从 Azure ARM 模板 DSC 扩展，模块无法导入，因为在此系统上禁用了正在运行的脚本

Question

我正在尝试从 ARM 模板在 Azure 中创建 Windows 10 VM，并使用 DSC 扩展对其进行配置以更改临时驱动器的盘符。

我发现模块 cMoveAzureTempDrive 可以轻松完成。 但是，当我在 Azure 中部署模板时，我收到一条错误消息，提示无法加载模块，因为系统上禁用了正在运行的脚本：

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"VMExtensionProvisioningError","message":"VM has reported a failure when processing extension 'Install'. Error message: \"DSC Configuration 'Install' completed with error(s). Following are the first few: Importing module cMoveAzureTempDrive failed with error - File C:\\Program Files\\WindowsPowerShell\\Modules\\cMoveAzureTempDrive\\cMoveAzureTempDrive.psm1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot "}]}

我知道我可以通过自定义脚本扩展启用脚本执行，但对我来说，如果不这样做就无法使用 DSC 模块，这似乎不是最佳选择。我对所有外部模块都有同样的问题。

您有能够使用 DSC 模块的解决方案吗？

这是我在 ARM 模板中的 DSC 扩展：

{
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "apiVersion": "2020-06-01",
    "name": "[concat(parameters('vmName'),'/', 'Install')]",
    "location": "[parameters('location')]",
    "tags": "[parameters('resourceTags')]",
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'))]"
    ],
    "properties": {
        "publisher": "Microsoft.Powershell",
        "type": "DSC",
        "typeHandlerVersion": "2.9",
        "autoUpgradeMinorVersion":true,
        "settings": {
            "wmfVersion": "latest",
            "configuration": {
                "url": "[variables('DSCLocationURI')]",
                "script": "Install.ps1",
                "function": "Install"
            },
            "configurationArguments": {
            }
        },
        "protectedSettings": {
            "configurationUrlSasToken": "[parameters('storageAccountSASToken')]"
        }
    }
}

这是我的 DSC 代码：

{
   
    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'
    Import-DscResource -ModuleName 'cAzureStorage'
    Import-DscResource -ModuleName 'cMoveAzureTempDrive'

    Node localhost
    {
        LocalConfigurationManager
        {
            ActionAfterReboot = 'ContinueConfiguration'
            RebootNodeIfNeeded = $true
        }

        cMoveAzureTempDrive cMoveAzureTempDrive
        {
            TempDriveLetter = 'T'
            Name = "MachineName"
        }
    }
}

Answer 1

此错误似乎来自 Win10 默认执行策略受限，因此 DSC 被拒绝运行。 如果您将客户端上的 Executionpolicy 从 Restricted 更改为 Remotesigned，问题就会消失。

您还可以更改 DSC 脚本中的 ExecutionPolicy。有脚本示例：

Configuration Security_Baseline_Windows_Client
{
  Import-DSCResource -ModuleName 'SecurityPolicyDSC'            # SecurityPolicyDSC is a Powershell Module for Security Settings  

  Import-DSCResource -ModuleName 'AuditPolicyDsc'               # AuditPolicyDsc is a Powershell Module for Advanced Audit Settings 

  Import-DscResource -ModuleName 'NetworkingDsc'                # NetworkingDsc is a Powershell Module for Firewall Settings 

  Import-DscResource -ModuleName 'PSDesiredStateConfiguration'  # PSDesiredStateConfiguration is a module that contains cmdlets that designed to work with DSC Resources.
  Node localhost
  {
    Script ExecutionPolicy
    {
        SetScript = {
            Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
        }
        TestScript = { $false }
        GetScript  = { @{} }
    }

此设置会导致 Powershell 扩展失败。 但是，MS 安全基线建议保留此设置。