-
Notifications
You must be signed in to change notification settings - Fork 128
WhatIsACompositeResource
To understand what a PowerShell DSC composite resource is, we first need to understand what a PowerShell DSC resource is.
A PowerShell DSC (Desired State Configuration) resource is a packaged set of PowerShell files and supporting components that enables DSC to manage a specific type of system configuration.
Each DSC resource is designed to work with a related group of objects or settings, providing a standardized way to declare how those settings should be configured and enforced.
For example, the Registry DSC resource (which ships with Windows PowerShell) allows DSC configurations to manage Windows Registry keys and values declaratively. Rather than writing custom scripts, you describe the desired registry state in a configuration file, and DSC ensures that state is applied and maintained. Each resource may have different parameters, for example when working with the Windows registry, you have Keys and Values, but when working with the DSC File resource, you have path's and filenames.
Here is an example of using the Registry DSC resource.
Configuration SetContosoRegistry
{
Import-DscResource -ModuleName PSDesiredStateConfiguration
Node 'localhost'
{
Registry EnableContosoFeature
{
Ensure = 'Present'
Key = 'HKLM:\Software\Contoso'
ValueName = 'EnableFeature'
ValueType = 'Dword'
ValueData = 1
}
}
}
In short, DSC resources:
- Represent a single area of configuration (registry, files, services, firewall rules, etc.)
- Provide a declarative interface for managing that configuration
- Are consumed by DSC configurations rather than executed directly
A DSC composite resource builds on this concept by combining multiple DSC resources into a single, reusable unit.
Instead of managing one type of setting, a composite resource wraps several DSC resources together to represent a higher‑level configuration scenario. This allows you to capture best practices and repeatable patterns in one place.
For example, a composite resource might:
- Install required Windows features
- Create folders and registry settings
- Configure services and security options
All of these steps can then be exposed as a single logical resource with a simplified set of parameters.
Composite resources are not implemented as PowerShell classes or MOF schemas. Instead, they are written as PowerShell DSC configurations and packaged inside a module so they behave like first‑class DSC resources.
Contoso has a baseline that ALL workstations contains. The baseline has the following:
- Ensures a folder exists (c:\Contoso)
- optionally create a file inside it
- Sets a registry value (hklm:\software\contoso\EnableFeature (DWORD))
Instead of having each and every PowerShell DSC configuration contain the three items above, we can encapsulate them into a composite resource. Once they are contained in a composite resource, we then use that single resource to do the work of the three items in this case.
- Create the proper folder structure
- Create the module manifest
- Create the composite resource schema
- Create the configuration file - call it to create the .mof file
- Run Start-DscConfiguration using the newly created .mof file from above
Create the following structure on the machine that will compile the configuration (typically the authoring host):
C:\Program Files\WindowsPowerShell\Modules\
└─ MyCompany.Baseline\
└─ 1.0.0.0\
│ MyCompany.Baseline.psd1
└─ DscResources\
└─ BaselineContoso\
└─ BaselineContoso.schema.psm1
Why this matters: DSC v2 discovers composite resources by looking for .schema.psm1 under DscResources<ResourceName> inside a module folder. The module must export the resource via its manifest.
Create this file at:
C:\Program Files\WindowsPowerShell\Modules\MyCompany.Baseline\1.0.0.0\MyCompany.Baseline.psd1
@{
# This module only contains composite resources; RootModule is empty.
RootModule = ''
ModuleVersion = '1.0.0.0'
GUID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' # Use New-Guid to create a real one
Author = 'Your Team'
CompanyName = 'Your Company'
Copyright = '(c) Your Company. All rights reserved.'
PowerShellVersion = '5.1'
# Export the composite resource name(s)
DscResourcesToExport = @('BaselineContoso')
# Optional: RequiredModules if your composite uses community DSC modules
# RequiredModules = @('xSomething', 'PSDscResources')
}Create this file at:
C:\Program Files\WindowsPowerShell\Modules\MyCompany.Baseline\1.0.0.0\DscResources\BaselineContoso\BaselineContoso.schema.psm1
This is the interface the consumer of this composite resource will use. The consumer can pass in different values or use the defaults Once this composite resource is created, we can begin using it.
# This is a Composite Resource implemented as a Configuration.
# Do NOT put Import-DscResource here. The consuming configuration will handle imports.
configuration BaselineContoso
{
param(
[ValidateSet('Present','Absent')]
[string] $Ensure = 'Present',
[string] $InstallPath = 'C:\Contoso',
[uint32] $EnableFeatureValue = 1 # DWORD for registry value
)
# Folder baseline (removed recursively when Ensure='Absent')
File ContosoFolder
{
Ensure = $Ensure
Type = 'Directory'
DestinationPath = $InstallPath
Recurse = $true
}
# Optional config file to demonstrate file management
# This will be created/removed according to Ensure
File ContosoConfig
{
Ensure = $Ensure
DestinationPath = (Join-Path $InstallPath 'contoso.config')
Contents = "Feature=$EnableFeatureValue"
DependsOn = '[File]ContosoFolder'
}
# Registry value baseline
Registry EnableContosoFeature
{
Ensure = $Ensure
Key = 'HKLM:\Software\Contoso'
ValueName = 'EnableFeature'
ValueType = 'Dword'
ValueData = $EnableFeatureValue
}
}Notes:
This composite uses only built‑in resources (File, Registry) so there are no external dependencies.
