How to Apply Azure DSC Configurations in Azure ARM Templates


VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

Scenario: After you create an Azure ARM template and deploy it, users might want to apply DSC configurations during runtime. To do this, the user has to modify their copy of the template with a new configuration in Microsoft PowerShell or Windows PowerShell. But what if you need more than one instance? In that case, how can someone create multiple copies of your original template without having access to the source files? This blog post will go over two methods for applying changes on-the-fly from within Azure RemoteApp instances.

The “azure dsc install software” is a command that allows users to apply Azure DSC configurations in the Azure ARM templates.

How to Apply Azure DSC Configurations in Azure ARM Templates

This article is for you if you’re using ARM templates to deploy Azure Windows virtual machines (VMs) and need to setup Windows. You’ll learn how to leverage the Desired State Configuration (DSC) extension for ARM templates to deploy and configure an Azure VM Scale Set using only one template in this article.

You don’t merely deploy a VM (or a VM scale set) on Azure; you deploy a VM scale set. Other activities such as providing disks, networking, and so on are constantly present. Engineers, on the other hand, often need to execute OS-level setup, such as program installation, Windows features, and so on. PowerShell and Desired State Configuration (DSC) scripts are useful at the OS level.

The majority of respondents believe that an ARM template is useful for establishing Azure infrastructure. ARM templates are fantastic for deploying virtual machines, networking, and other Azure resources, but they can also execute scripts on virtual machines to configure them.

Extension handlers for ARM templates are optional and enable you to enhance the functionality of ARM templates. The Azure DSC extension handler is the extension profile we’re interested in for this post.

The Azure DSC extension is an ARM template extension that downloads and executes DSC scripts on a newly deployed VM. When deploying VMs using ARM templates, the extension is an excellent method to bundle together all of the post-configuration processes you need to do.

This article will show you how to use the Azure DSC extension to run DSC scripts by performing ARM deployments using a template. Although you’ll be using PowerShell to run the templates, many of the techniques covered here may be applied to different ways of doing ARM template deployments.

Before You Begin

This is a step-by-step tutorial that will show you how to complete a collection of activities. If you plan on following along, make sure you have the following requirements.

  • To contain all of the resources you’ll be developing, create an Azure resource group. AzureDSCDemo will be used in this tutorial.
  • The tutorial will utilize the azuredscdemostorage Azure storage account.
  • In the ARM deployment, you’ll utilize an Azure Key vault to retrieve sensitive information like the VM scale set’s admin login and password. The AzureDSCDemoKv key vault will be used in this tutorial. To provide the ARM deployment access, select Azure Resource Manager for template deployment in the key vault under Access Policies.
  • This tutorial uses v3.4 of the Azure PowerShell module, which is authorized.
  • How to Make a DSC Zip File on Windows 10 will not function on MacOS or Linux.

All of the files used in this lesson may be found here.

How to Make a DSC Zip File

You must first have a DSC script to apply before you can apply a DSC configuration. You’ll be utilizing a super-simple DSC script to install a single Windows feature in this lesson.

This DSC script ensures that the Web-Server Windows functionality is installed on the computer it runs on, as seen below. The Azure VM scale set that will be deployed subsequently will be the local machine. Please save this file as iis setup.ps1. It will be stored in my demo folder in this example.

iis setup configuration WindowsFeature WebServerRole Name = “Web-Server” Ensure = “Present” Param () Import-DscResource -ModuleName PSDesiredStateConfiguration Node ‘localhost’

After you’ve finished writing the DSC script, you’ll need to zip it up. This ZIP file is required by Azure DSC since it enables you to package up dependant resources when constructing more complex DSC scripts.

The Publish-AzVmDscConfiguration PowerShell cmdlet is the simplest approach to generate the requisite DSC zip file. The DSC script is packaged up in a file named iis, as seen below.

Publish-AzVMDscConfiguration.iis setup.ps1 -OutputArchivePath ‘.iis’ Publish-AzVMDscConfiguration.iis

Not only does the Publish-AzVmDscConfiguration cmdlet zip up the DSC script, but it also adds a file named dscmetadata.json to the bundle. It will just have a single Modules node in this case. Any dependant modules in the DSC script would be copied from the local system, included in the ZIP file, and added to the Modules JSON node.

You may be tempted to manually compress the DSC script or use the Compress-Archive cmdlet to do so. This isn’t working! Publish-AzVmDscConfiguration, in my experience, zips the file and generates the required dscmetada.json file.

How to Upload the DSC Zip File to Azure

Now that the DSC zip file has been prepared, you must upload it to a location where the ARM template may finally download it. The DSC package does not matter to the ARM deployment. It’s OK as long as it has access to it. However, you’ll be uploading it to an Azure storage container for this lesson.

Assuming you already have a storage account set up, execute the PowerShell code below to establish an envsetupscripts storage container and upload the iis file to it.

‘azuredscdemostorage’ as $storageAccountName ‘AzureDSCDemo’ as $resourceGroupName ‘.iis’ as $dscZipFilePath ‘envsetupscripts’ as $storageContainerName Get-AzStorageAccount -Name $StorageAccount -ResourceGroupName $storageAccountName $resourceGroupName # Make a new container and store it. New-AzStorageContainer -Name $StorageAccount $storageContainerName # Upload a single file using $Container = $StorageAccount | Get-AzStorageContainer Set-AzStorageBlobContent -File $Container $dscZipFilePath

If the DSC configuration can be made public, another appropriate way to keep it is in a GitHub repository alongside the rest of the project’s files.

