New CentOS7 cannot access network

This post was originally published on this site

  1. I added a new hp blade dl460c gen8 blade to an existing C7000 chassis. The HP BladeSystem recognizes it without issue.
  2. I have installed ESXi 6.5 on the new blade without issue.
  3. Created a new CentOS7 VM using the vSphere Client GUI and I cannot access the network. I can ping myself but not the GW or outside world. I do see that that the existing blades access the network via a VLAN, but the gui doesn’t give me an option to attach to that VLAN.


Defending Against Illicit Cryptocurrency Mining Activity

This post was originally published on this site

Original release date: June 26, 2018

The popularity of cryptocurrency, a form of digital currency, is rising; Bitcoin, Litecoin, Monero, Ethereum, and Ripple are just a few types of the cryptocurrencies available. Though cryptocurrency is a common topic of conversation, many people lack a basic understanding of cryptocurrency and the risks associated with it. This lack of awareness is contributing to the rise of individuals and organizations falling victim to illicit cryptocurrency mining activity.

What is cryptocurrency?

Cryptocurrency is a digital currency used as a medium of exchange, similar to other currencies. However, unlike other currencies, cryptocurrency operates independently of a central bank and uses encryption techniques and blockchain technology to secure and verify transactions.

What is cryptomining?

Cryptocurrency mining, or cryptomining, is simply the way in which cryptocurrency is earned. Individuals mine cryptocurrency by using cryptomining software to solve complex mathematical problems involved in validating transactions. Each solved equation verifies a transaction and earns a reward paid out in the cryptocurrency. Solving cryptographic calculations to mine cryptocurrency requires a massive amount of processing power.

What is cryptojacking?

Cryptojacking occurs when malicious cyber actors exploit vulnerabilities—in webpages, software, and operating systems—to illicitly install cryptomining software on victim devices and systems. With the cryptomining software installed, the malicious cyber actors effectively hijack the processing power of the victim devices and systems to earn cryptocurrency. Additionally, malicious cyber actors may infect a website with cryptomining JavaScript code, which leverages a visitor’s processing power via their browser to mine cryptocurrency. Cryptojacking may result in the following consequences to victim devices, systems, and networks:

  • Degraded system and network performance because bandwidth and central processing unit (CPU) resources are monopolized by cryptomining activity;
  • Increased power consumption, system crashes, and potential physical damage from component failure due to the extreme temperatures caused by cryptomining;
  • Disruption of regular operations; and
  • Financial loss due to system downtime caused by component failure and the cost of restoring systems and files to full operation as well as the cost of the increased power consumption.

Cryptojacking involves maliciously installed programs that are persistent or non-persistent. Non-persistent cryptojacking usually occurs only while a user is visiting a particular webpage or has an internet browser open. Persistent cryptojacking continues to occur even after a user has stopped visiting the source that originally caused their system to perform mining activity.

Malicious actors distribute cryptojacking malware through weaponized mobile applications, botnets, and social media platforms by exploiting flaws in applications and servers, and by hijacking Wi-Fi hotspots.

What types of systems and devices are at risk for cryptojacking?

Any internet-connected device with a CPU is susceptible to cryptojacking. The following are commonly targeted devices:

  • Computer systems and network devices – including those connected to information technology and Industrial Control System networks;
  • Mobile devices – devices are subject to the same vulnerabilities as computers; and
  • Internet of Things devices – internet-enabled devices (e.g., printers, video cameras, and smart TVs).

How do you defend against cryptojacking?

The following cybersecurity best practices can help you protect your internet-connected systems and devices against cryptojacking:

  • Use and maintain antivirus software. Antivirus software recognizes and protects a computer against malware, allowing the owner or operator to detect and remove a potentially unwanted program before it can do any damage. (See Understanding Anti-Virus Software.)
  • Keep software and operating systems up-to-date. Install software updates so that attackers cannot take advantage of known problems or vulnerabilities. (See Understanding Patches.)
  • Use strong passwords. Select passwords that will be difficult for attackers to guess, and use different passwords for different programs and devices. It is best to use long, strong passphrases or passwords that consist of at least 16 characters. (See Choosing and Protecting Passwords.)
  • Change default usernames and passwords. Default usernames and passwords are readily available to malicious actors. Change default passwords, as soon as possible, to a sufficiently strong and unique password.
  • Check system privilege policies. Review user accounts and verify that users with administrative rights have a need for those privileges. Restrict general user accounts from performing administrative functions.
  • Apply application whitelisting. Consider using application whitelists to prevent unknown executables from launching autonomously.
  • Be wary of downloading files from websites. Avoid downloading files from untrusted websites. Look for an authentic website certificate when downloading files from a secure site. (See Understanding Web Site Certificates.)
  • Recognize normal CPU activity and monitor for abnormal activity. Network administrators should continuously monitor systems and educate their employees to recognize any above-normal sustained CPU activity on computer workstations, mobile devices, and network servers. Any noticeable degradation in processing speed requires investigation.
  • Disable unnecessary services. Review all running services and disable those that are unnecessary for operations. Disabling or blocking some services may create problems by obstructing access to files, data, or devices.
  • Uninstall unused software. Review installed software applications and remove those not needed for operations. Many retail computer systems with pre-loaded operating systems come with toolbars, games, and adware installed, all of which can use excessive disk space and memory. These unnecessary applications can provide avenues for attackers to exploit a system.
  • Validate input. Perform input validation on internet-facing web server and web applications to mitigate injection attacks. On web browsers, disable JavaScript execution. For Microsoft Internet Explorer, enable the cross-site scripting filter.
  • Install a firewall. Firewalls may be able to prevent some types of attack vectors by blocking malicious traffic before it can enter a computer system, and by restricting unnecessary outbound communications. Some device operating systems include a firewall. Enable and properly configure the firewall as specified in the device or system owner’s manual. (See Understanding Firewalls.)
  • Create and monitor blacklists. Monitor industry reports of websites that are hosting, distributing, and being used for, malware command and control. Block the internet protocol addresses of known malicious sites to prevent devices from being able to access them.

