How can I push a DSC configuration with encrypted MOF files without setting up certificates?

1
votes

I am trying to push a Desired State Configuration containing credentials to a remote server using Powershell 5.1. According to the DSC documentation, this should not be a problem, because "Beginning with PowerShell version 5.0, the entire MOF file is encrypted by default when it is applied to the node using the Start-DSCConfiguration cmdlet."

However, whenever I tried without using an encryption certificate, I always got the usual error message about plain text passwords in unencrypted MOF files (System.InvalidOperationException error processing property 'Credential' OF TYPE 'File': Converting and storing encrypted passwords as plain text is not recommended.).

Is this an error in the manual, or am I just doing it wrong? In other words: How can I push a DSC configuration with encrypted MOF files without setting up certificates?

1
powershellencryptiondsc
You were specifically using Start-DscConfiguration? Not using a pull server?briantist
@briantist Yes, I was not using a pull server. Howerver, I am new to DSC, so as noted above, I may be doing it wrong.Adrian Grigore
@briantist I finally figured out where I was wrong. See below.Adrian Grigore
Nice find, Adrian!briantist

1 Answers

2
votes

Automatic Encryption of push deployments is indeed working, but I misunderstood the error message and documentation and therefore also misinterpreted the result.

The MOF files on my development machine are never encrypted, not even after pushing them to the target server. I guess that's what the error message refers to.

However, the MOF files on the target server (e.g. when looking at C:\Windows\System32\Configuration\Windows\pending.MOF) are indeed encrypted.

In other words, if push is the only deployment method used and the push script deletes the MOF files on the dev machine right after pushing them to the server, then it seems ok use plain text passwords in MOF files. But I still need to allow them explicitly with the PSDscAllowPlainTextPassword parameter.