reduce the size, but I don't know if it's supported by MS.

    Only Windows 2016 Nano Server will finally have the logic to not increase SxS, to keep its size minimal.
    No idea if they will implement something similar for non-Nano versions or older OSes.

    #42019
    Peter Bleeker
    Participant

    Hi Arie,

    Thank you for your response! But doesn't Ensure="False" only uninstall the feature? The source code for the feature will still be available in the WinSXS directory and will therefore be updated, patched, and be part of the attack surface of the O/S. I've read Microsoft articles written about the benefits of removing the features and how to do this (there is a simple PS command which lists the features and removes all which are not installed). But to make things "pretty" and easy to administer, I would like to remove them using a built-in command for PS DSC.

    So for additional clarification: the ultimate goal is not to clean up the WinSXS directory (I know this is limited and not beneficial), but rather to remove unnecessary sources for Windows features.

    Hopefully there's a way out there to make this pretty with DSC...?

    Thank you again & kind regards,

    Peter

    #42111
    Arie H
    Participant

    Not familiar with a script that actually completely removes the features. But any PS script you have can be used inside the DSC Script resource.

    If you have a link to that script, or could paste it via a gist, that would be interesting.

    I just don't think their existence is a matter of attack surface: if you've got admin rights on a server, you have a bigger issue than what Windows features the attacker would potentially install, to some extent.
    I do agree on the patching issue and the silly size increase.
    Moving to Windows 2012 R2, I had to increase the C drive size of all my servers to 40G minimum just because of SxS, so it's a strain on resources.
    I did use the scheduled task as in
    https://technet.microsoft.com/en-us/library/dn251565.aspx
    to try and get some space back, not that it mattered much.

    I'm not sure, though, that DSC is the correct method to use; that falls between Group Policy and DSC.

    Naturally you can turn most of the registry on your server into a DSC script using the Registry resource, with a script that will be 200 pages long including what you want to have and what you absolutely do not want.
    That doesn't make choosing DSC the optimum method.

    I usually try to use DSC for things I want and Group Policy for things I don't want.

    Running that kind of PS script is ideal for computer-based Group Policy in the computer startup/shutdown scripts, or via Group Policy Preferences.

    #42192
    Arie H
    Participant

    Just for future correction, it's Ensure='Absent' 🙂

    #42206
    Peter Bleeker
    Participant

    Hi Arie,

    About the absent – we stand corrected 🙂

    And this is the PS command to remove all features and their source code:

    Get-WindowsFeature | Where-Object {$_.Installed -match "False"} | Uninstall-WindowsFeature -Remove

    I still have to perform a test deployment using DSC and check the impact on the size of the WinSXS directory with and without updates. I can post the results here if you're interested?

    And I understand your choices for the Group Policy usage; however, I'm trying to create server roles and enforce them using DSC, and I was hoping to incorporate this uninstallation of features into DSC as well....

    Kind regards,

    Peter

    #42212
    Arie H
    Participant

    Hi,

    Yes, I see what you mean about the removal from SxS now.

    Best option – write your own DSC resource, or, as I stated earlier, use the Script DSC resource to be a wrapper for that command.

    It would be interesting to see numbers on how much it reduces, though I expect not much; most of the size is used by .NET assemblies – x86, x64 and then the various .NET versions over the years.

    And if the custom DSC resource works for you, I suggest you offer it back to the DSC repo so it gets implemented in the core product for others to use as well 🙂

    Even if the goal is to create roles and use DSC to implement them, you will still have some Group Policy involved; it's not like you can completely stop using it. Just have to remember that DSC is meant for configuration, not necessarily enforcement. If someone changes one of my nodes' LCM to, say, ApplyAndMonitor, I still want to know that Group Policy will make sure a certain service that shouldn't be running isn't running, no matter what.

    Yes, you can overcome even GP; heck, there's a GitHub project that takes a GP .pol file and converts it to DSC. Just because it can be used doesn't mean it's the right method. Each method has its ups and downs; together they are stronger than each on its own 🙂
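The Script-resource wrapper suggested above, around the Uninstall-WindowsFeature -Remove one-liner posted earlier in the thread, written out as an added example (not code from either poster). It assumes Windows Server 2012 R2 or later with the built-in PSDesiredStateConfiguration module, a node named localhost, and Web-Server as an arbitrary feature to keep absent; it also narrows the thread's filter from Installed -eq $false to InstallState -eq 'Available', so features whose payload is already gone are not processed again.

```powershell
# Added example, not from the thread: DSC configuration that keeps one feature
# uninstalled (Ensure = 'Absent') and removes the on-disk payload of every
# feature that is not installed, via a Script resource wrapping the
# thread's 'Get-WindowsFeature | ... | Uninstall-WindowsFeature -Remove'.
# Assumptions: Server 2012 R2+, PSDesiredStateConfiguration module, node 'localhost'.
Configuration RemoveUnusedFeaturePayload
{
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost'
    {
        # Ensure = 'Absent' only uninstalls the feature; its payload stays in
        # WinSxS until the Script resource below removes it.
        WindowsFeature NoWebServer
        {
            Name   = 'Web-Server'
            Ensure = 'Absent'
        }

        Script RemoveAvailableFeaturePayload
        {
            # Report which features still carry a payload without being installed.
            GetScript = {
                $available = (Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' }).Name
                return @{ Result = ($available -join ',') }
            }
            # Compliant when no feature is in the 'Available' state
            # (installed features and already-removed payloads are left alone).
            TestScript = {
                $available = Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' }
                return ($null -eq $available)
            }
            # -Remove deletes the payload from WinSxS; re-adding such a feature
            # later requires Install-WindowsFeature with -Source media.
            SetScript = {
                Get-WindowsFeature |
                    Where-Object { $_.InstallState -eq 'Available' } |
                    Uninstall-WindowsFeature -Remove
            }
            DependsOn = '[WindowsFeature]NoWebServer'
        }
    }
}

# Compile the MOF and apply it from an elevated session on the target node.
RemoveUnusedFeaturePayload -OutputPath "$env:TEMP\RemoveUnusedFeaturePayload"
Start-DscConfiguration -Path "$env:TEMP\RemoveUnusedFeaturePayload" -Wait -Verbose
```

Because removed payloads can only be reinstalled from source media, run Test-DscConfiguration and review the GetScript result before applying this on a server whose roles may still change.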
