What Does Desired State Configuration Mean?
On This Page
Quick Definition
Think of Desired State Configuration as a recipe book for your servers. Instead of manually tweaking settings or running the same commands over and over, you write a simple script that says exactly how the server should be set up. The system then makes sure the server stays in that state, automatically fixing anything that drifts out of compliance, like a forgotten setting or a missing update.
Commonly Confused With
Azure Policy is for defining rules that apply to Azure resources themselves, like 'Only allow Standard_D2s_v3 VM sizes' or 'require a specific tag on all resource groups'. DSC is for configuring the operating system and applications inside an existing VM. Policy does not run inside the VM; DSC does. Policy is for enforcement at the cloud management plane; DSC is for configuration of the guest OS.
To ensure every VM is tagged with a cost center, use Azure Policy. To ensure every VM has the IIS role installed, use DSC.
Update Management is a feature of Azure Automation that specifically handles patching of operating systems. It assesses missing updates and installs them on a schedule. DSC is broader and can manage many aspects of configuration beyond updates, such as software installation, registry settings, and firewall rules. Update Management is focused on one task; DSC is a general-purpose configuration engine.
To keep all VMs patched every Tuesday, use Update Management. To ensure that each VM has a specific version of a custom application installed, use DSC.
ARM templates are used to deploy and manage Azure infrastructure resources like VMs, networks, and storage at provisioning time. They can include extensions like the DSC extension, but they are not the configuration engine itself. ARM templates define what resources are created; DSC defines what the software inside those resources looks like after creation. They work together but are different concepts.
Use an ARM template to create a VM and attach a network interface. Use a DSC configuration to install the SQL Server on that VM and set its service account.
Must Know for Exams
The Desired State Configuration (DSC) is a topic that appears primarily in the Microsoft AZ-104 exam, which is the Azure Administrator Associate certification. It falls under the domain of managing Azure identities and governance, and more specifically under 'Manage Azure resources by using Azure Resource Manager templates' and 'Manage Azure VMs by using DSC'. The exam objectives explicitly mention using DSC to manage configuration of Azure VMs, including enabling DSC, creating configurations, and applying them to VMs.
In the exam, candidates should expect to see questions that test their understanding of DSC architecture, the role of the Local Configuration Manager, the difference between Push and Pull modes, and how DSC integrates with Azure Automation. You may be asked to choose the correct method to apply a DSC configuration to a set of Azure VMs, or to interpret a compliance report to identify nodes that have drifted from the desired state. You may also need to know how to configure an Azure Automation account to use DSC, including setting up a Pull server and onboarding VMs.
A typical question scenario might describe a company with 50 Azure VMs running Windows Server. The company needs to ensure that all VMs have the same security baseline, including specific firewall rules and user rights assignments. The solution must automatically correct any configuration drift without manual intervention. You will need to select the appropriate approach: configure Azure Automation DSC, create a DSC configuration, and assign it to the VMs. You may also need to decide whether to use configuration mode 'ApplyAndAutoCorrect' or 'ApplyOnly'.
Another question type might ask about the format of DSC configuration files. You may be asked which file type is generated when a DSC configuration is compiled (answer: MOF file). Or you may be asked about the protocol used for communication between the LCM and the Pull server (answer: HTTPS with x.509 certificates).
Beyond AZ-104, DSC is also relevant to the AZ-800 (Windows Server Hybrid Administrator) exam, which covers on-premises and hybrid management. However, for that exam it is more of a supporting concept. For the AZ-104, it is a primary topic. You should study the official Microsoft documentation on Azure Automation DSC, understand how to create a DSC configuration in PowerShell, and practice applying it to VMs using the Azure portal, CLI, or PowerShell cmdlets like 'Set-AzVMDscExtension'.
One important note: the exam may also test your ability to create a DSC configuration that uses custom resources. For example, you might need to write a configuration that ensures a specific third-party application is installed. You would need to understand how to import and reference custom DSC resources within the configuration script.
