ConfigMgr Global Condition – Use Certificate Existence as Condition

Related Posts:

I’m not going to go into a lot of detail on making them; you can find the details in the related posts. I’m just providing the information needed to use a certificate as the condition.

You’ll need to know the path to the certificate. In this example, I’m confirming that the WSUS self-signed certificate is on the device in the Trusted Root store.

$Cert = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq "ddf67dc780f9c52caf5a75c46205ef68ef6b0066"}
if ($Cert){$true}

So when I run the short script, it returns “True”, since the device has a certificate matching the thumbprint.

If I remove that certificate, the script no longer returns any value.
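A stricter variant of the same check, added here as an example and not part of the original post: it normalizes the thumbprint, looks the certificate up directly, and treats an expired certificate as absent. The function name `Test-TrustedRootCert` is hypothetical, and the expiry rule is an assumption about what you want the condition to enforce. Like the script above, it outputs a value only when the check passes.

```powershell
# Added example (not from the original post); function name is hypothetical.
function Test-TrustedRootCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    # Thumbprints copied from the certificate UI often carry spaces or an
    # invisible leading character; keep only hex digits and upper-case them.
    $clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        return $false   # not a SHA-1 thumbprint, so nothing can match
    }

    # Direct lookup by thumbprint instead of enumerating the whole store.
    $cert = Get-Item -LiteralPath "$StorePath\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return $false
    }

    # Assumption: an expired or not-yet-valid certificate counts as absent.
    $now = Get-Date
    return ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
}

# Thumbprint taken from the post. Output $true on success and nothing at all
# otherwise, so the script behaves like the original when the check fails.
if (Test-TrustedRootCert -Thumbprint 'ddf67dc780f9c52caf5a75c46205ef68ef6b0066') {
    $true
}
```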

ConfigMgr Global Condition

  • Set the name to something that makes sense
  • Condition type: Setting
  • Setting type: Script
  • Data type: Boolean

And now you’ve got it.

Assign to an Application DT:

  • Custom Condition: The one you just made
  • Rule type: Existential
  • Choose: The selected global condition must exist on client devices

Endpoint Tests: Device with Certificate

Device installs the software fine, as it found the certificate to meet the requirements.

Endpoint Tests: Device without Certificate

Device blocks installation, as it doesn’t meet the Global Condition requirements.

