First published on TECHNET on Oct 15, 2018
Hello everyone, Jonathan Warnken here, and I am a Premier Field Engineer (PFE) for Microsoft. I primarily support Configuration Manager and I have been getting a lot of questions recently on how to collect custom information and include it in the device inventory within Configuration Manager. I wanted to share one way to accomplish this that demonstrates some of the great ways to extend the built-in features. For this post, I am going to show how to capture the information about local machine certificates. I do want to take a moment to thank MVP Sherry Kissinger for this post with the base powershell script used to collect the certificate information.
#Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.#
Now on to the good stuff. PowerShell makes it easy to get information about certificates. Using get-childitem and selecting one certificate we can see all the information available
While you can collect all of this information we are going to limit this down to just the Thumbprint, Subject, Issuer, NotBefore, NotAfter, and FriendlyName. We are also going to add a custom value of ExpiresinDays and ScriptLastRan. Next, we use a PowerShell script to collect the information and publish it to a custom wmi class.
https://github.com/mrbodean/AskPFE/blob/master/ConfigMgr%20Certificate%20Inventory/publish-CertInfo...
Next create a configuration item that uses the script to publish the certificates in the local machine personal store, the local machine trusted publishers, and the local machine trusted root certificate stores to wmi that will allow the hardware inventory to collect the information.
The documentation for using configuration items is available at:
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/configuration-items-for-devices-managed...
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines
https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings
These steps will extend the Hardware Inventory to collect the certificate information that has been published in WMI. To extend the inventory you must use a MOF file, MOF files are a convenient way to change WMI settings and to transfer WMI objects between computers. For more info see https://technet.microsoft.com/en-us/library/cc180827.aspx
Once the configuration item runs and publishes the data info WMI, the next time hardware inventory runs for systems in the test collection the certificate information will be available for reporting in Configuration Manager.
These steps will create console query that you can use to search for systems with a specific certificate thumbprint
This is a SQL query that can be used to view the certificate inventory data and can also be used as the basis for creating a custom report
Select sys.Name0 as 'Name', Location0 as 'Certificate Location', FriendlyName0 as 'Friendly Name', ExpiresinDays0 as 'Expires in Days', Issuer0 as Issuer, NotAfter0 as 'Not After', NotBefore0 as
'Not Before', Subject0 as Subject, Thumbprint0 as Thumbprint, ScriptLastRan0 as 'Script last Ran'
from v_GS_CM_CERTINFO
Inner Join v_R_System as sys ON v_GS_CM_CERTINFO.ResourceID = sys.ResourceID
Thank you for reading, and I hope this helps you out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.