Author: NCCIC

This product is provided subject to this Notification and this Privacy & Use policy.

Securing Network Infrastructure Devices

This post was originally published on this site

Original release date: June 21, 2018

Network infrastructure devices are ideal targets for malicious cyber actors. Most or all organizational and customer traffic must traverse these critical devices.

  • An attacker with presence on an organization’s gateway router can monitor, modify, and deny traffic to and from the organization.
  • An attacker with presence on an organization’s internal routing and switching infrastructure can monitor, modify, and deny traffic to and from key hosts inside the network and leverage trust relationships to conduct lateral movement to other hosts.

Organizations and individuals that use legacy, unencrypted protocols to manage hosts and services, make successful credential harvesting easy for these malicious cyber actors. Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.

What are network infrastructure devices?

Network infrastructure devices are the components of a network that transport communications needed for data, applications, services, and multi-media. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks.

What security threats are associated with network infrastructure devices?

Network infrastructure devices are often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors can also contribute to the vulnerability of network devices:

  • Few network devices—especially small office/home office and residential-class routers—run antivirus, integrity-maintenance, and other security tools that help protect general-purpose hosts.
  • Manufacturers build and distribute these network devices with exploitable services, which are enabled for ease of installation, operation, and maintenance.
  • Owners and operators of network devices often don’t change vendor default settings, harden them for operations, or perform regular patching.
  • Internet service providers may not replace equipment on a customer’s property once the equipment is no longer supported by the manufacturer or vendor.
  • Owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after cyber intrusions.

How can you improve the security of network infrastructure devices?

NCCIC encourages users and network administrators to implement the following recommendations to better secure their network infrastructure:

  • Segment and segregate networks and functions.
  • Limit unnecessary lateral communications.
  • Harden network devices.
  • Secure access to infrastructure devices.
  • Perform Out-of-Band network management.
  • Validate integrity of hardware and software.

Segment and Segregate Networks and Functions

Security architects must consider the overall infrastructure layout, including segmentation and segregation. Proper network segmentation is an effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders in the event that they have gained a foothold somewhere inside the network.

Physical Separation of Sensitive Information

Traditional network devices, such as routers, can separate local area network (LAN) segments. Organizations can place routers between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. Organizations can use these boundaries to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.


  • Implement principles of least privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.

Virtual Separation of Sensitive Information

As technologies change, new strategies are developed to improve information technology efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware. Existing technologies can be used to prevent an intruder from breaching other internal network segments.


  • Use private virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use virtual routing and forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use virtual private networks (VPNs) to securely extend a host/network by tunneling through public or private networks.

Limit Unnecessary Lateral Communications

Allowing unfiltered peer-to-peer communications, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder’s access to spread easily to multiple systems. Once an intruder establishes an effective beachhead within the network, unfiltered lateral communications allow the intruder to create backdoors throughout the network. Backdoors help the intruder maintain persistence within the network and hinder defenders’ efforts to contain and eradicate the intruder.


  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or internet protocol (IP) address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to and from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation, allowing network administrators to isolate critical devices onto network segments.

Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of guidance to administrators—including benchmarks and best practices—on how to harden network devices. Administrators should implement the following recommendations in conjunction with laws, regulations, site security policies, standards, and industry best practices.


  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, File Transfer Protocol [FTP]).
  • Disable unnecessary services (e.g., discovery protocols, source routing, Hypertext Transfer Protocol, Simple Network Management Protocol [SNMP], Bootstrap Protocol).
  • Use SNMPv3 (or subsequent version), but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and virtual terminal lines.
  • Implement robust password policies, and use the strongest password encryption available.
  • Protect routers and switches by controlling access lists for remote administration.
  • Restrict physical access to routers and switches.
  • Back up configurations and store them offline. Use the latest version of the network device operating system and keep it updated with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption or access controls when sending, storing, and backing up files.

Secure Access to Infrastructure Devices

Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial to security because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited. Adversaries can use these compromised privileges to traverse a network, expand access, and take full control of the infrastructure backbone. Organizations can mitigate unauthorized infrastructure access by implementing secure access policies and procedures.


