Revoking and Superseding Duplicate Configuration Manager Client Certificates

I noticed that every time we reimaged a workstation, it would be issued a new certificate from our Certificate Authority, leaving the old, still-valid certificate for that machine in the CA database. Since we only have 1 CA issuing SCCM client certificates, one of my coworkers and I threw together the script linked below to revoke the superseded duplicates. His name is Robert, and he did most of the work on this one. He’s awesome; you should hire him.

Download

It’s named ‘Revoke-DuplicateSCCMClientCerts.ps1’ and is available on my GitHub repo here: Jpuskar’s GitHub Page.

Usage

Run the PowerShell script with the /force argument to actually revoke certificates. Without it, the script is read-only and runs in ‘what-if’ mode, reporting which certificates it would revoke without changing anything on the CA.

Known Issues

It’s really only designed for a single-CA environment. If you’ve got multiple CAs but only one issues SCCM certs, that’s fine. However, if you’re load-balancing your SCCM certificate issuing across multiple CAs, the script will only look at a single CA’s certificate database for duplicates, so a newer certificate issued by another CA won’t be seen and an older one could be kept by mistake. It’s probably possible to modify it to work across multiple CAs, but you’d need to key off of issue date instead of request ID like we’re doing now, since request IDs are only meaningful within one CA’s database.
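To show the approach the Usage and Known Issues sections describe, here is an added example that is not the Revoke-DuplicateSCCMClientCerts.ps1 script from the repo: it queries a single CA’s database with certutil, groups issued certificates by common name, keeps the one with the highest request ID, and revokes the rest as superseded. It is read-only unless -Force is passed (the PowerShell equivalent of the post’s /force). The CA config string, the template name, and the use of CommonName as the grouping key are assumptions for illustration, not values from the post.

```powershell
<#
.SYNOPSIS
  Illustrative duplicate-certificate cleanup against a single AD CS CA.
  Added example; not the post's Revoke-DuplicateSCCMClientCerts.ps1.
  The CA config string, template name and grouping column are assumed placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # CA in the form "CAHostFQDN\CA Common Name" (assumed placeholder)
    [string]$CAConfig = 'ca01.example.internal\Example Issuing CA',
    # Template the SCCM client certificates are issued from (assumed placeholder)
    [string]$Template = 'ConfigMgrClientCertificate',
    # Without -Force the script only reports what it would revoke
    [switch]$Force
)

# Pull every issued certificate (Disposition=20) for the template from this one CA's
# database. -config, -view, -restrict, -out and the csv output mode are standard
# certutil options; matching on CertificateTemplate by name is an assumption
# (V2+ templates are stored by OID, so adjust the restriction for your environment).
$restrict = "Disposition=20,CertificateTemplate=$Template"
$columns  = 'RequestID,CommonName,SerialNumber,NotBefore'
$raw = & certutil -config $CAConfig -view -restrict $restrict -out $columns csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed with exit code $LASTEXITCODE" }

# certutil prints display names in the CSV header row; skip it and supply stable names.
$rows = @($raw | Where-Object { $_ -match '\S' } | Select-Object -Skip 1 |
          ConvertFrom-Csv -Header RequestID, CommonName, SerialNumber, NotBefore)

# Group by the machine's common name and keep the highest RequestID, i.e. the most
# recent issuance. RequestID is only a valid ordering within a single CA database,
# which is exactly the single-CA limitation the post describes.
$toRevoke = @(foreach ($group in ($rows | Group-Object CommonName)) {
    if ($group.Count -lt 2) { continue }
    $group.Group |
        Sort-Object { [int]$_.RequestID } -Descending |
        Select-Object -Skip 1
})

Write-Output ("{0} issued certificate(s), {1} superseded duplicate(s)" -f $rows.Count, $toRevoke.Count)

foreach ($cert in $toRevoke) {
    $target = "{0} (RequestID {1}, serial {2}, issued {3})" -f `
        $cert.CommonName, $cert.RequestID, $cert.SerialNumber, $cert.NotBefore
    if (-not $Force) {
        Write-Output "WhatIf: would revoke $target"
        continue
    }
    # Reason code 4 = Superseded, so the CRL records why the older certificate was pulled.
    if ($PSCmdlet.ShouldProcess($target, 'Revoke as superseded')) {
        & certutil -config $CAConfig -revoke $cert.SerialNumber 4
        if ($LASTEXITCODE -ne 0) { Write-Warning "Revocation failed for $target" }
    }
}
```

Run it from an account that holds the Issue and Manage Certificates permission on the CA. A first pass without -Force lists the candidates so you can confirm that each kept certificate really is the one the reimaged client is using; after revoking, publish a new CRL so the superseded certificates are actually rejected by the management point.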

Enjoy!
