Decrypted credentials visibility


As we develop our DSC strategy, we would like to have different teams (Operations, DBAs) to be able to update configurations but not be able to see any sensitive credentials used in configurations.
At the moment we use MOF certificate encryption with private keys that are are distributed to nodes and we use corresponding public keys to encrypt MOFs on pull server.
We also use WMF 5.1 and it also encrypts MOFs stored on nodes meaning that credentials in MOfs are encrypted using Certificates and MOF files themselves are encrypted locally on nodes using DPAPI.
Configuration files would be updated by other teams using source control.Once the configuration files are checked in, CD/CI would pick them up, build, test and deploy the MOFs to Pull servers.
Now the issue that we face: Operations and other teams members will have local administrator privileges on the nodes they own. Does it mean that they would be able to see decrypted credentials one way or another?
If this is a case, how can we mitigate it? Someone suggested using separate encryption/decryption certificates for different teams but this seems like a complication and does not resolve the issue entirely.

It depends on how the certificates are built. The decrypting node needs a private key; if someone has access to that node, and its certificate store, then yes, they could manually decrypt a MOF with some amount of labor and knowledge. With administrator credentials, I imagine they could do a lot worse damage with a lot less effort. But there’s really not much of an alternative, short of creating custom resources that somehow grab secrets from a credential store on-the-fly.