Releases: luigilink/SPSConfigKit
Releases · luigilink/SPSConfigKit
Release list
v1.7.0
SPSConfigKit - Release Notes
[1.7.0] - 2026-07-08
Added
- SQL Server connection encryption (TLS) (#27, #42)
CfgAppSqlcan now force TLS encryption of SQL Server connections, opt-in via
NonNodeData.SQL.ForceEncryption(secure-by-default in the sample). It imports the
pre-staged SQL certificate (CertificateName, defaultSQLServerCert) into
LocalMachine\MywithPfxImportand binds it to the instance with
SqlSecureConnection(ForceEncryption,ServiceAccount).CfgAppSpsimports the
SQL certificate's public.cerintoLocalMachine\Rooton every SharePoint node so
it trusts the SQL TLS chain, and drives theSPFarmDatabaseConnectionEncryption
fromNonNodeData.SQL.DatabaseConnectionEncryption.- The default level is
Optional(traffic is encrypted because the SQL tier forces it;
robust with the kit's SQL aliases and applies on both new and existing farms).
Mandatory/Strictadditionally validate the certificate chain and host name and
requireNonNodeData.SQL.DatabaseServerCertificateHostNameto be set to a name in the
SQL certificate SAN (the SQL alias never matches it). Note that
DatabaseConnectionEncryptionis honoured only when the configuration database is
first created / joined — SPFarm does not change it on an already-joined farm.
- SQL maintenance plan — Ola Hallengren Maintenance Solution (#31)
CfgAppSqlcan install the SQL Server Maintenance Solution
(backups, index maintenance, integrity checks), opt-in via
NonNodeData.SQL.InstallMaintenanceSolution.Initialize-SoftwarePackagesdownloads
MaintenanceSolution.sqlinto the SQL source folder, so it is staged to the node with
the rest of the SQL media (no runtime download on offline nodes). ASqlScript
resource runs it under the SQL sysadmin RunAs and is idempotent (skipped once the
CommandExecuteprocedure exists). The script is not bundled with the kit;
scripts/sql/README.mddocuments the feature, the tunableDECLAREparameters, and
credits Ola Hallengren. Job schedules are intentionally left to the SQL administrator.
Changelog
A full list of changes in each version can be found in the change log
v1.6.1
SPSConfigKit - Release Notes
[1.6.1] - 2026-07-08
Fixed
- CfgAppSql no longer sets an invalid
RestartServiceproperty on the SQL protocol
resources (#40)- The
SqlProtocol(MIDDLEWARE_SqlProtocolTcpEnabled) andSqlProtocolTcpIP
(MIDDLEWARE_SqlProtocolTcpIP) resources setRestartService = $true, which is not a
valid property in SqlServerDsc 17.5.1 — the DSC parser rejects it and MOF compilation
fails. Both resources exposeSuppressRestart(default$false) andRestartTimeout
instead. The property is removed; the defaultSuppressRestart = $falsealready
restarts the service when a protocol change requires it, so TCP/IP enablement still
takes effect.
- The
Changelog
A full list of changes in each version can be found in the change log
v1.6.0
SPSConfigKit - Release Notes
[1.6.0] - 2026-07-07
Changed
- Office Online Server integration is skipped when no OOS node is declared (#37)
- On the SharePoint master, the OOS trusted root authority (
SPTrustedRootAuthority
for the Office Online CA certificate), the WOPI binding
(SPOfficeOnlineServerBinding) and the PDF suppression settings
(SPOfficeOnlineServerSupressionSettings) were provisioned unconditionally.
On a farm that declares noIsOOSServernode this referenced
NonNodeData.OOS/ theOfficeOnlineCertthat such a farm may legitimately
omit, and pushed a WOPI binding for a server that does not exist. The three
resources are now gated on the presence of at least oneIsOOSServernode,
mirroring the gating already applied to the OOS install Node block.