  • Implement multi-factor authentication (MFA). Authentication is a process used to validate a user’s identity. Attackers commonly exploit weak authentication processes. MFA uses at least two identity components to authenticate a user’s identity. Identity components include
    • something the user knows (e.g., password),
    • an object the user has possession of (e.g., token), and
    • a trait unique to the user (e.g., fingerprint).
  • Manage privileged access. Use a server that provides authentication, authorization, and accounting (AAA) services to store access information for network device management. An AAA server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. If possible, implement a hard-token authentication server in addition to using the AAA server. Using MFA makes it more difficult for intruders to steal and reuse credentials to gain access to network devices.
  • Manage administrative credentials. Take these actions if your system cannot meet the MFA best practice:
    • Change default passwords.
    • Recommend passwords to be at least 8 characters long, and allow passwords as long as 64 characters (or greater), in accordance with the National Institute of Standards and Technology’s SP 800-63B Digital Identity Guidelines and Canada’s User Authentication Guidance for Information Technology Systems ITSP.30.031 V3.
    • Check passwords against blacklists of unacceptable values, such as commonly used, expected, or compromised passwords.
    • Ensure all stored passwords are salted and hashed.
    • Keep passwords stored for emergency access in a protected off-network location, such as a safe.

Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated communication paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can perform corrective actions without allowing the adversary (even one who has already compromised a portion of the network) to observe these changes.

OoB management can be implemented physically, virtually, or through a hybrid of the two. Although additional physical network infrastructure additional infrastructure can be very expensive to implement and maintain, it is the most secure option for network managers to adopt. Virtual implementation is less costly but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.


  • Segregate standard network traffic from management traffic.
  • Ensure that management traffic on devices comes only from OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated, fully patched host over a secure channel, preferably on OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs. Implement access controls that only permit required administrative or management services (e.g., SNMP, Network Time Protocol, Secure Shell, FTP, Trivial File Transfer Protocol, RDP, SMB).

Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often counterfeit, secondary, or grey market devices. Numerous media reports have described the introduction of grey market hardware and software into the marketplace. Illegitimate hardware and software present a serious risk to users’ information and the overall integrity of the network environment. Grey market products can introduce risks to the network because they have not been thoroughly tested to meet quality standards. Purchasing products from the secondary market carries the risk of acquiring counterfeit, stolen, or second-hand devices because of supply chain breaches. Furthermore, breaches in the supply chain provide an opportunity for malicious software and hardware to be installed on the equipment. Compromised hardware and software can affect network performance and compromise the confidentiality, integrity, or availability of network assets. Finally, unauthorized or malicious software can be loaded onto a device after it is in operational use, so organizations should regularly check the integrity of software.


  • Maintain strict control of the supply chain and purchase only from authorized resellers.
  • Require resellers to enforce integrity checks of the supply chain to validate hardware and software authenticity.
  • Upon installation, inspect all devices for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification, and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices—verifying network configurations of devices—on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

Author: NCCIC Publications

This product is provided subject to this Notification and this Privacy & Use policy.

Issues delivering USB Device from the Internal USB port of a Dell Poweredge R430 server, to an ESXi 6.5 Update 2 Guest Debian VM

This post was originally published on this site

Hy everyone.


Hope I’m in the right place to be asking this question, if not, please be kind enough to redirect me.


So, in a setup where we have a USB device connected to the Internal USB port of a Dell Poweredge R430 server and want to deliver it to an ESXi 6.5 Guest Debian VM (we know this is not best practices but please try to disregard the reasons, it’s where we’re at), we’re having an issue where in some situations, if the device is disassociated from a VM and we reboot the server we then start getting “USB Enumeration failed” errors or other USB related errors if we attempt to add the USB device to a VM, this happens until we are completely unable to find the device as available to be added to the VM, like greyed out in the interface. For what we gather to be able to find the device again we have to remove it physically, inserting it again and boot the server.


Really weird situation. Anyone has any ideas? We’re out. We tried with USB Passthrough options, disabled vmkusb drivers and we could not find much else to try.




PowerShell Script Analyzer 1.17.1 Released!

This post was originally published on this site

Summary: A new version of PSScriptAnalyzer is now available with many new features, rules, fixes and improvements.

You might remember me from my previous cross-platform remoting blog post, but just to introduce myself: I am Christoph Bergmeister, a full stack .Net developer in the London area and since the start of this year I am now also an official PSScriptAnalyzer maintainer although I do not work at Microsoft.
On GitHub, you can find me as @bergmeister.

After half a year, a new version of PSScriptAnalyzer (also known as PSSA) has been published and is now available on the PSGallery.
Some of you might have been wondering what has happened.
First, the former maintainer has switched projects, therefore it took some time for finding and arranging a hand over.
PSScriptAnalyzer is now mainly being maintained by @JamesWTruher from the Microsoft side and myself as a community maintainer.
After having already contributed to the PowerShell Core project, I started doing development on PSScriptAnalyzer last autumn and since then have added a lot of new features.

