Tech Services Endpoint Services, MECM Certificate Audit and Reporting

Follow this guide to verify endpoints have valid certificates in order to enable off-campus management by Microsoft Endpoint Configuration Manager. Review the article at https://answers.uillinois.edu/71950 for more information about MECM's off-campus management features.

Systems

Microsoft Endpoint Configuration Manager (MECM)

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

How to audit certificate expiration on endpoints

The 'InCommon\UofI ADCS Cert Expiration Audit' configuration baseline queries the endpoint for any Active Directory Certificate Services (ADCS) or InCommon certificates.

  • In the MECM console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines

  • Select the 'InCommon\UofI ADCS Cert Expiration Audit' configuration baseline

  • Select 'Deploy' from the top ribbon

  • In the 'Deploy Configuration Baseline' dialog box, select the collection to run this configuration baseline on

  • Select 'OK'

  • Navigate to \Monitoring\Overview\Deployments and search for 'InCommon\UofI ADCS Cert Expiration Audit' in the search bar

  • Select 'InCommon\UofI ADCS Cert Expiration Audit' from the results and select 'View Status' from the top ribbon
    • Allow enough time for clients to run the baseline and report the results to MECM.  Select 'Run Summarization' from the top ribbon to gather the latest reported data.
    • Devices under the 'Compliant' tab have certificates with more than 31 days remaining
    • Devices under the 'Non-Compliant' tab have a certificate with 31 days or less remaining, an expired certificate, or no certificate

  • For non-compliant devices, direct the respective users to connect to the VPN
    • This allows the device to contact Active Directory and obtain a renewed certificate from ADCS. Devices must remain connected to the VPN long enough for these steps to complete.

  • A graphical compliance report can be generated on a recurring basis:
    • Navigate to \Monitoring\Overview\Reporting\Reports\Useful Reports in the console
    • Select the 'Baseline Status by Collection' report
    • Select 'Create Subscription' from the top ribbon
    • Customize the subscription schedule
    • Select the relevant collection and baseline under 'Subscription Parameters'
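
To spot-check a single endpoint against the same 31-day rule without waiting for the baseline to report, the following added example (not the baseline's own script) evaluates the local machine certificate store. It assumes the certificates are in Cert:\LocalMachine\My, that issuers can be matched by name, and that the longest-lived matching certificate decides the result; the function name, the issuer patterns and the ADCS CA placeholder are hypothetical and must be adjusted.

```powershell
# Added example: local spot check of the 31-day rule on one endpoint.
# Assumptions: certificates live in Cert:\LocalMachine\My and issuers are
# matched by name. Replace the placeholder with your ADCS issuing CA name.
param(
    [string[]]$IssuerPatterns = @('*InCommon*', '*REPLACE-WITH-ADCS-CA-NAME*'),
    [int]$ThresholdDays = 31
)

function Get-CertAuditState {
    param(
        [object[]]$Certificates,      # objects exposing Issuer and NotAfter
        [string[]]$IssuerPatterns,
        [int]$ThresholdDays,
        [datetime]$Now = (Get-Date)
    )
    # Keep only certificates whose issuer matches one of the patterns.
    $matching = @($Certificates | Where-Object {
        $issuer = $_.Issuer
        @($IssuerPatterns | Where-Object { $issuer -like $_ }).Count -gt 0
    })
    if ($matching.Count -eq 0) { return 'NonCompliant: no certificate' }

    # Assumption: the longest-lived matching certificate decides the result.
    $best = $matching | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($best.NotAfter -le $Now) { return 'NonCompliant: expired' }

    $daysLeft = [math]::Floor(($best.NotAfter - $Now).TotalDays)
    # "31 days or less remaining" is non-compliant; more than 31 is compliant.
    if ($best.NotAfter -le $Now.AddDays($ThresholdDays)) {
        return "NonCompliant: $daysLeft days remaining"
    }
    return "Compliant: $daysLeft days remaining"
}

# Evaluate the real local store.
$local = @(Get-ChildItem -Path Cert:\LocalMachine\My)
"Local store: " + (Get-CertAuditState $local $IssuerPatterns $ThresholdDays)

# Constructed sample certificates (not real data) covering each outcome.
$now = Get-Date
$samples = [ordered]@{
    Fresh    = [pscustomobject]@{ Issuer = 'CN=InCommon Sample CA'; NotAfter = $now.AddDays(200) }
    Expiring = [pscustomobject]@{ Issuer = 'CN=InCommon Sample CA'; NotAfter = $now.AddDays(10) }
    Expired  = [pscustomobject]@{ Issuer = 'CN=InCommon Sample CA'; NotAfter = $now.AddDays(-5) }
    Other    = [pscustomobject]@{ Issuer = 'CN=Unrelated CA';       NotAfter = $now.AddDays(200) }
}
foreach ($name in $samples.Keys) {
    "{0}: {1}" -f $name, (Get-CertAuditState @($samples[$name]) $IssuerPatterns $ThresholdDays $now)
}
```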




Keywords: EPS MECM SCCM certificate ADCS
Doc ID: 101558
Owner: EPS Distribution List
Group: University of Illinois Technology Services
Created: 2020-04-29 13:42 CDT
Updated: 2020-05-01 11:25 CDT
Sites: University of Illinois Technology Services