Overall, DSC is not the largest topic on the exam, but it appears often enough to be a recommended area of study. Mastery of DSC will also help you answer questions about compliance, automation, and infrastructure as code, which are increasingly important themes in all Azure certifications.
Simple Meaning
Desired State Configuration, or DSC, is like having a self-maintaining house. Imagine you write down a list of exactly how you want your house to be every day: the thermostat at 72 degrees, all lights off by 10 PM, the front door locked, and the coffee maker programmed for 7 AM. You hand this list to a smart home assistant. Now, instead of you checking every hour, the assistant watches the house constantly. If a window is left open, it closes it. If a light is on past curfew, it turns it off. If the temperature drops, it adjusts the heater.
In the IT world, a server is like that house. You have many settings you need to be just right: which software is installed, which firewall rules are active, what user accounts exist, and how services are configured. Without DSC, an administrator has to log into each server, check these things manually, and fix any issues by hand. That works for one or two servers, but companies often have hundreds or thousands. Doing this manually is slow, error-prone, and exhausting.
DSC lets you write a single document, called a configuration, that describes the perfect state of your server. You then apply this configuration to the server, and the DSC engine takes over. It checks the server’s current state against the desired state. If anything is wrong, it automatically makes changes to bring the server back to the desired state. And it keeps checking, day and night. If a user accidentally disables a security setting, DSC re-enables it. If a required service crashes, DSC restarts it. The server stays exactly how you want it, without you needing to watch it every second.
This approach is called declarative configuration, because you only declare what the end result should be, not how to get there. You do not write step-by-step instructions like 'install this, then edit that file, then restart the service'. Instead, you say 'this service should be running, this file should exist, this registry key should have this value'. DSC figures out the steps needed to make it happen. This is much simpler to write and much more reliable, because DSC can handle dependencies, order of operations, and error recovery on its own.
Another key idea is that DSC is meant to be idempotent. That means you can run the same configuration over and over, and the result is always the same. The first time it might install software and change settings. The hundredth time, if everything is already correct, it just confirms that and does nothing. This makes automation safe and predictable.
DSC is often used in large data centers and cloud environments like Microsoft Azure. It helps teams manage consistency across hundreds of virtual machines, enforce security baselines, and roll out new software without manual intervention. For anyone studying for IT certifications, especially Azure-related ones like the AZ-104, DSC is a fundamental tool for managing compute resources at scale.
Full Technical Definition
Desired State Configuration (DSC) is a management platform built into Windows PowerShell and also available on Linux through the Open Management Infrastructure (OMI) server. It provides a set of PowerShell language extensions, cmdlets, and a local configuration manager (LCM) that enable administrators to define, deploy, and enforce the desired state of a system using declarative syntax. DSC is a key component in the Infrastructure as Code (IaC) paradigm, allowing IT teams to manage configuration drift and automate environment provisioning at scale. It was first introduced in Windows Management Framework 4.0 for Windows Server 2012 R2 and PowerShell 4.0, and it is fully supported on all modern Windows Server versions as well as Windows 10 and 11.
At the core of DSC is the Local Configuration Manager (LCM), a service that runs on each managed node. The LCM is responsible for applying configurations, reporting status, and enforcing compliance. It operates in two modes: Push mode, where the configuration is manually sent to the node using the Start-DscConfiguration cmdlet, and Pull mode, where the node regularly checks a central Pull server, downloads the latest configuration, and applies it automatically. In Pull mode, the LCM can be configured with a frequency for consistency checks, enabling self-healing and continuous compliance.
DSC configurations are written as PowerShell script files (.ps1) that use the Configuration keyword. Inside the configuration block, resources are declared using a syntax that specifies the resource type, name, and properties. DSC includes a wide set of built-in resources for managing files, registry settings, services, processes, Windows features, environment variables, packages, and more. Custom resources can be written in PowerShell, compiled as a module, or developed in C#. The configuration script is compiled into a Managed Object Format (MOF) file, which is the standard format used by the Windows Management Instrumentation (WMI) and DMTF standards. The MOF file is then consumed by the LCM to apply the desired state.