- On the SharePoint master, the OOS trusted root authority (
Fixed
NonNodeData.OOS.AllServersis validated against the declared OOS nodes (#38)AllServersfeeds theServerslist of the OOS cumulative update
(OfficeOnlineServerProductUpdate). When it did not list every node carrying
theIsOOSServerrole, the CU was applied to an incomplete set of machines
while the farm still reported those nodes (the shipped sample even drifted,
withAllServers = @('OOS')while the node isOOS1).CfgAppSps.ps1now
throws at compile time when anyIsOOSServerNodeName is missing from
AllServers(only when the farm declares an OOS node), a matching Pester
assertion covers the invariant, and the sampleAllServersis corrected to
@('OOS1').
Changelog
A full list of changes in each version can be found in the change log
v1.5.0
SPSConfigKit - Release Notes
[1.5.0] - 2026-07-07
Added
- The domain controller publishes DNS A records for the farm host names (#33)
CfgAppPdcgains an optionalNonNodeData.DnsRecordslist
(@{ Name; IPAddress }) and creates each A record in the domain zone with
Add-DnsServerResourceRecordA, so the SharePoint web-application and Office
Online host names (sharepoint.<domain>,oosweb.<domain>) resolve.
Without them, farm creation fails at the WOPI binding step with
"The server did not respond". Native DnsServer module (no new dependency),
idempotent per record.
- Optional domain-join helper for cloud nodes (#18)
- New
scripts/init/Add-DscNodeToDomain.ps1(+.psd1) points a node's DNS at
the domain controller and joins it to Active Directory before the node's DSC
configuration is applied. A freshly provisioned cloud VM (e.g. Azure, whose
default DNS is 168.63.129.16) cannot otherwise resolve or join the domain.
The helper is idempotent (skips when already a member), sets DNS only when
DnsServersis provided (on-prem nodes with working DNS leave it@()),
waits for the domain LDAP SRV record, joins with theSecrets.psd1
JoinAccountcredential (ADSETUPby default) honouring an optional
OUPath, and restarts after a readable countdown (RestartDelaySec).
- New
- The pull server now publishes the SoftwarePackages SMB share (#19)
CfgAppPull.ps1creates<Drives.Data>\SoftwarePackagesand publishes it as
the SMB share named after the last segment ofNonNodeData.SourcePath
(nativeNew-SmbShare, no new DSC module, idempotent). A new optional
NonNodeData.SoftwarePackagesShare.ReadAccesslist (default
'Authenticated Users') lets production lock the share down. Nodes no longer
need the share created by hand before they can pull binaries.
- Dashboard
-Action Installprovisions the node manifest share (#23)SPSDscDashboard.ps1 -Action Installnow creates theNodeManifestPath
folder and publishes it as an SMB share (member nodes write their
<NodeName>.jsonthere at LCM registration viaCfgLcmPull.ps1 -NodeManifestPath). Name and write access come from an optional
NodeManifestShareblock inSPSDscDashboard.psd1(default share name = the
folder leaf, defaultChangeAccess = 'Authenticated Users'). A UNC
NodeManifestPathis left untouched.-Action Defaultis unchanged.
Changed
- Faster software-package downloads (#16)
Initialize-SoftwarePackages.ps1sets$ProgressPreference = 'SilentlyContinue'
(the Invoke-WebRequest progress bar made multi-GB downloads an order of
magnitude slower on Windows PowerShell 5.1) and adds anInvoke-SPSDownload
helper that prefersStart-BitsTransfer(resumable, faster) and falls back to
Invoke-WebRequestwhen BITS is unavailable.
Fixed
- Remote Event Log Management firewall rule no longer drifts every pass (#35)
- The
SYSTEM_EnableRemoteEventLogManagementScript tested theDomainprofile
but enabled the rule with-Profile Any, so its Test never matched its Set and
the resource re-ran every consistency check (a permanent, error-free drift on
all four configs). The Test now checks theAnyprofile.
- The
- CfgAppSps default disk Ids match the SharePoint VMs (no temp disk) (#32)
CfgAppSps.psd1shipped the temp-disk layout (0/2/3), but the SharePoint VM
sizes (APP / SCH / WFE) have no Azure temp disk, so their real layout is 0/1/2.