New Parameters

Invoke-ScriptAnalyzer now has 3 new switch parameters:

  • -Fix (only on the -Path parameter set)
  • -ReportSummary
  • -EnableExit

The -Fix switch was the first and probably most challenging feature that I added.
Similar to how one can already get fixes for a subset of warnings (e.g. for AvoidUsingCmdletAlias) in VSCode, this feature allows to auto-fix the analysed files, which can be useful to tidy up a big code base.
When using this switch, one must still inspect the result and possibly make adaptions.
The AvoidUsingConvertToSecureStringWithPlainText rule for example will change a String to a SecureString, which means that you must create or get it in the first place.
A small warning should be given about encoding: Due to the way how the engine works, it was not possible to always conserve the encoding, therefore before checking in the changes, it is also recommended to check for a change in that in case scripts are sensitive to that.

The -ReportSummary switch was implemented first by the community member @StingyJack, thanks for that.
The idea is to see a summary, like Pester but since it writes to host, we decided to not enable it by default but rather have a switch for it to start with.
It got refined a bit later to use the same colouring for warnings/errors as currently configured in the PowerShell host.

The -EnableExit was an idea being proposed by the community member @BatmanAMA as well and the idea is to have a simpler, faster to write CI integration.
The switch will return an exit code equivalent to the number of rule violations to signal success/failure to the CI system.
Of course, it is still best practice to have a Pester test (for each file and/or rule) for it due Pester’s ability to produce result files that can be interpreted by CI systems for more detailed analysis.

New Rules


PowerShell has built-in variables, also known as automatic variables.
Some of them are read-only and PowerShell would throw an error at runtime.
Therefore, the rule warns against assignment of those variables.
Some of them, like e.g. $error are very easy to assign to by mistake, especially for new users who are not aware.
In the future more automatic variables will be added to the ‘naughty’ list but since some automatic variables can be assigned to (by design), the process of determining the ones to warn against is still in process and subject to future improvement.

PossibleIncorrectUsageOfRedirectionOperator and PossibleIncorrectUsageOfAssignmentOperator

I have written those rules mainly for myself because as a C# programmer, I have to switch between different languages quite often and it happened to me and my colleagues quite often that we forgot simple syntax and were using e.g. if ($a > $b) when in fact what we meant was if ($a -gt $b) and similar for the ambiguity of the assignment operator = that can easily be used by accident instead of the equality operator that was probably intended.
Since this only applies to if/elseif/while/do-while statements, I could limit the search scope for it.
To avoid false positives, a lot of intelligent logic went into it.
For example, the rule is clever enough to know that if ($a = Get-Something) is assignment by design as this is a common coding pattern and therefore excluded from this rule.
I received some interesting feedback from the community and because PSSA does not support suppression on a per line basis at the moment, the rule offers implicit suppression in CLANG style whereby wrapping the expression in extra parenthesis tells the rule that the assignment is by design.
Thanks for this idea, which came from the community by @imfrancisd


This rule was implemented by the well known community member @dlwyatt and really does what it says on the tin.
The idea behind this was especially to prevent problems that can be caused by whitespace after the backtick.
Personally, I have the following setting in my settings.json for VSCode file that trims trailing whitespace automatically upon saving the file.

    "": {
        "files.trimTrailingWhitespace": true


This rule is not new but a new feature has been added:
If one types a command like e.g. ‘verb’ and PowerShell cannot find it, it will try to add a ‘Get-‘ to the beginning of it and search again.
This feature was already present in PowerShell v1 by the way.
However, although ‘service’ might work on Windows, but on Linux ‘service’ is a native binary that PowerShell would call.
Therefore it is not only the implicit aliasing that makes it dangerous to omit ‘Get-‘, but also the ambiguity on different operating systems that can cause undesired behavior.
The rule is intelligent enough to check if the native binary is present on the given OS and therefore warns when using ‘service’ on Windows only.

Miscellaneous engine improvements and fixes

A lot of fixes for thrown exception, false positives, false negatives, etc. are part of this release as well.
Some are notable:

