In a domain environment auto enrollment can be used to get create unique certificates for each node that can be used with DSC. The problem is getting the public cert to the machine that creates the DSC MOF files. I wrote a module last year to collect them directly form the Enterprise CA. If it interests you take a look https://blog.bladefirelight.com/nuggets/collecting-ca-certificates-for-dsc-configuration/
That looks pretty good. I have been meaning to get a certificate from a CA for other purposes…I need this for ansible. I will make use of this.