Defaulted DATA to disk Number 1 and LOGS to Number 2; a VM with a temp disk
still shifts to 0/2/3 (as PDC/PULL/SQL use).
- Extracted ISO content is now unblocked (Mark-of-the-Web) (#30)
Initialize-SoftwarePackagesunblocked directly-downloaded files but not
content extracted from ISOs. Mounting a downloaded ISO propagates the
Mark-of-the-Web to the copied files, soprerequisiteinstaller.exestayed
blocked and SharePoint'sSPInstallPrereqsfailed. The extracted content is
now unblocked recursively.
- SQL Server TCP/IP protocol is now enabled, not just its port (#29)
CfgAppSqlset the IPAll TCP port but never enabled the TCP/IP protocol, so
Configuration Manager showed TCP/IP = Disabled and the instance listened on no
TCP port — SharePoint and remote clients failed with "SQL Server does not exist
or access denied". ASqlProtocolresource now enables TcpIp (with a service
restart) before the port is set.
- CfgAppSps CU references now match the package manifest (#28)
- The SharePoint (
UberCumulativeUpdate) and OOS (CUFileName) cumulative
updates referenced byCfgAppSps.psd1pointed at older KBs than
Initialize-SoftwarePackages.psd1downloads, so a fresh farm's patch step
looked for a CU that was never fetched. Aligned to the downloaded CUs
(SharePointkb5002863, OOSkb5002871).
- The SharePoint (
- Dashboard shows a node's last real state while a run is in flight (#34)
- A node whose LCM is mid-consistency-check has an in-progress report on top
(no Status, sentinelEndTime); the dashboard picked it and showedUnknown,
hiding the real state. It now selects the most recent report with a definitive
Status (Success/Failure).
- A node whose LCM is mid-consistency-check has an in-progress report on top
- Dashboard renders node errors and timestamps cleanly (#25)
- Failed-node error banners showed raw report JSON with undecoded
\uXXXX
escapes; they now display the human-readableErrorMessage. A node with no
valid report yet (e.g. midUpdate-DscConfiguration) showed the sentinel
date1899-12-30; it now renders—.
- Failed-node error banners showed raw report JSON with undecoded
- CfgAppSql no longer creates a duplicate SqlLogin for the FARM account (#24)
- When the farm account is also a SQL sysadmin (the default posture), the
SQLSysAdministratorsloop and the separateMIDDLEWARE_SqlLogin_FARMblock
created twoSqlLoginresources for the same login, which DSC rejected with
"conflicting values of PsDscRunAsCredential". The FARM login is now created
only when it is not already inSQLSysAdministrators, and the dependent
dbcreator / securityadminSqlRolegrants point at whichever login exists.
- When the farm account is also a SQL sysadmin (the default posture), the
- SQL configuration resources run under a SQL sysadmin account (#26)
SqlLogin/SqlRole/SqlMemory/SqlMaxDop/SqlProtocolTcpIPran
withPsDscRunAsCredential = $ADSETUP, whichSqlSetupnever grants sysadmin,
so every SQL resource failed with "Failed to connect to SQL instance"
(SQLCOMMON0019). They now run under$SETUP(a member of the default
SQLSysAdministrators, so a sysadmin from install).
- PDC
WaitForADDomainno longer loops after a new-forest promotion (#17)- Removed
Credential = $ADSETUP/WaitForValidCredentials = $truefrom
WaitForADDomain WaitForDCReady: on the DC itself (running as SYSTEM) that
impersonated a domain account this configuration has not created yet, so the
resource never found the DC and loopedWaitTimeout×RestartCount.
- Removed
- Pull server MOF can now be applied when document encryption is enabled (#20)
- Added
CertificateID = $Node.Thumbprintto the pull server's
LocalConfigurationManagerblock (matching SQL/SPS/PDC), so the LCM can
decrypt the encrypted MOF instead of failing with "The Local Configuration
Manager is not configured with a certificate". The pull quick-start now also
documents theSet-DscLocalConfigurationManagermeta-config step.
