Monday, October 16, 2017

Powershellist - Using Config Baselines with Certificate Detection

This is mainly a post to jog my memory, so I won't go into too much detail, but here is how I handled a recent issue with a certificate that was accidentally deployed to the entire enterprise (not by me 😛). It was up to me to remedy this using a combination of a Configuration Baseline and an Application deployment. I decided PowerShell would best handle the detection side, since there was no way to do it in the Config Baseline with certutil.exe. The certificate is identified by the OID of the certificate template it was issued from, which an enterprise CA stamps into every issued certificate as an extension.

The Configuration Item's PowerShell discovery script was set up as follows (note that -match is a regex test, so the OID's dots are escaped; unescaped, each "." would match any character):
$pattern = [regex]::Escape("1.3.6.1.4.1.311.21.8.9698164.1945666.12076471.14939724.7091849.139.2709251.9725632")
# $_.Format(0) renders the template extension as text, e.g. "Template=<oid>, Major Version Number=...", so the OID can be matched in it.
$str1 = Get-ChildItem Cert:\LocalMachine\My | ? {$_.Extensions | ? {$_.oid.friendlyname -match "Template" -and $_.Format(0) -match $pattern}}
if ($str1) { write-host 'Found' }
else { write-host 'Not found' }
The Compliance Rule was then configured as 'Equals: Not found', since we wanted the cert removed: a machine that no longer has it is the compliant one.

I then created a collection from the Configuration Baseline's non-compliant devices (the ones that still have the cert) and deployed the 'Cert Removal' application to that collection as Required. The Cert Removal application was set up as follows:

RemoveCert.bat as the install command line (it runs as SYSTEM, so the un-switched MY store below is the LocalMachine store).

RemoveCert.bat contents:
REM certutil accepts a template OID as the CertId; with no -user switch, MY is the LocalMachine Personal store
certutil -delstore MY "1.3.6.1.4.1.311.21.8.9698164.1945666.12076471.14939724.7091849.139.2709251.9725632"
'Cert Removal' Application Detection Method (PowerShell). The logic is inverted on purpose: the application counts as "installed" when the cert is gone, so the script writes to stdout only in that case and stays silent (not installed, so the install command runs) while the cert is present:
$pattern = [regex]::Escape("1.3.6.1.4.1.311.21.8.9698164.1945666.12076471.14939724.7091849.139.2709251.9725632")
$str1 = Get-ChildItem Cert:\LocalMachine\My | ? {$_.Extensions | ? {$_.oid.friendlyname -match "Template" -and $_.Format(0) -match $pattern}}
if (-not $str1) { write-host 'Installed' }
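The whole procedure in one script, as an added example that is not code from the original post: it looks up certificates by the template OID using the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) rather than a friendly-name substring, escapes the OID before the regex test, and can run as the Configuration Item discovery script (-Mode Baseline), the application detection method (-Mode Detect), or the removal command (-Mode Remove), which uses Remove-Item on the Cert: drive as the PowerShell equivalent of certutil -delstore. Assumptions: the template OID is the one from the post, the script runs as SYSTEM or an administrator (as Configuration Manager runs it), the store is LocalMachine\My, and the file name RemoveCert.ps1 in the comments is hypothetical.

```powershell
# Added example (not from the original post). One script for all three steps of the
# procedure: baseline discovery, application detection, and certificate removal.
# Assumed: runs elevated, Windows PowerShell 3.0+ (for Remove-Item -DeleteKey on Cert:).
param(
    [ValidateSet('Baseline', 'Detect', 'Remove')]
    [string]$Mode = 'Baseline',
    # Template OID taken from the post; any other value here is an assumption.
    [string]$TemplateOid = '1.3.6.1.4.1.311.21.8.9698164.1945666.12076471.14939724.7091849.139.2709251.9725632',
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [switch]$DeleteKey,   # also destroy the private key; certutil -delstore leaves it behind
    [switch]$WhatIf       # report what would be removed without touching the store
)

# An enterprise CA records the issuing template in the Certificate Template Information
# extension (OID 1.3.6.1.4.1.311.21.7). V1 templates use Certificate Template Name
# (1.3.6.1.4.1.311.20.2) instead, which carries a name rather than an OID, so a
# post-style OID match can only ever hit the 21.7 extension.
$script:TemplateInfoOid = '1.3.6.1.4.1.311.21.7'

function Get-CertificateByTemplateOid {
    param([string]$Oid, [string]$Path)

    # -match takes a regex, so escape the OID: an unescaped '.' matches any character.
    # The lookahead stops a shorter OID from matching as a prefix of a longer sibling.
    $pattern = [regex]::Escape($Oid) + '(?![\d.])'

    Get-ChildItem -Path $Path | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $script:TemplateInfoOid }
        # Format($false) renders the extension as one line, e.g.
        # "Template=<name>(<oid>), Major Version Number=100, Minor Version Number=2",
        # or "Template=<oid>, ..." when the name cannot be resolved; the OID is present either way.
        ($null -ne $ext) -and ($ext.Format($false) -match $pattern)
    }
}

function Remove-CertificateByTemplateOid {
    param([string]$Oid, [string]$Path, [switch]$DeleteKey, [switch]$WhatIf)

    $found = @(Get-CertificateByTemplateOid -Oid $Oid -Path $Path)
    foreach ($cert in $found) {
        $target = "$Path\$($cert.Thumbprint)"
        if (-not $WhatIf) {
            # Remove-Item on the Cert: drive is the PowerShell equivalent of
            # "certutil -delstore MY <id>"; -DeleteKey additionally destroys the private key.
            if ($DeleteKey) { Remove-Item -Path $target -DeleteKey }
            else            { Remove-Item -Path $target }
        }
        # One record per certificate so the caller can log it.
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; Removed = (-not $WhatIf) }
    }
}

$hits = @(Get-CertificateByTemplateOid -Oid $TemplateOid -Path $StorePath)

switch ($Mode) {
    # Configuration Item discovery script; the compliance rule is "Equals: Not found".
    'Baseline' {
        if ($hits.Count -gt 0) { Write-Output 'Found' } else { Write-Output 'Not found' }
    }
    # Application detection method: Configuration Manager treats any text on stdout
    # (with exit code 0) as "installed", so write only once the certificate is gone.
    'Detect' {
        if ($hits.Count -eq 0) { Write-Output 'Installed' }
    }
    # Application install command line (hypothetical file name):
    #   powershell.exe -ExecutionPolicy Bypass -File RemoveCert.ps1 -Mode Remove
    'Remove' {
        Remove-CertificateByTemplateOid -Oid $TemplateOid -Path $StorePath -DeleteKey:$DeleteKey -WhatIf:$WhatIf |
            ForEach-Object {
                $verb = if ($_.Removed) { 'Removed' } else { 'WhatIf: would remove' }
                Write-Output "$verb $($_.Thumbprint) ($($_.Subject))"
            }
    }
}
```

Run it with -Mode Remove -WhatIf first on a machine known to have the certificate to confirm the match is exactly one thumbprint before deploying; a template OID that is a prefix of another template's OID would otherwise be the kind of thing an unescaped -match silently over-matches. The -DeleteKey switch is deliberately opt-in because certutil -delstore, which the post uses, removes only the store entry and leaves any private key in place.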
