WMF 4.0 DSC credential decryption bug in Get-DscConfiguration

cDscCredentials.psd1

@{
ModuleVersion = '1.0'
GUID = '7855f1e0-0012-4f60-8b2a-cb75a761529c'
}

config.ps1

configuration CredEcho
{
	Param (
		[PSCredential] $cred
	)
	Import-DscResource -Name JB_CredentialEcho
	node $AllNodes.NodeName
	{
		LocalConfigurationManager
		{
			CertificateId = $Node.Thumbprint
		}

		cCredentialEcho Echo1
		{
			Name = 'Abc'
			Credential = $cred
		}
		cCredentialEcho Echo2
		{
			Name = 'Abc2'
			Credential = $cred
		}
	}
}
$cd = @{
	AllNodes = @(
		@{
			NodeName = 'localhost'
			CertificateFile = '.\cert.cer'
			Thumbprint = '7C166D5F031EDD82848E02DB94E3F7A5A166C016'
		}
	)
}
CredEcho -ConfigurationData $cd -cred (New-Object PSCredential 'DOM\usr',(ConvertTo-SecureString 'xyz' -AsPlainText -Force))
Write-Host 'invoking Set-DscLocalConfigurationManager'
Set-DscLocalConfigurationManager -Path .\CredEcho -ComputerName localhost -Verbose
Write-Host 'invoking Start-DscConfiguration'
Start-DscConfiguration -Path .\CredEcho -ComputerName localhost -Verbose -Wait
Write-Host 'invoking Get-DscConfiguration'
Get-DscConfiguration -Verbose

JB_CredentialEcho.psm1

function Get-TargetResource
{
	[CmdletBinding()]
	[OutputType([System.Collections.Hashtable])]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$Name,

		[System.Management.Automation.PSCredential]
		$Credential
	)

	Write-Verbose "Get-TargetResource"
	Dump-Credential -c $Credential

	return @{
		Name = $Name
		Credential = $null
	}
}


function Set-TargetResource
{
	[CmdletBinding()]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$Name,

		[System.Management.Automation.PSCredential]
		$Credential
	)

	Write-Verbose "Set-TargetResource"
	Dump-Credential -c $Credential
}


function Test-TargetResource
{
	[CmdletBinding()]
	[OutputType([System.Boolean])]
	param
	(
		[parameter(Mandatory = $true)]
		[System.String]
		$Name,

		[System.Management.Automation.PSCredential]
		$Credential
	)

	Write-Verbose "Test-TargetResource"
	Dump-Credential -c $Credential
	return $false
}


function Dump-Credential([System.Management.Automation.PSCredential] $c)
{
	if ($c -eq $null) {
		Write-Warning "credential is null"
	} else {
		$nc = $c.GetNetworkCredential()
		Write-Warning "credential: Domain [$($nc.Domain)] UserName [$($nc.UserName)] Password [$($nc.Password)]"
	}
}

Export-ModuleMember -Function *-TargetResource

JB_CredentialEcho.schema.mof

[ClassVersion("1.0.0.0"), FriendlyName("cCredentialEcho")]
class JB_CredentialEcho : OMI_BaseResource
{
	[Key] string Name;
	[Write, EmbeddedInstance("MSFT_Credential")] String Credential;
};