- Added
- Pull server resolves its own certificate paths locally (#22)
CfgAppPull.ps1derives theDscPull.cer/.pfxpaths from the local
Data drive (<Drives.Data>\<share leaf>, e.g.F:\SoftwarePackages) instead
of its own UNC share, removing a chicken-and-egg (the share is published by
the same MOF, so the UNC did not resolve at first apply andxDscWebService
failed on the0000…sentinel thumbprint). The other configurations keep
reading from the UNC share.
Changelog
A full list of changes in each version can be found in the change log
v1.4.0
SPSConfigKit - Release Notes
[1.4.0] - 2026-07-06
Added
- Automatic data-disk initialisation during node bootstrap (#15)
- New
scripts/init/Initialize-DscDisks.ps1prepares a node's data disks from
the sameNonNodeData.Disksblock the configuration uses (read via
-ConfigPath). It onlines each raw non-OSdisk, applies a GPT partition,
NTFS-formats it with the requestedFSLabel/AllocationUnitSizeand
assigns the drive letter — so a brand-new farm has its volumes before
anything writes to them, with no manualGet-Disk/Format-Volumestep.
Disk preparation is a one-time node-prep action, so it runs during bootstrap
(like the domain join and module install) rather than inside the recurring
application MOF. The script uses native Windows Storage cmdlets (no extra DSC
module), is idempotent, and is non-destructive — a disk already carrying
data is reported and left intact, never reformatted. - Every configuration (
CfgAppSql/CfgAppSps/CfgAppPdc/CfgAppPull)
declares its physical disks in a new authoritativeNonNodeData.Disksarray
(Id/Letter/Type/FSLabel/AllocationUnitSize). Disks are keyed
by disk Number (Get-Disk), portable across bare-metal, VMware, Hyper-V
and Azure — not an Azure LUN. TheOSdisk (Type = 'OS') is never touched. - New
NonNodeData.ManageDisksboolean (default$true). Set it to$false
when the customer manages their own storage:Initialize-DscDisks.ps1then
does nothing, but the derivedDriveshashtable is still produced so every
path resolves.
- New
Changed
NonNodeData.Drivesis now DERIVED, not hand-written (#15)- Each
Cfg*.ps1buildsNonNodeData.Drives = @{ Data; Logs; Temp }from the
newDisksarray (keyed byType) immediately after loading the psd1, so a
drive letter is declared exactly once (inDisks) instead of duplicated.
All existingDrives.Data/Drives.Logs/Drives.Tempconsumers keep
working unchanged;Tempfalls back to theDataletter when no dedicated
Tempdisk is declared. FSLabels follow an UPPERCASE convention
(SYSTEM/DATA/LOGS/TEMP), and every tier declares at least the
three baseline disks. SQLDATA/LOGSvolumes use a64KBallocation
unit size per SQL Server best practice. ConfigData.Tests.ps1derivesDrivesfromDisksthe same way and adds a
NonNodeData Diskscheck block (required per-disk keys, oneOSdisk,
uniqueIds andLetters,SYSTEM/DATA/LOGSpresent).
- Each
Changelog
A full list of changes in each version can be found in the change log
v1.3.1
SPSConfigKit - Release Notes
[1.3.1] - 2026-07-02
Changed
- Sample share host moved off the domain controller (#13)
- Every sample and wiki reference to the
SoftwarePackagesshare now points at
\\PULL\Softwarepackages(a member server) instead of\\PDC1\Softwarepackages
(the domain controller). The v1.2.2 docs already required hosting the share on
a member server — a node holds a machine session to the DC, and Windows refuses
a second identity to the same server, so a share on the DC fails at apply with
"Access is denied" — but the samples still pointed at the DC.
- Every sample and wiki reference to the
- Certificate paths are now DRY (#13)
CfgAppSql/CfgAppSps/CfgAppPdc/CfgAppPullpsd1 cert entries carry only
the.cer/.pfxfile name (CerFileName/PfxFileName); the full path
is derived by the Cfg*.ps1 scripts from the singleNonNodeData.SourcePath.
