How To: Scan for Client Brokerconfig Certificates

Version 3

    Verified Product Versions

    Endpoint Manager 2016.x

    The purpose of this custom definition is to provide a way to determine which machines have a brokerconfig certificate and which do not. Because requesting the brokerconfig certificate is a manual process, it is sometimes missed when a machine is deployed. This definition looks for the three main files for the brokerconfig under C:\Program Files\LANDesk\Shared Files\cbaroot\broker. If any of broker.csr, broker.key, or broker.crt is missing, the machine is detected as vulnerable, meaning it is not configured for the management gateway. The remediation for this vulnerability runs brokerconfig.exe -r to request the certificate.

    Download and import the attached custom definition into Security and Patch Manager. Make sure the definition is in the scan folder and that you are scanning for Custom Definitions in your client Scan and Repair settings. Because you do not need the broker certificate on all of your machines (e.g. desktops that always sit on the network), do not set this patch to autofix. I recommend creating this as a policy repair task and targeting only the devices that need the broker (e.g. laptops). This can be done with an LDAP query if all of your laptops are in one OU, or with an inventory query for model or chassis type.
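    The following PowerShell check is an added example, not the attached definition or Ivanti/LANDesk code. It mirrors the three-file rule the definition uses and additionally parses broker.crt to report whether the certificate is expired or about to expire, which a presence-only check cannot see. The brokerconfig.exe path is an assumption; adjust it to your client install.

```powershell
# Added example (not the custom definition itself). Reproduces the definition's
# "any of the three broker files missing = vulnerable" rule and adds an
# expiry check on broker.crt. Assumed paths: the broker folder named in the
# article, and a hypothetical location for brokerconfig.exe.

$BrokerDir       = 'C:\Program Files\LANDesk\Shared Files\cbaroot\broker'
$RequiredFiles   = 'broker.csr', 'broker.key', 'broker.crt'
$BrokerConfigExe = 'C:\Program Files\LANDesk\LDClient\brokerconfig.exe'   # assumed path

function Test-BrokerConfig {
    [CmdletBinding()]
    param(
        [string]$Path = $BrokerDir,
        [int]$WarnDays = 30,     # flag certificates that expire within this many days
        [switch]$Repair          # run brokerconfig.exe -r when the check fails
    )

    # Same rule as the custom definition: any required file missing means vulnerable
    $missing = @($RequiredFiles | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $Path $_) -PathType Leaf)
    })

    $notAfter = $null; $needsRenewal = $false
    if ($missing -notcontains 'broker.crt') {
        try {
            # X509Certificate2 reads DER or PEM-encoded certificate files on Windows
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        (Join-Path $Path 'broker.crt')
            $notAfter     = $cert.NotAfter
            $needsRenewal = $notAfter -lt (Get-Date).AddDays($WarnDays)
        } catch {
            Write-Warning "broker.crt exists but could not be parsed: $_"
            $needsRenewal = $true   # an unreadable certificate needs attention too
        }
    }

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Missing      = $missing
        CertNotAfter = $notAfter
        Vulnerable   = ($missing.Count -gt 0)   # the definition's detection result
        NeedsRenewal = $needsRenewal            # extra: present but expired/expiring
    }

    if ($Repair -and ($result.Vulnerable -or $result.NeedsRenewal)) {
        # Same remediation the definition runs; the gateway must be reachable
        & $BrokerConfigExe -r
    }
    $result
}

Test-BrokerConfig | Format-List
```

Run it without -Repair first to see which files are missing on a device; with -Repair it performs the same certificate request the definition's remediation does.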