Issue with DSCFileDownloadManager Credentials
So, it seems as though in WMF 5.0 there is a regression in functionality. In WMF 4.0, you could set up a DSCFileDownloadManager and Credential to have a Target Node contact a Pull Server SMB Share and download new mof files and resources. Everything worked perfectly including Certificate based encryption of the credentials. However, in WMF 5, it seems as though the LCM of the Target Node attempts to contact the SMB Share Anonymously, even in credentials are provided. Now, in a Non domain joined environment, you can just provide EVERYONE full control and then change Local Security Policy such that Anonymous=Everyone (even though this is a massive security risk in an enterprise environment). However, even worse, in a Domain Joined environment, there is no workaround. As the LCM cannot contact the LCM anonymously anymore (at least with no settings I saw), it instead attempts to contact the SMB share as the Computer Account, which of course will fail. This also makes it untenable to provide EVERYONE access because they will still get denied. I haven't found a workaround to get SMB Share working at all in a domain joined environment. Obviously, all of this worked in 4.0 including Certificate encryption with DSCFileDownloadManager. With 8.1 and beyond now offering SMB Encryption as well, the DSCFileDownloadManager is still a viable enterprise solution, and thus a potentially major issue.
If there are any workaround in the mean time, I'd love to hear them. Also, if I have misunderstood/misimplemented the issue, I'd love to hear that too. I did a wireshark capture of the traffic and it appears pretty cut and dry.
Thanks
Bobby Reed
shared this idea
This bug has been identified and the issue has been resolved. The fix will be available in future releases, including the Windows Insider Fast Ring preview
