Revoking and Superseding Duplicate Configuration Manager Client Certificates

I noticed that every time we reimaged a workstation, it would be issued a new certificate from our Certificate Authority. Since we only have 1 CA issuing SCCM Client certificates, one of my coworkers and I threw together the following script. His name is Robert, and he did most of the work on this one. He’s awesome; you should hire him.

Download

It’s named ‘Revoke-DuplicateSCCMClientCerts.ps1’ and is available on my GitHub repo here: Jpuskar’s Github Page.

Usage

Run the PowerShell script with the /force argument to have it make changes. By default, it’s read-only and will run in ‘what-if’ mode.

Known Issues

It’s really only designed for a single-CA environment. If you’ve got multiple CAs, but only one issues SCCM certs, that’s fine. However, if you’re load-balancing your SCCM certificate issuing across multiple CAs, the script will only look at a single CA’s certificate database for duplicates. It’s probably possible to modify it to work across multiple CAs, but you’d need to key off of issue date instead of request ID like we’re doing now.
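The ordering problem described above, as an added sketch that is not the script from the repo: the function name `Get-SupersededCert`, the helper `New-Rec`, the record fields, the serials and the `<CAHost>` placeholder are all assumptions, and the records are constructed. It goes one step past the post by running both orderings over the same data, so the multi-CA failure of request-ID ordering is visible next to the issue-date ordering.

```powershell
# Added example: constructed inventory records, not real CA output.
function Get-SupersededCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Issued,
        # RequestId order is only meaningful inside one CA database;
        # use NotBefore (issue date) when records come from several CAs.
        [ValidateSet('RequestId', 'NotBefore')] [string] $OrderBy = 'RequestId'
    )
    $Issued |
        Group-Object -Property { $_.CommonName.ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # The newest certificate per machine name is kept; the rest are duplicates.
            $sorted = @($_.Group | Sort-Object -Property $OrderBy -Descending)
            $keep = $sorted[0]
            $sorted | Select-Object -Skip 1 | ForEach-Object {
                [pscustomobject]@{
                    CommonName   = $_.CommonName
                    CA           = $_.CA
                    Serial       = $_.Serial
                    SupersededBy = $keep.Serial
                }
            }
        }
}

# Hypothetical helper that builds one issued-certificate record.
function New-Rec($ca, $id, $cn, $serial, $date) {
    [pscustomobject]@{ CA = $ca; RequestId = [int]$id; CommonName = $cn
                       Serial = $serial; NotBefore = [datetime]$date }
}

$issued = @(
    New-Rec CA01 101 'ws-0001.example.test' 'aa01' '2015-01-10'   # original image
    New-Rec CA01 250 'WS-0001.example.test' 'aa02' '2015-06-02'   # reimage
    New-Rec CA02 12  'WS-0001.example.test' 'bb01' '2015-09-20'   # reimage, second CA
    New-Rec CA01 180 'WS-0002.example.test' 'aa03' '2015-03-15'   # no duplicate
)

foreach ($mode in 'RequestId', 'NotBefore') {
    "--- ordered by $mode ---"
    foreach ($c in Get-SupersededCert -Issued $issued -OrderBy $mode) {
        # Printed only (what-if); reason code 4 is "superseded".
        "certutil -config `"<CAHost>\$($c.CA)`" -revoke $($c.Serial) 4"
    }
}
```

Ordered by request ID, the newest certificate (`bb01`, issued by the second CA with a low request ID) is listed for revocation while the older `aa02` is kept; ordered by issue date, `bb01` is kept and both older certificates are listed.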

Enjoy!
