Certificate Existence and Removal via SCCM Compliance Rules

I need to find some certificates by the template name and thumbprint. Here are the SCCM compliance rules (discovery scripts that output "Yes" or "No") for detection:

Certificate Detection based on Template Name:

# Certificate Existence Discover Script
# Rui Qiu
# v1.0
# 7/9/2020

# Look in the machine Personal store for any certificate whose "Certificate Template Information"
# extension (the v2 template extension, OID 1.3.6.1.4.1.311.21.7) names the template.
# Replace Name_of_your_cert_template with the template's display name. Certificates issued
# from v1 templates carry the name in the "Certificate Template Name" extension instead.
$Result = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Extensions | Where-Object {
        $_.Oid.FriendlyName -match "Certificate Template Information" -and
        $_.Format(0) -like "*Name_of_your_cert_template*"
    }
}

# Compliant ("Yes") when at least one matching certificate exists.
if ($null -ne $Result)
{$Compliance = "Yes"}
Else
{$Compliance = "No"}

$Compliance
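As an added example (not from the original post), here is a discovery script that resolves the template each certificate was issued from instead of substring-matching the raw extension text. It handles both extension types: v1 templates carry the template name in the "Certificate Template Name" extension (OID 1.3.6.1.4.1.311.20.2), v2 templates carry the template OID in "Certificate Template Information" (OID 1.3.6.1.4.1.311.21.7), whose Format() text reads like Template=WebServer(1.3.6.1.4.1.311.21.8....), Major Version Number=100, Minor Version Number=4. Matching on the template OID is more reliable than the display name, because the name only appears when Windows can resolve the OID. The function name, the English "Template=" label it parses, and the placeholder template name and OID are assumptions.

```powershell
# Added example, not from the original post. Resolves which template a certificate was
# issued from and applies the Yes/No compliance rule on that.
function Get-CertificateTemplate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $name = $null
        $oid  = $null
        foreach ($ext in $Certificate.Extensions) {
            switch ($ext.Oid.Value) {
                # v1 template ("Certificate Template Name"): the value is the name itself.
                '1.3.6.1.4.1.311.20.2' { $name = $ext.Format($false).Trim() }
                # v2 template ("Certificate Template Information"): the value is the template
                # OID; Format() renders "Template=<name>(<oid>), Major Version Number=..." when
                # the OID resolves to a name, or "Template=<oid>, ..." when it does not.
                # Assumption: the English "Template=" label as produced by Windows.
                '1.3.6.1.4.1.311.21.7' {
                    if ($ext.Format($false) -match 'Template=(?<name>[^(,]+)(?:\((?<oid>[\d.]+)\))?') {
                        $name = $Matches['name'].Trim()
                        if ($Matches['oid']) { $oid = $Matches['oid'] }
                        elseif ($name -match '^[\d.]+$') { $oid = $name; $name = $null }
                    }
                }
            }
        }
        if ($name -or $oid) {
            [pscustomobject]@{
                Thumbprint   = $Certificate.Thumbprint
                Subject      = $Certificate.Subject
                TemplateName = $name
                TemplateOid  = $oid
                NotAfter     = $Certificate.NotAfter
            }
        }
    }
}

# Discovery rule. The placeholders are assumptions: put the real template display name
# here and, preferably, its OID (shown in the template's properties in the Certificate
# Templates console), since the OID matches even when the name cannot be resolved locally.
$WantedTemplateName = 'Name_of_your_cert_template'
$WantedTemplateOid  = $null   # e.g. '1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7'

$Found = Get-ChildItem Cert:\LocalMachine\My | Get-CertificateTemplate | Where-Object {
    ($WantedTemplateOid -and $_.TemplateOid -eq $WantedTemplateOid) -or
    $_.TemplateName -eq $WantedTemplateName
}

if ($Found) { 'Yes' } else { 'No' }
```

Run Get-ChildItem Cert:\LocalMachine\My | Get-CertificateTemplate on its own first to see which templates the machine actually holds; the output also carries NotAfter, so the same objects can feed an expiry check.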

Certificate Detection based on Expiration Date:
(Check whether any certificate in the machine "Personal" store expires within 30 days; the rule is non-compliant when one does)

# -ExpiringInDays is a parameter added by the Cert: drive provider; it returns certificates
# whose NotAfter date falls within the given number of days (already-expired ones included).
$Result = Get-ChildItem -Path Cert:\LocalMachine\My -Recurse -ExpiringInDays 30
$Compliance = "Yes"

if ($null -ne $Result) {
    $Compliance = "No"
}
$Compliance

Certificate Detection based on Friendly name:
(This one looks in the current user's Personal store. An SCCM configuration item script runs as SYSTEM unless "Run scripts by using the logged on user credentials" is enabled for the setting; without that option Cert:\CurrentUser\My is the SYSTEM account's store, not the user's.)

$Result = Get-ChildItem Cert:\CurrentUser\My | Where-Object {$_.FriendlyName -like "*Certificate Friendly Name*"}
if ($null -ne $Result) {"Yes"} else {"No"}

SCCM Compliance Rule for discovering unused root certificates:

# Find Unused Root Certificates
# Rui Qiu
# 08132020
# v1.0

# Thumbprints of the root and intermediate CA certificates to look for. The "thumbprint-id"
# entries are placeholders; use the SHA1 thumbprint as shown in Cert:\ (upper-case hex, no spaces).
$RootThumbprints = @(
    "thumbprint-id", "thumbprint-id", "thumbprint-id", "thumbprint-id", "thumbprint-id", "thumbprint-id",
    "thumbprint-id", "thumbprint-id", "thumbprint-id", "thumbprint-id", "thumbprint-id"
)
$CAThumbprints = @("thumbprint-id", "thumbprint-id", "thumbprint-id")

# Collect matches from both stores into one array (empty when nothing matches).
$result = @(
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -in $RootThumbprints } | Select-Object Thumbprint
    Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Thumbprint -in $CAThumbprints }   | Select-Object Thumbprint
)

# Non-compliant ("No") while any of the listed certificates is still present.
if ($result.Count -gt 0)
{$Compliance = "No"}
Else
{$Compliance = "Yes"}

$Compliance

Remediation script for deleting unused certificates. certutil -delstore takes the store name followed by the certificate ID (here the SHA1 thumbprint); the switch in front of the store name selects the physical store. There is no -Intermediate switch in certutil: the intermediate CA store is simply named CA. Certificates delivered through Group Policy or published in Active Directory (the -enterprise store) are re-applied at the next policy refresh, so remove them at the source as well:

certutil -delstore -enterprise root "thumbprint-id"
certutil -delstore CA "thumbprint-id"
certutil -delstore root "thumbprint-id"
certutil -delstore -grouppolicy root "thumbprint-id"

Or use PowerShell to remove the certificates. The first command removes every certificate in the machine Personal store issued from the named template; the second removes only those from that template that expired before a cut-off date. Remove-Item leaves the associated private key on disk unless -DeleteKey is added, and both commands accept -WhatIf to preview what would be deleted:

Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Extensions | Where-Object {$_.Oid.FriendlyName -match "Certificate Template Information" -and $_.Format(0) -like "*Template Name*"}} | Remove-Item
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Extensions | Where-Object {$_.Oid.FriendlyName -match "Certificate Template Information" -and $_.Format(0) -like "*Template Name*"}} | Where-Object {$_.NotAfter -lt [datetime]"2022-08-22"} | Remove-Item
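As an added example (not from the original post), here is a PowerShell remediation for the unused root certificate rule above, the counterpart to the certutil lines. It removes only certificates whose thumbprint is on the list, from the machine Root and CA stores, supports -WhatIf so a run can be previewed, and reports what it removed and what is still present in the same "Yes"/"No" form the discovery script uses. The function name, the $UnusedThumbprints variable and the "thumbprint-id" placeholders are assumptions.

```powershell
# Added example, not from the original post: PowerShell remediation for the "unused root
# certificates" rule, removing only listed thumbprints from the machine Root and CA stores.
function Remove-ListedCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]]$Thumbprint,
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
    )
    # Normalise to the upper-case hex form used by the Cert: provider, so entries copied
    # from a certificate dialog (lower-case, space-separated) still match.
    $wanted = @($Thumbprint | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() })

    $removed = @()
    $failed  = @()
    foreach ($path in $StorePath) {
        foreach ($cert in @(Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -in $wanted })) {
            $target = "$path\$($cert.Thumbprint) ($($cert.Subject))"
            if ($PSCmdlet.ShouldProcess($target, 'Remove certificate')) {
                try {
                    $cert | Remove-Item -ErrorAction Stop
                    $removed += $cert.Thumbprint
                } catch {
                    # Certificates delivered by Group Policy or published in AD come back at
                    # the next policy refresh and have to be removed at the source instead.
                    Write-Warning "Could not remove $target : $_"
                    $failed += $cert.Thumbprint
                }
            }
        }
    }

    # Re-check afterwards so the result doubles as the discovery output:
    # "Yes" means none of the listed certificates remain.
    $remaining = @(foreach ($path in $StorePath) {
        Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -in $wanted } |
            Select-Object -ExpandProperty Thumbprint
    })
    $compliance = if ($remaining.Count -eq 0) { 'Yes' } else { 'No' }

    [pscustomobject]@{
        Removed    = $removed
        Failed     = $failed
        Remaining  = $remaining
        Compliance = $compliance
    }
}

# "thumbprint-id" values are placeholders for the real SHA1 thumbprints.
$UnusedThumbprints = @('thumbprint-id', 'thumbprint-id')
Remove-ListedCertificate -Thumbprint $UnusedThumbprints -WhatIf   # preview only
# Remove-ListedCertificate -Thumbprint $UnusedThumbprints          # actual remediation
```

When used as an SCCM remediation script, call the function without -WhatIf and output only the Compliance property; when used by hand, the Failed list tells you which entries are policy-managed and need the certutil -grouppolicy or -enterprise form, or a change to the GPO/AD publication, instead.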
