Tech Services Endpoint Services, MECM Certificate Audit and Reporting

Systems

Microsoft Endpoint Configuration Manager (MECM)

Intended Audience

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

How to audit certificate expiration on endpoints

• In the MECM console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines
  
  
• Select the 'InCommon\UofI ADCS Cert Expiration Audit' configuration baseline
  
  
• Select 'Deploy' from the top ribbon
  
  
• In the 'Deploy Configuration Baseline' dialog box, select the collection to run this configuration baseline on
  
  
• Select 'OK'
  
  
• Navigate to \Monitoring\Overview\Deployments and search for 'InCommon\UofI ADCS Cert Expiration Audit' in the search bar
  
  
• Select 'InCommon\UofI ADCS Cert Expiration Audit' from the results and select 'View Status' from the top ribbon
  • Allow enough time for clients to run the baseline and report the results to MECM.  Select 'Run Summarization' from the top ribbon to gather the latest reported data.
  • Devices under the 'Compliant' tab have certificates with more than 31 days remaining
  • Devices under the 'Non-Compliant' tab either have certificates with 31 days or less remaining, an expired certificate, or no certificate
    
    
• For non-compliant devices, direct the respective users to connect to the VPN
  • This allows the device to contact the Active Directory and obtain a renewed certificate from ADCS.  Devices must be connected to the VPN long enough to allow these steps to take place.
    
    
• A graphical compliance report can be generated on a recurring basis:
  • Navigate to \Monitoring\Overview\Reporting\Reports\Useful Reports in the console
  • Select the 'Baseline Status by Collection' report
  • Select 'Create Subscription' from the top ribbon
  • Customize the subscription schedule
  • Select the relevant collection and baseline under 'Subscription Parameters'

Contact the EPS team