Extending Hardware Inventory for System Center Configuration Manager

Hello everyone, Jonathan Warnken here, and I am a Premier Field Engineer (PFE) for Microsoft. I primarily support Configuration Manager and I have been getting a lot of questions recently on how to collect custom information and include it in the device inventory within Configuration Manager. I wanted to share one way to accomplish this that demonstrates some of the great ways to extend the built-in features. For this post, I am going to show how to capture the information about local machine certificates. I do want to take a moment to thank MVP Sherry Kissinger for this post with the base powershell script used to collect the certificate information.

#Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.#

Now on to the good stuff. PowerShell makes it easy to get information about certificates. Using get-childitem and selecting one certificate we can see all the information available

While you can collect all of this information we are going to limit this down to just the Thumbprint, Subject, Issuer, NotBefore, NotAfter, and FriendlyName. We are also going to add a custom value of ExpiresinDays and ScriptLastRan. Next, we use a PowerShell script to collect the information and publish it to a custom wmi class.

https://github.com/mrbodean/AskPFE/blob/master/ConfigMgr%20Certificate%20Inventory/publish-CertInfo2WMI.ps1

Next create a configuration item that uses the script to publish the certificates in the local machine personal store, the local machine trusted publishers, and the local machine trusted root certificate stores to wmi that will allow the hardware inventory to collect the information.

  1. Download https://github.com/mrbodean/AskPFE/raw/master/ConfigMgr%20Certificate%20Inventory/Inventory%20Machine%20Certificates.cab to c:\temp\Examples\
  2. Navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines
  3. Click on “Import Configuration Data” (You will find this as a button on the top toolbar or in the context menu when you right click on Configuration Baselines
    1. Select C:\temp\Examples\Inventory Machine Certificates.cab
    2. Click Yes on the warning “The publisher of Inventory Machine Certificates.cab file could not be verified. Are you sure that you want to import this file?”
    3. Click next twice to progress through the wizard and once complete, click close.
  4. You will now see a new sub folder named Custom under Configuration Items (\Assets and Compliance\Overview\Compliance Settings\Configuration Items\Custom) and a configuration item named “Inventory Machine Certificates” in the Custom folder.
  5. You will also see a Configuration baseline named “Inventory Machine Certificates”
    1. Deploy this baseline to a test collection

The documentation for using configuration items is available at:

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/configuration-items-for-devices-managed-with-the-client

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/create-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/deploy-configuration-baselines

https://docs.microsoft.com/en-us/sccm/compliance/deploy-use/monitor-compliance-settings

These steps will extend the Hardware Inventory to collect the certificate information that has been published in WMI. To extend the inventory you must use a MOF file, MOF files are a convenient way to change WMI settings and to transfer WMI objects between computers. For more info see https://technet.microsoft.com/en-us/library/cc180827.aspx

  1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/CertInfo.mof to c:\temp\Examples\
  2. Create a new Custom Device Client Setting (\Administration\Overview\Client Settings)
    1. Name the setting “Custom HW Inventory” and only enable Hardware Inventory
    2. Select Hardware Inventory on the left just under General
      1. Ensure Enable hardware inventory on clients is set to yes
      2. The default schedule is for 7 days, update the schedule if you would like to change it
      3. Click the “Set Classes …” button
        1. Click on the “Import …” button
          1. Select the c:\temp\Examples\CertInfo.mof
        2. Once back on the Hardware Inventory Classes dialog ensure the CertInfo (cm_CertInfo) class is enabled
        3. Click Ok
      4. Click Ok (again)
    3. Deploy the “Custom HW Inventory” Client Setting to a test collection.

Once the configuration item runs and publishes the data info WMI, the next time hardware inventory runs for systems in the test collection the certificate information will be available for reporting in Configuration Manager.

These steps will create console query that you can use to search for systems with a specific certificate thumbprint

  1. Download https://raw.githubusercontent.com/mrbodean/AskPFE/master/ConfigMgr%20Certificate%20Inventory/Find_Cert_Query.MOF to c:\temp\Examples\
  2. Navigate to \Monitoring\Overview\Queries
  3. Click on “Import Objects”, this is available a button on the top toolbar and the context menu when you right click on Queries
    1. Click next to navigate through the wizard
    2. On the MOF File Name step, select c:\temp\Examples\Find_Cert_Query.MOF
  4. Once the import completes, you will see a query named “Find Machines with a Certificate by thumbprint”

  5. Once you have systems reporting the certificates as part of the inventory you can run this report
    1. When you run this report, it will prompt you for the thumbprint of a certificate to search for
    2. If any systems are found with the certificate the system name and the thumbprint will be returned by the query

This is a SQL query that can be used to view the certificate inventory data and can also be used as the basis for creating a custom report

Select sys.Name0 as ‘Name’, Location0 as ‘Certificate Location’, FriendlyName0 as ‘Friendly Name’, ExpiresinDays0 as ‘Expires in Days’, Issuer0 as Issuer, NotAfter0 as ‘Not After’, NotBefore0 as
‘Not Before’, Subject0 as Subject, Thumbprint0 as Thumbprint, ScriptLastRan0 as ‘Script last Ran’

from v_GS_CM_CERTINFO

Inner Join v_R_System as sys ON v_GS_CM_CERTINFO.ResourceID = sys.ResourceID

 

Thank you for reading, and I hope this helps you out!