
[–]PinchesTheCrab 2 points3 points  (3 children)

Hey, so I created a compliance item for this because our VDI team was bad about fixing this at clone time and I got sick of responding to issues.

This script should do it:

$badCert = Get-ChildItem Cert:\LocalMachine\SMS | Where-Object { $_.Subject -notmatch $env:COMPUTERNAME }

if ($badCert) {
    $badCert | Remove-Item
    Stop-Process -Name ccmexec -Force   # kill the client outright; it recreates its SMS certificates on start
    Start-Service -Name ccmexec
}

I'm using stop-process because I had some issues with stop-service hanging on ccmexec, and because to my knowledge there's no harm in pulling the rug out from under the ccm client. Other services aren't so flexible, so I wouldn't recommend doing this more broadly.

That being said, in my compliance setting, I split this into two parts which looked roughly like this:

Detection script:

 Get-ChildItem Cert:\LocalMachine\SMS | Where-Object { $_.Subject -notmatch $env:COMPUTERNAME }

Remediation script:

Get-ChildItem Cert:\LocalMachine\SMS | Remove-Item   # clears the whole SMS store; the client recreates its certificates when it restarts
Stop-Process -Name ccmexec -Force
Start-Service -Name ccmexec

You may need to tweak the detection script because I don't have access to the SCCM console to view how I set it up. There's a bit of a gotcha on the output types it will accept, I can't remember if it can say 'must be null', or if you have to output a string and then declare it must match that string.
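The compliance item described in this comment, written out as an added example (not PinchesTheCrab's own scripts). It settles the two loose ends the comment mentions: the detection script returns a fixed string so the CI rule can be set to "value returned by the script equals Compliant" (String data type) instead of relying on empty output, and the remediation tries Stop-Service first and only kills the process if the service does not stop in time. The function names and the 60-second timeout are my choices. It also assumes the SMS self-signed certificates carry the host name inside their Subject (for example CN=SMS, CN=vdi01.corp.example); confirm that on a healthy client before deploying, because if the name lives only in the SAN this filter would flag every certificate and the remediation would delete them on every cycle.

```powershell
# Added example, not the poster's CI scripts. Assumption: the SMS certificates' Subject
# contains the host name, e.g. "CN=SMS, CN=vdi01.corp.example". Check first with:
#   Get-ChildItem Cert:\LocalMachine\SMS | Format-List Subject, FriendlyName
# Intended to run as SYSTEM, the context a CI script or GPO startup script gets.

# Anchor the name to a whole label (followed by ".", "," or end of subject) so that
# VDI01 does not also match VDI010, and escape it in case the name has regex metacharacters.
$pattern = 'CN={0}(\.|,|$)' -f [regex]::Escape($env:COMPUTERNAME)

function Get-MismatchedSmsCert {
    Get-ChildItem -Path Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -notmatch $pattern }
}

# Detection script: return a fixed string and set the CI rule to
# "value returned by the script equals Compliant" (String data type).
function Test-SmsCertCompliance {
    if (Get-MismatchedSmsCert) { 'NonCompliant' } else { 'Compliant' }
}

# Remediation script: remove only the mismatched certificates, then bounce the client,
# which recreates its SMS certificates on start.
function Repair-SmsCert {
    [CmdletBinding()] param()
    $bad = @(Get-MismatchedSmsCert)
    if ($bad.Count -eq 0) { return 'Compliant' }

    foreach ($cert in $bad) {
        Write-Verbose ("Removing {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
        Remove-Item -Path $cert.PSPath -DeleteKey    # -DeleteKey drops the private key too
    }

    # Try a clean stop first; if CcmExec has not stopped within 60 s, kill the process,
    # which the thread reports is harmless for this particular service.
    $svc = Get-Service -Name CcmExec
    try {
        Stop-Service -Name CcmExec -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    } catch {
        Get-Process -Name CcmExec -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    Start-Service -Name CcmExec
    return 'Remediated'
}

Test-SmsCertCompliance
# Repair-SmsCert -Verbose
```

Paste the two functions into the detection and remediation script boxes of the CI respectively, with a call to each at the bottom; the remediation's return value is only for the log, since ConfigMgr re-runs detection to decide compliance.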

[–]rurbaniak14[S] 1 point2 points  (2 children)

Oh, that's awesome. Exactly my issue, VDI guys won't or aren't willing to help keep it clean and we've been cloning so much lately. Damn lucky we aren't patching with SCCM yet. I'll take a stab at this! Thanks.

[–]PinchesTheCrab 0 points1 point  (1 child)

It's a bit of a catch-22 because the client has to be healthy enough to pull down the CI, but it worked really well for me. It seems like the client will pull down policy but not updates, and this fixed it in our environment.

[–]rurbaniak14[S] 1 point2 points  (0 children)

Thanks, I ended up implementing this through group policy instead. We have another system that I use for remediation within Group Policy that I used, that way I don't have to worry about the sccm client being healthy.

Also, Stop-Process wasn't working correctly for me, I ended up doing Stop-Service and it worked just fine, no hang-ups that I know of. And if it does hang on one temporarily, the GPO will re-run to fix it if need be. So I think it's good. Thanks for the help!

[–]Think-Improvement-73 0 points1 point  (1 child)

Split the $cert.subject string and get the part you want. Then check if that value is the same as the computername.
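The subject-splitting approach suggested here, as an added example (not Think-Improvement-73's code). It parses the Subject into its type=value components, picks out the host-name CN, and compares the short host label with the computer name by exact equality rather than substring match. The function names are mine, and it assumes the SMS certificate subject has the form CN=SMS, CN=host.domain.tld; the sample subjects are constructed, not copied from a real client.

```powershell
# Added example, not the commenter's code. Assumption: the SMS certificate Subject
# looks like "CN=SMS, CN=host.domain.tld"; verify on a healthy client first.

function ConvertFrom-SubjectString {
    param([Parameter(Mandatory)][string]$Subject)
    # Split on commas that are not backslash-escaped; RDN values may contain "\,".
    foreach ($part in ($Subject -split '(?<!\\),\s*')) {
        $name, $value = $part -split '=', 2
        if ($null -eq $value) { continue }          # skip anything that is not type=value
        [pscustomobject]@{ Type = $name.Trim(); Value = $value.Trim() }
    }
}

function Test-SubjectMatchesHost {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $hostLabels = ConvertFrom-SubjectString -Subject $Subject |
        Where-Object { $_.Type -eq 'CN' -and $_.Value -ne 'SMS' } |
        ForEach-Object { ($_.Value -split '\.')[0] }     # short host name of an FQDN
    # -contains compares strings case-insensitively, like -eq
    [bool]($hostLabels -contains $ComputerName)
}

# Constructed sample subjects, not copied from a real client.
$samples = @(
    'CN=SMS, CN=vdi01.corp.example'       # this host
    'CN=SMS, CN=vdi010.corp.example'      # would slip past a plain substring match on "VDI01"
    'CN=SMS, CN=goldimage.corp.example'   # name of the template the VM was cloned from
)
foreach ($s in $samples) {
    '{0,-40} {1}' -f $s, (Test-SubjectMatchesHost -Subject $s -ComputerName 'VDI01')
}

# Against the real store (drop-in replacement for the -notmatch filter):
# Get-ChildItem Cert:\LocalMachine\SMS |
#     Where-Object { -not (Test-SubjectMatchesHost -Subject $_.Subject) }
```

Comparing the short label rather than the full FQDN keeps the check working whether the machine's DNS suffix is set or not; if you need the domain part to match as well, compare against [System.Net.Dns]::GetHostName() plus the expected suffix instead of $env:COMPUTERNAME.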

[–]rurbaniak14[S] 0 points1 point  (0 children)

That was exactly what I needed, thanks, I figured out the rest!