Is there any way to secure the arguments string inside the package resource?
Spent the day configuring the cert setup for using PsDscRunAsCredential and then… oh yeah, the credentials are also in the Arguments string 
I’m not certain I follow… “also in the Arguments string?” “Inside the package resource?”
Unfortunately I have something like this. I can encrypt the PsDscRunAsCredential but I also have to use this string in the arguments.
$commandargs = @"
/s /v" /qn SILENT_MODE=1 /Li SDInstall.log INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" SVCUSERNAME=$SMSQLUSER SVCUSERPASSWORD=$SMSQLPASS"
"@
$credentials = New-Object System.Management.Automation.PSCredential($SMSQLUSER,$SMSQLPASS)
WindowsFeature Netframework
{
Ensure = "Present"
Name = "NET-Framework-Core"
}
Package SnapInstall
{
Ensure = "Present"
Path = "c:\windows\temp\SnapDrive7.1.4P1_x64.exe"
Name = "SnapDrive"
ProductId = "{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}"
Arguments = $commandargs
PsDscRunAsCredential = $credentials
DependsOn = '[WindowsFeature]Netframework'
}
Oh. So you’re generally asking, “how can I protect sensitive information in an argument” regardless of whether it’s a credential per se.
That was more or less asked at powershell - Passing SecureString variables to DSC Configuration for Read Only Domain Controller - Stack Overflow also.
Also at xPackage: Is it possible to pass a secure parameter to the Arguments value? · Issue #266 · dsccommunity/xPSDesiredStateConfiguration · GitHub, which gives us a clue: you can’t. The intent would be to have that data live in some kind of key vault, and you’d retrieve it dynamically somehow.
Thanks. I hope encrypting the entire mof is planned for the future.