The share host is therefore declared exactly once per configuration — changing
servers is a one-line edit and theSourcePath/CertPathdivergence that
caused earlier PDC1↔PULL mismatches can no longer happen. An explicit
CertPath/PfxPathon an entry is still honoured (backward compatible).
NonNodeData.SourcePathwas added to the PDC and PULL configurations, and the
ConfigData.Tests.ps1cert checks accept either the file-name or explicit-path
form.
Changelog
A full list of changes in each version can be found in the change log
v1.3.0
SPSConfigKit - Release Notes
[1.3.0] - 2026-07-02
Added
scripts/dashboard/SPSDscDashboard.ps1+SPSDscDashboard.psd1(#6, #8, #9, #10, #11)- New DSC compliance dashboard tool, driven by
-Actionand configured by a
trackedSPSDscDashboard.psd1settings file (matching the SPSWakeUp-Action
and SPSUserSync.psd1conventions). Actions:Defaultgenerates a
self-contained, dependency-freeDashboard.html(inline CSS/JS, SVG donut — no
CDN) classifying every node as Compliant / Non-Compliant / Failed /
Unresponsive with drift counts, last-report time, a per-node detail view and a
persisted OS-aware light/dark theme toggle;Installregisters/updates a
Scheduled Task that refreshes it on a schedule into the IIS-served folder;
Uninstallremoves it.-MockDataPathrenders offline. The node list comes
from a shared manifest folder (populated byCfgLcmPull.ps1) queried via the
keyed OData endpointNodes(AgentId='…')/Reports, because the classic pull
server's OData API cannot enumerate nodes —GET /Nodesreturns HTTP 400
"resourceKeys is unexpected for MSFT.DSCNode" (#8). The refresh schedule
enforces a 30-minute floor: nodes only report on their LCM consistency interval
(typically 60-120 min), so a shorter refresh adds load without newer data (#10).
Runs the task as SYSTEM by default; supports a domainRunAsUserfor remote
manifests. (Consolidates the earlierNew-SPSDscDashboard.ps1and
Register-SPSDscDashboardTask.ps1into one-Action-driven script (#11).)
The script exposes only-Action,-InstallAccountand-InputFile; every
other setting lives in the trackedSPSDscDashboard.psd1. The refresh task is
created in the\SharePoint\Task Scheduler folder (configurable via
Schedule.TaskPath), alongside the other SPS* project tasks.
- New DSC compliance dashboard tool, driven by
scripts/dashboard/README.mdandscripts/dashboard/samples/- Dashboard documentation plus a
mock-data.jsonfixture andNew-MockData.ps1
so the page can be generated and reviewed without a live pull server.
- Dashboard documentation plus a
Changed
scripts/pull/CfgLcmPull.ps1(#7, #8)- Enriched the LCM pull registration: added
-UpdateNow(trigger the first pull
immediately so the node applies its config and sends its first status report
right away) and-DomainDefaultsPath, which resolves-DSCRegistrationKey/
-DSCPullServerUrlper Active Directory domain from a git-ignored
CfgLcmPull.DomainDefaults.psd1(template*.sample.psd1tracked). HTTPS/443
and theReportServerWebblock are kept so nodes report to the dashboard. - Added
-NodeManifestPath: after registering, each node publishes a
<NodeName>.json(NodeName + AgentId + ConfigurationNames) to a shared folder
so the compliance dashboard can enumerate nodes (also resolvable per-domain via
theNodeManifestPathkey in the defaults file).
- Enriched the LCM pull registration: added
Changelog
A full list of changes in each version can be found in the change log
v1.2.2
SPSConfigKit - Release Notes
[1.2.2] - 2026-07-02
Fixed
- LCM decryption certificate (
CertificateID)- Since 1.2.0 made MOF encryption mandatory, every node's MOF carries encrypted
credentials, but no LCM configuration told the LCM which certificate to
decrypt them with.Start-DscConfiguration/Test-DscConfigurationfailed
on the first resource with "The Local Configuration Manager is not configured
with a certificate".CfgAppSql.ps1,CfgAppSps.ps1andCfgAppPdc.ps1now
setLocalConfigurationManager.CertificateID = $Node.Thumbprint, and
CfgLcmPull.ps1setsSettings.CertificateID(resolved from the local
CN=DSC Encryptioncertificate or the new-CertificateThumbprint).
