While working on a new setup, we had to deploy some binaries on a server using DSC.
To make the process scale for many machines, we created a network share to host the binaries in order to centralize the access. In the DSC world, this meant we had 2 options :
1- Add the computer account of each machine accessing the share in the permissions of the share.
2- Use the encryption feature in DSC (define an account in the MOF in order to access the share)
During the testing phase, everything went well. The configuration was as is :
Authoring machine : Windows 10, Powershell 5.1.14393.693
Target machine : Server 2016, Powershell 5.1.14393.0
We then deployed the configuration on a Windows Server 2012 R2 and the LCM kept getting in error, throwing the message “Decryption failed. LCM failed to start desired state configuration manually.”
Digging a little deeper in the ‘Microsoft-Windows-Desired State Configuration/Operational’ event log, just before the “Decryption failed” error, another error was caught :
“Message Invalid provider type specified.”
With the help of the Internet and some querying, I was able to “decrypt” our issue. I began by reading this nice article :
Which led me to review the certificate we used for the DSC encryption.
The initial setup was using a CA issued custom certificate we created following Microsoft’s recommendation stated here :
And since we wanted to follow the MS’ Best practices, we configured our certificate template using the provider ‘Microsoft RSA SChannel Cryptographic Provider’.
The caveat with this configuration is that Windows Server 2012 R2 doesn’t know how to decrypt anything using the ‘Microsoft RSA SChannel Cryptographic Provider‘. Even if you deploy WMF 5.1 Preview, it won’t help.
If you use the Self-Signed certificate generator script, it will work flawlessly because it actually uses the legacy provider named ‘Legacy Cryptographic Service Provider‘.
Either you create a certificate template using the Provider category ‘Legacy Cryptographic Service Provider’ thus not following Microsoft’s certificate requirements or you use only self-signed certificate using the custom script or you upgrade your OS to Windows 2016.