Please feel free to provide feedback or file bugs here.

BUG: GetMetaConfiguration should validate property values against allowed values of MSFT_DSCMetaConfiguration CIM Properties

Once a node meta configuration is enacted, it is easy for an administrator or process (with malicious intent) to modify the MetaConfig.mof file in the C:\Windows\System32\Configuration directory. The GetMetaConfiguration method in the MSFT_DscMetaConfiguration class does not validate the property values against the allowed values of the CIM properties.

Steps to reproduce this behavior:
- Enact a simple meta configuration and enact it.
- Open the MetaConfig.MOF file in your favorite editor and change the value of ConfigurationMode to some random text.
- Save the file and close it.
- Run Get-DscLocalConfigurationManager.
- You will see the random value assigned to ConfigurationMode in the output although it is not a valid value for the ConfigurationMode property.

You can see this in action at

Ravikanth Chaganti shared this idea
In Queue  ·  Mark Gray responded


We have validated this issue and created two bugs for it.

1. We will validate the MOF when it is passed in as part of our API (i.e. Set-DscLocalConfigurationManager) and error if the values are not valid.
2. We will write a warning when Get-DscLocalConfigurationManager reads a MOF that has invalid values and at LCM startup. The resultant behavior will behave like it does today where invalid values will be read as the default value by the LCM.

Please let us know if this meets your expectations.
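
The kind of check discussed in this thread, as an added example that is not part of the original post or the DSC team's code: it compares enumerated properties in meta-configuration MOF text against an allowed-value table and reports each value with a validity flag. The function name, the allowed-value table (assumed from the WMF 4.0 schema) and the sample MOF are constructed for illustration.

```powershell
# Allowed values per property. Assumption: WMF 4.0 schema; confirm against the
# ValueMap qualifiers of MSFT_DSCMetaConfiguration on the node being checked.
$AllowedValues = @{
    ConfigurationMode = @('ApplyOnly', 'ApplyAndMonitor', 'ApplyAndAutoCorrect')
    RefreshMode       = @('Push', 'Pull')
}

function Test-MetaConfigMofText {
    # Hypothetical helper: emits one object per checked property found in the MOF text.
    param(
        [Parameter(Mandatory = $true)] [string] $MofText,
        [hashtable] $Allowed = $AllowedValues
    )
    foreach ($name in $Allowed.Keys) {
        # Matches assignments such as:  ConfigurationMode = "ApplyAndMonitor";
        $pattern = '(?m)^\s*' + [regex]::Escape($name) + '\s*=\s*"(?<value>[^"]*)"\s*;'
        foreach ($m in [regex]::Matches($MofText, $pattern)) {
            $value = $m.Groups['value'].Value
            [pscustomobject]@{
                Property = $name
                Value    = $value
                # -contains is case-insensitive; use -ccontains for a strict match
                IsValid  = $Allowed[$name] -contains $value
            }
        }
    }
}

# Constructed sample: a meta configuration whose ConfigurationMode was edited by hand.
$sample = @'
instance of MSFT_DSCMetaConfiguration
{
 ConfigurationMode = "SomeRandomText";
 RefreshMode = "Push";
 RebootNodeIfNeeded = False;
};
'@

# List only the properties whose values fall outside the allowed set.
Test-MetaConfigMofText -MofText $sample | Where-Object { -not $_.IsValid }

# On a node (assumes the file is plain-text MOF, as described in the report):
# $mof = Get-Content -Raw 'C:\Windows\System32\Configuration\MetaConfig.mof'
# Test-MetaConfigMofText -MofText $mof | Where-Object { -not $_.IsValid }
```

Run on a schedule or from a configuration-integrity job, a non-empty result indicates that the file was changed outside Set-DscLocalConfigurationManager.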


