How Do I Query the DSC Compliance Server?

Note: This is an an old article and contains content which may be out of date.

Having previously installed the Windows Desired State Configuration service, configuring both pull and compliance servers, I was left wondering how to query the compliance server. I found that before I could query the the compliance server, I had to tweak a configuration file to allow Windows Authentication.

Edit “C:\Windows\System32\inetsrv\config\applicationHost.config” directly, changing:

<section name="windowsAuthentication" overrideModeDefault="Deny" />

to

<section name="windowsAuthentication" overrideModeDefault="Allow" />

Alternatively, instead of editing the file, you can try:

 %windir%System32\inetsrv\appcmd.exe unlock config /section:windowsAuthentication

With this change applied, we can then use a PowerShell function to query the DSC Compliance Server. Here’s a function that I’ve lifted from a post by _Berhe Abrha’s_that appeared on PowerShell Team MSDN blog when that was a thing:

function QueryNodeInformation
{
  Param (      
       [string] $Uri = "http://win2k12r2-dc1:8081/PSDSCComplianceServer.svc/Status",                         
       [string] $ContentType = "application/json"           
     )

  Write-Host "Querying node information from pull server URI  = $Uri" -ForegroundColor Green

  Write-Host "Querying node status in content type  = $ContentType " -ForegroundColor Green

   $response = Invoke-WebRequest -Uri $Uri -Method Get -ContentType $ContentType -UseDefaultCredentials -Headers @{Accept = $ContentType}

   if($response.StatusCode -ne 200)
 {
     Write-Host "node information was not retrieved." -ForegroundColor Red
 }

 $jsonResponse = ConvertFrom-Json $response.Content

  return $jsonResponse
}

Execute the above function as follows:

(QueryNodeInformation).value | ft TargetName, ConfigurationId, ServerChecksum, TargetCheckSum, NodeCompliant, LastComplianceTime, LastHeartbeatTime, StatusCode

And you should hopefully see a row for each DSC Configured target node in your results:

TargetName              ConfigurationId         ServerCheckSum          TargetCheckSum                    NodeCompliant LastComplianceTime      LastHeartbeatTime                   StatusCode
----------              ---------------         --------------          --------------                    ------------- ------------------      -----------------                   ----------
192.168.1.100            1a5a3314-35b0-41c1-a... 1B12879647A44D171E1D... 1B12879647A44D171E1D...                    True 2015-10-12T17:40:46.... 2015-10-12T17:40:46....                      0
192.168.1.101            1a5a3314-35b0-41c1-a... 1B12879647A44D171E1D... 1B12879647A44D171E1D...                    True 2015-10-12T17:41:07.... 2015-10-12T17:41:07....                      0

If you don’t see any results, it’s likely that you’ve configured your DSC clients with a ConfigurationMode of ‘Apply’ rather than ‘ApplyAndAutocorrect’ or ‘ApplyAndMonitor’.