How to undo a PowerShell Desired State Configuration (DSC)

I saw a post on this on (link) asking how you could undo/remove a configuration. I understand the question and the logic behind it. I would love for DSC to have this functionality, however this is not how it works today. Perhaps some day in the future, however I would not bet on it. If you read this post, it will make perfect sense.

The life of a Desired State Configuration (DSC)

A configuration item/resource in DSC has two states it lives in and cares about: Ensure equals PRESENT or ABSENT. The state of the item and/or node (the target of the configuration) before the configuration is applied is not "stored" anywhere. It is just how the node was configured before the configuration was committed on the node.

Furthermore, any individual who has access to the node may install/configure features that you are not aware of. That is, of course, unless you create a configuration consisting of all possible combinations of configuration state a node can have, which is not very practical and very hard, if not impossible. So if your configuration has a file resource that says Ensure = "Absent", DSC will delete this file if present, like you instructed it to do. This represents a huge challenge in terms of undoing a configuration.

Scenario - Overwriting a configuration

Let's create a scenario: You have just created a new server/node/virtual machine that will host, oh say, a web application. You have prepared a configuration for it or you have an existing configuration you want to apply. DSC will configure that node according to the configuration. All sweet and dandy.

Some time goes by and the node is needed for something else. You prepare a new configuration and apply it. DSC will again make it so and happily obey your wishes to the letter. What happened to the previous configuration? Did it disappear? Well, in a way. The configuration document (MOF file) still exists in a file called previous.mof. Can you guess the filename of the applied configuration? Yes, current.mof. However, the configuration you applied first is still in effect, provided the new one did not overwrite the same "features" in some way. This is in essence the good, the bad and the ugly about DSC.


So what are our options for undoing the last DSC?

  1. Wait for a solution by Microsoft/3rd party
  2. Create your own solution

If anyone has another option, I would really like to hear about it.

Just a few words about option no. 2. You can do it the hard way, and you can create a bag of tricks to help you obtain an undo-like solution. In a perfect world with perfect DSC resources (please disregard the SCRIPT resource since it does not have an ENSURE keyword), you could make an "inverse" configuration for all resources that have ENSURE = "Present". Of course, as a PowerShell pro, you would script that and apply the perfect inverse of the running configuration before you apply a new configuration. It is not ideal, however it is a doable workaround.

This will not solve the Ensure = "Absent" problem. You would need backups to be able to restore those items (files/folders/registry), unless your configuration also includes a resource to back up the item before it is deleted.
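One way to script the "inverse" described above, as an added example that is not the author's code: it works on the plain-text MOF produced when the configuration is compiled (the function name, paths and report labels are assumptions), flips every Ensure = "Present" to "Absent", and reports the resources it cannot invert.

```powershell
# Added example, not the blog author's code. Input is a compiled, plain-text MOF.
function New-InverseDscMof {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,         # e.g. .\WebServer\localhost.mof (hypothetical)
        [Parameter(Mandatory)] [string] $Destination   # file the inverse MOF is written to
    )

    $mof = Get-Content -LiteralPath $Path -Raw

    # One match per "instance of <Class> [as $Alias] { ... };" block.
    $pattern = '(?s)instance of (?<class>\w+)(?:\s+as\s+\$\w+)?\s*\{(?<body>.*?)\};'
    $report = foreach ($m in [regex]::Matches($mof, $pattern)) {
        $body = $m.Groups['body'].Value
        # Only resource instances carry a ResourceID; skip metadata and embedded objects.
        if ($body -notmatch 'ResourceID\s*=\s*"(?<id>[^"]+)"') { continue }
        $id = $Matches['id']

        $action = if ($body -match '\bEnsure\s*=\s*"Present"') {
            'Inverted'       # will be removed by the inverse configuration
        } elseif ($body -match '\bEnsure\s*=\s*"Absent"') {
            'NeedsBackup'    # the item was deleted; only a backup can bring it back
        } else {
            'NoEnsure'       # Script resource, or Ensure left implicit: handle by hand
        }
        [pscustomobject]@{ ResourceID = $id; Action = $action }
    }

    # Text-level flip. DependsOn entries are left as they are, so removal runs in
    # the same order as the original install; review that before applying.
    $inverse = [regex]::Replace($mof, '(?i)(\bEnsure\s*=\s*)"Present"', '$1"Absent"')
    Set-Content -LiteralPath $Destination -Value $inverse -Encoding Unicode

    $report
}

# Usage (hypothetical paths):
# New-InverseDscMof -Path .\WebServer\localhost.mof -Destination .\Undo\localhost.mof |
#     Where-Object Action -ne 'Inverted'
```

Review the report before applying the result with Start-DscConfiguration: every 'NeedsBackup' and 'NoEnsure' row is a change the inverse MOF does not cover.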

Another option would be to create a system to record a complete history of the DSC configurations that have been applied to a node. Remember those files I talked about earlier (current.mof and previous.mof)? They are the key to implementing a history. It would probably be easier to implement this at the PowerShell configuration level (the PowerShell configuration, not the MOF file). Before you run Start-DscConfiguration, you copy the content of the configuration and save it to your DSC adminTooling catalog. Even better if you use content management and versioning too. I would say it is almost impossible not to have that in some context anyway.
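A minimal sketch of that history step, as an added example rather than the author's tooling: a wrapper that archives the configuration script and the compiled MOF files with a hash manifest before calling Start-DscConfiguration. The function name, the archive path and the manifest file name are assumptions.

```powershell
# Added example, not the blog author's code.
function Start-DscConfigurationWithHistory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MofFolder,            # folder holding the compiled <node>.mof
        [Parameter(Mandatory)] [string] $ConfigurationScript,  # the .ps1 the MOF was compiled from
        [string] $ArchiveRoot = 'C:\DscAdminTooling\History'   # hypothetical catalog location
    )

    # One folder per run, named with a sortable UTC timestamp.
    $stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $target = Join-Path $ArchiveRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Compiled MOFs can contain credentials, so restrict the ACL on $ArchiveRoot
    # to the administrators who are allowed to read the configurations.
    Copy-Item -LiteralPath $ConfigurationScript -Destination $target
    Copy-Item -Path (Join-Path $MofFolder '*.mof') -Destination $target

    # Hash the archived files first, then write the manifest, so the manifest
    # does not list itself and later tampering with a copy is detectable.
    $hashes = Get-ChildItem -LiteralPath $target -File | Get-FileHash -Algorithm SHA256
    $hashes |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Algorithm, Hash |
        Export-Csv -LiteralPath (Join-Path $target 'manifest.csv') -NoTypeInformation

    # Apply only after the history entry exists.
    Start-DscConfiguration -Path $MofFolder -Wait -Verbose
}

# Usage (hypothetical paths):
# Start-DscConfigurationWithHistory -MofFolder .\WebServer -ConfigurationScript .\WebServer.ps1
```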

Clear current configuration

If you stumbled upon this post and just want to clear the current configuration (not undo it), that is very easy. Just remove the current.mof file in C:\Windows\system32\Configuration. Running Get-DscConfiguration will then return nothing (in essence $Null in the world of PowerShell). Please note that this will not reset the configuration of the node in any way. It just tricks DSC into thinking that it does not have a current configuration.


You can UNDO a DSC, however it depends on the configurations that have been applied and what resources you have used. It is easy to clear a current configuration, even if it does not reset the state of the node.

Leave a comment or look me up on Twitter. Would love to hear your opinion.


  1. I think the notion of "undoing" DSC is sort of anathema to its purpose. It's really about setting the state of a server in DevOps kind of scenarios. If you look at it as a "traditional" config mgmt. solution, then it's the wrong solution. The typical lifecycle of a DSC target is...provision, take workload, destroy, provision, take workload, etc. So, undoing it is as simple as de-provisioning the VM.

