Prerequisites

PowerShell

All nodes that will be used to author or receive configurations are running WMF version 5.1 or later.

Authoring nodes that are used to write configurations locally need to have internet connectivity to download new DSC-related resources.

Remote Management

WS-Management (WS-MAN) traffic is permitted on the network. It will be enabled by default on nodes that have PowerShell version 5 installed, but you must ensure it’s not being blocked by firewalls or other network elements. Read further for more information.

Communication with our backend

To communicate with our backend, the following endpoint must be reachable:

https://configuration-management.api.dev.xoap.io/dsc on port 443.

Proxy Configuration for Nodes

If PowerShell DSC nodes are forced to use a proxy server to communicate with the cloud-hosted backend, the node configuration must be adjusted before registering the node.

DSC does not communicate in a user context; it runs in the SYSTEM context, so per-user proxy settings do not apply to it.

For DSC to connect successfully and register the node, adjust the following lines inside the machine.config in your .NET installation directory. You should find the file in these locations:

32-bit
**%windir%\Microsoft.NET\Framework\[version]\config\machine.config**
64-bit
**%windir%\Microsoft.NET\Framework64\[version]\config\machine.config**

[version] should be equal to v1.0.3705, v1.1.4322, v2.0.50727 or v4.0.30319. v3.0 and v3.5 just contain additional assemblies to v2.0.50727 so there should be no config\machine.config. v4.5.x and v4.6.x are stored inside v4.0.30319.

Then add the following lines:

<system.net>
 <!-- Replace proxyaddress with the address of your proxy server -->
 <defaultProxy>
  <proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" />
 </defaultProxy>
</system.net>

Firewalls

SSL decryption can cause problems when clients inside your corporate network try to communicate with the cloud backend.

DEP

We have seen some virus scanners with DEP enabled prevent users from logging in to the cloud backend successfully.

TLS

Be sure to enable TLS 1.2 wherever possible. Not doing so will keep Configurations Management from working successfully.

Set it via PowerShell:

# Enable strong cryptography for .NET Framework 4.x (64-bit and 32-bit registry views)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# Enable strong cryptography for .NET Framework 2.0/3.5
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v2.0.50727' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# Use TLS 1.2 in the current PowerShell session only
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
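
A read-only preflight check covering the prerequisites on this page, run on a node before registering it. This is an added example, not part of the original page or of XOAP's tooling; `Add-Check` is a hypothetical helper, and the machine.config lookup assumes the v4.0.30319 directory.

```powershell
# Added example: read-only preflight for the prerequisites listed on this page.
# Run in an elevated Windows PowerShell session on the node; it changes nothing.
$backendHost = 'configuration-management.api.dev.xoap.io'   # host taken from this page
$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {   # hypothetical helper
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# 1. WMF 5.1 or later
$psv = $PSVersionTable.PSVersion
Add-Check 'WMF >= 5.1' ($psv -ge [version]'5.1') "PSVersion $psv"

# 2. WS-MAN: WinRM service running and answering locally
$winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$wsman = Test-WSMan -ErrorAction SilentlyContinue
Add-Check 'WinRM / WS-MAN' ($winrm.Status -eq 'Running' -and $null -ne $wsman) "Service: $($winrm.Status)"

# 3. SchUseStrongCrypto = 1 under the three .NET keys this page sets
$keys = 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Microsoft\.NetFramework\v2.0.50727'
foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    Add-Check 'SchUseStrongCrypto' ($value -eq 1) "$key = $value"
}

# 4. defaultProxy in machine.config (only relevant when the node must use a proxy)
foreach ($dir in 'Framework', 'Framework64') {
    $path = Join-Path $env:windir "Microsoft.NET\$dir\v4.0.30319\config\machine.config"
    if (-not (Test-Path $path)) { continue }
    $proxy = ([xml](Get-Content -Path $path -Raw)).configuration.'system.net'.defaultProxy.proxy
    Add-Check "defaultProxy ($dir)" ($null -ne $proxy) "proxyaddress: $($proxy.proxyaddress)"
}

# 5. Direct TCP reachability of the backend on 443 (this test does not use a proxy)
$tcp = Test-NetConnection -ComputerName $backendHost -Port 443 -WarningAction SilentlyContinue
Add-Check 'Backend TCP 443' $tcp.TcpTestSucceeded "Remote address: $($tcp.RemoteAddress)"

$results | Format-Table -AutoSize -Wrap
```

On nodes that can only reach the internet through a proxy, check 5 is expected to fail while check 4 should pass.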