DSC supports partial configurations, allowing different parts of a system to be managed independently. For example, one team can manage the operating system baseline while another team manages the application layer. DSC also supports cross-node dependencies, such as ensuring that a database server is configured before a web server that depends on it. This is achieved through the WaitForAll and WaitForAny resources.
In addition to the core engine, DSC integrates with Azure Automation in the cloud. Azure Automation DSC provides a hosted Pull server, a graphical configuration editor, and reporting tools that aggregate compliance data from all managed nodes. This is especially relevant for the AZ-104 exam, which covers management of Azure resources using DSC. Azure Automation DSC also supports onboarding of both Azure VMs and on-premises machines, making it a hybrid solution.
From a protocol perspective, DSC uses the OMI-based CIM (Common Information Model) protocol for cross-platform management. On Windows, it natively uses WMI. Communications between the LCM and Pull server can be secured via HTTPS and x.509 certificates. DSC uses the RefreshMode property in the LCM meta-configuration to define the method for receiving configurations. The ConfigurationMode controls how the LCM reacts to drift: ApplyOnly, ApplyAndMonitor, or ApplyAndAutoCorrect.
In practice, DSC is used to enforce security baselines, install roles and features, manage IIS bindings, configure network settings, and ensure compliance with corporate or regulatory standards. It is a core skill for Azure administrators and DevOps engineers, and understanding its architecture is essential for passing the AZ-104 exam and managing compute resources in enterprise environments.
Real-Life Example
Think about a large chain of fast-food restaurants. Every single restaurant in the chain needs to be identical. They must all have the same menu board, the same cleanliness standards, the same cooking times, the same lighting in the parking lot, and the same staff uniforms. If one restaurant has a different menu or a broken fryer that nobody fixed, customers get confused, and the brand reputation suffers.
Now, imagine the head office sends a quality inspector to every restaurant once a month. The inspector walks around with a clipboard, checks everything against a master checklist, and writes down what is wrong. Then they send the report back to the regional manager, who calls each restaurant and asks them to fix things. This takes weeks. Meanwhile, the broken fryer stays broken, the lights stay dim, and customers leave bad reviews.
This is how IT used to work with servers. Administrators would log in, check settings, and fix issues manually only when they found them. It was slow, reactive, and inconsistent.
Now, imagine that instead of a human inspector, each restaurant has a small robot manager built into the building. Before the restaurant opens, the robot runs through a complete checklist. Is the fryer temperature set to 350 degrees? Yes, good. Is the menu board showing the correct items? Yes. Are the light bulbs above the counters working? No, one is burned out. The robot immediately sends a signal to the maintenance supply room, which sends a replacement. The robot also logs the fix. Tomorrow, the robot checks again. It never stops checking.
This is DSC. The robot manager is the Local Configuration Manager (LCM) running on every server. The master checklist is the DSC configuration. The LCM runs constantly, checking every setting against the desired state. If a setting drifts, it corrects it immediately. No waiting for a human to notice. No phone calls. No inconsistent results. Every server stays exactly identical, exactly as defined in the configuration.
If the corporate office decides to change the menu, they simply update the master configuration. All the robots across all restaurants get the new checklist, and they each update their own restaurant. By the next morning, every restaurant is compliant with the new menu, without any human visiting each location.
This is the power of DSC: automation, consistency, and self-healing at scale.
Why This Term Matters
In any modern IT environment, consistency is a critical requirement. Whether you are managing ten servers in a small business or ten thousand virtual machines in Azure, having a way to guarantee that every machine is configured exactly the same way is essential for security, reliability, and operational efficiency. Desired State Configuration provides that guarantee.
Without DSC, configuration drift becomes a major problem. Servers that were set up identically six months ago slowly diverge. One administrator installs a tool manually on one server. A developer changes a registry key for a test. An automatic update applies to some servers but not others. Over time, you end up with a unique snowflake environment where no two servers are exactly alike. This makes troubleshooting a nightmare because an issue that appears on one server may not appear on another. It also means a security patch may be missing on a critical server without anyone noticing.