  • The PowerShell extension of VSCode uses PowerShellEditorServices, which in turn calls into PSScriptAnalyzer for displaying the warnings using squiggles and also uses its formatting capabilities (shortcut: Ctrl+K+F on the selection).
    There was one bug whereby if a comment was at the end of e.g. an if statement and the statement got changed to have the brace on the same line, the formatter placed the comment before the brace, which resulted in invalid syntax.
    This is fixed now.
    The PSUseConsistentWhiteSpace was also tweaked to take unary operators into account to have formatting that naturally looks better to humans rather than having a strict rule.
  • The engine is now being built using the .Net Core SDK version 2 and targets .Net Standard 2.0 for PowerShell Core builds.
    The used referenced for the PowerShell Parser also got updated to the latest version or the corresponding reference assemblies for Windows PowerShell, which highly improved the behaviour of PSScriptAnalyzer on PowerShell 3.
  • Various parsing issues existed with the -Settings parameter when it was not a string that was already resolved.
    This got fixed and should now work in any scenario.
  • PSSA has a UseCompatibleCmdlet rule and command data files are now present for all versions of Windows PowerShell and even OS specific for PowerShell Core 6.0.2.
    In effect the rule allows you to get warnings when calling cmdlets that are not present in the chosen PowerShell versions.
    More improvements to analyse type usage as well is planned.
  • The PSUseDeclaredVarsMoreThanAssignments rule has been a pet peeve for many in the past due to its many false positves.
    The rule received a few improvements.
    Some of its limitations (it is e.g. not aware of the scriptblock scope) are still present but overall, there should be less false positives.
  • Lots of internal build and packaging improvements were made and PSScriptAnalyzer pushed the envelope as far as using AppVeyor’s Ubuntu builds, which are currently in private Beta.
    Many thanks to @IlyaFinkelshteyn for allowing us to use it and the great support.
    We are now testing against PowerShell 4, 5.1 and 6.0 (Windows and Ubuntu) in CI.
  • Many community members added documentation fixes, thank you all for that!
  • Parser errors are now returned as diagnostic messages
  • Using ScriptAnalyzer with PowerShell Core requires at least version 6.0.2

Enjoy the new release and let us know how you find it.
PSScriptAnalyzer is also open to PRs if you want to add features or fix something.
Let me know if there are other PSScriptAnalyzer topics that you would like me to write about, such as e.g. custom rules or PSScriptAnalyzer setting files and VSCode integration.

Christopher Bergmeister
PSScriptAnalyzer Maintainer

DSC Resource Kit Release June 2018

This post was originally published on this site

We just released the DSC Resource Kit!

This is our biggest release yet!
It takes the records for the most merged pull requests in a release and the most modules we have ever released at once from GitHub!

This release includes updates to 27 DSC resource modules. In the past 6 weeks, 165 pull requests have been merged and 115 issues have been closed, all thanks to our amazing community!

The modules updated in this release are:

  • ActiveDirectoryCSDsc
  • AuditPolicyDsc
  • CertificateDsc
  • ComputerManagementDsc
  • DFSDsc
  • NetworkingDsc (previously xNetworking)
  • SecurityPolicyDsc
  • SharePointDsc
  • SqlServerDsc
  • xActiveDirectory
  • xBitlocker
  • xDatabase
  • xDhcpServer
  • xDismFeature
  • xDnsServer
  • xDscDiagnostics
  • xDSCResourceDesigner
  • xExchange
  • xHyper-V
  • xPowerShellExecutionPolicy
  • xPSDesiredStateConfiguration
  • xRemoteDesktopSessionHost
  • xSCSMA
  • xSystemSecurity
  • xTimeZone (deprecated since now included in ComputerManagementDsc)
  • xWebAdministration
  • xWinEventLog

For a detailed list of the resource modules and fixes in this release, see the Included in this Release section below.

Our last community call for the DSC Resource Kit was on June 6. A recording of our updates is available on YouTube here. Join us for the next call at 12PM (Pacific time) on July 18 to ask questions and give feedback about your experience with the DSC Resource Kit.

We strongly encourage you to update to the newest version of all modules using the PowerShell Gallery, and don’t forget to give us your feedback in the comments below, on GitHub, or on Twitter (@PowerShell_Team)!

Please see our documentation here for information on the support of these resource modules.

Included in this Release

You can see a detailed summary of all changes included in this release in the table below. For past release notes, go to the or file on the GitHub repository page for a specific module (see the How to Find DSC Resource Modules on GitHub section below for details on finding the GitHub page for a specific module).

