Thursday, 21 December 2017

Using encrypted credentials with DSC


So, to pass credentials to the target machine, you need to do a few things.

How to configure DSC to encrypt credentials

In a nutshell, you deploy a certificate to the target machine, and the management machine then encrypts the credentials using the public key of that certificate. More detailed steps below:

  • Connect to each target computer
  • Generate a self-signed certificate
  • Copy the public key to the management computer
  • Configure the Local Configuration Manager with the correct certificate thumbprint for that machine
  • Create the Configuration Data hashtable for use by other configurations
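
The five steps above carried out by hand against a single target, as an added example; it is not the author's script. It assumes a Server 2016 target reachable over PowerShell remoting, and the certificate DNS name, the local .cer path and the configuration name LcmCertificate are made up for illustration.

```powershell
# Added example, run from the management computer in an elevated session.
$ComputerName = 'litex01'                              # target name used on this page
$CertFile     = "C:\DscPublicKeys\$ComputerName.cer"   # assumed path for the public key

# Steps 1-2: create a document-encryption certificate on the target (LocalMachine\My).
# The private key never leaves the target; only the public certificate is returned.
$remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    $cert = New-SelfSignedCertificate -Type DocumentEncryptionCertLegacyCsp `
                -DnsName 'DscEncryptionCert' -HashAlgorithm SHA256
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        RawData    = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    }
}

# Step 3: save the public key on the management computer.
New-Item -ItemType Directory -Path (Split-Path $CertFile) -Force | Out-Null
[System.IO.File]::WriteAllBytes($CertFile, $remote.RawData)

# Make sure the saved file is the certificate the target reported before trusting it.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
if ($local.Thumbprint -ne $remote.Thumbprint) { throw "Thumbprint mismatch for $ComputerName" }

# Step 4: tell the target's LCM which certificate decrypts credentials in the MOF.
[DSCLocalConfigurationManager()]
configuration LcmCertificate {
    param([string]$NodeName, [string]$Thumbprint)
    Node $NodeName {
        Settings { CertificateID = $Thumbprint }
    }
}
LcmCertificate -NodeName $ComputerName -Thumbprint $remote.Thumbprint -OutputPath .\LcmCertificate | Out-Null
Set-DscLocalConfigurationManager -Path .\LcmCertificate -ComputerName $ComputerName -Verbose

# Step 5: configuration data that makes the compiler encrypt PSCredential values
# for this node with the public key saved in step 3.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName        = $ComputerName
            CertificateFile = $CertFile
            Thumbprint      = $remote.Thumbprint
        }
    )
}
```

Passing `$ConfigurationData` to a configuration with `-ConfigurationData` produces a MOF in which credential values are encrypted rather than stored in plain text.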

Script to configure DSC credential encryption

If you know me, I can never really do the same thing twice and if it can be automated then it will be automated. So, this script does all the work for you - just run it from your management machine and point it at your target machine. Just note that it only works with Server 2016 or PowerShell v5.

How to run the script? First we copy and paste the above function into a PowerShell window, then run this to save our configuration data into $ConfigurationData:

$ConfigurationData = Set-DscLCMCertificate -ComputerName litex01 -Verbose


We can now confirm that the configuration data is correct:




Test out DSC credentials

To do this, we’ll save credentials into $Credential, then create a configuration that requires credentials and test it out with our configuration data.


We can then check that our text file has been copied over:

Get-Item '\\litex01\c$\temp\testfile1.txt'


All done! Happy configuration management! You can see the full code at