DSC eliminates drift by design. Because the LCM continuously enforces the desired state, any change that deviates from the configuration is automatically reverted. This means that the server always returns to the known, approved, and documented configuration. For security teams, this is invaluable. You can define a security baseline once and know that every server maintains it forever.
DSC enables large-scale deployment. Instead of manually setting up a new server, which can take hours, you can apply a DSC configuration in minutes. The configuration installs the necessary roles, sets up networking, configures firewalls, and even deploys applications. This makes scaling up for high demand or recovery from disaster much faster.
For Azure administrators, DSC integrates directly with Azure Automation, allowing you to manage not only Azure VMs but also hybrid machines running on premises or in other clouds. This provides a single pane of glass for configuration management across the entire environment. It also provides compliance reporting, so you can see exactly which machines are compliant and which have drifted.
For certification exams like the AZ-104, understanding DSC is important because it is part of the Azure Compute objective. You will need to know how to create and apply DSC configurations, how to onboard machines to Azure Automation DSC, and how to interpret compliance reports. It is a concept that overlaps with configuration management tools like Ansible, but with a tighter integration into the Windows and Azure ecosystem.
How It Appears in Exam Questions
On the AZ-104 exam, questions about Desired State Configuration can appear in several different patterns. The most common question type is the scenario-based multiple-choice question. You will be given a business requirement and asked to choose the correct solution that uses DSC. For example, 'A company has 100 Azure VMs that must all have the same Windows features enabled. An administrator must ensure that any VM that drifts from the baseline is automatically corrected. What should you do?' The correct answer would involve enabling Azure Automation DSC, creating a configuration, and setting the ConfigurationMode to ApplyAndAutoCorrect.
Another pattern is the configuration choice question. You may be shown a partial DSC configuration script and asked to identify what it does or which resource code is missing. For example, you might see a configuration that uses the 'Service' resource but has an incomplete syntax. The question would ask you to select the correct property to ensure the service starts automatically.
Troubleshooting-style questions also appear. For instance, 'After applying a DSC configuration to a VM, the desired state is not being enforced. The report shows the node status as non-compliant but the LCM does not apply corrections. What is the most likely cause?' The answer would focus on the ConfigurationMode being set to 'ApplyOnly' instead of 'ApplyAndAutoCorrect', or that the LCM refresh interval is set too low.
There are also comparison questions where you must choose between DSc and other Azure automation tools. For example, 'You need to apply a configuration to a VM that requires rebooting if a specific software is installed. Which tool is best suited?' The answer would involve DSC because it can handle reboots and dependencies, whereas something like a simple Runbook might not handle reboots gracefully.
Finally, you may see questions about onboarding a VM to Azure Automation DSC. For example, 'You have an Azure VM running Windows Server 2022. You need to manage its configuration using Azure Automation DSC. What must you do first?' The answer may involve registering the VM with the Azure Automation account using the Set-AzVMDscExtension cmdlet or enabling DSC in the Azure portal.
Understanding the exact syntax of DSC configuration files is less emphasized on the exam than understanding the high-level workflow and integration with Azure. However, you should be familiar with the fact that DSC configurations are written in PowerShell and compiled into MOF files, and that the LCM runs on the VM to apply them. You do not need to memorize every DSC resource property, but you should know the common ones like File, Registry, Service, WindowsFeature, and Script.
Pay attention to distractor answers that suggest using Azure Policy instead of DSC. Azure Policy is for auditing and enforcing compliance of Azure resources at the management plane level (e.g., which VM SKUs are allowed), whereas DSC is for configuring the operating system inside the VM. Mixing these up is a common trap on the exam.
