MicrosoftDocs
diff --git a/‎README.md‎
Lines changed: 4 additions & 5 deletions b/‎README.md‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎dsc/TOC.md‎
Lines changed: 2 additions & 0 deletions b/‎dsc/TOC.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎dsc/authoringResourceClass.md‎
Lines changed: 1 addition & 1 deletion b/‎dsc/authoringResourceClass.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dsc/configDataCredentials.md‎
Lines changed: 183 additions & 0 deletions b/‎dsc/configDataCredentials.md‎
Lines changed: 183 additions & 0 deletions
diff --git a/‎dsc/debugResource.md‎
Lines changed: 79 additions & 0 deletions b/‎dsc/debugResource.md‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎dsc/images/enableDebug.png‎
-10.5 KB b/‎dsc/images/enableDebug.png‎
-10.5 KB
diff --git a/‎dsc/lnxGettingStarted.md‎
Lines changed: 1 addition & 1 deletion b/‎dsc/lnxGettingStarted.md‎
Lines changed: 1 addition & 1 deletion
@@ -1,12 +1,11 @@
 # PowerShell Documentation
 
-Welcome to the PowerShell-Docs repository, housing the official PowerShell documentation [available on MSDN](https://msdn.microsoft.com/powershell/dsc/overview). 
+Welcome to the PowerShell-Docs repository, housing the official Windows PowerShell documentation [available on MSDN](https://msdn.microsoft.com/powershell/dsc/overview). 
 
-> **Note**: right now, this repo is only intended for PowerShell Desired State Configuration (DSC) content. 
-In the future, it may be expanded to include a greater set of PowerShell documentation. 
+> **Note**: Currently, this repository is intended only for PowerShell [Desired State Configuration (DSC)](https://msdn.microsoft.com/en-us/powershell/dsc/overview) content and [Windows Management Framework (WMF) release notes](https://msdn.microsoft.com/en-us/powershell/wmf/releasenotes). In the future, the repo will be expanded to include a wider range of PowerShell documentation. 
 
 ## Contributing
 
-We will be actively merging contributions into this repository via pull request. 
-Please note that before contributing, you must [sign a Contribution License Agreement](https://cla.microsoft.com/) to ensure that the community is free to use your contributions.
+We actively merge contributions into this repository via [pull request](https://help.github.com/articles/using-pull-requests/). 
+Please note that before you submit a pull request you must [sign a Contribution License Agreement](https://cla.microsoft.com/) to ensure that the community is free to use your submissions.
 For more information on contributing, read our [contributions guide](CONTRIBUTING.md).
@@ -3,6 +3,7 @@
 # [Configurations](configurations.md)
 ## [Enacting configurations](enactingConfigurations.md)
 ## [Configuration data](configData.md)
+### [Credential options in configuration data](configDataCredentials.md)
 ## [Securing the configuration MOF file](secureMOF.md)
 ## [Partial Configurations](partialConfigs.md)
 # [Resources](resources.md)
@@ -24,6 +25,7 @@
 #### [MOF-based resource in C#](authoringResourceMofCS.md)
 ### [Class-based custom resouces](authoringResourceClass.md)
 ### [Composite resources](authoringResourceComposite.md)
+### [Debugging DSC resources](debugResource.md)
 
 # [Configuring the Local Configuration Manager (LCM)](metaConfig.md)
 ## [Configuring the LCM in PowerShell 4.0](metaConfig4.md)
 
@@ -16,7 +16,7 @@ To implement a DSC custom resource with a PowerShell class, create the following
 
 ```
 $env: psmodulepath (folder)
-    |- MyDscResources (folder)
+    |- MyDscResource (folder)
         |- MyDscResource.psm1 
            MyDscResource.psd1 
 ```
 
