
How to undo a PowerShell Desired State Configuration (DSC)

I saw a post on this on (link) asking about how you could undo/remove a configuration. I understand the question and the logic behind it. I would love for DSC to have this functionality; however, this is not how it works today. Perhaps some day in the future, but I would not bet on it. If you read this post, it will make perfect sense.

The life of a Desired State Configuration (DSC)

A configuration item/resource in DSC has two states it cares about: Ensure equals PRESENT or ABSENT. The state of the item and/or node (the target of the configuration) before the configuration is applied is not "stored" anywhere. It is just how the node happened to be configured before the configuration was committed on the node.

Furthermore, anyone who has access to the node may install/configure features that you are not aware of, unless you create a configuration covering every possible combination of states a node can have. That is not very practical and very hard, if not impossible. And if your configuration has a File resource that says Ensure = "Absent", DSC will delete this file if it is present, just as you instructed it to. This represents a huge challenge in terms of undoing a configuration.

Scenario - Overwriting a configuration

Let's create a scenario: You have just created a new server/node/virtual machine that will host, say, a web application. You have prepared a configuration for it, or you have an existing configuration you want to apply. DSC will configure that node according to the configuration. All sweet and dandy.

Some time goes by and the node is needed for something else. You prepare a new configuration and apply it. DSC will again make it so and happily obey your wishes to the letter. What happened to the previous configuration? Did it disappear? Well, in a way. The configuration document (MOF file) still exists in a file called previous.mof. Can you guess the filename of the applied configuration? Yes, current.mof. However, the configuration you applied first is still in effect, provided the new one did not overwrite the same "features" in some way. This is in essence the good, the bad and the ugly about DSC.


So what are our options for undoing the last DSC?
  1. Wait for a solution by Microsoft/3rd party
  2. Create your own solution
If anyone has another option, I would really like to hear about it.

Just a few words about option no. 2. You can do it the hard way, or you can create a bag of tricks to help you obtain an undo-like solution. In a perfect world with perfect DSC resources (please disregard the Script resource, since it does not have an Ensure keyword), you could make an "inverse" configuration for all resources that have Ensure = "Present". Of course, as a PowerShell pro, you would script that, generating the inverse of the running configuration and applying it before you apply a new configuration. It is not ideal, but it is a doable workaround.

This will not solve the Ensure = "Absent" problem. You would need backups to be able to restore those items (files/folders/registry), unless your configuration also includes a resource to back up the item before it is deleted.
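One way to get the "inverse" configuration without maintaining two sources is to drive every Ensure value from a single parameter. This is an added example, not code from the original post; the configuration name, the feature, and all paths are assumptions chosen for illustration.

```powershell
# Added example: configuration name, feature and paths are hypothetical.
Configuration WebNode {
    param(
        # One parameter drives every resource, so the same source
        # compiles to either the "apply" MOF or its inverse.
        [ValidateSet('Present', 'Absent')]
        [string] $Ensure = 'Present'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        WindowsFeature IIS {
            Name   = 'Web-Server'
            Ensure = $Ensure
        }

        File SiteRoot {
            DestinationPath = 'C:\inetpub\demo'   # hypothetical path
            Type            = 'Directory'
            Ensure          = $Ensure
            Force           = $true   # lets Absent delete a non-empty directory
        }
        # Script resources are left out on purpose: they have no Ensure
        # property, so there is nothing to flip.
    }
}

# Compile both directions into separate folders (hypothetical paths).
WebNode -Ensure Present -OutputPath 'C:\Dsc\WebNode\apply'
WebNode -Ensure Absent  -OutputPath 'C:\Dsc\WebNode\undo'

# Repurposing the node: run the inverse first, then apply the new role.
Start-DscConfiguration -Path 'C:\Dsc\WebNode\undo' -Wait -Verbose
# then: Start-DscConfiguration -Path <folder with the new role's MOF> -Wait -Verbose
```

The inverse removes what the configuration created, including any content placed in the directory afterwards, and it restores nothing that an Ensure = "Absent" resource deleted.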

Another option would be to create a system that records a complete history of the DSC configurations that have been applied to a node. Remember those files I talked about earlier (current.mof and previous.mof)? They are the key to implementing a history. It would probably be easier to implement this at the PowerShell configuration level (the PowerShell configuration, not the MOF file). Before you run Start-DscConfiguration, you copy the content of the configuration and save it to your DSC adminTooling catalog. Even better if you use content management and versioning too. I would say it is almost impossible not to have that in some context anyway.
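A sketch of that history idea, as an added example that is not part of the original post: a wrapper archives the configuration source and the compiled MOF, with a SHA-256 manifest, before handing the MOF to Start-DscConfiguration. The function names and the D:\DscHistory catalog location are assumptions.

```powershell
# Added example: function names and the D:\DscHistory catalog are hypothetical.
function Start-DscConfigurationWithHistory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SourceScript,  # .ps1 holding the Configuration block
        [Parameter(Mandatory)] [string] $MofPath,       # folder with the compiled <node>.mof files
        [string] $HistoryRoot = 'D:\DscHistory'
    )

    # One folder per run, named with a sortable UTC timestamp.
    $stamp  = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $target = Join-Path $HistoryRoot $stamp
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Archive the readable source and the exact MOF handed to the LCM.
    # Compiled MOFs can contain credentials, so restrict access to the catalog.
    Copy-Item -Path $SourceScript -Destination $target
    Copy-Item -Path (Join-Path $MofPath '*.mof') -Destination $target

    # Hash manifest: lets a later review spot a changed archive entry.
    # Files are collected first so the manifest does not hash itself.
    $files = Get-ChildItem -Path $target -File
    $files | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

    Start-DscConfiguration -Path $MofPath -Wait -Verbose
}

function Get-DscHistory {
    param([string] $HistoryRoot = 'D:\DscHistory')

    # Newest first; Verified is $false if any archived file no longer matches its hash.
    Get-ChildItem -Path $HistoryRoot -Directory | Sort-Object Name -Descending | ForEach-Object {
        $dir = $_.FullName
        $bad = Import-Csv (Join-Path $dir 'manifest.csv') | Where-Object {
            (Get-FileHash -Path (Join-Path $dir $_.File) -Algorithm SHA256).Hash -ne $_.Hash
        }
        [pscustomobject]@{ Applied = $_.Name; Path = $dir; Verified = -not $bad }
    }
}
```

The manifest sits next to the files it describes, so it catches accidental changes only; keeping the catalog under version control, as suggested above, gives a stronger record.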

Clear current configuration

If you stumbled upon this post and just want to clear the current configuration (not undo it), that is very easy. Just remove the current.mof file in C:\Windows\system32\Configuration. Running Get-DscConfiguration will then return nothing (in essence $null in the world of PowerShell). Please note that this will not reset the configuration of the node in any way. It just tricks DSC into thinking that it does not have a current configuration.


You can undo a DSC configuration; however, it depends on the configurations that have been applied and which resources you have used. It is easy to clear the current configuration, even if that does not reset the state of the node.

Leave a comment or look me up on Twitter. Would love to hear your opinion.


  1. I think the notion of "undoing" DSC is sort of anathema to its purpose. It's really about setting the state of a server in DevOps kind of scenarios. If you look at it as a "traditional" config mgmt. solution, then it's the wrong solution. The typical lifecycle of a DSC target is...provision, take workload, destroy, provision, take workload, etc. So, undoing it is as simple as de-provisioning the VM.