Practise Desired State Configuration Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called 'ProServe Solutions' has 30 Azure VMs running Windows Server 2022 that are used as web servers. The IT team needs to ensure that every web server has the same configuration: the IIS web server role must be installed, port 443 must be open on the Windows Firewall, the default web site must point to a shared folder on a file server, and the Windows Update service must be set to automatic. The team is tired of logging into each VM to check these settings after every patch Tuesday, because some VMs always drift out of compliance.
The team decides to use Azure Automation DSC to enforce the desired state. First, they create an Azure Automation account and enable the DSC feature. Then, a DevOps engineer writes a DSC configuration script called 'WebServerConfig.ps1'. The configuration declares the following resources: the WindowsFeature resource for the Web-Server role, the WindowsFeature resource for the Web-WebServer feature, the Firewall resource to allow TCP port 443, the File resource to ensure the default website path exists, the Registry resource to set the IIS home directory, and the Service resource to set the Windows Update service to start automatically.
Next, the engineer compiles the configuration in Azure Automation, which produces a MOF file for each node. The team then configures the LCM on each VM by applying the DSC extension using the Set-AzVMDscExtension cmdlet, specifying the Automation account name and the configuration name. They set the ConfigurationMode to 'ApplyAndAutoCorrect' and the RefreshFrequencyMins to 30.
Once the configuration is applied, the LCM on each VM immediately checks its state. If any VM has a missing IIS role or a wrong firewall rule, the LCM installs the role or adjusts the rule. The team also sets up reporting so they can view compliance from the Azure portal. Now, after every patch Tuesday, the VMs automatically self-heal. If a patch disables the IIS service, the LCM restarts it. If a temporary admin changes a firewall rule, the LCM reverts it within 30 minutes. The team no longer needs to manually check the servers, and they have full visibility into compliance.
This scenario shows how DSC solves the real-world problem of configuration drift at scale. The team saved hours of manual work and improved the reliability and security of their web server fleet.
Common Mistakes
Confusing Desired State Configuration with Azure Policy.
Azure Policy is used to enforce compliance rules on Azure resources at the subscription or resource group level, such as restricting VM sizes or enforcing tagging. DSC, on the other hand, configures the operating system inside the VM. They serve different purposes and are not interchangeable.
Use Azure Policy for resource-level governance. Use DSC to manage the configuration of the OS and applications running on the VM.
Thinking that DSC only works in Push mode.
Many learners assume that DSC configurations can only be pushed to nodes manually. In reality, DSC supports Pull mode, where nodes automatically check a Pull server (like Azure Automation) for their configuration and apply it at scheduled intervals. Pull mode enables self-healing and is more scalable for large environments.
For enterprise deployments with many VMs, configure the LCM to use Pull mode. This allows automatic compliance enforcement without manual intervention.
Believing that DSC only applies to Windows systems.
While DSC originated in Windows, Microsoft has made it available for Linux as well through the Open Management Infrastructure (OMI) server. Linux DSC resources are available for managing files, services, packages, and groups. However, the AZ-104 exam focuses on Windows VMs, so many learners overlook the cross-platform capability.
Be aware that DSC can manage both Windows and Linux machines. For the exam, focus on Windows, but remember the broader capability.
Assuming that DSC configurations are applied instantly and forever.
DSC is not a one-time setup. The LCM checks for compliance periodically based on the RefreshFrequencyMins setting. If you set ConfigurationMode to ApplyOnly, drift will not be corrected. If you set it to ApplyAndAutoCorrect, drift is corrected but only after the next consistency check. Immediate correction is not guaranteed.
Always configure a short RefreshFrequencyMins (e.g., 15 minutes) for environments that need quick drift correction. Use ApplyAndAutoCorrect mode for self-healing.
Writing configuration scripts that are not idempotent.
Some beginners write DSC scripts that assume a certain starting state. For example, they might write a Script resource that appends a line to a file each time it runs. This would cause the line to be added repeatedly, creating duplicate entries. DSC resources should be designed so that running them multiple times always produces the same result.
Use built-in DSC resources (like File, Registry, Service) which are inherently idempotent. If you use a Script resource, write it with idempotency in mind by checking the current state before making changes.