@@ -0,0 +1,183 @@
+# Credentials Options in Configuration Data
+>Applies To: Windows PowerShell 5.0
+
+## Plain Text Passwords and Domain Users
+
+DSC configurations containing a credential without encryption will generate an error messages about plain text passwords.
+Also, DSC will generate a warning when using domain credentials.
+These error and warning messages can be silenced using the DSC configuration data keywords:
+* **PsDscAllowPlainTextPassword**
+* **PsDscAllowDomainUser**
+
+## Handling Credentials in DSC
+
+DSC configuration resources run as `Local System` by default.
+However, some resources require a credential, like when the `Package` resource needs to install software under a specific user account.
+
+Earlier resources used a hard-coded `Credential` property name to handle this.
+WMF 5.0 added an automatic `PsDscRunAsCredential` property for all resources.
+Newer resources and custom resources can use this automatic property instead of creating their own property for credentials.
+
+*Note that some resources are designed to use multiple credentials for a specific reason, and they will have their own credential properties.*
+
+To identify the available credential properties on a resource use either `Get-DscResource -Name ResourceName -Syntax` or the Intellisense in the ISE (`CTRL+SPACE`).
+
+```PowerShell
+PS C:\> Get-DscResource -Name Group -Syntax
+Group [String] #ResourceName
+{
+    GroupName = [string]
+    [Credential = [PSCredential]]
+    [DependsOn = [string[]]]
+    [Description = [string]]
+    [Ensure = [string]{ Absent | Present }]
+    [Members = [string[]]]
+    [MembersToExclude = [string[]]]
+    [MembersToInclude = [string[]]]
+    [PsDscRunAsCredential = [PSCredential]]
+}
+```
+
+This example uses a [Group](https://msdn.microsoft.com/en-us/powershell/dsc/groupresource) resource from the `PSDesiredStateConfiguration` built-in DSC resource module.
+It can create local groups and add or remove members.
+It accepts both the `Credential` property and the automatic `PsDscRunAsCredential` property.
+However, it is coded to only use the `Credential` property.
+Read more about `PsDscRunAsCredential` in the [WMF Release Notes](https://msdn.microsoft.com/en-us/powershell/wmf/dsc_runas).
+
+## Example: The Group resource Credential property
+
+DSC runs under `Local System`, so it already has permissions to modify local users and groups.
+If the member to be added is a local account, then no credential is required.
+If the `Group` resource adds a domain account to the local group, then a credential is required.
+
+Anonymous queries to Active Directory are not allowed.
+The `Credential` property of the `Group` resource is the domain account used to query Active Directory.
+For most purposes this can be a generic user account, because by default users can *read* most of the objects in Active Directory.
+
+## Example Configuration
+
+The following example code uses DSC to populate a local group with a domain user:
+
+```PowerShell
+Configuration DomainCredentialExample
+{
+param(
+    [PSCredential]$DomainCredential
+)
+    Import-DscResource -ModuleName PSDesiredStateConfiguration
+
+    node localhost
+    {
+        Group DomainUserToLocalGroup
+        {
+            GroupName        = 'ApplicationAdmins'
+            MembersToInclude = 'contoso\alice'
+            Credential       = $DomainCredential
+        }
+    }
+}
+
+$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
+DomainCredentialExample -DomainCredential $cred
+```
+
+This code generates both an error and warning message:
+
+```
+ConvertTo-MOFInstance : System.InvalidOperationException error processing
+property 'Credential' OF TYPE 'Group': Converting and storing encrypted
+passwords as plain text is not recommended. For more information on securing
+credentials in MOF file, please refer to MSDN blog:
+http://go.microsoft.com/fwlink/?LinkId=393729
+
+At line:11 char:9
++   Group
+At line:297 char:16
