Script to remove a local certificate possible?

Article
2018-05-24

Question

_{Thursday, May 24, 2018 3:54 PM}

Hello,

I'm trying to write a small script to run on users workstations to delete a certificate in:

Certificates - Current User > Personal > Certificates

It is issues by "Communication Server" and issued to [email protected]

is this possible? I really just need anything that is issued by the "Communication Server" removed.

Thanks

All replies (26)

_{Thursday, May 24, 2018 4:03 PM ✅Answered}

Get-ChildItem Cert:\CurrentUser\My | 
    Where{$_.Issuer -match 'Communication Server'} |
    Remove-Item -WhatIf

\(ツ)_/

_{Tuesday, June 5, 2018 2:31 PM ✅Answered}

"WhatIf" is a tool that runs a command without actually changing anything.

\(ツ)_/

_{Wednesday, June 6, 2018 11:28 PM ✅Answered}

And It won't do anything you have a typo in communication.... is "communications". So the where is empty so nothing will be removed.

The code I just posted run correctly on my system. There is no typo. Please copy and paste correctly.

\(ツ)_/

Here's the answer again to your question.

Since the "where" condition is not met... if you cut and paste, it brings "nothing"

It's empty, there's nothing to pipe to the "remove" cmdlet.

_{Wednesday, June 6, 2018 11:56 PM ✅Answered}

And It won't do anything you have a typo in communication.... is "communications". So the where is empty so nothing will be removed.

The code I just posted run correctly on my system. There is no typo. Please copy and paste correctly.

\(ツ)_/

Here's the answer again to your question.

Since the "where" condition is not met... if you cut and paste, it brings "nothing"

It's empty, there's nothing to pipe to the "remove" cmdlet.

If there is no issuer that contains the string of course the results will be nothing. You must be sure that an issuer string contains the string you are trying to match. This is basic programming and is how all string matching works. Just list all issuers to check to see if any can match.

\(ツ)_/

_{Monday, June 4, 2018 11:05 AM}

Hello,

Sorry for the delay. That didn't seem to work. This is how the cert looks via MMC.

PS script

_{Monday, June 4, 2018 3:50 PM}

What does "didn't seem to work" mean? What message did you get?

\(ツ)_/

_{Tuesday, June 5, 2018 10:06 AM}

It didn't remove the certificate jrv, so I ran your script as above and refresh mmc and the certificate still remains.

_{Tuesday, June 5, 2018 3:26 PM}

Good morning, @jrv this is the error:

Remove-Item : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties 
do not match any of the parameters that take pipeline input.
At D:\Libs\Desktop\Upwork\test3.ps1:2 char:5
+     Remove-Item $_ -WhatIf
+     ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: ([Subject]
  CN...DE08043C599E8
:PSObject) [Remove-Item], ParameterBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.RemoveItemCommand

And this is the solution:

Get-ChildItem Cert:\CurrentUser\My\ | where{ $_.Issuer -eq 'CN=Communications Server'}  | %{
    #comment this line for production  (Test)
    Remove-Item -Path "Cert:\CurrentUser\My\$($_.Thumbprint)" -WhatIf 
    #Then Uncomment the line below to production,Remember: you need an elevated PS console (Production)
    #Remove-Item -Path "Cert:\CurrentUser\My\$($_.Thumbprint)" -confirm:$false
}

_{Tuesday, June 5, 2018 3:29 PM}

You didn't use the code I posted and your methods will not work.

Get-ChildItem Cert:\CurrentUser\My | 
    Where{$_.Issuer -match 'Communication Server'} |
    Remove-Item -WhatIf

After the WhatIf message shows you are successful, remove it.

\(ツ)_/

_{Tuesday, June 5, 2018 3:43 PM}

I edited it, check it again pls.

_{Tuesday, June 5, 2018 3:45 PM}

Don't edit. Use the code I posted.

\(ツ)_/

_{Tuesday, June 5, 2018 3:46 PM}

Your error doesn't work because it has 2 typos, " in 'Token' you have 3 's.

And in "communication" it should say "Communications", after those 2 fixes it works.

To test:

Get-ChildItem "Cert:\CurrentUser\My\" | WHERE{$_.Issuer -match "Communications Server"} | Remove-Item -WhatIf

For production:

Get-ChildItem "Cert:\CurrentUser\My\" | WHERE{$_.Issuer -match "Communications Server"} | Remove-Item -confirm:$false

_{Tuesday, June 5, 2018 3:47 PM}

Copy and run this exact code.

