Use PowerShell DSC to Install DSC Resources


A lot of the functionality provided by Microsoft PowerShell Desired State Configuration (DSC) comes, not from the core product, but from the DSC Resources that are provided by Microsoft and the community. When you spin up a new Windows operating system, whether a physical machine, local virtual machine, or a Microsoft Azure virtual machine, you start out with a pretty barebones set of DSC resources. Those resources are listed here:

  • File
  • Archive
  • Environment
  • Group
  • Log
  • Package
  • Registry
  • Script
  • Service
  • User
  • WindowsFeature
  • WindowsProcess

Unfortunately, most people are going to need more capabilities than what is offered out of the box. To that end, Microsoft has been regularly providing “waves” of DSC resources to manage a variety of different applications. As of this article’s writing, the latest wave of DSC resources from Microsoft was “DSC Wave 6,” published on August 21, 2014. During the remainder of this article, our goal is to make sure that these additional DSC Resources are installed on our systems, in an automated fashion!

Continue reading

Use PowerShell DSC to Enable Screencast Recording on Azure VMs

Do you ever record screencasts, and post them to YouTube, or some other video sharing site? Well, maybe you do, maybe you don’t, but I sure do (when I find time)! For the sake of simplicity, I use an older, free Microsoft tool called Expresion Encoder 4.0 with Service Pack 2 (SP2). You can download it, again for free, from here! In some cases, it might be preferable to invoke screencast recording on a remote session, rather than recording on your local computer, however. In this post, we will take a look at how to use PowerShell Desired State Configuration (DSC) to automatically install Microsoft Expression Encoder 4.0 SP2 onto cloud-hosted Microsoft Azure Virtual Machines!

Unless you’re a MSDN subscriber, with access to Windows 8.1 VM images in Azure, most of your Azure Virtual Machines will be running some class of Windows Server. In this case, we’ll be using a Windows Server 2012 R2 VM. The first thing to point out is that Windows Server 2012 R2 requires the “Desktop-Experience” Windows Feature to be installed, in order to successfully run Microsoft Expression Encoder 4 SP2. If this Windows Feature isn’t installed, you’ll get a nasty error telling you that wmvcore.dll is missing, when you try to run the Expression Encoder program.

While working with Expression Encoder in Azure, one limitation you’ll want to keep in mind is that Expression Encoder has a problem rendering your screencast content inside the editor. So, if you want to make any modifications to your screencast, after you’ve recorded it, you’ll have to download the content locally onto your computer.

With all of that out of the way, let’s get DS-configuring! The first thing we need to do is ensure that the “Desktop-Experience” Windows Feature is installed. To do that, we will use the built-in WindowsFeature DSC resource. To start building our configuration, let’s use this code:

Continue reading

Learn how to use Compliance Settings in Configuration Manager

Have you ever wished that you could use the Compliance Settings feature in Microsoft System Center 2012 R2 Configuration Manager, but weren’t quite sure how it works? Well today’s your lucky day, because I recently developed a couple of example videos that will help you to get started! One of the videos covers how to use PowerShell in conjunction with Compliance Settings, to ensure that a particular process is always running on a given computer. The other video shows how to use a simple registry rule to build a dynamic ConfigMgr Collection of systems that are compliant with a particular registry value.

Start using Compliance Settings today to take control of your IT environment! Here are the links to the videos, which are also embedded below.

PowerShell-based Compliance Setting
Registry-based Compliance Setting

PowerShell: Add Users to Active Directory Group from Text File

A customer recently requested a PowerShell script, to add Active Directory users to a security group. The list of users would come from a text file that resides on the filesystem. To that end, I wrote a short PowerShell script that does just that, complete with parameter validation.

#requires -version 4.0
#requires -Module ActiveDirectory
param (
      [Parameter(Mandatory = $true)]
      [ValidateScript({ if (Get-ADGroup -Identity $PSItem) { $true; }; })]
      [string] $GroupName
    , [Parameter(Mandatory = $true)]
      [ValidateScript({ Test-Path -Path $PSItem; })]
      [System.IO.FileInfo] $Path

$UserList = Get-Content -Path $Path;
foreach ($User in $UserList) {
    $ADUser = Get-ADUser -Identity $User -ErrorAction SilentlyContinue;
    if ($ADUser) {
        Add-ADGroupMember -Identity $GroupName -Members $ADUser;
    $ADUser = $null;

Using the Script

PowerShell ISE: Add-UsersToADGroup

Running script from PowerShell ISE

To use the script from PowerShell Integrated Scripting Editor (ISE), follow these steps:

