
Unable to restore with certificate in Cert:\CurrentUser\My #3200

Closed
leitzler opened this issue Apr 21, 2023 · 4 comments
Labels: Documentation, Enhancement (New feature or request)

@leitzler

Details of the scenario you tried and the problem that is occurring

I exported a clean developer tenant with default sample data using certificate thumbprint and Full mode:

$Cert = Import-PfxCertificate -FilePath C:\Cert\foobar.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $CertPassword
Export-M365DSCConfiguration -CertificateThumbprint $Cert.Thumbprint -TenantId <redacted>.onmicrosoft.com -ApplicationId 01234567-890a-bcde-f012-34567890abcd -Path full -Mode Full -MaxProcesses 64

Note that the certificate is imported to Cert:\CurrentUser\My.

After workarounds for #3179, #3181, #3193 & #3182 (removed/renamed duplicates or invalid entries before convert) I ran a restore:

Start-DSCConfiguration -Path C:\full\M365TenantConfig -Wait -Verbose -Force

It outputs a load of errors, indicating that the certificate can't be found. It seems like the export works fairly fine with a certificate in Cert:\CurrentUser\My while restore requires Cert:\LocalMachine\My:

Cannot find path '\LocalMachine\My\C2A6BF407F46E8EAA7C3FC7D182AE9E164AC1EB9' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\LocalMachine\M...82AE9E164AC1EB9:) [], CimException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
    + PSComputerName        : localhost

VERBOSE: [701AE4068A8E]: LCM:  [ End    Test     ]  [[AADApplication]AADApplication-DSC test]  in 9.3120 seconds.
PowerShell DSC resource MSFT_AADApplication  failed to execute Test-TargetResource functionality with error message: Must specify 'CertificateThumbprint or CertificateName or Certificate'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost
Cannot find path '\LocalMachine\My\C2A6BF407F46E8EAA7C3FC7D182AE9E164AC1EB9' because it does not exist.
    + CategoryInfo          : ObjectNotFound: (\LocalMachine\M...82AE9E164AC1EB9:) [], CimException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
    + PSComputerName        : localhost
PowerShell DSC resource MSFT_AADGroup  failed to execute Test-TargetResource functionality with error message: Must specify 'CertificateThumbprint or CertificateName or Certificate'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

Verbose logs showing the problem

See above.

Suggested solution to the issue

Consistent certificate store support between export and restore.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Using a Windows Server Core container, mcr.microsoft.com/windows/servercore:1809-amd64.

Install-PackageProvider -Name NuGet -Force
Install-Module Microsoft365DSC -Force
Update-M365DSCDependencies

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}
$PSVersionTable
Name                           Value
----                           -----
PSVersion                      5.1.17763.3770
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.3770
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.412.1 Microsoft365DSC                     PSGallery            This DSC module is used to configure and monitor Microsoft tenants, including SharePoint Online, Exchange, Teams, etc.
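Before running Start-DSCConfiguration, a practitioner wants to know whether every thumbprint the compiled MOF references is actually present, with its private key, in the store the LCM will read. The pre-flight check below is an added example, not code from this issue or from Microsoft365DSC; it assumes the compiled MOF carries the property as a standard DSC MOF line of the form CertificateThumbprint = "..."; and that the LCM reads Cert:\LocalMachine\My, as the errors above indicate. The configuration path and the function name are illustrative.

```powershell
# Added example (not from the issue or Microsoft365DSC): scan compiled MOF files for
# CertificateThumbprint values and check each against the LCM's certificate store.
function Test-DscCertificateThumbprints {
    param(
        [Parameter(Mandatory)][string]$ConfigurationPath,
        # Assumption: Start-DscConfiguration runs the LCM as LocalSystem, so this is the store it reads.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    # Assumption about MOF layout: property lines look like  CertificateThumbprint = "C2A6...";
    $pattern = 'CertificateThumbprint\s*=\s*"([0-9A-Fa-f]{40})"'

    $mofFiles = Get-ChildItem -Path $ConfigurationPath -Filter *.mof -File
    if (-not $mofFiles) { throw "No .mof files found under $ConfigurationPath" }

    $thumbprints = foreach ($mof in $mofFiles) {
        foreach ($line in Get-Content -Path $mof.FullName) {
            if ($line -match $pattern) { $Matches[1].ToUpperInvariant() }
        }
    }
    $thumbprints = $thumbprints | Sort-Object -Unique

    # Index the store once by thumbprint (the provider reports thumbprints in upper-case hex).
    $store = @{}
    Get-ChildItem -Path $StorePath | ForEach-Object { $store[$_.Thumbprint.ToUpperInvariant()] = $_ }

    foreach ($tp in $thumbprints) {
        $cert = $store[$tp]
        $hasKey   = if ($cert) { $cert.HasPrivateKey } else { $false }
        $notAfter = if ($cert) { $cert.NotAfter }      else { $null }
        [pscustomobject]@{
            Thumbprint    = $tp
            Store         = $StorePath
            Found         = [bool]$cert
            HasPrivateKey = $hasKey   # present but without a private key is just as useless for auth
            NotAfter      = $notAfter
        }
    }
}

# Usage: list every thumbprint the deployment will need that the LCM cannot use as-is.
# Run from an elevated session; the path is the one used in the issue above.
Test-DscCertificateThumbprints -ConfigurationPath 'C:\full\M365TenantConfig' |
    Where-Object { -not $_.Found -or -not $_.HasPrivateKey } |
    Format-Table -AutoSize
```

An empty table means every referenced thumbprint resolves to a certificate with a private key in Cert:\LocalMachine\My. A row with Found = False is exactly the condition that produces the "Cannot find path '\LocalMachine\My\...'" errors quoted above; the check is cheaper than waiting for every resource's Test-TargetResource to fail in turn.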
@NikCharlebois
Collaborator

That is because the Export process doesn't leverage the DSC engine and acts as a normal PowerShell script impersonating the current user whereas the Start-DSCConfiguration process starts a separate process that runs under the LocalSystem.

When doing an export, the certificate needs to be in the current user's store and for the deployment it needs to be in the Local System's one. It is unfortunately a limitation of how DSC works. One alternative option would be to add the PSDSCRunAsCredential parameter to every resource instance which will force the DSC process to impersonate the specified user and which I believe will make DSC look inside of that user's store instead.
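The split Nik describes can be handled by loading the certificate into both stores, and it can be verified with a throwaway DSC configuration that records which identity the LCM runs resources under and which store that identity can see. This is an added example, not the issue author's commands or Microsoft365DSC code: the PFX path, the probe output file and the configuration name are assumptions, the probe uses the built-in Script resource, and $using: inside its script blocks requires WMF 5 or later.

```powershell
# Added example (not from the issue or Microsoft365DSC). Run from an elevated session:
# importing into Cert:\LocalMachine\My and Start-DscConfiguration both need it.
$PfxPath = 'C:\Cert\foobar.pfx'                       # path from the issue; assumption for your host
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Export-M365DSCConfiguration runs as the logged-on user, so it reads CurrentUser\My.
$userCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPass

# 2. Start-DscConfiguration hands the MOF to the LCM, which runs as LocalSystem and reads LocalMachine\My.
$lmCert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPass

if ($userCert.Thumbprint -ne $lmCert.Thumbprint) { throw 'Imported certificates differ; check the PFX' }
$Thumbprint = $lmCert.Thumbprint

# 3. Probe: a Script resource, executed by the LCM, writes its own identity and whether it can
#    find the thumbprint in each store. $using: copies the outer values into the MOF at compile time.
Configuration LcmCertProbe {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$OutFile
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost {
        Script Probe {
            GetScript  = { @{ Result = (Get-Content -Path $using:OutFile -ErrorAction SilentlyContinue) } }
            TestScript = { $false }   # never "in desired state", so SetScript runs on every apply
            SetScript  = {
                $who       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                $inUser    = [bool](Get-ChildItem Cert:\CurrentUser\My  | Where-Object { $_.Thumbprint -eq $using:Thumbprint })
                $inMachine = [bool](Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $using:Thumbprint })
                "Identity=$who; CurrentUser\My=$inUser; LocalMachine\My=$inMachine" | Set-Content -Path $using:OutFile
            }
        }
    }
}

$probeDir  = Join-Path $env:TEMP 'LcmCertProbe'         # compiled MOF goes here (assumption)
$probeFile = Join-Path $env:TEMP 'lcm-cert-probe.txt'   # probe result (assumption)

LcmCertProbe -Thumbprint $Thumbprint -OutFile $probeFile -OutputPath $probeDir | Out-Null
Start-DscConfiguration -Path $probeDir -Wait -Force
Get-Content -Path $probeFile
```

The Identity field shows the account the LCM actually used for the resource, and the two store flags show why an export-time import alone is not enough: the CurrentUser\My the LCM sees belongs to that account, not to the user who ran the export. If deploying under the LCM's own identity is not acceptable, PsDscRunAsCredential on each resource instance, as suggested above, makes the LCM impersonate the given account, and the certificate then has to be in that account's user store instead; note that compiling a credential into a MOF requires either MOF encryption with a certificate or PSDscAllowPlainTextPassword in the configuration data, which is acceptable only in a lab.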

@leitzler
Author

I see! The workaround was simple for this issue as I just imported it to both locations.

@andikrueger
Collaborator

@leitzler Is this one resolved?

@leitzler
Author

Yes, unless someone wants it mentioned in documentation somewhere. It could be useful to avoid surprises. Otherwise feel free to close it. Thanks!