log.txt

PS C:\Users\Administrator> .\config.ps1


    Directory: C:\Users\Administrator\CredEcho


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        2016-03-18     11:11       3646 localhost.mof
-a---        2016-03-18     11:11        872 localhost.meta.mof
invoking Set-DscLocalConfigurationManager
VERBOSE: Performing the operation "Start-DscConfiguration: SendMetaConfigurationApply" on target
"MSFT_DSCLocalConfigurationManager".
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendMetaConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer JB-S13T01 with user sid
S-1-5-21-2982317268-1144194326-3473732824-500.
VERBOSE: [JB-S13T01]: LCM:  [ Start  Set      ]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Resource ]  [MSFT_DSCMetaConfiguration]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Set      ]  [MSFT_DSCMetaConfiguration]
VERBOSE: [JB-S13T01]: LCM:  [ End    Set      ]  [MSFT_DSCMetaConfiguration]  in 0.3600 seconds.
VERBOSE: [JB-S13T01]: LCM:  [ End    Resource ]  [MSFT_DSCMetaConfiguration]
VERBOSE: [JB-S13T01]: LCM:  [ End    Set      ]    in  0.5070 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Set-DscLocalConfigurationManager finished in 0.904 seconds.
invoking Start-DscConfiguration
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' =
SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer JB-S13T01 with user sid
S-1-5-21-2982317268-1144194326-3473732824-500.
VERBOSE: [JB-S13T01]: LCM:  [ Start  Set      ]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Resource ]  [[cCredentialEcho]Echo1]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Test     ]  [[cCredentialEcho]Echo1]
VERBOSE: [JB-S13T01]:                            [[cCredentialEcho]Echo1] Test-TargetResource
WARNING: [JB-S13T01]:                            [[cCredentialEcho]Echo1] credential: Domain [DOM] UserName [usr]
Password [xyz]
VERBOSE: [JB-S13T01]: LCM:  [ End    Test     ]  [[cCredentialEcho]Echo1]  in 0.1880 seconds.
VERBOSE: [JB-S13T01]: LCM:  [ Start  Set      ]  [[cCredentialEcho]Echo1]
VERBOSE: [JB-S13T01]:                            [[cCredentialEcho]Echo1] Set-TargetResource
WARNING: [JB-S13T01]:                            [[cCredentialEcho]Echo1] credential: Domain [DOM] UserName [usr]
Password [xyz]
VERBOSE: [JB-S13T01]: LCM:  [ End    Set      ]  [[cCredentialEcho]Echo1]  in 0.0150 seconds.
VERBOSE: [JB-S13T01]: LCM:  [ End    Resource ]  [[cCredentialEcho]Echo1]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Resource ]  [[cCredentialEcho]Echo2]
VERBOSE: [JB-S13T01]: LCM:  [ Start  Test     ]  [[cCredentialEcho]Echo2]
VERBOSE: [JB-S13T01]:                            [[cCredentialEcho]Echo2] Test-TargetResource
WARNING: [JB-S13T01]:                            [[cCredentialEcho]Echo2] credential: Domain [DOM] UserName [usr]
Password [xyz]
VERBOSE: [JB-S13T01]: LCM:  [ End    Test     ]  [[cCredentialEcho]Echo2]  in 0.0310 seconds.
VERBOSE: [JB-S13T01]: LCM:  [ Start  Set      ]  [[cCredentialEcho]Echo2]
VERBOSE: [JB-S13T01]:                            [[cCredentialEcho]Echo2] Set-TargetResource
WARNING: [JB-S13T01]:                            [[cCredentialEcho]Echo2] credential: Domain [DOM] UserName [usr]
Password [xyz]
VERBOSE: [JB-S13T01]: LCM:  [ End    Set      ]  [[cCredentialEcho]Echo2]  in 0.0310 seconds.
VERBOSE: [JB-S13T01]: LCM:  [ End    Resource ]  [[cCredentialEcho]Echo2]
VERBOSE: [JB-S13T01]: LCM:  [ End    Set      ]    in  0.6316 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.642 seconds
invoking Get-DscConfiguration
VERBOSE: An LCM method call arrived from computer JB-S13T01 with user sid
S-1-5-21-2982317268-1144194326-3473732824-500.
VERBOSE: [JB-S13T01]: LCM:  [ Start  Get      ]
VERBOSE: [JB-S13T01]:                            [[cCredentialEcho]Echo1] Get-TargetResource
WARNING: [JB-S13T01]:                            [[cCredentialEcho]Echo1] credential: Domain [DOM] UserName [usr]
Password [xyz]
VERBOSE: [JB-S13T01]: LCM:  [ End    Get      ]  [[cCredentialEcho]Echo1]  in 0.0000 seconds.
Get-DscConfiguration : Decryption failed.
At C:\Users\Administrator\config.ps1:41 char:1
+ Get-DscConfiguration -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_DSCLocalConfigurationManager:root/Microsoft/...gurationManager) [Get
   -DscConfiguration], CimException
    + FullyQualifiedErrorId : Windows System Error -2146893819,Get-DscConfiguration