dsccommunity / SChannelDsc

MIT License

How to reboot after changes are applied? #13

Closed juho-hanhimaki closed 2 years ago

juho-hanhimaki commented 4 years ago

This might be basic stuff, but I am new to this whole DSC thing, so hopefully someone can point me in the right direction.

It seems changes to SChannel settings don't get applied unless the system is rebooted. Is there a way to make the system reboot after changes to SChannel settings are made, or is that something that is not possible with this module?

ykuijs commented 4 years ago

Hi @juho-hanhimaki, why do you think these changes aren't applied unless the system is rebooted? Do you have examples? If so, a DSC resource can force a reboot if this is required, so we can simply update the resource.

juho-hanhimaki commented 4 years ago

I was trying to set the cipher suite order, and for that to be applied a reboot should be required. I have observed this many times on servers, not just with this DSC module but in general when editing the registry key.

I am not an expert on SChannel, so I really don't know whether all other settings require a reboot as well to be applied.

Most scripts I have seen just reboot after the whole configuration (with multiple changes) has been applied: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12

Then there are scripts that track changes of each individual setting and reboot afterwards if any setting was changed: https://github.com/NWebsec/NWebsec.AzureStartupTasks/blob/master/NWebsec.AzureStartupTasks/content/NWebsec.AzureStartupTasks/scripts/TLS_hardening.ps1

ykuijs commented 3 years ago

A resource can initiate a reboot when it has updated settings. This does mean that multiple reboots will be performed when multiple resources are applied.

Will update the resources to initiate a reboot.

bdanse commented 3 years ago

Maybe it is an idea to add a sort of reboot flag to all resources if Set-TargetResource is executed, and an additional attribute to SChannelSettings to manage reboots for the module. This way it is less 'noisy' with regards to reboots in the initial run. Based on the flag, $global:DSCMachineStatus can be set and the flag can be reset.

The downside is you would always need to declare SChannelSettings as the last resource within your configuration.

ykuijs commented 2 years ago

Another downside of adding this to the SChannelSettings is that this is only triggered when that resource isn't in the desired state.

I have now added an extra parameter to each resource RebootWhenRequired (defaults to False), with which you can specify if you want the resource to reboot the machine when settings are updated. PR will follow shortly.
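The pattern discussed in this thread, as an added example that is not SChannelDsc's own code: a minimal DSC-style Set-TargetResource with a RebootWhenRequired switch that sets $global:DSCMachineStatus only when a setting was actually changed. The cipher suite order registry path and the Functions value name are the standard Windows policy location and are assumed here, not taken from the module.

```powershell
# Added example (not SChannelDsc code): request a reboot from a DSC resource
# only when Set-TargetResource actually changed something. Setting
# $global:DSCMachineStatus = 1 tells the LCM that a reboot is pending.
function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String[]]
        $CipherSuiteOrder,

        [Parameter()]
        [System.Boolean]
        $RebootWhenRequired = $false
    )

    # Group policy key Windows reads for the TLS cipher suite order
    # (standard Windows location, assumed for this example).
    $keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $desired = $CipherSuiteOrder -join ','

    $current = (Get-ItemProperty -Path $keyPath -Name 'Functions' -ErrorAction SilentlyContinue).Functions

    if ($current -eq $desired)
    {
        # Nothing changed, so no reboot is flagged: this keeps repeated runs quiet.
        Write-Verbose -Message 'Cipher suite order already in desired state.'
        return
    }

    if (-not (Test-Path -Path $keyPath))
    {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name 'Functions' -Value $desired -Type String

    if ($RebootWhenRequired)
    {
        # A change was made and the caller opted in: flag the reboot so the LCM
        # restarts the node before continuing with the rest of the configuration.
        Write-Verbose -Message 'Cipher suite order changed; flagging reboot.'
        $global:DSCMachineStatus = 1
    }
    else
    {
        Write-Warning -Message 'Cipher suite order changed; a reboot is required for it to take effect.'
    }
}
```

The LCM only acts on the flag when its RebootNodeIfNeeded setting is enabled; otherwise the pending reboot is reported but not performed.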