If you use community resources (e.g., xPSDesiredStateConfiguration), the consuming configuration must Import-DscResource for those modules as well.
Save as ApplyBaseline.ps1 anywhere (e.g., your working folder):
Configuration ApplyBaseline
{
# Import the built-in DSC module and YOUR composite module
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName 'MyCompany.Baseline'
Node 'localhost'
{
# Use the composite like any other DSC resource
BaselineContoso Baseline
{
Ensure = 'Present'
InstallPath = 'C:\Contoso'
EnableFeatureValue = 1
}
}
}
# Compile -> creates .\ApplyBaseline\localhost.mof
ApplyBaseline
# Apply
Start-DscConfiguration -Path .\ApplyBaseline -Wait -Verbose -Force
The script defines a DSC configuration named ApplyBaseline.
To generate the MOF file, the configuration name is invoked—much like calling a PowerShell function.
When the following line is executed:
ApplyBaselineWhen this line is executed, the configuration is compiled, which produces a MOF file (for example, localhost.mof). At this stage, no configuration has been applied to the system; the desired state has only been translated into a MOF document.
Applying the configuration is handled by:
Start-DscConfigurationThis cmdlet instructs the Local Configuration Manager (think PowerShell DSC agent, usually called LCM) to apply one or more MOF files. The -Path parameter points to a directory that can contain one or multiple MOF files, all of which will be consumed and applied by the LCM.
# Registry value
Get-ItemProperty -Path 'HKLM:\Software\Contoso' -Name 'EnableFeature'
# File(s) and folder
Get-ChildItem -Path 'C:\Contoso' -Force
# DSC compliance
Test-DscConfiguration -Detailed
Composite resources help you:
- Reduce duplication across DSC configurations
- Encapsulate complex logic behind a simple interface
- Standardize configuration patterns across teams and environments
- Make DSC configurations easier to read and maintain
They are especially useful in larger solutions—such as security baselines, application stacks, or compliance frameworks—where the same group of settings must be applied consistently.
- A DSC resource manages a specific type of configuration
- A DSC composite resource combines multiple DSC resources into a single reusable unit
- Composite resources are written using PowerShell DSC configurations
- They enable cleaner, more maintainable, and standardized DSC implementations
- PowerStig creates composite resources that you consume in your configuration files.
-
Stig Coverage (Products PowerSTIG supports)
- Stig Coverage Summary
- Adobe-AcrobatPro-2.1
- Adobe-AcrobatReader-1.6
- Adobe-AcrobatReader-2.1
- DotNetFramework-4-2.6
- DotNetFramework-4-2.7
- FireFox-All-6.6
- FireFox-All-6.7
- Google-Chrome-2.10
- Google-Chrome-2.11
- IISServer-10.0-3.5
- IISServer-10.0-3.6
- IISSite-10.0-2.13
- IISSite-10.0-2.14
- InternetExplorer-11-2.5
- InternetExplorer-11-2.6
- MS-Edge-2.3
- MS-Edge-2.4
- Office-365ProPlus-3.3
- Office-365ProPlus-3.4
- Office-Access2016-1.1
- Office-Access2016-2.1
- Office-Excel2016-1.2
- Office-Excel2016-2.2
- Office-OneNote2016-1.2
- Office-OneNote2016-2.1
- Office-Outlook2016-2.3
- Office-Outlook2016-2.4
- Office-PowerPoint2016-1.1
- Office-PowerPoint2016-2.1
- Office-Publisher2016-1.3
- Office-Publisher2016-2.1
- Office-Skype2016-1.1
- Office-Skype2016-2.1
- Office-System2016-2.4
- Office-System2016-2.5
- Office-Word2016-1.1
- Office-Word2016-2.1
- OracleLinux-8-2.3
- OracleLinux-8-2.4
- OracleLinux-9-1.1
- RHEL-7-3.14
- RHEL-7-3.15
- RHEL-9-2.3
- RHEL-9-2.7
- SqlServer-2016-Instance-3.5
- SqlServer-2016-Instance-3.6
- SqlServer-2022-Instance-1.2
- SqlServer-2022-Instance-1.3
- Ubuntu-18.04-2.14
- Ubuntu-18.04-2.15
- WindowsClient-10-3.5
- WindowsClient-10-3.6
- WindowsClient-11-2.5
- WindowsClient-11-2.6
- WindowsDefender-All-2.6
- WindowsDefender-All-2.7
- WindowsDnsServer-2012R2-2.5
- WindowsDnsServer-2012R2-2.7
- WindowsFirewall-All-2.1
- WindowsFirewall-All-2.2
- WindowsServer-2016-DC-2.10
- WindowsServer-2016-DC-2.9
- WindowsServer-2016-MS-2.10
- WindowsServer-2016-MS-2.9
- WindowsServer-2019-DC-3.6
- WindowsServer-2019-DC-3.7
- WindowsServer-2019-MS-3.6
- WindowsServer-2019-MS-3.7
- WindowsServer-2022-DC-2.6
- WindowsServer-2022-DC-2.7
- WindowsServer-2022-MS-2.6
- WindowsServer-2022-MS-2.7