Module Name Version Release Notes
  • Changed Assert-VerifiableMocks to be Assert-VerifiableMock to meet Pester standards.
  • Updated license year in LICENSE.MD and module manifest to 2018.
  • Removed requirement for Pester maximum version 4.0.8.
  • Added new resource EnrollmentPolicyWebService – see issue 43.
  • BREAKING CHANGE: New Key for AdcsCertificationAuthority, IsSingleInstance – see issue 47.
  • Added:
    • MSFT_xADCSOnlineResponder resource to install the Online Responder service.
  • Corrected filename of MSFT_AdcsCertificationAuthority integration test file.
  • Moved auditpol call in the helper module to an external process to better control output
  • auditpol output is now converted to CSV to remove the need to parse the text output
  • All resources have been updated to use the new helper module functionality
  • Added the Ensure parameter default value of Present to the AuditPolicySubcategory resource Test-TargetResource function
  • PfxImport:
    • Changed so that PFX will be reimported if private key is not installed – fixes Issue 129.
    • Corrected to meet style guidelines.
    • Corrected path parameter description – fixes Issue 125.
    • Refactored to remove code duplication by creating Get-CertificateStorePath.
    • Improved unit tests to meet standards and provide better coverage.
    • Improved integration tests to meet standards and provide better coverage.
  • CertificateDsc.Common:
    • Corrected to meet style guidelines.
    • Added function Get-CertificateStorePath for generating Certificate Store path.
    • Remove false verbose message from Test-Thumbprint – fixes Issue 127.
  • CertReq:
    • Added detection for FIPS mode in Test-Thumbprint – fixes Issue 107.
  • TimeZone:
  • Moved Test-Command from ComputerManagementDsc.ResourceHelper to ComputerManagementDsc.Common module to match what TimeZone requires. It was not exported in ComputerManagementDsc.ResourceHelper and not used.
  • Added Hub and Spoke replication group example – fixes Issue 62.
  • Enabled PSSA rule violations to fail build – fixes Issue 320.
  • Allow null values in resource group members or folders – fixes Issue 27.
  • Added a with the same content as in the – fixes Issue 67.
(previously xNetworking)
  • New Example 2-ConfigureSuffixSearchList.ps1 for multiple SuffixSearchList entries for resource DnsClientGlobalSetting.
    • Renamed xNetworking to NetworkingDsc – fixes Issue 119.
    • Changed all MSFT_xResourceName to MSFT_ResourceName.
    • Updated DSCResources, Examples, Modules and Tests with new naming.
    • Updated Year to 2018 in License and Manifest.
    • Updated from xNetworking to NetworkingDsc.
  • MSFT_IPAddress:
    • Updated to allow setting multiple IP Addresses when one is already set – Fixes Issue 323
  • Corrected CHANGELOG.MD to report that issue with InterfaceAlias matching on Adapter description rather than Adapter Name was released in rather than – See Issue 315.
  • MSFT_WaitForNetworkTeam:
    • Added a new resource to set the wait for a network team to become “Up”.
  • MSFT_NetworkTeam:
    • Improved detection of environmemt for running network team integration tests.
  • MSFT_NetworkTeamInterface:
    • Improved detection of environmemt for running network team integration tests.
  • Added a with the same content as in the – fixes Issue 337.
  • Updated documentation.
    • Add example of applying Kerberos policies
    • Added hyper links to readme
  • Refactored the SID translation process to not throw a terminating error when called from Test-TargetResource
  • Updated verbose message during the SID transliation process to identiy the policy where an orphaned SID exists
      • Changes to SharePointDsc
        • Added a Branches section to the with Codecov and build badges for both master and dev branch.
      • All Resources
        • Added information about the Resource Type in each files.
      • SPFarm
        • Fixed issue where the resource throws an exception if the farm already exists and the server has been joined using the FQDN (issue 795)
      • SPTimerJobState
        • Fixed issue where the Set method for timerjobs deployed to multiple web applications failed.
      • SPTrustedIdentityTokenIssuerProviderRealms
        • Added the resource.
      • SPUserProfileServiceApp
        • Now supported specifying the host Managed path, and properly sets the host.
        • Changed error for running with Farm Account into being a warning
      • SPUserProfileSyncConnection
        • Added support for filtering disabled users
        • Fixed issue where UseSSL was set to true resulted in an error
        • Fixed issue where the connection was recreated when the name contained a dot (SP2016)
  • Changes to SqlServerDsc
    • Moved decoration for integration test to resolve a breaking change in DscResource.Tests.
    • Activated the GitHub App Stale on the GitHub repository.
    • Added a with the same content as in the issue 939.
    • New resources:
    • Fix for issue 779 Paul Kelly (@prkelly)
  • Changes to xActiveDirectory
    • Activated the GitHub App Stale on the GitHub repository.
    • The resources are now in alphabetical order in the (issue 194).
    • Adding a Branches section to the with Codecov badges for both master and dev branch (issue 192).
    • xADGroup no longer resets GroupScope and Category to default values (issue 183).
    • The helper function script file MSFT_xADCommon.ps1 was renamed to MSFT_xADCommon.psm1 to be a module script file instead. This makes it possible to report code coverage for the helper functions (issue 201).
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey.
  • Added Codecov support.
  • Updated appveyor.yml to use the one in template.
  • Added folders for future unit and integration tests.
  • Added Visual Studio Code formatting settings.
  • Added .gitignore file.
  • Added markdown lint rules.
  • Fixed encoding on
  • Added PowerShellVersion = "4.0", and updated copyright information, in the module manifest.
  • Fixed issue which caused Test to incorrectly succeed on fully decrypted volumes when correct Key Protectors were present (issue 13)
  • Fixed issue which caused xBLAutoBitlocker to incorrectly detect Fixed vs Removable volumes. (issue 11)
  • Fixed issue which made xBLAutoBitlocker unable to encrypt volumes with drive letters assigned. (issue 10)
  • Fixed an issue in CheckForPreReqs function where on Server Core the installation of the non existing Windows Feature “RSAT-Feature-Tools-BitLocker-RemoteAdminTool” was erroneously checked. (issue 8)
  • Added support for SQL Server 2017
  • xDBPackage now uses the shared function to identify the paths for the different SQL server versions
  • Changes to xDhcpServer
    • Updated year in LICENSE file.
    • Updated year in module manifest.
    • Added Codecov and status badges to
    • Update appveyor.yml to use the default template.