- Since 1.2.0 made MOF encryption mandatory, every node's MOF carries encrypted
- Share-copy credential harmonised on
$SETUP- The
Fileresources that copy binaries from the SoftwarePackages share used
three different accounts ($PULLSETUPin SQL,$ADSETUPfor the SharePoint
and OOS copies). They now all use$SETUP(svcspssetup), so a single account
needs Read on the share. Genuine Active Directory operations keep$ADSETUP.
- The
Initialize-DscEncryption.ps1certificate drift- The script always re-exported the public
.cerbut only exported the private
.pfxwhen-PfxPasswordwas supplied, so rotating without it left a stale
.pfxand nodes failed with "Decryption failed".-Forcenow requires
-PfxPassword, and the script verifies the.cer, the.pfxand the active
certificate all share one thumbprint.
- The script always re-exported the public
Added
Initialize-DscNode.ps1hardening- Post-import validation that the certificate installed in the node's store
matches the share's.certhumbprint (and has its private key), flagging the
mismatch that otherwise surfaces later as "Decryption failed". -PullMode/-SkipModulesswitches to skip the localInstall-Modulephase
(in Pull mode the pull server serves the modules as.zippackages).-ShareAccessCredentialto verify the share-copy account can actually read
the SoftwarePackages share before the DSC apply does.
- Post-import validation that the certificate installed in the node's store
CfgLcmPull.ps1:-CertificateThumbprint/-CertificateSubjectparameters to
control the LCM decryption certificate lookup.
Changed
- Wiki (
Securing-Credentials,Usage,Getting-Started)- Document that the LCM
CertificateIDmust be set (apply the*.meta.mofwith
Set-DscLocalConfigurationManagerbefore pushing), the-Force/-PfxPassword
rotation guard-rail, hosting the SoftwarePackages share on a member server
(not a domain controller) withsvcspssetupRead, and running
Initialize-DscEncryption.ps1on the authority host only. New troubleshooting
rows for "LCM is not configured with a certificate" and "Decryption failed".
- Document that the LCM
Changelog
A full list of changes in each version can be found in the change log
v1.2.1
SPSConfigKit - Release Notes
[1.2.1] - 2026-07-02
Fixed
scripts/pull/CfgAppPull.ps1- Removed the
Script MIDDLEWARE_PullServer_DscServiceAclresource that granted
the pull-server AppPool identity write access to the DSC service folder via
Get-Acl/Set-Acl. That folder is owned byNT SERVICE\TrustedInstaller
and grants SYSTEM / Administrators only Modify (no Change-Permissions /
WRITE_DAC), soSet-Aclfailed at apply time with
"Attempted to perform an unauthorized operation" — breaking the whole PULL
Start-DscConfigurationrun. The grant is now a dedicated post-configuration
script (see Added) that takes ownership first, which the DSC consistency loop
should not do.
- Removed the
Added
scripts/pull/Set-SPSPullServerPermission.ps1- New one-shot, elevated post-configuration script that grants the pull-server
AppPool identity Modify on the DSC service folder (takeown /athen
icacls /grant …:(OI)(CI)M), so the ESENT repository (Devices.edb) can be
created. The AppPool identity is resolved fromSecrets.psd1(IISPULLAPP)
by default so it always matches the accountCfgAppPull.ps1assigns, with
-AppPoolIdentityas an explicit override. Idempotent,-WhatIf-aware, and
parameterised by-SecretsFile/-AppPoolSecretName/-DscServicePath/
-TakeOwnership, with a final verification.
- New one-shot, elevated post-configuration script that grants the pull-server
scripts/pull/Publish-SPSPullModules.ps1- New script that packages the pinned DSC resource modules as
<Name>_<Version>.zip+ checksum into the pull server'sModulesfolder, so
Pull-mode nodes can download the resources their MOF imports (without them the
LCM fails at apply time with "could not find the module"). Reads the module
list fromInitialize-DscNode.psd1by default, or derives it from a
configuration'sImport-DscResourcelines via the AST with
-ConfigurationScriptPath(replacing the fragile string-matching of the older
ad-hocPrepareModules.ps1). Idempotent,-WhatIf-aware, and parameterised by
-ManifestPath/-ModulePath/-SourceModulesPath.
