Month: March 2019

  • I once had a request for a way to determine if a specific PKI certificate was installed on some Windows OS machines. To accomplish this task, I decided the easiest method would be to create a simple PowerShell script that checks for the existence of the certificate, and then use the infinitely powerful Compliance Settings feature of Configuration Manager to run the script and report back the results. While on the topic, I also decided to create a CI that checks for PKI certificates with the Server Authentication intended purpose that will expire within 90 days, so that someone can be alerted and hopefully avert an outage caused by an expired certificate. First, for finding machines with a specific certificate installed, here’s a snip of the details of a sample certificate I’m looking for. Notice in my example that the Issuer is “russrimmerman-DC1-CA”. You could check the certificate’s Issuer, Subject, expiration date, or any other property of choice, but in this example I’m going to look for the Issuer. You have two options for running PowerShell scripts on clients: one is to sign the script with a trusted certificate, and the other is to set the PowerShell execution policy to “Bypass”. In my example, I won’t be signing my PowerShell script, so I will go into Administration->Client Settings and select the default or create a new Client Settings. Then go into the “Computer Agent” section of the client settings and set the PowerShell execution policy to “Bypass”. This allows unsigned PowerShell scripts to run when they are executed by the ConfigMgr client. If you don’t use the default client settings, you’ll also need to make sure the custom client settings you created are also deployed to the collection you will be checking compliance on. Now, go to Assets and Compliance->Compliance Settings->Configuration Items...
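Below is an added example of what the two CI discovery scripts described above can look like; it is not the post’s own script. The issuer string is taken from the post, while the store path, the choice of checking the EKU extension, and the `$Check` selector are assumptions.

```powershell
# Added example (not the post's script): discovery logic for two ConfigMgr CIs,
# (1) is a certificate from a given issuer installed, (2) is any Server
# Authentication certificate expiring within 90 days. Assumed values are marked.
$IssuerPattern = '*russrimmerman-DC1-CA*'   # issuer from the post; change to your CA
$StorePath     = 'Cert:\LocalMachine\My'     # assumed; readable because the CI runs as SYSTEM
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'         # Server Authentication EKU OID
$WarnDays      = 90
$Check         = 'Issuer'                    # 'Issuer' or 'Expiry': one CI per script

function Test-CertFromIssuer {
    param([object[]]$Certificates, [string]$Pattern)
    # True if at least one certificate in the store was issued by a matching CA
    foreach ($cert in $Certificates) {
        if ($cert.Issuer -like $Pattern) { return $true }
    }
    return $false
}

function Get-ExpiringServerAuthCert {
    param([object[]]$Certificates, [int]$Days)
    $cutoff = (Get-Date).AddDays($Days)
    foreach ($cert in $Certificates) {
        # Only certificates whose EKU extension explicitly lists Server Authentication;
        # certificates with no EKU extension at all (valid for any purpose) are skipped.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { continue }
        $serverAuth = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
        if ($serverAuth.Count -gt 0 -and $cert.NotAfter -le $cutoff) { $cert }
    }
}

# ConfigMgr compares the single string this script writes to the pipeline
# against the CI's compliance rule (e.g. "value must equal Compliant").
$certs = Get-ChildItem -Path $StorePath

if ($Check -eq 'Issuer') {
    if (Test-CertFromIssuer -Certificates $certs -Pattern $IssuerPattern) { 'Compliant' }
    else { 'NonCompliant' }
}
else {
    $expiring = @(Get-ExpiringServerAuthCert -Certificates $certs -Days $WarnDays)
    if ($expiring.Count -eq 0) { 'Compliant' }
    else {
        # Name the offending certificates so the compliance report is actionable
        $list = $expiring | ForEach-Object { "$($_.Subject) expires $($_.NotAfter.ToShortDateString())" }
        'NonCompliant: ' + ($list -join '; ')
    }
}
```

In the CI, use a Script setting with data type String and a rule that the returned value must equal “Compliant”; the expiry variant then surfaces the affected subjects and dates in the non-compliance details.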