Identify users who don't have email encryption certificate

My IT department is getting a lot of complaints about users being unable to open an encrypted message.  This is most often due to their PCs missing the required certificate (usually lost during hardware replacement).  We have a fully functional internal ICA to manage all our internal certificates.

I would like to find a way to check, via powershell, for any users missing their certificates so that the IT team can preemptively help the users install the certificate and configure Outlook.

Ideally of course I'd like the script to retrieve & install the cert then configure Outlook but I'm probably dreaming again...

From the digging I've done so far I have the following:
(I am no scripting wizard)

    PS P:\> cd cert:currentuser\my
    PS Cert:\currentuser\my> gci . | where{$_.Subject -like "E=*"}

        Directory: Microsoft.PowerShell.Security\Certificate::currentuser\my

    Thumbprint                                Subject
    ----------                                -------
    30D1*********************************762  E=rossc@******.com, CN=RossC

Any assistance would be gratefully received
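One way to do the check the question asks for, as an added example that is not code from the question or the answers: it assumes the ActiveDirectory PowerShell module (RSAT) for the server-side pass and uses the standard Secure Email EKU OID 1.3.6.1.5.5.7.3.4; the function names are my own. It checks both the user's own store (private key present, so they can decrypt) and the certificate published in Active Directory (what Outlook finds via the GAL when encrypting to them).

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module for Get-ADUser.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # standard id-kp-emailProtection OID

function Get-CertEmails {
    # Addresses the cert is bound to: SAN RFC822 names plus any E= RDN in the Subject.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $emails = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($false), 'RFC822 Name=([^,\s]+)')) {
            $emails += $m.Groups[1].Value
        }
    }
    if ($Cert.Subject -match '(?:^|, )E=([^,]+)') { $emails += $Matches[1] }
    return $emails
}

function Test-SmimeCert {
    # True only if time-valid, has the Secure Email EKU, names $Email and
    # (when -RequirePrivateKey) can actually decrypt, not just encrypt.
    param($Cert, [string]$Email, [switch]$RequirePrivateKey)
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { return $false }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $SecureEmailEku })) { return $false }
    if ($RequirePrivateKey -and -not $Cert.HasPrivateKey) { return $false }
    return [bool](Get-CertEmails $Cert | Where-Object { $_ -ieq $Email })
}

function Test-LocalSmimeCert {
    # Client side: the logged-on user's own store, private key required.
    param([string]$Email)
    $hits = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { Test-SmimeCert -Cert $_ -Email $Email -RequirePrivateKey }
    return [bool]$hits
}

function Get-UsersMissingSmimeCert {
    # Server side: mail-enabled users with no usable cert published in AD
    # (what Outlook finds via the GAL when it needs a recipient's public key).
    Get-ADUser -Filter 'mail -like "*"' -Properties mail, userCertificate | ForEach-Object {
        $user = $_; $ok = $false
        foreach ($raw in $user.userCertificate) {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            if (Test-SmimeCert -Cert $c -Email $user.mail) { $ok = $true; break }
        }
        if (-not $ok) { [pscustomobject]@{ User = $user.SamAccountName; Mail = $user.mail } }
    }
}
```

Run Test-LocalSmimeCert -Email <address> on the workstation (for example from a logon script that reports to a share) and Get-UsersMissingSmimeCert from an admin machine; a user who passes the AD check but fails the local one is exactly the "cert lost during hardware replacement" case.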
bbao (IT Consultant) commented:
Why don't you simply deploy the certificates to client computers via GPO instead of checking whether they are there or not? The certificates have to be installed anyway at the end of the day.

Along the BBAO thought, the CA is internal AD integrated (enterprise CA) with a GPO that autoenrolls users. AD based will mean that the certificate is in the AD and will not depend on whether the workstation or system had to be replaced.
btan (Exec Consultant) commented:
You can check this deployment of an auto-enrollment template to the user machine, and populate the user's entry in their Email field in Active Directory to automate in that sense in the building of the station.

Specific to PS, not really encouraging as it is more for Exchange backup setup rather than automating user cert enrolment and deployment. Regardless, this is a useful series of articles about using PS to manage certificates; as a whole it creates and deploys certs using GPO, can export into PFX, and imports cert requests into the cert store... though it is self-signed, it may be worth checking out.

Get-ExchangeCertificate - get a list of all certificates that are available in your local certificate store
Export-ExchangeCertificate - export a certificate (whether for backup purposes, or for using it on multiple servers)

But for user certificates it is probably better to also consider having users use smartcards, so that a missing certificate is handled by the crypto driver once the card is inserted, which is much more transparent... just trying to minimise overall, but any use of scripts can still be long-term fatigue using PS or even certutil.exe (which is a handy command for cert management).

Likely the case is checking the GAL for folks to send S/MIME email to and getting their public cert; a useful PS command is e.g. Get-ChildItem Cert:\CurrentUser\AddressBook - query that container in our certificate store.

Other - Here is one to deploy computer and user certificates via Group Policy

Other - using certutil.exe instead of PS ..this is still back to managing script fatigue too.

Also good to still have direction in educating users (not to be frantic), guiding and improving the helpdesk workflow.
rossclarke (Author) commented:
Thank you all for your feedback!  Apologies for 'going dark' for so long.  We have necessary CA & GPOs in place to issue/renew/distribute certs to devices and users.  The issue turned out to be in a different direction and two-pronged:
1.  the senders had copied contacts from the GAL to their personal contact lists - this action will also download a copy of the recipient's public certificate
2.  some of the recipients had had their certs replaced instead of renewed (a process error not a technical one)

What we had to do was to have the senders edit their contacts and remove any attached certs - this forces Outlook to look to the GAL for public keys (they could also simply delete the contacts).  Of course we have also reinforced the requirement for certificates to be renewed (not replaced) and to ensure that all certs are transferred when PCs are replaced.