Creating the SAS Token for the Storage Account

You must offer a means for the pipeline to download the DSC archive since it is kept on a private storage account. A temporary SAS token is one method to do this.

(Get-AzStorageAccount -ResourceGroupName ‘*AzureDSCDemo*’ -AccountName ‘*azuredscdemostorage*’) $context = (Get-AzStorageAccount -ResourceGroupName ‘*AzureDSCD . context -Context $sasToken = New-AzStorageAccountSASToken -ResourceType Service,Container,Object -Permission r $context -Service Blob

Check see the article How to Generate Azure SAS Tokens to Access Storage Accounts for additional details on generating SAS tokens.

Adding Secrets to the Key Vault

Because the ARM template that deploys the VM scale set needs you to define the VMs’ admin login and password, it’s critical that you don’t leave them in plain text in the template or the parameters file. Instead, store them in a safe place, such as an Azure Key Vault.

Add three secrets for this tutorial: DefaultAdminUsername, DefaultAdminPassword (for the VMs), and SASToken (the SAS token you just produced).

‘*AzureDSCDemoKv*’ as $kvName ConvertTo-SecureString -String ‘adam’ -AsPlainText -Force $vmAdminUserNameSec ConvertTo-SecureString $vmAdminPasswordSec -String ‘I enjoy azure.’ -AsPlainText -Force ConvertTo-SecureString -String ‘I like azure.’ -AsPlainText -Force Set-AzKeyVaultSecret -VaultName $encSasToken = ConvertTo-SecureString -String ‘I like azure.’ -Name DefaultAdminUsername -SecretValue $kvName Set-AzKeyVaultSecret -VaultName $vmAdminUserNameSec DefaultAdminPassword -SecretValue $kvName -Name Set-AzKeyVaultSecret -VaultName $vmAdminPasswordSec $encSasToken $kvName -Name SASToken -SecretValue

ARM Template Parameters File Creation

The ARM template parameters file isn’t very impressive. This tutorial just uses it to pass the template’s needed arguments. Check out the Create a parameter file Microsoft documentation to learn more about parameter files.

In this parameters file, there are a few things to keep in mind.

  • storageAccountSasToken – When performing the ARM deployment, this argument will be filled up interactively. There is no value supplied on purpose here.
  • The deployment fills the adminUsername and adminPassword parameters by reading the two secrets established previously in the Azure Key Vault.

Make sure [your subscription id] is replaced with your real Azure subscription ID.

“$schema”: “”, “contentVersion”: “”, “parameters”: “storageAccountName”: “value”: “azuredscdemostorage”

Developing an ARM Template

Let’s concentrate on what’s relevant to DSC rather than covering the complete ARM template that provides an example VM scale set. A working example of how to set up an extensionProfile for a VM scale set can be seen below.

There are a few key aspects of this code that should be highlighted.

“extensionProfile”: “extensions”: [“name”: “Microsoft.Powershell.DSC”, “properties”: “publisher”: “Microsoft.Powershell”, “type”: “DSC”, “typeHandlerVersion”: “2.9”, “autoUpgradeMinorVersion”: true, “typeHandlerVersion”: “2.9”, “typeHandlerVersion”: “2.9”, “typeHandlerVersion “3”, “forceUpdateTag” , “protectedSettings”: “configurationUrlSasToken”: “[parameters(‘storageAccountName’),’’,parameters(‘setupScriptContainerName’),’/’,variables(‘iisDSCSetupArchiveFileName’)]”, “script”: “iis setup.ps1”, “function”: “iis_

Azure Resources Deployment

You’re ready to try it out after you’ve generated the DSC script, uploaded it, and produced the ARM template and parameters file.

As seen below, run New-AzResourceGroupDeployment using the template, template parameter file, resource group name, and SAS token produced. This command will initiate the deployment and provide all of the resources specified in the ARM template, including the DSC extension that we’ll be looking at in this tutorial.

-TemplateFile./vmss.json New-AzResourceGroupDeployment ./vmss.parameters.json -TemplateParameterFile -storageAccountSasToken -ResourceGroupName AzureDSCDemo -Verbose $sasToken

Once the deployment is finished, you may check any VM in the scale set to see whether the Web-Server Windows capability has been deployed!


Remember to delete the resource group produced along with all of the resources after you’re through with this lesson so you don’t get charged!

Remove-AzResourceGroup | Get-AzResourceGroup -Name AzureDSCDemo


If you have any issues with the DSC extension, the extension logs at C:WindowsAzureLogsPluginsMicrosoft.Powershell.DSC2.80.0.0 on the VMs may help you figure out what’s wrong.


The “azure bicep dsc extension” is a tool that allows you to easily apply Azure DSC configurations in Azure ARM Templates.

Related Tags

  • azure dsc extension
  • azure dsc examples
  • https docs microsoft com en us azure automation automation quickstart dsc configuration
  • azure dsc mof file
  • azure dsc for linux