4

So we have a situation where a contractor deployed about 200 Windows 7 computers that were cloned improperly. The SCCM cert was not cleaned off the reference machine before it was sysprepped. Now because of the duplicate certs, the SCCM console is getting crapped up with invalid device records all over the place.

I need to script the removal of the bad cert on all these machines but I don't know how to do it from the command line. I assume I would be using Certutil.exe but I can't figure out what arguments to pass. I'm also familiar with WMI and VBScript, so if there were a certificate class I could use, that would work too.

I appreciate any help anyone could offer.

Wes Sayeed

2 Answers

4

You could use PSEXEC to remotely reinstall the SCCM client and reset the key to all 200 computers.

psexec @c:\lists\NeedSccm.txt -u domain\admin -h -d "\\SCCMSERVER\SHARE$\ccmsetup.exe" RESETKEYINFORMATION=TRUE
Bin
  • Brilliant. This is exactly the kind of thing I was looking for. I want to run it on a couple machines to test it out first. How would I verify right away that it's been reset? – Wes Sayeed Jun 06 '14 at 20:37
  • Communication between the computer and the server will be (re)established so you will see them pop up in the SCCM console. – Bin Jun 12 '14 at 12:47
2

I don't know about an SCCM certificate, as our clients use the autorequested domain certificate for client auth. However, I still may be able to help. Navigate to the cert store in powershell, like so:

PS Cert:\LocalMachine\My> Get-ChildItem


    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My


Thumbprint                                  Subject
----------                                  -------
A34F86ACC5HAHAYEAHRIGHTF731B798EF24F6D6D0B  CN=BIG-HOMIEPC, OU=Computers, DC=eng, DC=mit, DC=edu
5DAC23B07490B5C602EC4F04GEDDABOUDIT94FF41A  CN=localhost

Once there, simply remove the certificate with the proper subject,

PS Cert:\LocalMachine\My> Get-ChildItem | where {$_.Subject -like "*DC=eng, DC=mit, DC=edu*"} | Remove-Item -WhatIf

This will work in a script as well.

MDMoore313
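Putting the two answers together, here is an added example (my own script, not code from either answer) that reads the same computer list the psexec answer uses, asks each machine which certificates match the subject filter from the second answer, and groups the results by thumbprint: a thumbprint that shows up on more than one machine is the one that was cloned with the reference image, while a properly provisioned client has a thumbprint unique to itself. It only reports unless `-Remove` is given, and then deletes only the duplicated thumbprints, only on the machines that reported them. Assumptions not stated on the page: PowerShell remoting (WinRM) is enabled on the Windows 7 targets, the caller is a local administrator on them, and the store location, store name and subject pattern are placeholders, because the thread never says which store the cloned SCCM client certificate lives in. The delete step uses the .NET X509Store class rather than Remove-Item so that it also runs on PowerShell 2.0, the Windows 7 default, where the Cert: drive does not support Remove-Item.

```powershell
# Added example; not from the question or either answer.
# Assumptions (not on the page): WinRM remoting is enabled on the targets, the
# caller is a local admin there, and the store/subject values below are
# placeholders because the thread does not identify the cloned cert's store.
param(
    [string]$ComputerList   = 'C:\lists\NeedSccm.txt',    # one hostname per line, same list as the psexec answer
    [string]$StoreLocation  = 'LocalMachine',             # assumption
    [string]$StoreName      = 'My',                       # assumption
    [string]$SubjectPattern = '*DC=eng, DC=mit, DC=edu*', # assumption: the subject filter from the second answer
    [switch]$Remove                                       # without -Remove the script only reports
)

$computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() -ne '' }

# Step 1: ask every machine for the certificates that match the subject filter.
# Invoke-Command tags each returned object with the PSComputerName it came from.
$found = Invoke-Command -ComputerName $computers `
    -ArgumentList $StoreLocation, $StoreName, $SubjectPattern -ScriptBlock {
    param($loc, $name, $pattern)
    Get-ChildItem -Path "Cert:\$loc\$name" |
        Where-Object { $_.Subject -like $pattern } |
        Select-Object Thumbprint, Subject, NotAfter
}

# Step 2: a thumbprint present on more than one machine is the cloned certificate.
$dupes = @($found | Group-Object -Property Thumbprint | Where-Object { $_.Count -gt 1 })
foreach ($g in $dupes) {
    Write-Host ("Thumbprint {0} ({1}) is present on {2} machines:" -f $g.Name, $g.Group[0].Subject, $g.Count)
    $g.Group | ForEach-Object { Write-Host ("    " + $_.PSComputerName) }
}
if ($dupes.Count -eq 0) { Write-Host "No duplicated thumbprints found."; return }

# Step 3 (only with -Remove): delete just the duplicated thumbprints, and only on
# the machines that reported them. X509Store is used instead of Remove-Item so
# this also works on PowerShell 2.0, the Windows 7 default.
if ($Remove) {
    $badThumbprints = @($dupes | ForEach-Object { $_.Name })
    $targets = $found | Where-Object { $badThumbprints -contains $_.Thumbprint } |
        Select-Object -ExpandProperty PSComputerName -Unique
    Invoke-Command -ComputerName $targets `
        -ArgumentList $StoreLocation, $StoreName, $badThumbprints -ScriptBlock {
        param($loc, $name, $bad)
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, $loc)
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $removed = 0
        # Copy the collection first so removing from the store does not disturb the loop.
        foreach ($cert in @($store.Certificates)) {
            if ($bad -contains $cert.Thumbprint) { $store.Remove($cert); $removed++ }
        }
        $store.Close()
        "{0}: removed {1} certificate(s)" -f $env:COMPUTERNAME, $removed
    }
}
```

Run it once without `-Remove` to see which machines share a thumbprint, then with `-Remove` to clear the cloned certificate, and follow with the first answer's ccmsetup run with RESETKEYINFORMATION=TRUE so each client generates its own key. The report mode also answers the "how would I verify" question in the comments: after the fix, a second run should show no duplicated thumbprints.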