- New script that packages the pinned DSC resource modules as
scripts/pull/README.md- Documents the end-to-end pull workflow (stand up server → grant permission →
publish modules → publish MOFs → register LCMs with-UpdateNow→ watch the
dashboard) and why the ACL grant is a separate privileged step rather than a
DSC resource.
- Documents the end-to-end pull workflow (stand up server → grant permission →
.gitignore- Added a properly tracked
.gitignore(ignoring.vscode/,**/.DS_Store,
and the realCfgLcmPull.DomainDefaults.psd1), dropping the historical
self-ignore line that kept.gitignoreuntracked across branches.
- Added a properly tracked
Changed
wiki/Usage.md- The pull-server option now documents the mandatory
Set-SPSPullServerPermission.ps1step and points atscripts/pull/README.md.
- The pull-server option now documents the mandatory
Changelog
A full list of changes in each version can be found in the change log
v1.2.0
SPSConfigKit - Release Notes
[1.2.0] - 2026-07-01
Added
scripts/test/MofEncryption.Tests.ps1/scripts/test/Invoke-MofEncryptionTest.ps1- New post-compile Pester v5 guard-rail that scans compiled MOF files and fails
(exit code 1) if any credentialPasswordvalue is not a CMS-encrypted blob,
or if a credential-bearing MOF is missing theContentType="PasswordEncrypted"
marker. Catches the most dangerous DSC mistake — shipping a MOF whose
credentials were compiled in clear text — and is wired for CI / release gates.
- New post-compile Pester v5 guard-rail that scans compiled MOF files and fails
wiki/Securing-Credentials.md- New dedicated page documenting why MOF credential encryption is mandatory, the
end-to-end flow (Initialize-DscEncryption→ import.pfxper node → compile →
verify), the clear-text-vs-CMS before/after, certificate rotation with-Force,
and a troubleshooting table.
- New dedicated page documenting why MOF credential encryption is mandatory, the
.editorconfig- Locks repository encoding and formatting:
*.ps1/*.psd1/*.psm1are
utf-8-bom(Windows PowerShell 5.1 reads a BOM-less file as ANSI, corrupting
non-ASCII characters at runtime);*.md/*.yml/*.yaml/*.jsonstay
BOM-less (YAML linters anddsc.exereject a BOM).
- Locks repository encoding and formatting:
Changed
scripts/test/ConfigData.Tests.ps1- The wildcard AllNodes baseline check no longer requires
PSDscAllowPlainTextPassword = $true— which wrongly failed a secured
configuration (the state left byInitialize-DscEncryption.ps1). It now
validates the encrypted branch instead: when
PSDscAllowPlainTextPassword = $false, the wildcard must carry a
CertificateFileand a 40-hex-charThumbprint; when the config isn't yet
encrypted it is skipped with a reminder (the post-compile MofEncryption
guard-rail is the hard gate).
- The wildcard AllNodes baseline check no longer requires
- Encoding — every
*.ps1/*.psd1underscripts/is now UTF-8 with BOM
(13 previously BOM-less files converted; the 4 already-BOM files unchanged), so
Windows PowerShell 5.1 always reads them as UTF-8. No functional content change. README.md- New Security section stating that credentials are encrypted and that
compiling them in clear text is not a supported configuration, with the
four-step mandatory flow and a link to the new wiki page.
- New Security section stating that credentials are encrypted and that
wiki/Getting-Started.md- Certificate generation (step 3) is now flagged mandatory with a security
call-out; a new post-compile step runsInvoke-MofEncryptionTest.ps1as a gate.
- Certificate generation (step 3) is now flagged mandatory with a security
wiki/Usage.md- New "Verify the MOFs are encrypted" gate documented right after compilation.
Changelog
A full list of changes in each version can be found in the change log