  1. Create a text file (eg. c:\test\UserList.txt) and add one user account to each line
  2. Launch the PowerShell ISE
  3. Copy and paste the script into the PowerShell ISE, and press F5 to invoke it
  4. You will be prompted for the Active Directory security group’s name
  5. You will be prompted for the full path to the text file that contains the list of users

Alternatively, you can follow these steps to execute the script from the PowerShell console:

  1. Create a text file (eg. c:\test\UserList.txt) and add one user account to each line
  2. Save the script to a file with a .ps1 extension (eg. c:\test\AddADGroupMembers.ps1)
  3. From a PowerShell console prompt, use either call operator (& or .) to invoke the script
  4. You will be prompted for the Active Directory security group’s name
  5. You will be prompted for the full path to the text file that contains the list of users

& c:\test\AddADGroupMembers.ps1

PowerShell 4.0: Obscure DSC Errors

WS-Management Error

DSC Error - Unrecognized Argument

DSC Error – Unrecognized Argument

While playing around with PowerShell’s Desired State Configuration (DSC) feature this evening, I discovered a rather odd error message. I was developing a custom DSC resource, and attempting to use it in a Configuration block. When attempting to call Start-DscConfiguration, the error I received was:

The WS-Management service cannot process the request. The object contains an
unrecognized argument: “ConfigurationData”. Verify that the spelling of the
argument name is correct.
+ CategoryInfo : ProtocolError: (root/Microsoft/…gurationManager:St
ring) [], CimException
+ FullyQualifiedErrorId : HRESULT 0×80338041
+ PSComputerName : client01

While it doesn’t seem very clear, it seems that this error crops up if you’re running PowerShell ISE as a non-administrator. Make sure that you launch your PowerShell host, whichever application that might be, as Administrator, when you call Start-DscConfiguration.

DSC Error - Access DeniedAccess Denied

Another somewhat similar situation is when you’re running PowerShell ISE as non-administrator, you’ll get a much more friendly error message that indicates access is denied.

The WS-Management service cannot process the request. The WMI service returned an ‘access denied’ error.
+ CategoryInfo : PermissionDenied: (root/Microsoft/…gurationManager
:String) [], CimException
+ FullyQualifiedErrorId : HRESULT 0×80338104
+ PSComputerName : client01

Get-TargetResource Error

After launching PowerShell ISE as Administrator, to resolve the two earlier DSC error messages, I came across another error. This one was fairly self-explanatory, but kinda hard to figure out the root cause of. I came across a post by Steven Murawski, who suggested that it was a problem with the new-line characters in Git. Coincidentally, I had my custom DSC resource in a Git repository, so it is quite possible that this is true. However, I couldn’t seem to fix my module manifest to make PowerShell happy, so instead I simply removed the module manifest file (.psd1) for the time being. The error message was:

Failed to get exported command Get-TargetResource from module ConfigMgr_Application. Please check the module definition.
+ CategoryInfo : InvalidOperation: (root/Microsoft/…gurationManager:String) [], CimException
+ FullyQualifiedErrorId : GetTargetResourceCommandNotFound
+ PSComputerName : client01

DSC Error - Could not get moduleCould Not Get Module

Yet another error message I came across has pretty sparse information about it, but was successfully resolved by rebooting the Windows operating system on the problematic machine. In this case, it was a vanilla Windows 8.1 client (virtual machine) running PowerShell 4.0. It’s crazy that rebooting a system can resolve transient error messages these days, but … it is what it is, I guess. Here is Jacob Benson’s blog, which mentions the error.

Could not get the module with the following name: ConfigMgr_Application. Check if the module exists under PSModulePath.

Decentralized Revision Control Tooling on Windows

Today I’d like to take a few minutes to talk about setting up Git for your development projects on the Windows platform. I’ve long been a fan of Mercurial, because the installation process is easy, and the tooling is native to the Windows platform. While Git and Mercurial are very similar version control tools, GitHub appears to be a stronger community hub, compared to Mercurial hosting sites like CodePlex and Bitbucket, and it’s worthwhile getting familiar with it.

Mercurial Tooling

TortoiseHg Overlay IconsAs I stated before, Mercurial is very easy to install on Windows, and it doesn’t have any additional dependencies that you have to worry about manually installing. While Mercurial itself is a command line tool, there’s also a project called TortoiseHg that offers GUI screens to perform common source control tasks, including: commits, file adds/removes, branching, repository configuration, and so on. In addition, TortoiseHg enables some handy Windows Explorer integration, namely overlay icons and context-sensitive context menu tools! Continue reading

CU2 for System Center 2012 R2 Configuration Manager

Microsoft has just released Cumulative Update 2 (CU2) for System Center 2012 R2 Configuration Manager! I discovered this via a tweet from Robert Marshall, a Microsoft MVP in Enterprise Client Management (ECM). There are two Microsoft Support documents that detail the changes in CU2:

