Quickstart: Convert Group Policy into DSC
Applies To: Windows PowerShell 4.0, Windows PowerShell 5.0
You can generate a DSC configuration from a Group Policy or Azure Security Center baseline. The BaselineManagement module includes the following commands for accomplishing this task.
ConvertFrom-GPO - Converts Group Policies, stored as files. You can also specify a directory containing multiple policies that will be combined into one Configuration.
ConvertFrom-SCM - Converts Security Compliance Manager baselines, stored as
ConvertFrom-ASC - Converts Azure Security Center baselines, stored as
Merge-GPOs - Converts Group Policies applied to a target computer.
The cmdlets listed above convert a baseline into a DSC .mof file. You can also choose to output a Configuration script (.ps1) that you can edit and recompile. The cmdlets detect compilation errors for missing resources or duplicate resource blocks. Resource blocks that would cause compilation errors are commented out.
The following example converts a Microsoft Security Baseline into a DSC configuration script (.ps1):
Install-Module BaselineManagement
Import-Module BaselineManagement
ConvertFrom-GPO -Path '.\Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline\GPOs\' -OutputConfigurationScript
After running the commands, you see two files in the default "Output" directory created under your current path.
Get-ChildItem -Path .\Output
    Directory: C:\Temp

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         7/9/2019   9:35 AM       227.37KB DSCFromGPO.ps1
-a----         7/9/2019   9:35 AM       410.03KB localhost.mof
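Because resource blocks that would cause compilation errors are commented out, the compiled .mof can enforce fewer settings than the source baseline. The following added example (not part of BaselineManagement or the original page) lists comment blocks in a generated script that still look like resource declarations, so they can be reviewed before the configuration is deployed. The function name, the matching heuristic (a comment containing Type 'Name' followed by an opening brace), and the sample script are assumptions made for illustration.

```powershell
# Added example, not BaselineManagement code; Get-CommentedDscResource is a hypothetical helper.
function Get-CommentedDscResource {
    param([Parameter(Mandatory = $true)] [string] $ScriptText)
    $tokens = $null; $errors = $null
    # Tokenize only: nothing is executed, and comment tokens are returned even if parsing reports errors.
    [void][System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    # Heuristic (assumption): a disabled block still reads  Type 'Name' {  inside one comment.
    $pattern = '(?m)^[\s#<]*(?<Type>[A-Za-z_]\w*)\s+(?<Name>''[^'']+''|"[^"]+")\s*\{'
    foreach ($token in $tokens) {
        if ($token.Kind -ne [System.Management.Automation.Language.TokenKind]::Comment) { continue }
        foreach ($match in [regex]::Matches($token.Text, $pattern)) {
            # Convert the match offset inside the comment to a line number in the script.
            $offset = ($token.Text.Substring(0, $match.Groups['Type'].Index) -split "`n").Count - 1
            [pscustomobject]@{
                Line         = $token.Extent.StartLineNumber + $offset
                ResourceType = $match.Groups['Type'].Value
                ResourceName = $match.Groups['Name'].Value.Trim("'", '"')
            }
        }
    }
}

# Constructed sample standing in for .\Output\DSCFromGPO.ps1
$sample = @'
Configuration DSCFromGPO
{
    Node localhost
    {
        Service 'ConstructedSample_Active'
        {
            Name  = 'Spooler'
            State = 'Stopped'
        }
        <#
        Registry 'ConstructedSample_Skipped'
        {
            Key       = 'HKLM:\SOFTWARE\ConstructedSample'
            ValueName = 'Example'
        }
        #>
    }
}
'@

Get-CommentedDscResource -ScriptText $sample | Format-Table -AutoSize
# For a real conversion: Get-CommentedDscResource -ScriptText (Get-Content .\Output\DSCFromGPO.ps1 -Raw)
```

On the constructed sample this reports one entry, the Registry block that starts on line 11. Blocks disabled with per-line # comments are matched only when the opening brace is on the same line as the resource name.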
Each managed node will also need the following two modules:
BaselineManagement is a solution developed by the community to make DSC more discoverable for
Support for community solutions comes from the project maintainers and not from Microsoft. You can open a new issue for BaselineManagement on GitHub.