Published on 3 February 2016 by

This is the first post in our new DSC Deep Dive series and we’re starting with the basics before moving on to more complex use cases. The first thing you’ll want to do is install our newly supported PowerShell DSC module. The DSC module extends the Windows management capabilities of Puppet by allowing you to write Puppet code to manage DSC resources. With this integration, Puppet users have access to an additional 200+ modules created by Microsoft and the Microsoft community. These resources often cover items for which Puppet itself has neither a module nor a type and provider — items like SharePoint, SQL Server clusters, or even Exchange. A full list of the resources included in the DSC module can be found here.

Puppet and DSC seem similar on the surface — after all, they are both declarative and use a similar syntax. However, the differences between the two products make them extremely powerful and complementary when used together. Using them together gives you an immensely powerful platform for administering Windows systems. For instance, DSC has limited reporting for what actions are being taken on a system. When a system resource being managed by DSC is out of sync or has experienced drift, it will return a simple boolean. Puppet, on the other hand, gives you visibility into what is changing, and more importantly the state it’s changing from and to.

Additionally, DSC doesn’t have the notion of pluginsync. This matters because, say you write a new module in DSC and then want to use that same module on the rest of the machines you administer. That requires a DSC Pull Server, which introduces additional complexity and effort. Puppet, on the other hand, ships with this functionality baked in, and will sync that data for you automatically to ensure every machine gets the same functionality.

But what about Puppet? Puppet is awesome for a lot of things on Windows platforms, but it doesn't yet support every function or administration task. For example, let’s say you want to create a local user on this system, and then have that user change their password on first login. In Puppet, you’d have to cobble together multiple things to make this happen since the basic “user” resource doesn’t support the changing of a password on first login. You’d have to write a user resource like this:

user { 'spencer_puppet':
  ensure  => present,
  comment => 'user account for Spencer with Puppet',
  groups  => ['BUILTIN\Administrators'],
}

Then you'd need to add in some PowerShell to set the password reset property.
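One way to wire up the two-step workaround described above, as an added example rather than code from the original post. It assumes the puppetlabs-powershell module is installed (it supplies the `powershell` exec provider); the exec title and the ADSI one-liner are illustrative choices.

```puppet
# Added example, not from the original post.
# Same user resource as on the page. No 'password' attribute is set:
# Puppet enforces a managed password on every run, which would undo
# the change the user makes at first logon.
user { 'spencer_puppet':
  ensure  => present,
  comment => 'user account for Spencer with Puppet',
  groups  => ['BUILTIN\Administrators'],
}

# Mark the local account's password as expired so Windows demands a
# new one at the next logon. Single quotes keep Puppet from
# interpolating the PowerShell variables.
exec { 'expire spencer_puppet password':
  command     => '$u = [ADSI]"WinNT://$env:COMPUTERNAME/spencer_puppet,user"; $u.PasswordExpired = 1; $u.SetInfo()',
  provider    => powershell,
  # refreshonly + subscribe: the exec fires only when the user resource
  # reports a change (for example, on creation). Without this guard
  # every Puppet run would expire the password again.
  refreshonly => true,
  subscribe   => User['spencer_puppet'],
}
```

Any later change to the user resource, such as an edited comment or group list, also refreshes the exec and expires the password again, and the account sits in the local Administrators group until that first logon happens.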

In DSC, however, this is supported natively, so instead you can just declare all of this in one go, like this:

dsc_user { 'User account for Spencer':
  dsc_ensure                   => 'present',
  dsc_username                 => 'spencer_dsc',
  dsc_description              => 'user account for Spencer with DSC',
  dsc_passwordchangerequired   => 'true',
  dsc_passwordneverexpires     => 'false',
  dsc_passwordchangenotallowed => 'false',
  dsc_disabled                 => 'false',
  dsc_fullname                 => 'Spencer Seebald',
}

So, are you totally sold on Puppet + DSC yet? Ready to try it out?

There are a couple of prerequisites you’ll need to satisfy on your machines. First, you’ll have to install WMF 5.0. Note that while WMF5 is installable on Windows 2012 and 2008, Windows 2003 is not supported by Microsoft with DSC. For those of you out there already using Chocolatey, this is even easier because you can write Puppet code to do this for you:

package { 'powershell':
  ensure          => latest,
  provider        => 'chocolatey',
  install_options => ['-pre'],
}

Once your machines have WMF 5.0, you’ll need to install the puppetlabs/dsc module from the Forge using the following command on your Puppet master:

puppet module install puppetlabs-dsc

That’s all it takes; it’s that easy. Note that if you used an earlier version of the DSC module, DCM used to have to be disabled before you could use DSC and Puppet together on a system. With the latest supported release, this is no longer necessary.

From this point on, you can start declaring DSC resources in Puppet! For more great examples, check out the readme on the Puppet Forge. Stay tuned for our next post in this series on setting up basic Windows profiles using DSC.

Spencer Seebald is a technical solutions engineer at Puppet Labs.
