takoroni Posted September 22, 2020

Hi, is there a way to find/display a specific certificate that is on the client side? Is there an RDL for the SCCM report server? Can I see the certificate in Resource Explorer?

roni

GarthMJ Posted September 22, 2020

There is no built-in inventory task for certs and therefore no reports for this either.

takoroni Posted September 22, 2020

Thank you. Is there a way to create a query based on certificate template?

GarthMJ Posted September 22, 2020

Since certs are not inventoried by ConfigMgr, you will not be able to query on cert templates either.

takoroni Posted September 23, 2020

Thanks - hope Microsoft will include it in the future.

GarthMJ Posted September 23, 2020

There is a UserVoice for it; I would not hold my breath that it will happen anytime soon, as it only has 0 votes.

https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/40878685-hardware-inventory-to-collect-certificates

kevinnns Posted September 27, 2020

You could use a Configuration Item + Baseline to build something that does this, depending on what you're looking for exactly. It's not ideal, but possible. With the WFH I've hacked a PowerShell script together to check if the SCCM Client cert on the system is about to expire.

```powershell
# Default result; the compliance rule expects the string "Compliant"
$Compliance = 'Compliant'
# Must match the template name used by your certificate server
$templateName = 'SCCM Client Certificate'

# Certificates issued from that template that expire within the next 24 days
$Check = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object {
    $_.Extensions | Where-Object {
        ($_.Oid.FriendlyName -eq 'Certificate Template Information') -and
        ($_.Format(0) -match $templateName)
    }
} | Where-Object { $_.NotAfter -le (Get-Date).AddDays(24) }

If ($Check) { $Compliance = 'NonCompliant' }
$Compliance
```

I've got the Data type set as a string and Compliance Rule to Equal "Compliant". In the above case we're checking on days of validity left; you can change it as you like of course, and make sure to match the TemplateName to your actual template name for the cert from your certificate server.

We've deployed this on our workstations and put all non-compliant marked clients in a collection twice a day and based on that give our end-users some "attention" to connect to the VPN and get their cert renewed.

Preferably we wouldn't be in this situation and we would have all the machines AzureAD joined so that with the CMG Client cert authentication wasn't needed, but for now alas it still is (but not for long anymore).

Hope it helps or at least gives you a start to build what you need ?!

Edited September 27, 2020 by kevinnns
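
Added example, not kevinnns's script and not ConfigMgr's own code: a variant of the discovery script in the post above that matches the template extension by OID rather than by `FriendlyName` (which can differ with the OS display language), and that also reports non-compliance when no usable certificate from the template exists. The template name and 24-day window are taken from the post; the function names and the returned detail strings are hypothetical.

```powershell
# Added example; template name and threshold are assumptions taken from the post.
$TemplateName  = 'SCCM Client Certificate'
$ThresholdDays = 24

# Extension OIDs that carry template identity (locale-independent):
#   1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
#   1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
$TemplateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

# Hypothetical helper: all certificates in the store issued from the named template.
function Get-TemplateCertificate {
    param([string]$Name, [string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.Extensions | Where-Object {
            ($TemplateOids -contains $_.Oid.Value) -and
            ($_.Format($false) -match [regex]::Escape($Name))
        }
    }
}

# Hypothetical helper: returns 'Compliant' or a 'NonCompliant: ...' string with the reason.
function Get-TemplateCompliance {
    param([object[]]$Certificate, [int]$Days, [datetime]$Now = (Get-Date))
    # Only certificates that are currently valid and have a private key are usable.
    $usable = @($Certificate | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $Now -and $_.NotAfter -gt $Now
    })
    # A machine with no usable certificate must not report as compliant.
    if ($usable.Count -eq 0) { return 'NonCompliant: no usable certificate' }
    # Judge by the longest-lived certificate so a leftover old one does not mask a renewal.
    $best = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
    $daysLeft = [int][math]::Floor(($best.NotAfter - $Now).TotalDays)
    if ($daysLeft -le $Days) {
        return "NonCompliant: $daysLeft days left ($($best.Thumbprint))"
    }
    'Compliant'
}

$found = Get-TemplateCertificate -Name $TemplateName
Get-TemplateCompliance -Certificate $found -Days $ThresholdDays
```

With the same string data type and an Equals "Compliant" rule as in the post, any `NonCompliant: ...` value still fails the rule, and the reason text shows up in the baseline's reported value.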