My Failed Attempt with PowerShell DSC + VMware!

The Idea: 

  1. Have a DSC Configuration for vSphere which gets the status of vSwitch security policies such as Forged transmits, Promiscuous mode and MAC address changes.
  2. All 3 security settings must be set to Reject.
  3. The DSC Configuration should set the above 3 settings to Reject if they are not.
  4. And finally, apply this configuration to all ESXi hosts in vCenter.

Lately I have been learning PowerShell DSC. No doubt it is a great tool, but it needs more DSC resources for various technologies. I am sure that the PowerShell community will rise above all and work toward making DSC more powerful.

My initial idea was to create a vSphere security configuration for vSwitch security policies using PowerShell DSC. However, it didn't work out for me as expected. Initially I struggled with the Script resource and variable scope in the GetScript, TestScript and SetScript blocks. Basically, I was not able to pass a variable into a script block. This issue is documented here. Thankfully, with the help of my colleague Rohit Sharma, we were able to resolve the variable scope issue. The bottom line is that we have to use $using to pass data into the script blocks (Get, Set and Test).

It was a great relief for me to resolve the above issue, but the problems didn't stop there. The GetScript block returns hash table values, so if you try to return a PowerShell object, a variable or any other object, the script block will throw an error. Ultimately you have to return a hash table.

Well, that was sorted out. GetScript and TestScript looked to be working fine, but another problem occurred in the SetScript block. This time we figured out that the session that was connected with Connect-VIServer is no longer available in the SetScript block, which means that it will not execute any PowerCLI commands and will throw an error:

“You are not currently connected to any servers. Please connect first using a Connect cmdlet.”

Why is it throwing this error? I figured out that the DSC Script resource has 3 script blocks: GetScript, TestScript and SetScript. These script blocks do not execute anything themselves but pass their values to Get-TargetResource(), Test-TargetResource() and Set-TargetResource() as a parameter respectively. These functions use the Invoke-Command cmdlet on the remote computer or localhost. That was the reason for using $using: for local scope variables, and also the reason the connected VMware session is not passed to the SetScript block.

Below is the code for reference. Feel free to test this in a POC/test environment.


As of now I am still struggling to fix these issues. It looks like the DSC Script resource has some limitations.
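
One way to work around the lost session described above is to open and close the vCenter connection inside each of the three script blocks. This is an added example, not the author's code; the configuration name and the `VCenter` and `VMHostName` parameters are hypothetical. It assumes PowerCLI is installed for all users on the Windows node and that the account the LCM runs as can log in to vCenter without an explicit credential (for example through a VICredentialStore entry).

```powershell
# Added example (not the author's code); see the assumptions in the lead-in.
Configuration VSwitchSecurityPolicy {
    param(
        [Parameter(Mandatory)] [string]   $VCenter,     # hypothetical parameter
        [Parameter(Mandatory)] [string[]] $VMHostName   # hypothetical parameter
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {   # the Windows box is the DSC node; ESXi is reached through PowerCLI
        foreach ($EsxHost in $VMHostName) {
            Script "vSwitchSecurity_$($EsxHost -replace '\W', '_')" {
                GetScript = {
                    # Each block is invoked separately, so it makes its own connection.
                    $vi = Connect-VIServer -Server $using:VCenter
                    try {
                        $state = Get-VirtualSwitch -VMHost $using:EsxHost -Standard |
                            Get-SecurityPolicy | ForEach-Object {
                                "$($_.VirtualSwitch): Promiscuous=$($_.AllowPromiscuous) " +
                                "Forged=$($_.ForgedTransmits) MacChanges=$($_.MacChanges)"
                            }
                        @{ Result = ($state -join '; ') }   # GetScript must return a hash table
                    } finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }
                TestScript = {
                    $vi = Connect-VIServer -Server $using:VCenter
                    try {
                        # Collect every switch that still accepts one of the three settings.
                        $bad = @(Get-VirtualSwitch -VMHost $using:EsxHost -Standard |
                            Get-SecurityPolicy | Where-Object {
                                $_.AllowPromiscuous -or $_.ForgedTransmits -or $_.MacChanges
                            })
                        return ($bad.Count -eq 0)   # $true means compliant, SetScript is skipped
                    } finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }
                SetScript = {
                    $vi = Connect-VIServer -Server $using:VCenter
                    try {
                        # $false corresponds to Reject in the vSphere client.
                        Get-VirtualSwitch -VMHost $using:EsxHost -Standard | Get-SecurityPolicy |
                            Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false `
                                -MacChanges $false -Confirm:$false | Out-Null
                    } finally { Disconnect-VIServer -Server $vi -Confirm:$false }
                }
            }
        }
    }
}
```

Only plain strings cross into the script blocks through `$using:`, so no password is written into the compiled MOF.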

What Next?

  1. I will work to understand “How to create custom DSC Resources using PowerShell Classes and Object?”
  2. I will try to build a custom resource on my own.

Hopefully I will be able to resolve this issue and will come out with a DSC Configuration for vSwitch Security policy.




PowerShell DSC + VMware: Issue with Script Resource

Hi Folks,

I am writing a PowerShell DSC Configuration using the Script resource with the GetScript, TestScript and SetScript functions.

The idea is to create a configuration for the vSwitch security policy. I want all my ESX hosts to have the security policy set to Reject. However, although the Configuration block looks good here, it is trying to set these settings on the Windows box where I am executing this script. It is not setting up this config on the ESX vSwitch. Below is the code.




Here are the quick questions.

1. How can we set our node as ESX host?

2. Is there any other way to setup DSC Configuration for ESX hosts?