NOTE: This page is no longer being updated. To install the latest version of DSC Resource Kit, please use the PowerShell Gallery. If you need to report issues or would like to contribute to development, check out our GitHub Repositories.


The xSafeHarbor module is a part of the Windows PowerShell Desired State Configuration (DSC) Resource Kit, which is a collection of DSC Resources produced by the PowerShell Team. This module contains the configurations that allows you to setup the SafeHarbor example.

All of the resources and configurations in the DSC Resource Kit are provided AS IS, and are not supported through any Microsoft standard support program or service. The ""x" in xSafeHarbor stands for experimental , which means that these configurations will be fix forward and monitored by the module owner(s).

Please leave comments, feature requests, and bug reports in the Q & A tab for this module.

If you would like to modify xSafeHarbor module, feel free. When modifying, please update the module name (instructions below). As specified in the license, you may copy or modify this resource as long as they are used on the Windows Platform.

For more information about Windows PowerShell Desired State Configuration, check out the blog posts on the PowerShell Blog (this is a good starting point). There are also great community resources, such as , or PowerShell Magazine . For more information on the DSC Resource Kit, check out this blog post.


To install xSafeHarbor module

To confirm installation:






This module requires the Windows Management Framework (WMF) 5.0 Experimental Release July 2014, which contains functionality that has been updated from WMF 4.0. TheWMF 5.0 Experimental Release July 2014 is available for installation on Windows 8.1 and Windows Server 2012 R2. More information about the content of the WMF 5.0 Experimental Release July 2014 is available in its dedicated release notes, included in the download links below.

Notice: WMF 5.0 Experimental Release July 2014 is delivered as an MSU installation package via the links below. Installing this will update the PowerShell, WMI, and WinRM components of your Windows installation. change the state of your machine, as opposed to the scripts in Resource Kit. If you choose “Open” from either the x64 or x86 direct download links, the package will be downloaded, and the install will update your system with these new components.

Disclaimer: There is some scenarios in WMF 5.0 Experimental July 2014 with incomplete or missing functionality. This is also included in the dedicated release notes, which are included in the download links below.

Direct Download Links:


The xSafeHarbor module contains the Assert-SafeHarborScenario.ps1 script file. This script allows you to exercise the SafeHarbor example by setting up a secure environment to run a particular application or service inside of an assume-breached network. This substantially reduces the attack surface of the application or service by configuring a highly customized, application specific environment, by limiting user access and by having "Just Enough" administrative control with full auditing.


Assert-SafeHarborScenario has following parameters:

  • DHCPServer\Administrator
  • Corporate\Administrator
  • Corporate\User1
  • Corporate\Papa
  • Corporate\DeptHead
  • Safeharbor\Administrator
  • Safeharbor\Mata

To learn more details of this example, please see this blog .

Renaming Requirements

When making changes to these resources, we suggest the following practice:

  1. Update the following names by replacing MSFT with your company/community name and replacing the "x" with "c" (short for "Community") or another prefix of your choice:
    • Module name (ex: xSafeHarbor becomes cSafeHarbor)
  2. Update module and metadata information in the module manifest
  3. Update any configuration that use these resources

We reserve resource and module names without prefixes ("x" or "c") for future use (e.g. "MSFT_WordPressSite" or "WordPressSite"). If the next version of Windows Server ships with a "WordPressSite" resource, we don't want to break any configurations that use any community modifications. Please keep a prefix such as "c" on all community modifications.


Example: Setup SafeHarbor example on a Hyper-V host


$baseVhdFilePath = ‘C:\BaseVhd\serverdatacenter_en-us.vhd 
.\Assert-SafeHarborScenario.ps1 -BaseVhdFilePath $baseVhdFilePath -Validate –PauseBetweenStages