v1.2.2
SPSConfigKit - Release Notes
[1.2.2] - 2026-07-02
Fixed
- LCM decryption certificate (
CertificateID)- Since 1.2.0 made MOF encryption mandatory, every node's MOF carries encrypted
credentials, but no LCM configuration told the LCM which certificate to
decrypt them with.Start-DscConfiguration/Test-DscConfigurationfailed
on the first resource with "The Local Configuration Manager is not configured
with a certificate".CfgAppSql.ps1,CfgAppSps.ps1andCfgAppPdc.ps1now
setLocalConfigurationManager.CertificateID = $Node.Thumbprint, and
CfgLcmPull.ps1setsSettings.CertificateID(resolved from the local
CN=DSC Encryptioncertificate or the new-CertificateThumbprint).
- Since 1.2.0 made MOF encryption mandatory, every node's MOF carries encrypted
- Share-copy credential harmonised on
$SETUP- The
Fileresources that copy binaries from the SoftwarePackages share used
three different accounts ($PULLSETUPin SQL,$ADSETUPfor the SharePoint
and OOS copies). They now all use$SETUP(svcspssetup), so a single account
needs Read on the share. Genuine Active Directory operations keep$ADSETUP.
- The
Initialize-DscEncryption.ps1certificate drift- The script always re-exported the public
.cerbut only exported the private
.pfxwhen-PfxPasswordwas supplied, so rotating without it left a stale
.pfxand nodes failed with "Decryption failed".-Forcenow requires
-PfxPassword, and the script verifies the.cer, the.pfxand the active
certificate all share one thumbprint.
- The script always re-exported the public
Added
Initialize-DscNode.ps1hardening- Post-import validation that the certificate installed in the node's store
matches the share's.certhumbprint (and has its private key), flagging the
mismatch that otherwise surfaces later as "Decryption failed". -PullMode/-SkipModulesswitches to skip the localInstall-Modulephase
(in Pull mode the pull server serves the modules as.zippackages).-ShareAccessCredentialto verify the share-copy account can actually read
the SoftwarePackages share before the DSC apply does.
- Post-import validation that the certificate installed in the node's store
CfgLcmPull.ps1:-CertificateThumbprint/-CertificateSubjectparameters to
control the LCM decryption certificate lookup.
Changed
- Wiki (
Securing-Credentials,Usage,Getting-Started)- Document that the LCM
CertificateIDmust be set (apply the*.meta.mofwith
Set-DscLocalConfigurationManagerbefore pushing), the-Force/-PfxPassword
rotation guard-rail, hosting the SoftwarePackages share on a member server
(not a domain controller) withsvcspssetupRead, and running
Initialize-DscEncryption.ps1on the authority host only. New troubleshooting
rows for "LCM is not configured with a certificate" and "Decryption failed".
- Document that the LCM
Changelog
A full list of changes in each version can be found in the change log