I noticed that every time we reimaged a workstation, it would be issued a new certificate from our Certificate Authority. Since we only have 1 CA issuing SCCM Client certificates, one of my coworkers and I threw together the following script. His name is Robert, and he did most of the work on this one. He’s awesome; you should hire him.
It’s named ‘Revoke-DuplicateSCCMClientCerts.ps1’ and is available on my GitHub repo here: Jpuskar’s GitHub Page.
Run the PowerShell script with the /force argument. By default, it’s read-only and will run in ‘what-if’ mode.
It’s really only designed for a single-CA environment. If you’ve got multiple CAs but only one issues SCCM certs, that’s fine. However, if you’re load-balancing your SCCM certificate issuing across multiple CAs, the script will only look at a single CA’s certificate database for duplicates. It could probably be modified to work across multiple CAs, but you’d need to key off the issue date instead of the request ID like we’re doing now.
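To illustrate the single-CA, request-ID-keyed approach described above, here is an added example. It is not Robert’s Revoke-DuplicateSCCMClientCerts.ps1 script, and it makes some assumptions: the CA config string and the template restriction value are placeholders, the CA database is read with certutil -view in CSV mode (skipping its display-name header and applying schema column names), and the certificate with the highest request ID per common name is taken as the current one. It follows the same read-only-by-default convention, using a -Force switch and ShouldProcess instead of a /force argument.

```powershell
<#
  Added example, not the script from the post.
  Placeholders: $CAConfig (host\CA name) and $TemplateRestrict (template name or OID
  as stored in the CA database's CertificateTemplate column).
  Read-only unless -Force is supplied; every revocation goes through ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CAConfig         = 'CA01.example.local\Example Issuing CA',  # placeholder
    [string]$TemplateRestrict = 'SCCMClientCertificate',                  # placeholder
    [switch]$Force
)

if (-not $Force) { $WhatIfPreference = $true }

function Get-IssuedCertificateRows {
    param([string]$Config, [string]$Template)
    # Disposition 20 = issued. Columns are requested by schema name, but certutil's CSV
    # header uses display names, so the header is skipped and our own names applied.
    $lines = certutil -config $Config -view `
        -restrict "Disposition=20,CertificateTemplate=$Template" `
        -out 'RequestID,CommonName,SerialNumber,NotBefore' csv
    $lines |
        Where-Object { $_ -and $_ -notmatch '^CertUtil:' } |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header RequestID, CommonName, SerialNumber, NotBefore |
        ForEach-Object {
            # Cast so the sort below is numeric; as strings "99" would sort above "100".
            $_.RequestID = [int]$_.RequestID
            $_
        }
}

function Select-SupersededCertificates {
    # Given issued rows, return every certificate except the newest per CommonName.
    # Within one CA the request ID increases monotonically, so the highest ID is the
    # current certificate. Across load-balanced CAs that assumption fails and you
    # would sort on NotBefore instead, as the post notes.
    param([object[]]$Rows)
    $Rows |
        Group-Object CommonName |
        Where-Object Count -gt 1 |
        ForEach-Object {
            $_.Group | Sort-Object RequestID -Descending | Select-Object -Skip 1
        }
}

$issued   = Get-IssuedCertificateRows -Config $CAConfig -Template $TemplateRestrict
$toRevoke = Select-SupersededCertificates -Rows $issued

foreach ($cert in $toRevoke) {
    $target = "$($cert.CommonName) serial $($cert.SerialNumber) (request $($cert.RequestID))"
    # Reason code 4 = Superseded.
    if ($PSCmdlet.ShouldProcess($target, 'Revoke (reason 4, Superseded)')) {
        certutil -config $CAConfig -revoke $cert.SerialNumber 4 | Out-Null
    }
}
```

Run without arguments to see the "What if:" lines listing each certificate that would be revoked; pass -Force (or -Confirm to be prompted per certificate) to revoke for real. Keeping the selection logic in Select-SupersededCertificates means you can test it against a handful of constructed rows before pointing it at a production CA.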