Create an IP to report on DSC drifts / compliance
PowerShell DSC is currently poor in reporting on configuration drifts and compliance levels. Collect this data in Ops Insight to answer questions like:
- which systems are experiencing configuration drifts and for which DSC policies?
- what is the compliance level for this specific DSC policy / setting?

Great feedback. We are looking at potentially delivering a solution in this area. Thank you!
8 comments
-
Joe Levy (Azure Automation Team) commented
Automation DSC is part of the OMS suite (https://www.microsoft.com/en-us/server-cloud/operations-management-suite/pricing.aspx) and provides this functionality (https://azure.microsoft.com/en-us/documentation/articles/automation-dsc-overview/).
Can folks please comment as to the gaps in Automation DSC preventing this from being marked 'completed,' in their view?
-
Jeff Bryant commented
I suspect the Azure Automation DSC feature will be enhanced with a centralized view of all nodes and compliancy, but a view in OMS would be nice as well.
-
If you are using Operations Manager the private cloud blog has a sample MP that runs Test-DSCConfiguration to check if a DSC node has drifted from its configuration:
http://blogs.technet.com/b/privatecloud/archive/2014/10/09/desired-state-configuration-dsc-nodes-deployment-and-conformance-reporting-series-part-4-using-operations-manager-to-check-for-configuration-enforcement.aspx
-
Daniele Muscetta commented
"Microsoft-Windows-DSC/Operational" log works, anyhow. But I am not sure how much info that alone has.
-
Daniele Muscetta commented
Also commented on the ETW idea: our team already has an implementation of an ETL parser module for the agent, but right now this is specialized to collect some very specific telemetry from the VMM stack in Cloud Platform Systems - learn more about CPS at http://www.microsoft.com/cps
If there is enough interest we will think of making this code more generic to support other scenarios such as this one.
-
Daniele Muscetta commented
Well, yes Stefan - in theory. Except that currently we only pick up 'classic' and EVTX eventlogs, not those /analytics and /debug logs that are ETL traces under the hood - vote this one for that http://feedback.azure.com/forums/267889-azure-operational-insights/suggestions/6691402-collect-etw-trace-logs
Then yes, after that is in place, this scenario can probably use that information as data source.
-
Stefan Stranger commented
You can already use DSC event logs to retrieve that info. Enable Analytics and Debug logs for DSC events with the wevtutil tool. In the message property you can also find DSC operations.
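
Added example, not part of the thread or of any commenter's post: a per-node sketch that combines the two data sources mentioned in the comments, the DSC event channels enabled with wevtutil and a Test-DscConfiguration drift check. It assumes WMF 5.0 or later (for the `-Detailed` switch), an elevated session, and a node that already has a configuration applied; the shape of the output object is an illustration only.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes WMF 5.0+ and an applied DSC configuration.

$etlChannels = 'Microsoft-Windows-Dsc/Analytic', 'Microsoft-Windows-Dsc/Debug'

# Enable the ETL-backed channels; /q:true suppresses the confirmation prompt.
foreach ($channel in $etlChannels) {
    wevtutil.exe set-log $channel /q:true /e:true
}

# 1. Current drift state as reported by the Local Configuration Manager.
$state = Test-DscConfiguration -Detailed
$drift = @($state.ResourcesNotInDesiredState |
    Where-Object { $_ } |
    Select-Object ConfigurationName, ResourceId)

# 2. Recent DSC events. Operational is a classic EVTX log; Analytic and Debug
#    are traces and can only be read oldest-first (-Oldest).
$events = @(Get-WinEvent -LogName 'Microsoft-Windows-Dsc/Operational' -MaxEvents 100 -ErrorAction SilentlyContinue)
foreach ($channel in $etlChannels) {
    $events += @(Get-WinEvent -LogName $channel -Oldest -ErrorAction SilentlyContinue)
}

# Critical, error and warning entries (Level 1-3) are the ones worth forwarding.
$problems = $events |
    Where-Object { $_.Level -in 1, 2, 3 } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message

# One summary object per node, suitable for export or collection.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    InDesiredState = $state.InDesiredState
    DriftedCount   = $drift.Count
    Drifted        = $drift
    ProblemEvents  = $problems
}
```

The Debug channel is verbose, so disable it again with `/e:false` once the data has been collected.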
-
Daniele Muscetta commented
Would you consider this a part of 'Change Tracking' ? Or a separate IP? Can you elaborate a little?