  • Added xDhcpServerOptionDefinition
  • Added unit test
  • Fixed issue that Test-TargetResource always fails on non-English OS 11
  • Changes to xDnsServer
    • Updated appveyor.yml to use the default template and add CodeCov support (issue 73).
    • Adding a Branches section to the with Codecov badges for both master and dev branch (issue 73).
    • Updated description of resource module in
  • Added resource xDnsServerZoneAging. Claudio Spizzi (@claudiospizzi)
  • Changes to xDnsServerPrimaryZone
  • Changes to xDnsRecord
  • Fixed help formatting.
  • Added support for Codecov.
  • Fix Test-xDscSchema failing to call Remove-WmiObject on PowerShell Core. The cmdlet Remove-WmiObject was removed from the code, instead the temporary CIM class is now removed by using mofcomp.exe and the preprocessor command pragma deleteclass (issue 67).
  • Added file
  • Added .markdownlint.json file
  • Updated and files to respect MD009, MD0013 and MD032 rules
  • Added .MetaTestOptIn.json file
  • Updated appveyor.yml file
  • Added .codecov.yml file
  • Renamed Test folder to Tests
  • Updated Add codecov badges
  • Fixed PSSA required rules in:
    • xExchClientAccessServer.psm1
    • xExchInstall.psm1
    • xExchMaintenanceMode.psm1
    • TransportMaintenance.psm1
    • xExchTransportService.psm1
  • Fixed Validate Example files in:
    • ConfigureAutoMountPoints-FromCalculator.ps1
    • ConfigureAutoMountPoints-Manual.ps1
    • ConfigureDatabases-FromCalculator.ps1
    • InternetFacingSite.ps1
    • RegionalNamespaces.ps1
    • SingleNamespace.ps1
    • ConfigureVirtualDirectories.ps1
    • CreateAndConfigureDAG.ps1
    • EndToEndExample 1 to 10 files
    • JetstressAutomation
    • MaintenanceMode
    • PostInstallationConfiguration.ps1
    • InstallExchange.ps1
    • QuickStartTemplate.ps1
    • WaitForADPrep.ps1
  • Remove default value for Switch Parameter in TransportMaintenance.psm1 for functions:
    • Clear-DiscardEvent
    • LogIfRemain
    • Wait-EmptyEntriesCompletion
    • Update-EntriesTracker
    • Remove-CompletedEntriesFromHashtable
  • Fixed PSSA custom rules in:
    • xExchActiveSyncVirtualDirectory.psm1
    • xExchAntiMalwareScanning.psm1
    • xExchAutodiscoverVirtualDirectory.psm1
    • xExchAutoMountPoint.psm1
    • xExchClientAccessServer.psm1
    • xExchDatabaseAvailabilityGroup.psm1
    • xExchDatabaseAvailabilityGroupMember.psm1
    • xExchDatabaseAvailabilityGroupNetwork.psm1
    • xExchEcpVirtualDirectory.psm1
    • xExchEventLogLevel.psm1
    • xExchExchangeCertificate.psm1
    • xExchExchangeServer.psm1
    • xExchImapSettings.psm1
    • xExchInstall.psm1
    • xExchJetstress.psm1
    • xExchJetstressCleanup.psm1
    • xExchMailboxDatabase.psm1
    • xExchMailboxDatabaseCopy.psm1
    • xExchMailboxServer.psm1
    • xExchMailboxTransportService.psm1
    • xExchMaintenanceMode.psm1
    • xExchMapiVirtualDirectory.psm1
    • xExchOabVirtualDirectory.psm1
    • xExchOutlookAnywhere.psm1
    • xExchOwaVirtualDirectory.psm1
    • xExchPopSettings.psm1
    • xExchPowerShellVirtualDirectory.psm1
    • xExchReceiveConnector.psm1
    • xExchUMCallRouterSettings.psm1
    • xExchUMService.psm1
    • xExchWaitForADPrep.psm1
    • xExchWaitForDAG.psm1
    • xExchWaitForMailboxDatabase.psm1
    • xExchWebServicesVirtualDirectory.psm1
  • Updated xExchange.psd1
  • Added issue template file ( for “New Issue” and pull request template file ( for “New Pull Request”.
  • Fix issue Diagnostics.CodeAnalysis.SuppressMessageAttribute best practices
  • Renamed xExchangeCommon.psm1 to xExchangeHelper.psm1
  • Renamed the folder MISC (that contains the helper) to Modules
  • Added xExchangeHelper.psm1 in xExchange.psd1 (section NestedModules)
  • Removed all lines with Import-Module xExchangeCommon.psm1
  • Updated .MetaTestOptIn.json file with Custom Script Analyzer Rules
  • Added Integration, TestHelpers and Unit folder
  • Moved Data folder in Tests
  • Moved Integration tests to Integration folder
  • Moved Unit test to Unit folder
  • Renamed xEchange.Tests.Common.psm1 to xExchangeTestHelper.psm1
  • Renamed xEchangeCommon.Unit.Tests.ps1 to xExchangeCommon.Tests.ps1
  • Renamed function PrepTestDAG to Initialize-TestForDAG
  • Moved function Initialize-TestForDAG to xExchangeTestHelper.psm1
  • Fix error-level PS Script Analyzer rules for TransportMaintenance.psm1
  • Changes to xHyper-V
    • Removed alignPropertyValuePairs from the Visual Studio Code default style formatting settings (issue 110).
  • Changes to xPSDesiredStateConfiguration
  • Changes to xWindowsProcess
    • Integration tests for this resource should no longer fail randomly. A timing issue made the tests fail in certain scenarios (issue 420).
  • Changes to xDSCWebService
    • Added the option to use a certificate based on it”s subject and template name instead of it”s thumbprint. Resolves issue 205.
    • xDSCWebService: Fixed an issue where Test-WebConfigModulesSetting would return $true when web.config contains a module and the desired state was for it to be absent. Resolves issue 418.
  • Updated the main DSCPullServerSetup readme to read easier, then updates the PowerShell comment based help for each function to follow normal help standards. James Pogran (@jpogran)
  • xRemoteFile: Remove progress bar for file download. This resolves issues 165 and 383 Claudio Spizzi (@claudiospizzi)
  • xRDSessionCollectionConfiguration: Add support to configure UserProfileDisks on Windows Server 2016
  • Added MSI install logging for MSFT_xSCSMARunbookWorkerServerSetup and MSFT_xSCSMARunbookWorkerServerSetup
  • Added missing -Port parameter argument for New-SmaRunbookWorkerDeployment in MSFT_xSCSMARunbookWorkerServerSetup
  • Fixed MSFT_xSCSMARunbookWorkerServerSetup and MSFT_xSCSMAWebServiceServerSetup using incorrect executable for version checking
  • Remove System Center Technical Preview 5 support. Close issue 18
  • Close issue 19 (always install self-signed certificate)
  • BREAKING CHANGE: change SendCEIPReports parameter to SendTelemetryReports. Close issue 20
  • Added description for new parameters at
  • Fix return state of the current SendTelemetryReports
  • Fix syntax at source code
  • THIS MODULE HAS BEEN DEPRECATED. It will no longer be released. Please use the “TimeZone” resource in ComputerManagementDsc instead.
  • Fixed xTimeZone Examples link in
  • Changes to xWebAdministration
    • Moved file Codecov.yml that was added to the wrong path in previous release.
  • Updated xWebSite to include ability to manage custom logging fields. Reggie Gibson (@regedit32)
  • Updated xIISLogging to include ability to manage custom logging fields (issue 267). @ldillonel
  • BREAKING CHANGE: Updated xIisFeatureDelegation to be able to manage any configuration section. Reggie Gibson (@regedit32)
  • Converted appveyor.yml to install Pester from PSGallery instead of from Chocolatey.
  • Fix PSSA errors.