  • General fixes in the Configuration Manager product (KB2970177)
  • Improvements to the Configuration Manager PowerShell module (KB2962855)


Some of the highlighted fixed/improvements from CU2 are as follows:

  • Content Management: Fix for an issue where Configuration Manager clients do not properly fall back to Distribution Points that are not preferred.
  • Content Management: Fix for: Driver packages cannot be downloaded to Pull Distribution Points when the name of the source share ends in a backslash character.
  • Remote Control: Fix for: A paste operation fails when you try to copy files from a Windows Server 2012 R2 computer to a Windows 8.1 client computer in a Configuration Manager Remote Control session
  • Admin Console: When you view the Primary Device that is associated with a user, you may see other devices that have the same name, even if they are associated with a different user.

Automating the Lync Client with PowerShell

You love PowerShell, right? And you love the Microsoft .NET Framework? Are you setting out to automate the Microsoft Office 2013 Lync Client with PowerShell? If you answered “yes” to the last three questions, then you’ve come to the right place! We’re going to take a look at how to get started automating the Lync 2013 client using PowerShell! Thanks to PowerShell’s direct support for Microsoft .NET Framework types, we can easily manage Lync Client functions from PowerShell, much in the way that C# developers can!

Download and Install the SDK

The first thing you need to do is go out to Microsoft’s download site and grab the Lync 2013 SDK. The installation process is fairly painless, so just click “Next” through it. By default, the installation path is: %ProgramFiles(x86)%\Microsoft Office\Office15\LyncSDK.

Figure: The root folder of the Lync 2013 SDK.

The root folder of the Lync 2013 SDK.

When you install the Microsoft Lync 2013 SDK, what you get is basically a series of Microsoft .NET assemblies (aka. .NET libraries) that allow you to perform automation functions on the Lync 2013 Client! Additionally, there is a CHM (compiled HTML help) file that contains some detailed documentation on how to utilize the SDK. If you’re interested in developing, get used to reading documentation!

Continue reading

ConfigMgr OSD: Dynamically Named WIM Captures with PowerShell

In the context of the Operating System Deployment (OSD) feature in Microsoft System Center Configuration Manager (ConfigMgr), it is common that customers will perform a “build & capture” of their target operating system, and then deploy new computers using that reference (aka. “gold” or “base”) WIM image. This process is typically automated through a build & capture task sequence. The last step of a build & capture task sequence is typically the Capture Operating System task sequence item.

Capture Operating System

Capture Operating System

Within the configuration of the Capture Operating System task sequence step, most users of ConfigMgr will simply specify a static path to the destination of the resulting WIM image. This static naming can cause conflicts if the task sequence is executed multiple times, without first renaming the target file. Additionally, the same scenario can occur if the build & capture task sequence is executed on multiple, distinct systems simultaneously.

Continue reading

Failure connecting to Azure point-to-site VPN

I’m trying to set up an Azure point-to-site VPN connection, and I’m receiving the following error: “The remote access connection completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid. (Error 853).” I ran through the MSDN documentation that talks about generating a self-signed root certificate, and then generating a client VPN certificate (with a private key / PFX), from that self-signed root.

Azure Virtual Network Point-to-Site FailureFor some reason, it seems that the VPN connection is not finding the correct certificate to use for establishing a secure tunnel.

I found some directions on the Microsoft TechNet forums to manually create a VPN connection, instead of using the pre-packaged VPN settings from the Azure Portal. When using a manually created VPN connection, that points to the Azure gateway DNS address, you have the option of selecting a certificate, from the CurrentUser certificate store, to use during the connection. I like this method better than using the Azure VPN package, because it feels more “native” to the Windows operating system. When you’re using the Azure automatically-created VPN connection, you don’t get the same level of control over the VPN connection configuration.2014-05-06 EapHost Certificate Error Azure VPN

When establishing the VPN connection, here’s what it looks like in Windows 8.1:


When I explored the EapHost event log in the event viewer, I noticed the following error:

EapHostPeerGetResult returned a failure.
Eap Method Friendly Name: Microsoft: Smart Card or other certificate
Reason code: 2148074252
Root Cause String: The authentication failed because the user certificate required for this network on this computer is invalid

Repair String: Choose a different and valid certificate for authentication with this network.
If this is not helpful, contact your network administrator for further assistance.

As of this point, I have not come up with a solution to this problem, and cannot find much information online about it. When I find a solution, I will be sure to update this post.

UPDATE: The problem seems to have fixed itself. I am now able to connect to the Virtual Network.

Trevor Sullivan
Microsoft PowerShell MVP