Get-ChildItem Cert:\CurrentUser\My | 
    Where{$_.Issuer -match 'Communication Server'} |
    Remove-Item -WhatIf

\(ツ)_/

_{Tuesday, June 5, 2018 4:04 PM}

And It won't do anything you have a typo in communication...It's "communications". So the where is empty and nothing will be removed.

_{Tuesday, June 5, 2018 4:05 PM}

And It won't do anything you have a typo in communication.... is "communications". So the where is empty so nothing will be removed.

The code I just posted run correctly on my system. There is no typo. Please copy and paste correctly.

\(ツ)_/

_{Tuesday, June 5, 2018 5:01 PM}

If to me it doesn't work, and to the asker, doesn't work... something must be wrong...don't you think?...

My last comment for this nonsense conversation

_{Tuesday, June 5, 2018 5:04 PM}

If to me it doesn't work, and to the asker, doesn't work... something must be wrong...don't you think?...

My last comment for this nonsense conversation

What does "it doesn't work" mean. What is your error? What messages are you getting?

Why are you asking a new question on another users thread?

\(ツ)_/

_{Friday, June 15, 2018 1:58 PM}

Hi - If I manually run the script it works great. If I save as a file (.ps1) and use as a user logoff script then the workstations hang on shutdown for around 5-10 mins and the certificate doesn't get removed.

How can I troubleshoot this issue?

_{Friday, June 15, 2018 2:05 PM}

A logoff script is not a good place to do this.

\(ツ)_/

_{Friday, June 15, 2018 2:49 PM}

how can we get this removed at the end of the day when a user shuts down then please?

_{Friday, June 15, 2018 2:54 PM}

Why do you have to remove a cert? They are intended to be installed and left in place.

You can also use AD to distribute and manage certs.

\(ツ)_/

_{Friday, June 15, 2018 3:39 PM}

It’s a very strange issue and many of us haven’t solved it including many forum posts. This only started happening too when we upgraded Windows 10 workstations on build 1511 or 1604 to the 170x builds or 1803 builds. The user will log on to the network fine wirelessly, but as soon as they open Skype we get a pop up box to choose a certificate and the WiFi drops off until we choose one. The drop down box shows the 2 certificates, one says the UPN so [email protected] and the other is the email address, if the UPN one is selected WiFi will connect again then Skype logs in. The workstation will now be fine until for days until a Cumulative update comes out or O365 updates, so quite often. What we have noticed you never get the issue if Skype is not installed or on windows 7, 8 or 10 with builds under 170x. What we have found out if the Cominications certificate doesn’t exist when Skype opens it issues a new one and there are no complaints, hence the log off or log on script to remove it. Thanks

_{Friday, June 15, 2018 5:58 PM}

It would make more sense to permanently bind the certificate.

I have the latest builds of W10, W7 and Skype installed and have never seen that issue. You need to contact MS for assistance with this. I would start with a re-install of W10 n one system as most issues like this are resolved with that.

Logon and Logoff scripts will not resolve your issue due to how they are executed on newer systems.

\(ツ)_/

_{Monday, June 18, 2018 7:42 AM}

We have tried a new build of our Windows 10 and get the same issue. One of our engineers did contact a source within MS and they did say it's a known issue and are looking to add this into a future cumulative update, but it never happens. I guess we need to pay them for a fix.

One of our admins said he did bind the certificate, but I'm not sure he has, can you remind me of where to do this and what certificate should be bound as we have one for WiFi and one for Skype as you know?

_{Monday, June 18, 2018 7:45 AM}

We have tried a new build of our Windows 10 and get the same issue. One of our engineers did contact a source within MS and they did say it's a known issue and are looking to add this into a future cumulative update, but it never happens. I guess we need to pay them for a fix.

One of our admins said he did bind the certificate, but I'm not sure he has, can you remind me of where to do this and what certificate should be bound as we have one for WiFi and one for Skype as you know?

I remind you that this is not a support forum. If you need help with this then contact MS Support with your issue.

You can also try posting your issues in the Security, Skype or networking forums for more assistance.

\(ツ)_/

_{Monday, June 18, 2018 12:51 PM}

Already did that some weeks about without success.

You asked about the issue so I answered that's all.

Share via

Script to remove a local certificate possible?

Question

All replies (26)

Additional resources