How to Find Released DSC Resource Modules

To see a list of all released DSC Resource Kit modules, go to the PowerShell Gallery and display all modules tagged as DSCResourceKit. You can also enter a module’s name in the search box in the upper right corner of the PowerShell Gallery to find a specific module.

Of course, you can also always use PowerShellGet (available starting in WMF 5.0) to find modules with DSC Resources:

# To list all modules that tagged as DSCResourceKit
Find-Module -Tag DSCResourceKit 
# To list all DSC resources from all sources 

Please note only those modules released by the PowerShell Team are currently considered part of the ‘DSC Resource Kit’ regardless of the presence of the ‘DSC Resource Kit’ tag in the PowerShell Gallery.

To find a specific module, go directly to its URL on the PowerShell Gallery:< module name >
For example:

How to Install DSC Resource Modules From the PowerShell Gallery

We recommend that you use PowerShellGet to install DSC resource modules:

Install-Module -Name < module name >

For example:

Install-Module -Name xWebAdministration

To update all previously installed modules at once, open an elevated PowerShell prompt and use this command:


After installing modules, you can discover all DSC resources available to your local system with this command:


How to Find DSC Resource Modules on GitHub

All resource modules in the DSC Resource Kit are available open-source on GitHub.
You can see the most recent state of a resource module by visiting its GitHub page at:< module name >
For example, for the xCertificate module, go to:

All DSC modules are also listed as submodules of the DscResources repository in the xDscResources folder.

How to Contribute

You are more than welcome to contribute to the development of the DSC Resource Kit! There are several different ways you can help. You can create new DSC resources or modules, add test automation, improve documentation, fix existing issues, or open new ones.
See our contributing guide for more info on how to become a DSC Resource Kit contributor.

If you would like to help, please take a look at the list of open issues for the DscResources repository.
You can also check issues for specific resource modules by going to:< module name >/issues
For example:

Your help in developing the DSC Resource Kit is invaluable to us!

Questions, comments?

If you’re looking into using PowerShell DSC, have questions or issues with a current resource, or would like a new resource, let us know in the comments below, on Twitter (@PowerShell_Team), or by creating an issue on GitHub.

Katie Keim
Software Engineer
PowerShell DSC Team
@katiedsc (Twitter)
@kwirkykat (GitHub)