Exam Trap — Don't Get Fooled
{"trap":"Choosing Azure Policy instead of DSC to enforce an operating system configuration within an Azure VM.","why_learners_choose_it":"Learners see 'enforce' and 'compliance' and remember that Azure Policy is used for compliance. They also know that Policy can audit configurations.
They mistakenly believe that Policy can reach inside a VM to configure guest OS settings.","how_to_avoid_it":"Remember that Azure Policy works at the Azure Resource Manager layer. It can see the VM resource, its size, its location, and its tags, but it cannot see inside the VM's operating system.
To configure OS settings like firewall rules, services, or installed features, you must use an in-guest agent like the DSC extension or the Log Analytics agent. When you see an exam question about configuring the OS of a VM, think DSC. When you see a question about resource compliance at the Azure subscription level, think Policy."
Step-by-Step Breakdown
Author a DSC Configuration
You write a PowerShell script that uses the Configuration keyword. Inside it, you declare the desired state of the system using DSC resources like File, Registry, Service, and WindowsFeature. This script describes the end state, not the steps to reach it.
Compile the Configuration into MOF Files
When you run the configuration script in PowerShell, it produces a Managed Object Format (MOF) file. The MOF file is a standardized representation that the Local Configuration Manager (LCM) can read. If your configuration targets multiple nodes (different computer names), multiple MOF files are generated.
Apply the MOF File to a Node
You apply the configuration to a target machine using the Start-DscConfiguration cmdlet (Push mode) or by placing the MOF file on a Pull server. In Azure Automation, you compile the configuration in the cloud and then assign it to nodes. The LCM on each node then downloads or receives the MOF file.
LCM Enforces the Desired State
The LCM reads the MOF file and compares the current state of each resource against the defined desired state. For each resource that is not compliant, the LCM invokes the resource's Set method to bring the system into compliance. The LCM also logs the results and reports status.
Continuous Monitoring and Auto-Correction
Depending on the ConfigurationMode, the LCM continues to check the system at the interval defined by RefreshFrequencyMins. If any resource drifts out of compliance, the LCM automatically reapplies the desired state. In ApplyAndAutoCorrect mode, drift is actively corrected. In ApplyOnly mode, drift is reported but not corrected.
Report Compliance
The LCM sends status reports to a reporting server (like Azure Automation or a local DSC Pull server). These reports include which resources are compliant, which are not, and any errors encountered. Admins can use these reports to monitor the health of their managed nodes.
Practical Mini-Lesson
To use DSC effectively in a production environment, you need to understand both its design principles and its operational nuances. DSC is not a 'set it and forget it' silver bullet, but when implemented correctly, it dramatically reduces manual toil and configuration drift.
First, always design your DSC configurations to be reusable. Instead of writing a separate configuration for each server, group servers into roles (e.g., web server, database server, domain controller). Use parameters in your configuration to handle differences like server names, IP addresses, or file paths. This keeps your code base lean and makes it easier to manage at scale.
Second, understand the importance of the LCM meta-configuration. This is a special configuration that controls how the LCM itself behaves. You set the RefreshMode (Push or Pull), ConfigurationMode (ApplyOnly, ApplyAndMonitor, or ApplyAndAutoCorrect), and RefreshFrequencyMins. For critical servers, you almost always want ApplyAndAutoCorrect with a short refresh interval, like 15 minutes. For non-critical development servers, ApplyOnly might be acceptable because you want to allow temporary manual changes for testing.
Third, be aware of the dependencies between resources. DSC does not automatically know the order in which to apply resources unless you tell it. You use the DependsOn property to define that, for example, the 'IIS Website' resource depends on the 'WindowsFeature Web-Server' resource. Without explicit dependencies, DSC may try to configure a website before IIS is installed, which will fail. Always plan your resource order carefully.
Fourth, DSC configurations are often stored in source control (like Git) and integrated into a CI/CD pipeline. When you update the configuration, you recompile and deploy it. In Azure Automation, this means creating a new compilation job. The updates are then pulled by the VMs on their next refresh cycle. This enables agile configuration management.