++     $aliasId = ConvertTo-MOFInstance $keywordName $canonicalizedValue
++                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
+    + FullyQualifiedErrorId : FailToProcessProperty,ConvertTo-MOFInstance
+
+WARNING: It is not recommended to use domain credential for node 'localhost'.
+In order to suppress the warning, you can add a property named
+'PSDscAllowDomainUser' with a value of $true to your DSC configuration data
+for node 'localhost'.
+```
+
+This example has two issues:
+1.  An error explains that plain text passwords are not recommended
+2.  A warning advises against using a domain credential
+
+## PsDscAllowPlainTextPassword
+
+The first error message has a URL with documentation.
+This link explains how to encrypt passwords using a [ConfigurationData](https://msdn.microsoft.com/en-us/powershell/dsc/configdata) structure and a certificate.
+For more information on certificates and DSC [read this post](http://aka.ms/certs4dsc).
+
+To force a plain text password, the `PsDscAllowPlainTextPassword` keyword is required in the configuration data section as follows:
+
+```PowerShell
+Configuration DomainCredentialExample
+{
+param(
+    [PSCredential]$DomainCredential
+)
+    Import-DscResource -ModuleName PSDesiredStateConfiguration
+
+    node localhost
+    {
+        Group DomainUserToLocalGroup
+        {
+            GroupName        = 'ApplicationAdmins'
+            MembersToInclude = 'contoso\alice'
+            Credential       = $DomainCredential
+        }
+    }
+}
+
+$cd = @{
+    AllNodes = @(
+        @{
+            NodeName = 'localhost'
+            PSDscAllowPlainTextPassword = $true
+        }
+    )
+}
+
+$cred = Get-Credential -UserName contoso\genericuser -Message "Password please"
+DomainCredentialExample -DomainCredential $cred -ConfigurationData $cd
+```
+
+*Note that `NodeName` cannot equal asterisk. It must be a specific node name.*
+
+**Microsoft advises to avoid plain text passwords due to the significant security risk.**
+
+## Domain Credentials
+
+Running the example configuration script again (with or without encryption), still generates the warning that using a domain account for a credential is not recommended.
+Using a local account eliminates potential exposure of domain credentials that can be used on other servers.
+
+**When using credentials with DSC resources, prefer a local account over a domain account when possible.**
+
+If there is a '\' or '@' in the `Username` property of the credential, then DSC will treat it as a domain account.
+An exception is made for "localhost", "127.0.0.1", and "::1" in the domain portion of the user name.
+
+## PSDscAllowDomainUser
+
+In the DSC `Group` resource example above, querying an Active Directory domain *requires* the use of a domain account.
+In this case add the `PSDscAllowDomainUser` property to the `ConfigurationData` block as follows:
+
+```PowerShell
+$cd = @{
+    AllNodes = @(
+        @{
+            NodeName = 'localhost'
+            PSDscAllowDomainUser = $true
+            # PSDscAllowPlainTextPassword = $true
+            CertificateFile = "C:\PublicKeys\server1.cer"
+        }
+    )
+}
+```
+
+Now the configuration script will generate the MOF file with no errors or warnings.
@@ -0,0 +1,79 @@
+# Debugging DSC resources
+
+> Applies To: Windows PowerShell 5.0
+
+In PowerShell 5.0, a new feature was introduced in Desired State Configuraiton (DSC) that allows you to debug a DSC resource as a configuration is being applied.
+
+## Enabling DSC debugging
+Before you can debug a resource, you have to enable debugging by calling the [Enable-DscDebug](https://technet.microsoft.com/en-us/library/mt517870.aspx) cmdlet. This cmdlet takes a mandatory parameter, **BreakAll**. You can verify that debugging has been enabled by looking at the result of a call to [Get-DscLocalConfigurationManager](https://technet.microsoft.com/en-us/library/dn407378.aspx). The following PowerShell output shows the result of enabling debugging:
