v1.2.0
SPSConfigKit - Release Notes
[1.2.0] - 2026-07-01
Added
scripts/test/MofEncryption.Tests.ps1/scripts/test/Invoke-MofEncryptionTest.ps1- New post-compile Pester v5 guard-rail that scans compiled MOF files and fails
(exit code 1) if any credentialPasswordvalue is not a CMS-encrypted blob,
or if a credential-bearing MOF is missing theContentType="PasswordEncrypted"
marker. Catches the most dangerous DSC mistake — shipping a MOF whose
credentials were compiled in clear text — and is wired for CI / release gates.
- New post-compile Pester v5 guard-rail that scans compiled MOF files and fails
wiki/Securing-Credentials.md- New dedicated page documenting why MOF credential encryption is mandatory, the
end-to-end flow (Initialize-DscEncryption→ import.pfxper node → compile →
verify), the clear-text-vs-CMS before/after, certificate rotation with-Force,
and a troubleshooting table.
- New dedicated page documenting why MOF credential encryption is mandatory, the
.editorconfig- Locks repository encoding and formatting:
*.ps1/*.psd1/*.psm1are
utf-8-bom(Windows PowerShell 5.1 reads a BOM-less file as ANSI, corrupting
non-ASCII characters at runtime);*.md/*.yml/*.yaml/*.jsonstay
BOM-less (YAML linters anddsc.exereject a BOM).
- Locks repository encoding and formatting:
Changed
scripts/test/ConfigData.Tests.ps1- The wildcard AllNodes baseline check no longer requires
PSDscAllowPlainTextPassword = $true— which wrongly failed a secured
configuration (the state left byInitialize-DscEncryption.ps1). It now
validates the encrypted branch instead: when
PSDscAllowPlainTextPassword = $false, the wildcard must carry a
CertificateFileand a 40-hex-charThumbprint; when the config isn't yet
encrypted it is skipped with a reminder (the post-compile MofEncryption
guard-rail is the hard gate).
- The wildcard AllNodes baseline check no longer requires
- Encoding — every
*.ps1/*.psd1underscripts/is now UTF-8 with BOM
(13 previously BOM-less files converted; the 4 already-BOM files unchanged), so
Windows PowerShell 5.1 always reads them as UTF-8. No functional content change. README.md- New Security section stating that credentials are encrypted and that
compiling them in clear text is not a supported configuration, with the
four-step mandatory flow and a link to the new wiki page.
- New Security section stating that credentials are encrypted and that
wiki/Getting-Started.md- Certificate generation (step 3) is now flagged mandatory with a security
call-out; a new post-compile step runsInvoke-MofEncryptionTest.ps1as a gate.
- Certificate generation (step 3) is now flagged mandatory with a security
wiki/Usage.md- New "Verify the MOFs are encrypted" gate documented right after compilation.
Changelog
A full list of changes in each version can be found in the change log