Fifth, troubleshooting DSC issues is a common part of an admin's job. If a configuration is not applying, the first step is to check the DSC event log on the VM. Look for errors in the Microsoft-Windows-DSC/Operational log. Common problems include misconfigured LCM settings, expired credentials (if the configuration uses domain accounts), or missing resources on the target machine. Also, the Get-DscConfiguration cmdlet shows the current applied state, and Test-DscConfiguration checks compliance without making changes.
Finally, consider security. DSC configurations often contain sensitive data like passwords or service account credentials. Use the DSC LocalConfigurationManager's CertificateID property to encrypt the MOF file at rest. In Azure Automation, this is handled automatically via the Azure Key Vault integration. Never store plaintext passwords in configuration files.
In practice, DSC is a powerful tool, but it requires a shift in mindset from ad-hoc management to a declarative, code-driven approach. For the AZ-104 exam, focus on the workflow, the integration with Azure Automation, and the ability to choose the right mode and settings for a given scenario.
Memory Tip
Think of DSC as a 'self-healing recipe' for your servers: Declare the State, Compile the MOF, (apply and) Correct drift automatically.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
AZ-104AZ-104 →PCAGoogle PCA →Related Glossary Terms
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Do I need to know how to write DSC configurations for the AZ-104 exam?
Yes, you should be able to understand the structure of a DSC configuration, recognize key resources like WindowsFeature and Service, and know how to assign configurations to Azure VMs through the DSC extension.
Can DSC be used for Linux servers?
Yes, DSC supports Linux via the Open Management Infrastructure (OMI) server and provides resources for services, files, packages, and users. However, the AZ-104 exam primarily focuses on Windows.
What is the difference between Push and Pull modes in DSC?
In Push mode, an administrator manually sends the configuration to each node. In Pull mode, nodes periodically check a central Pull server for the latest configuration and apply it automatically. Pull mode is more scalable and supports self-healing.
What happens if a DSC configuration fails to apply?
The LCM logs the failure in the DSC event log. The configuration is not applied, and the node remains in a non-compliant state. The administrator can troubleshoot using logs or by running Get-DscConfiguration and Test-DscConfiguration.
Is DSC the same as Azure Automation State Configuration?
Azure Automation State Configuration is a cloud-based service that hosts the DSC Pull server, provides a configuration management experience, and reports compliance data. DSC is the underlying PowerShell technology, and Azure Automation is one way to use it at scale.
Can I use DSC to install software that requires a reboot?
Yes, DSC supports reboots through the PendingReboot resource or by using the PSDscRunAsCredential and running a Script resource that handles reboots. However, you must configure the LCM to allow reboots by setting the RebootNodeIfNeeded property to true.
Summary
Desired State Configuration (DSC) is a powerful automation platform built into PowerShell that enables IT professionals to define and enforce the exact configuration state of their servers. Using a declarative approach, you write a script that describes the desired end state for settings like installed features, registry values, services, and firewall rules. The Local Configuration Manager on each server then continuously ensures that the server stays in that state, automatically correcting any drift. This eliminates the manual, error-prone process of checking and fixing servers one by one.
For Azure administrators, DSC integrates with Azure Automation, providing a centralized way to manage configurations across hundreds of VMs, whether they are in Azure or on premises. This makes DSC an essential tool for achieving consistency, security, and operational efficiency at scale. On the AZ-104 exam, DSC appears as a key concept under Azure Compute, and you must understand how to enable it, create configurations, and interpret compliance results. Common exam traps include confusing DSC with Azure Policy or Update Management, and understanding the difference between Push and Pull modes.
Mastering DSC not only helps you pass the exam but also gives you a practical skill used in real-world DevOps and infrastructure management. By treating server configuration as code, you can deploy, update, and maintain your environment with speed and reliability. Desired State Configuration is more than a feature-it is a fundamental shift toward automated, self-healing infrastructure that every modern IT professional should understand.