From an Azure ARM template DSC extension, a module fails to import because running scripts is disabled on this system
【Posted】: 2021-04-16 13:37:25
【Question】: I am trying to create a Windows 10 VM in Azure from an ARM template and configure it with the DSC extension to change the drive letter of the temporary drive.
I found the module cMoveAzureTempDrive, which does this easily. However, when I deploy the template in Azure, I get an error saying the module cannot be loaded because running scripts is disabled on the system:
"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":["code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'Install'. Error message: \"DSC Configuration 'Install' completed with error(s). Following are the first few: Importing module cMoveAzureTempDrive failed with error - File C:\\Program Files\\WindowsPowerShell\\Modules\\cMoveAzureTempDrive\\cMoveAzureTempDrive.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot "]
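I know I can enable script execution through a Custom Script Extension, but it does not seem optimal to me that a DSC module cannot be used without doing so. I have the same problem with every external module.
Do you have a solution that makes it possible to use DSC modules?
Here is my DSC extension in the ARM template: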
{
  "type": "Microsoft.Compute/virtualMachines/extensions",
  "apiVersion": "2020-06-01",
  "name": "[concat(parameters('vmName'),'/', 'Install')]",
  "location": "[parameters('location')]",
  "tags": "[parameters('resourceTags')]",
  "dependsOn": [
    "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'))]"
  ],
  "properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.9",
    "autoUpgradeMinorVersion": true,
    "settings": {
      "wmfVersion": "latest",
      "configuration": {
        "url": "[variables('DSCLocationURI')]",
        "script": "Install.ps1",
        "function": "Install"
      },
      "configurationArguments": {}
    },
    "protectedSettings": {
      "configurationUrlSasToken": "[parameters('storageAccountSASToken')]"
    }
  }
}
Here is my DSC code:
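# Configuration wrapper restored; the name is taken from "function": "Install" in the ARM template.
Configuration Install {
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'cAzureStorage'
    Import-DscResource -ModuleName 'cMoveAzureTempDrive'

    Node localhost {
        # Let the Local Configuration Manager reboot and then resume the configuration
        LocalConfigurationManager {
            ActionAfterReboot = 'ContinueConfiguration'
            RebootNodeIfNeeded = $true
        }
        # Move the Azure temporary drive to T:
        cMoveAzureTempDrive cMoveAzureTempDrive {
            TempDriveLetter = 'T'
            Name = "MachineName"
        }
    }
}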
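【Answer 1】: This error seems to come from the Win10 default execution policy being Restricted, so DSC is refused permission to run. If you change the ExecutionPolicy on the client from Restricted to RemoteSigned, the problem goes away.
You can also change the ExecutionPolicy in the DSC script. Here is a script example: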
Configuration Security_Baseline_Windows_Client {
    Import-DSCResource -ModuleName 'SecurityPolicyDSC' # SecurityPolicyDSC is a Powershell Module for Security Settings
    Import-DSCResource -ModuleName 'AuditPolicyDsc' # AuditPolicyDsc is a Powershell Module for Advanced Audit Settings
    Import-DscResource -ModuleName 'NetworkingDsc' # NetworkingDsc is a Powershell Module for Firewall Settings
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration' # PSDesiredStateConfiguration is a module that contains cmdlets that designed to work with DSC Resources.

    Node localhost {
        Script ExecutionPolicy {
            SetScript = {
                Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
            }
            TestScript = { $false }   # always reports "not in desired state", so SetScript runs on every pass
            GetScript = { @{} }
        }
    }
}
This setting causes the PowerShell extension to fail. However, the MS security baseline recommends keeping this setting.
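Before loosening the policy, it helps to see which scope actually decides it and whether the module file is signed or carries a mark of the web. The following read-only check is an added example, not code from the question or the answer; the function name `Test-ModuleLoadPolicy` is hypothetical and the default path is the one quoted in the deployment error. It assumes Windows PowerShell on the VM, and because DSC runs as SYSTEM, the MachinePolicy and LocalMachine scopes are the ones that carry over from an interactive session.

```powershell
# Added example (not from the original post). Read-only: changes nothing on the node.
function Test-ModuleLoadPolicy {
    [CmdletBinding()]
    param(
        # Default is the module path quoted in the deployment error above.
        [string]$ModuleFile = 'C:\Program Files\WindowsPowerShell\Modules\cMoveAzureTempDrive\cMoveAzureTempDrive.psm1'
    )
    if (-not (Test-Path -LiteralPath $ModuleFile)) { throw "Module file not found: $ModuleFile" }

    # Scopes come back in precedence order (MachinePolicy, UserPolicy, Process,
    # CurrentUser, LocalMachine); the first one that is not Undefined decides.
    $deciding = Get-ExecutionPolicy -List |
        Where-Object { $_.ExecutionPolicy -ne 'Undefined' } |
        Select-Object -First 1
    $effective = Get-ExecutionPolicy

    # Authenticode status of the module file: Valid, NotSigned, HashMismatch, ...
    $sigStatus = (Get-AuthenticodeSignature -FilePath $ModuleFile).Status

    # Mark of the web: a Zone.Identifier stream with ZoneId 3 (Internet) or
    # 4 (Restricted sites) makes RemoteSigned treat the file as remote.
    $zoneText = Get-Content -LiteralPath $ModuleFile -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $isRemote = [bool]($zoneText -match '^ZoneId=[34]\s*$')

    $verdict = switch ($effective) {
        'Restricted'   { 'Blocked: no script files run, signed or not' }
        'AllSigned'    { if ($sigStatus -eq 'Valid') { 'Allowed if the publisher is trusted' }
                         else { "Blocked: signature status is $sigStatus" } }
        'RemoteSigned' { if (-not $isRemote -or $sigStatus -eq 'Valid') { 'Allowed' }
                         else { 'Blocked: downloaded file without a valid signature' } }
        default        { 'Allowed' }   # Unrestricted or Bypass
    }

    [pscustomobject]@{
        EffectivePolicy = $effective
        DecidingScope   = if ($deciding) { $deciding.Scope } else { 'None (built-in default)' }
        SignatureStatus = $sigStatus
        MarkOfTheWeb    = $isRemote
        Verdict         = $verdict
    }
}

Test-ModuleLoadPolicy | Format-List
```

If `DecidingScope` is MachinePolicy, the value comes from Group Policy and a `Set-ExecutionPolicy` call at LocalMachine scope will not override it.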