The Local Configuration Manager is not configured with a certificate.

    Hey guys,

    On push and pull models I'm having an issue with encryption. When the configuration runs I receive the following error:
    The Local Configuration Manager is not configured with a certificate Or decryption failed. I have followed the Microsoft guide to create the certificate, with the certificate created on the target node and the public key exported to the authoring node. I have created the certificate from ADCS 2012 R2 PKI.

    The guest is Server 2012 R2.

    I have tried to move the "certificateid" from ConfigurationRepositoryWeb to Settings on the LCM; no difference.

    In Event Viewer I can see the below event:

    event id 4257
    Job {B5C48003-44EA-11E6-80EB-001DD8B75749} : 
    MIResult: 6
    Error Message: The Local Configuration Manager is not configured with a certificate. Resource '[File]exampleFile' in configuration 'CredentialEncryptionExample' cannot be processed.
    Message ID: MI RESULT 6
    Error Category: 13
    Error Code: 6
    Error Type: MI

    PS C:\Windows\system32> $PSVersionTable
    Name                           Value
    ----                           -----
    PSVersion                      5.0.10586.117
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
    BuildVersion                   10.0.10586.117
    CLRVersion                     4.0.30319.34014
    WSManStackVersion              3.0
    PSRemotingProtocolVersion      2.3

    The below configuration is just testing to see if it was an error in my real configuration.

    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName        = "TPKI01"
                # Public key (.cer) used to encrypt credentials for this node
                CertificateFile = "C:\temp\TPKI01.cer"
                Thumbprint      = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint
            }
        )
    }

    configuration CredentialEncryptionExample
    {
        param(
            [Parameter(Mandatory = $true)]
            [PsCredential] $credential
        )

        Node $AllNodes.NodeName
        {
            File exampleFile
            {
                SourcePath = "\\TPKI01\D$\PKI\ING_IntCA1+.crl"
                DestinationPath = "C:\temp\"
                Credential = $credential
            }

            LocalConfigurationManager {
                CertificateID = $node.Thumbprint
            }
        }
    }

    Write-Host "Generate DSC Configuration..."
    CredentialEncryptionExample -ConfigurationData $ConfigData -OutputPath \\sofs\dsc\AU\Configuration

    $nodes = 'TPKI01'
    Write-Verbose  (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint
    foreach  ($item in $nodes) {
        # Meta-configuration for the node's LCM
        [DSCLocalConfigurationManager()]
        configuration PullClientConfigID
        {
            Node $item
            {
                Settings
                {
                    RefreshMode = 'Pull'
                    RefreshFrequencyMins = 30
                    RebootNodeIfNeeded = $True
                    DebugMode = 'ALL'
                    AllowModuleOverWrite = $false
                    #CertificateID = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint
                }
                ConfigurationRepositoryWeb PullSrv
                {
                    ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey = 'd7d29e47-FFFF-402b-9553-d331713d96bc'
                    AllowUnsecureConnection = $false
                    CertificateID = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint
                    ConfigurationNames = @("$item")
                }
                ReportServerWeb PullSrv
                {
                    ServerURL = 'https://DSC:8080/PSDSCPullServer.svc'
                    RegistrationKey = 'd7d29e47-1a46-402b-9553-d331713d96bc'
                }
            }
        }
        PullClientConfigID -verbose
        Set-DSCLocalConfigurationManager -Path .\PullClientConfigID -Verbose -force -ComputerName $item
    }

    Target node LCM

    ActionAfterReboot              : ContinueConfiguration
    AgentId                        : 21631C66-1A6C-11E6-80E6-001DD8B75749
    AllowModuleOverWrite           : False
    CertificateID                  : 
    ConfigurationDownloadManagers  : {[ConfigurationRepositoryWeb]PullSrv}
    ConfigurationID                : 
    ConfigurationMode              : ApplyAndMonitor
    ConfigurationModeFrequencyMins : 15
    Credential                     : 
    DebugMode                      : {All}
    DownloadManagerCustomData      : 
    DownloadManagerName            : 
    LCMCompatibleVersions          : {1.0, 2.0}
    LCMState                       : PendingConfiguration
    LCMStateDetail                 : 
    LCMVersion                     : 2.0
    StatusRetentionTimeInDays      : 10
    PartialConfigurations          : 
    RebootNodeIfNeeded             : True
    RefreshFrequencyMins           : 30
    RefreshMode                    : Pull
    ReportManagers                 : {[ReportServerWeb]PullSrv}
    ResourceModuleManagers         : {}
    PSComputerName                 : TPKI01
    PSComputerName                 : TPKI01
    ResourceId              : [ConfigurationRepositoryWeb]PullSrv
    SourceInfo              : ::53::13::ConfigurationRepositoryWeb
    AllowUnsecureConnection : True
    CertificateID           : 
    ConfigurationNames      : {TPKI01}
    RegistrationKey         : 
    ServerURL               : https://DSC:8080/PSDSCPullServer.svc
    PSComputerName          : TPKI01
    @GenerationDate=07/08/2016 18:46:03
    instance of MSFT_Credential as $MSFT_Credential1ref
     UserName = "corp\\svc_dsc";
    instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
    ResourceID = "[File]exampleFile";
     Credential = $MSFT_Credential1ref;
     DestinationPath = "C:\\temp\\";
     ModuleName = "PSDesiredStateConfiguration";
     SourceInfo = "::21::9::File";
     SourcePath = "\\\\tpki01\\D$\\PKI\\ING_IntCA1+.crl";
    ModuleVersion = "1.0";
     ConfigurationName = "CredentialEncryptionExample";
    instance of OMI_ConfigurationDocument
                            MinimumCompatibleVersion = "1.0.0";
                            CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
                            GenerationDate="07/08/2016 18:46:03";

    certificate on the pullserver/authoring node

    tpki01.corp.intranet}                                                  {Document Encryption (}             6/07/2018 3:05:11 PM           False System.Security.Cryptography.Oid CN=tpki01..

    any ideas?



    Hey Nathan! There are a lot of things that can cause this, but let's start at the beginning. What type of certificate did you issue and did you add Document Encryption to the certificate before issuing?


    tpki01.corp.intranet} {Document Encryption (}

    Isn't this only for PSv4?

    LocalConfigurationManager {
        CertificateID = $node.Thumbprint

    Also, I don't know if the following will work from within $ConfigData, either. The example in the documentation is done differently.

    Thumbprint = (get-childitem -path  Cert:\LocalMachine\My |  ?{$_.subject -like "*$item*"}).Thumbprint

    Won't all of that run locally? And it won't know what $item is, because it hasn't been set yet.

    Basically, I'm worried some parts are being implemented from Cert generated on Authoring node, and others from Cert generated on Client node.

    Sadly the documentation is very confusing:

    Hey Jason!

    Thanks for taking a look at my messy post.

    I believe I duplicated my web server certificate template. But I did do the following to the template before issuing:
    1. Removed Client and Server Authentication and added Document Encryption.
    2. Removed Digital Signature from key usage.
    3. Allow Key Exchange only with key encryption (Key Encipherment) and Allow encryption of user data.
    4. Provider Category is Key Storage Provider – RSA – 2048 Bits – request hash of SHA256



    Change the provider to Microsoft RSA SChannel Cryptographic Provider and put the certificate on the CertificateID on the LCM, not the certificate ID on the ConfigRepositoryWeb.

    Good luck!
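
One way to check, on the target node, the two things the answer above changes (the key's provider and the LCM's own CertificateID) along with the Document Encryption usage discussed earlier in the thread. This is an added example, not code from any poster; the function name `Test-DscEncryptionCertificate` is hypothetical, and the provider check is a heuristic that assumes Windows PowerShell 5.

```powershell
# Added example: hypothetical helper. Run on the target node in an elevated session:
#   Test-DscEncryptionCertificate -Thumbprint '<thumbprint of the node certificate>'
function Test-DscEncryptionCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Thumbprint
    )

    $docEncryptionOid = '1.3.6.1.4.1.311.80.1'   # Document Encryption EKU
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Key usage flags (the template in the thread allows key and data encipherment).
    $usageExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    }
    $usages = if ($usageExt) { [string] $usageExt.KeyUsages } else { 'None' }

    # Heuristic: a legacy CSP key exposes CspKeyContainerInfo; a key held in a CNG
    # Key Storage Provider usually gives $null or throws here on Windows PowerShell.
    $provider = $null
    try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }

    # CertificateID as the LCM reports it (its Settings, not ConfigurationRepositoryWeb).
    $lcmCertId = (Get-DscLocalConfigurationManager).CertificateID

    [pscustomobject]@{
        Subject               = $cert.Subject
        HasPrivateKey         = $cert.HasPrivateKey
        HasDocumentEncryption = @($cert.EnhancedKeyUsageList.ObjectId) -contains $docEncryptionOid
        KeyUsages             = $usages
        CspProviderName       = $provider
        LcmCertificateId      = $lcmCertId
        LcmMatchesCertificate = ($lcmCertId -eq $cert.Thumbprint)
    }
}
```

A blank `CspProviderName` alongside `HasPrivateKey = True` is consistent with the Key Storage Provider template described in the thread, and an empty `LcmCertificateId` matches the `CertificateID` field in the LCM output posted in the question.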

    Hey Missy,

    That did the trick! Thanks for your help.