+
+
+```powershell
+PS C:\DebugTest> $LCM = Get-DscLocalConfigurationManager
+
+PS C:\DebugTest> $LCM.DebugMode
+NONE
+
+PS C:\DebugTest> Enable-DscDebug -BreakAll
+
+PS C:\DebugTest> $LCM = Get-DscLocalConfigurationManager
+
+PS C:\DebugTest> $LCM.DebugMode
+ForceModuleImport
+ResourceScriptBreakAll
+
+PS C:\DebugTest>
+```
+
+
+## Starting a configuration with debug enabled
+To debug a DSC resource, you start a configuration that calls that resource. For this example, we'll look at a simple configuration that calls the [WindowsFeature](windowsfeatureResource.md) resource to ensure that the "WindowsPowerShellWebAccess" feature is installed:
+
+```powershell
+Configuration PSWebAccess
+    {
+    Import-DscResource -ModuleName 'PsDesiredStateConfiguration'
+    Node localhost
+        {
+        WindowsFeature PSWA
+            {
+            Name = 'WindowsPowerShellWebAccess'
+            Ensure = 'Present'
+            }
+        }
+    }
+PSWebAccess
+```
+After compiling the configuration, start it by calling [Start-DscConfiguration](https://technet.microsoft.com/en-us/library/dn521623.aspx). The configuration will stop when the
+Local Configuration Manager (LCM) calls into the first resoure in the configuration. If you use the `-Verbose` and `-Wait` parameters, the output displays the lines you need to enter
+to start debugging.
+
+```powershell
+PS C:\DebugTest> Start-DscConfiguration .\PSWebAccess -Wait -Verbose
+VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfiguration
+Manager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
+VERBOSE: An LCM method call arrived from computer TEST-SRV with user sid S-1-5-21-2127521184-1604012920-1887927527-108583.
+VERBOSE: An LCM method call arrived from computer TEST-SRV with user sid S-1-5-21-2127521184-1604012920-1887927527-108583.
+VERBOSE: [TEST-SRV]: LCM:  [ Start  Set      ]
+WARNING: [TEST-SRV]:                            [DSCEngine] Warning LCM is in Debug 'ResourceScriptBreakAll' mode.  Resource script processing will 
+be stopped to wait for PowerShell script debugger to attach.
+VERBOSE: [TEST-SRV]:                            [DSCEngine] Importing the module C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateCo
+nfiguration\DscResources\MSFT_RoleResource\MSFT_RoleResource.psm1 in force mode.
+VERBOSE: [TEST-SRV]: LCM:  [ Start  Resource ]  [[WindowsFeature]PSWA]
+VERBOSE: [TEST-SRV]: LCM:  [ Start  Test     ]  [[WindowsFeature]PSWA]
+VERBOSE: [TEST-SRV]:                            [[WindowsFeature]PSWA] Importing the module MSFT_RoleResource in force mode.
+WARNING: [TEST-SRV]:                            [[WindowsFeature]PSWA] Resource is waiting for PowerShell script debugger to attach.  Use the follow
+ing commands to begin debugging this resource script:
+Enter-PSSession -ComputerName TEST-SRV -Credential <credentials>
+Enter-PSHostProcess -Id 9000 -AppDomainName DscPsPluginWkr_AppDomain
+Debug-Runspace -Id 9
+```
+At this point, the LCM has called the resource, and come to the first break point. The last three lines in the output show you how to attach to the process and start debugging the resource script.
+
+## Debugging the resource script
+
+Start a new instance of the PowerShell ISE. In the console pane, enter the last three lines of output from the `Start-DscConifiguration` output as commands, replacing `<credentials>` with
+valid user credentials. Here is the resulting output.
+
+
+
@@ -168,4 +168,4 @@ The following log files are generated for DSC for Linux messages.
 |Log file|Directory|Description|
 |---|---|---|
 |omiserver.log|/opt/omi/var/log/|Messages relating to the operation of the OMI CIM server.|
-|dsc.log|/opt/omi/var/log/|Messages relating to the operation of the Local Configuration Manager (LCM) and DSC resource operations.|
+|dsc.log|/opt/omi/var/log/|Messages relating to the operation of the Local Configuration Manager (LCM) and DSC resource operations.|