Clear Computer SSL Certificates through Group Policy
Closed     Case # 10053     Affiliated Job:  New Trier Township District 2031
Opened:  Friday, April 29, 2011     Closed:  Friday, April 29, 2011
Total Hit Count:  14586     Last Hit:  Wednesday, December 11, 2024 2:57:01 AM
Unique Hit Count:  4947     Last Unique Hit:  Wednesday, December 11, 2024 2:57:01 AM
Case Type(s):  Development, Server
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Problem:
Recently our district is migrating away from Script Logics/Desktop Authority and over to Microsoft's System Center Configuration Manager (SCCM) - while trying to push out the SCCM client to machines with the Desktop Authority installed, many of these machines would fail because of multiple SSL certificates in the machine's personal store. Depending on the SSL certificate used (Domain assigned or Expert Assist assigned) the client push would randomly fail.

Resolution:
We decided since the A.D. assigned certificates would be re-populated, we would run a group policy script (that would only run once) to clear out the currently assigned certificates, after a follow up reboot, the A.D. assigned certificate would be re-assigned back to the workstation. Because we are running SCCM in native mode, these machine SSL certificates are required for communication with SCCM.

Create a group policy to run the computer startup script below and assign the policy to the OU with the machines you need to clear out the SSL certs - NOTE, careful not to run this on your servers/DCs/CA servers.

-   Download the CertMgr.Exe (not to be confused with CertMgr.msc) - part of the Windows SDK bundle (i.e. C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin)
-   Position this exe in the policy i.e. \\domain.net\sysvol\domain.net\Policies\{GUID}\Machine\Scripts\Startup\CertEXE
-   Create the below CertRemove.bat and assign it to run via Startup Script policy
    --Start Code--
    @ECHO OFF
    IF EXIST C:\Windows\System32\CertEXE\CertMgr.Exe GOTO END
    
    :INSTALL
    ECHO Fixing computers by removing the ExpertAssist Certificates...
    C:
    CD\Windows\System32
    MKDIR CertEXE
    CD CertExe
    COPY "\\domain.net\sysvol\domain.net\Policies\{GUID}\Machine\Scripts\Startup\CertEXE\CertMgr.Exe" "C:\Windows\System32\CertEXE\CertMgr.Exe"
    CertMgr.Exe -del -all -c -r localMachine -s my
    gpupdate
    
    GOTO COMPLETE
    
    :END
    ECHO File Already Exists...
    
    :COMPLETE
    ECHO Setup Complete...
    ^--End Code--^
-   Assign the group policy the following WMI filter designating it to run only on XP Pro machines
  o   Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional"


The result will require two reboots on behalf of the XP Pro machine, 1st to clear the SSL certificates from the Personal Machine Store and the 2nd to re-issue the domain certificate - if this needs to be run on additional operating systems - update this WMI filter to correspond to the operating system required and verify the batch works accordingly. Adjustments to the path may be needed.



Profile IMG: Footer Left Profile IMG: Footer Right