Tag: Desired State Configuration

PowerPlan, WMI, GUI and Windows Server 2012

Howdy!

If you try to configure the power plan settings of your servers using DSC, you might run into the issue below if you are using one of the following resources: xPowerPlan or cPowerPlan. They both call the same WMI class.

The WMI class ‘Win32_PowerPlan’ in the namespace ‘root/cimv2/power’ is only available on a full GUI installation of Windows Server 2012 (R2). If you switch to the Core flavor, the class becomes inaccessible.

As soon as you run a Core-only OS, this class no longer works under Windows 2012 and 2012 R2. Windows 2016 Core is the exception.

You can quickly check the flavor of your OS with the following cmdlets:

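$Computer = 'yourMachine'
$sb = {
    # Product name of the installed OS (edition and version)
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion' -Name ProductName | Select-Object -ExpandProperty ProductName
    # Installed server levels (Core, GUI management, GUI shell)
    Get-Item 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels' | Format-Table -AutoSize
}

# Run the check on the remote machine
Invoke-Command -ScriptBlock $sb -ComputerName $Computer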

Cheers,
MW

PowerShell DSC Encryption issue

Context

While working on a new setup, we had to deploy some binaries on a server using DSC.

To make the process scale to many machines, we created a network share to host the binaries in order to centralize access. In the DSC world, this meant we had 2 options:

1- Add the computer account of each machine accessing the share in the permissions of the share.

2- Use the encryption feature in DSC (define an account in the MOF in order to access the share)

During the testing phase, everything went well. The configuration was as follows:
Authoring machine: Windows 10, PowerShell 5.1.14393.693
Target machine: Server 2016, PowerShell 5.1.14393.0

Issue

We then deployed the configuration on a Windows Server 2012 R2 and the LCM kept going into an error state, throwing the message “Decryption failed. LCM failed to start desired state configuration manually.”

Digging a little deeper in the ‘Microsoft-Windows-Desired State Configuration/Operational’ event log, just before the “Decryption failed” error, another error was caught :
“Message Invalid provider type specified.”

With the help of the Internet and some querying, I was able to “decrypt” our issue. I began by reading this nice article :
https://hyper-v.nu/archives/bgelens/2015/02/integrating-vm-role-with-desired-state-configuration-part-7-creating-a-configuration-document-with-encrypted-content/
Which led me to review the certificate we used for the DSC encryption.

The initial setup was using a CA-issued custom certificate we created following Microsoft’s recommendation stated here:
https://msdn.microsoft.com/en-us/powershell/dsc/securemof#certificate-requirements
And since we wanted to follow MS best practices, we configured our certificate template using the provider ‘Microsoft RSA SChannel Cryptographic Provider’.

Solution

The caveat with this configuration is that Windows Server 2012 R2 doesn’t know how to decrypt anything using the ‘Microsoft RSA SChannel Cryptographic Provider’. Even if you deploy WMF 5.1 Preview, it won’t help.
If you use the self-signed certificate generator script, it will work flawlessly because it actually uses the legacy provider category named ‘Legacy Cryptographic Service Provider’.

That leaves three options: create a certificate template using the provider category ‘Legacy Cryptographic Service Provider’ (thus not following Microsoft’s certificate requirements), use only self-signed certificates generated with the custom script, or upgrade your OS to Windows 2016.

Regards,
MW
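
One way to check, on a target node, which cryptographic provider holds the private key of the DSC decryption certificate before pushing an encrypted MOF. This is an added example, not code from the original post: the function name Get-DscCertificateProvider is hypothetical, and it assumes Windows PowerShell 5.1 and a certificate in LocalMachine\My that carries the Document Encryption EKU listed in Microsoft's certificate requirements.

```powershell
function Get-DscCertificateProvider {
    [CmdletBinding()]
    param(
        # Store the LCM reads its decryption certificate from.
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Optional: limit the check to the thumbprint set as the LCM CertificateID.
        [string]$Thumbprint
    )

    # Document Encryption EKU required for DSC credential encryption certificates.
    $documentEncryptionOid = '1.3.6.1.4.1.311.80.1'

    $candidates = Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $documentEncryptionOid) -and
        (-not $Thumbprint -or $_.Thumbprint -eq $Thumbprint)
    }

    foreach ($cert in $candidates) {
        $row = [ordered]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            Provider     = $null
            ProviderType = $null
            KeyOpens     = $false
            Error        = $null
        }
        try {
            # A provider that .NET on this OS cannot open surfaces here as an exception.
            $key = $cert.PrivateKey
            if ($null -eq $key) { throw 'Private key could not be opened.' }
            $info = $key.CspKeyContainerInfo
            $row.Provider     = $info.ProviderName
            $row.ProviderType = $info.ProviderType
            $row.KeyOpens     = $true
        }
        catch {
            # Keep the raw message so it can be compared with the DSC operational log.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Local check; for a remote node pass the function body to Invoke-Command:
#   Invoke-Command -ComputerName $Computer -ScriptBlock ${function:Get-DscCertificateProvider}
Get-DscCertificateProvider | Format-List
```

A row with KeyOpens set to False, or a Provider value the target OS does not support, points to the certificate template rather than to the configuration itself.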