Delete SCCM Certificate from Command Line

So we have a situation where a contractor deployed about 200 Windows 7 computers that were cloned improperly. The SCCM cert was not cleaned off the reference machine before it was sysprepped. Now because of the duplicate certs, the SCCM console is getting crapped up with invalid device records all over the place.

I need to script the removal of the bad cert on all these machines but I don't know how to do it from the command line. I assume I would be using Certutil.exe but I can't figure out what arguments to pass. I'm also familiar with WMI and VBScript, so if there were a certificate class I could use that would work too.

I appreciate any help anyone could offer.


Solution 1:

You could use PSEXEC to remotely reinstall the SCCM client and reset the key to all 200 computers.

psexec @c:\lists\NeedSccm.txt -u domain\admin -h -d "\\SCCMSERVER\SHARE$\ccmsetup.exe" RESETKEYINFORMATION=TRUE

Solution 2:

I don't know about an SCCM certificate, as our clients use the autorequested domain certificate for client auth. However, I still may be able to help. Navigate to the cert store in powershell, like so:

PS Cert:\LocalMachine\My> Get-ChildItem


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                Subject
----------                                -------
A34F86ACC5HAHAYEAHRIGHTF731B798EF24F6D6D0B  CN=BIG-HOMIEPC, OU=Computers, DC=eng, DC=mit, DC=edu
5DAC23B07490B5C602EC4F04GEDDABOUDIT94FF41A  CN=localhost

Once there, simply remove the certificate with the proper subject,

PS Cert:\LocalMachine\My> Get-ChildItem | where {$_.Subject -like "*DC=eng, DC=mit, DC=edu*"} | Remove-Item -WhatIf   # -WhatIf only previews the deletion; drop it to actually remove the cert

This will work in a script as well.
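Putting the two answers together, here is an added example (not code from either answer or from Microsoft) of a script that does the whole cleanup on one cloned client: it empties the cloned client certificates out of the store, removes the client GUID file, and can optionally re-run ccmsetup with the RESETKEYINFORMATION=TRUE property from Solution 1. Assumptions: the cloned Configuration Manager client certificates are the self-signed ones in the LocalMachine "SMS" store (subject containing "SMS"), the client identity also lives in %WINDIR%\smscfg.ini, and ccmsetup.exe sits at the share path borrowed from Solution 1. It uses the .NET X509Store class rather than Remove-Item on the Cert: drive so it also runs under PowerShell 2.0, the version shipped with Windows 7, where the certificate provider is read-only.

```powershell
# Remove-ClonedSccmIdentity.ps1  (added example; assumptions noted inline)
param(
    [string]$StoreName      = 'SMS',                          # assumed store holding the client certs
    [string]$SubjectPattern = 'SMS',                          # assumed subject substring of those certs
    [string]$CcmSetup       = '\\SCCMSERVER\SHARE$\ccmsetup.exe',  # path taken from Solution 1
    [switch]$Reinstall,                                       # re-run ccmsetup afterwards
    [switch]$DryRun                                           # report only, change nothing
)

# Return the certificates in a LocalMachine store whose subject matches a pattern.
function Get-MatchingCerts {
    param([string]$Store, [string]$Pattern)
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($Store, 'LocalMachine')
    $s.Open('ReadOnly')
    try {
        # @() keeps the result an array even for zero or one match
        @($s.Certificates | Where-Object { $_.Subject -like "*$Pattern*" })
    } finally {
        $s.Close()
    }
}

# Remove the given certificates from a LocalMachine store; returns the thumbprints removed.
function Remove-CertsFromStore {
    param([string]$Store, $Certs, [switch]$DryRun)
    $removed = @()
    if ($Certs.Count -eq 0) { return $removed }
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($Store, 'LocalMachine')
    $s.Open('ReadWrite')
    try {
        foreach ($c in $Certs) {
            if ($DryRun) {
                Write-Host ("DryRun: would remove {0} ({1})" -f $c.Thumbprint, $c.Subject)
            } else {
                $s.Remove($c)
                $removed += $c.Thumbprint
            }
        }
    } finally {
        $s.Close()
    }
    return $removed
}

# 1. Stop the SMS Agent Host so it neither holds the identity open nor recreates it mid-cleanup.
if (-not $DryRun) { Stop-Service -Name CcmExec -ErrorAction SilentlyContinue }

# 2. Remove the cloned client certificates.
$certs = Get-MatchingCerts -Store $StoreName -Pattern $SubjectPattern
Write-Host ("Found {0} certificate(s) in LocalMachine\{1} matching *{2}*" -f $certs.Count, $StoreName, $SubjectPattern)
$gone = Remove-CertsFromStore -Store $StoreName -Certs $certs -DryRun:$DryRun
Write-Host ("Removed {0} certificate(s)" -f $gone.Count)

# 3. Remove the cloned client GUID file so the client registers as a new device.
$cfg = Join-Path $env:windir 'smscfg.ini'   # assumed location of the client identity file
if (Test-Path $cfg) {
    if ($DryRun) { Write-Host "DryRun: would remove $cfg" }
    else         { Remove-Item -Path $cfg -Force }
}

# 4. Optionally re-run the client installer with RESETKEYINFORMATION=TRUE (from Solution 1)
#    so a fresh key and certificate are generated. Add whatever other ccmsetup
#    properties your site normally passes.
if ($Reinstall -and -not $DryRun) {
    Start-Process -FilePath $CcmSetup -ArgumentList 'RESETKEYINFORMATION=TRUE'
}
```

Run it once with -DryRun on a single affected machine and confirm the listed thumbprints are the cloned SMS certificates before running it for real; then push it to the list with the same psexec approach as Solution 1, invoking `powershell.exe -ExecutionPolicy Bypass -File` on the copied script. If you would rather stay with certutil, `certutil -delstore SMS <serial-or-subject>` removes a certificate from the same store; the .NET route is used here only because it gives you the thumbprints back for logging.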