Querying client certificates
Hi all, wanted to ask a question please. I am trying to understand the following request; I have no certificate knowledge (as you will find out as you read on!). I am trying to find out the following - Desktop migration: Customer has a non-locked-down environment and end users are able to install their own "stuff" (Windows XP). They are worried that some users have installed content that includes certificates which will be required in future. They want to audit their desktop machines to find out whether there are any certificates in addition to the ones that are issued through AD that they will need to migrate. I don't understand certificates or stores etc., so am at a bit of a loss; any input gratefully received. Certutil will allow me to query via script, but I don't even know if this is necessary or exactly what I should be targeting. My assumption is that I need to query the personal store only, as it's only non-autoenrolled certs I am interested in. Clients are all AD members. Thanks. P.S. Can trade for performance/debugging questions!! :)
March 31st, 2011 10:13am

You should take a look at this article on how to work with certificates on remote machines using PowerShell: http://blogs.technet.com/b/heyscriptingguy/archive/2011/02/16/use-powershell-and-net-to-find-expired-certificates.aspx You can use the code from the link to put together a script to query all domain-joined client computers. Brian
March 31st, 2011 7:16pm

What content are they concerned about being installed that "includes certificates?" Are they talking about EFS?
April 1st, 2011 8:42am

Hi there, thanks for the response. There is no EFS, so it's not EFS cert migration. As far as I know, the customer is worried that end users could have installed items that come with certificates. They want to make sure those certs are retained when migrated. My understanding is, though, that if they have installed an app etc. that issues a cert into the personal store, there is no point migrating it, as when they reinstall this item it will reinstall the cert on the new migrated OS. So my limited knowledge says this is not something to even bother doing. Of course, as I said, my cert knowledge is tiny, so there may be scenarios I am not aware of.
April 1st, 2011 10:22am

Just investigate each "special application" the customer is worried about. Maybe a payroll or billing application requires a special certificate installed. Other than that you can feel pretty safe not worrying about it. That is, if there are no EFS files around the network.
April 1st, 2011 10:36am

I've run into a couple of examples that may or may not apply in your case: If your Tax department is communicating with the IRS over email, they may have installed a personal SSL certificate for secure email communication (S/MIME). It would be in their personal store and would need to be backed up/exported in order to be added to a new computer (or reinstalled O/S). If any employees (such as HR) are utilizing cloud-based services that require certificate authentication, they may have installed certificates for those services. In this case, those would also need to be backed up/exported in order to be added to a new computer (or reinstalled O/S). I'd agree with Snickered too - generally, third-party certificates are not a typical primary concern during a migration. If you've got a bit of extra time on your hands, it couldn't hurt to run a certificate query against all client computers though. Brian
April 1st, 2011 12:25pm

On Thu, 31 Mar 2011 14:08:34 +0000, johnnycage wrote: They want to audit their desktop machines to find out is there any additional certs to the ones that are issued through AD that they will need to migrate. You don't specify the OS on the clients but this can be done quite easily with a Powershell script. You can find an example in this thread: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/eb3f8f93-07ff-4d30-8b0a-7a5bfbb9420e/ Frankly, if this were my network and users had installed unauthorized applications that required certificates I'd simply send out an email letting them know that it is their responsibility to back up their non-approved certificates. Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca This system will self-destruct in five minutes.
April 1st, 2011 12:35pm
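For the audit the original poster describes (personal store only, non-autoenrolled certs, report what would actually need exporting), here is an added PowerShell example, not code from this thread or from the linked articles. It is meant to run in the user's own context (for example as a logon script), because a user's CurrentUser\My store cannot be opened from another machine; the share path and enterprise CA issuer names are placeholders to adjust.

```powershell
# Added example (not from the thread or the linked articles). Run as the user,
# e.g. via logon script, since CurrentUser\My is not reachable remotely.
# Assumes PowerShell 2.0 on the client; share path and CA names are placeholders.
$OutputShare   = '\\FILESERVER\CertAudit$'                        # placeholder
$EnterpriseCAs = @('CN=CORP-ISSUING-CA, DC=corp, DC=example')     # placeholder
# Every certificate issued from an AD certificate template carries one of these
# extensions (v1 "Certificate Template Name", v2 "Certificate Template Information"),
# so their presence is a reliable sign the cert came via AD/autoenrollment.
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-NonEnterpriseCerts {
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    $results = @()
    foreach ($cert in Get-ChildItem $StorePath) {
        $hasTemplate = $false
        foreach ($ext in $cert.Extensions) {
            if ($TemplateOids -contains $ext.Oid.Value) { $hasTemplate = $true }
        }
        # Skip what autoenrollment will simply recreate on the migrated OS.
        if ($hasTemplate -or ($EnterpriseCAs -contains $cert.Issuer)) { continue }
        # Enhanced Key Usage (OID 2.5.29.37) shows what the cert is for, e.g.
        # "Secure Email" for S/MIME or "Client Authentication" for web services.
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
               ForEach-Object { $_.Format($false) }
        # Only certs with a private key need an export; a non-exportable key
        # (or a smart-card key) cannot be migrated by copying a PFX.
        $exportable = 'n/a'
        if ($cert.HasPrivateKey) {
            try   { $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable }
            catch { $exportable = 'unknown' }
        }
        $results += New-Object PSObject -Property @{
            Computer      = $env:COMPUTERNAME
            User          = $env:USERNAME
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            EKU           = ($eku -join '; ')
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
        }
    }
    return $results
}

$csv = Join-Path $OutputShare ("{0}-{1}.csv" -f $env:COMPUTERNAME, $env:USERNAME)
Get-NonEnterpriseCerts | Export-Csv -Path $csv -NoTypeInformation
```

The LocalMachine\My store, by contrast, can be read from a central machine the way the linked Scripting Guy article does it, so the same filter can be applied there without a logon script.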
