rmbolger/Find-ExpiredR3.ps1

## Find-ExpiredR3.ps1
#Requires -Version 5.1
#Requires -RunAsAdministrator

[CmdletBinding()]
param(
    [switch]$Remediate,
    [switch]$Quiet
)

$InformationPreference = 'Continue'
if ($Quiet) { $InformationPreference = 'SilentlyContinue' }

# check the Local Computer Intermediate store
$hklmR3Path = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\48504E974C0DAC5B5CD476C8202274B24C8C7172"
Write-Information "Checking Local Computer Intermediate store"
if ($hklmR3 = (Get-Item $hklmR3Path -EA Ignore)) {
    if ($Remediate) {
        Write-Information " - Removing expired R3"
        $hklmR3 | Remove-Item
    }
    else {
        Write-Information " - Found expired R3"
    }
}

# mount a PSDrive for HKEY_USERS if it doesn't already exist
if (-not (Get-PSDrive | Where-Object { $_.Name -eq 'HKU' })) {
    Write-Verbose "Mounting HKEY_USERS to check SYSTEM user's hive"
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# enumerate the currently loaded user hives
$hiveSIDs = Get-ChildItem HKU:\ | Where-Object {
    $_.Name -notlike '*\.DEFAULT' -and $_.Name -notlike '*_Classes'
} | Sort-Object Name | ForEach-Object {
    $_.Name.Replace('HKEY_USERS\','')
}

# check each user hive's Intermediate store
$hiveSIDs | ForEach-Object {

    # try to translate the SID to a human-readable username
    $sid = [System.Security.Principal.SecurityIdentifier]::new($_)
    try {
        $sidUsername = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $sidUsername = $_
    }

    $r3Path = "HKU:\$_\Software\Microsoft\SystemCertificates\CA\Certificates\48504E974C0DAC5B5CD476C8202274B24C8C7172"
    Write-Information "Checking $sidUsername Intermediate store"
    if ($r3 = (Get-Item $r3Path -EA Ignore)) {
        if ($Remediate) {
            Write-Information " - Removing expired R3"
            $r3 | Remove-Item
        }
        else {
            Write-Information " - Found expired R3"
        }
    }

}

<#
.SYNOPSIS
    Find and optionally remove copies of Let's Encrypt's expired R3 intermediate certificate

.DESCRIPTION
    Some Windows systems present certificate validation errors connecting to sites using Let's Encrypt certificates due to a cached copy of an expired intermediate certificate called R3. This script attempts to find those cached copies and optionally remove them.

    You must be running PowerShell 5.1 as Administrator for this script to function properly.

.PARAMETER Remediate
    If specified, the script will attempt to delete any copies of the expired R3 that it finds.

.PARAMETER Quiet
    If specified, no console output will be produced. This should only be used with the -Remediate switch.

.EXAMPLE
    .\Find-ExpiredR3.ps1

    Check for copies of the expired R3 certificate, but do not remove them.

.EXAMPLE
    .\Find-ExpiredR3.ps1 -Remediate

    Check for and remove copies of the expired R3 certificate.

.LINK
    https://gist.github.com/rmbolger/426a5d4e39db6ea7f99b80de5d236c3f
#>
	#Requires -Version 5.1
	#Requires -RunAsAdministrator

	[CmdletBinding()]
	param(
	[switch]$Remediate,
	[switch]$Quiet
	)

	$InformationPreference = 'Continue'
	if ($Quiet) { $InformationPreference = 'SilentlyContinue' }

	# check the Local Computer Intermediate store
	$hklmR3Path = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\48504E974C0DAC5B5CD476C8202274B24C8C7172"
	Write-Information "Checking Local Computer Intermediate store"
	if ($hklmR3 = (Get-Item $hklmR3Path -EA Ignore)) {
	if ($Remediate) {
	Write-Information " - Removing expired R3"
	$hklmR3 \| Remove-Item
	}
	else {
	Write-Information " - Found expired R3"
	}
	}

	# mount a PSDrive for HKEY_USERS if it doesn't already exist
	if (-not (Get-PSDrive \| Where-Object { $_.Name -eq 'HKU' })) {
	Write-Verbose "Mounting HKEY_USERS to check SYSTEM user's hive"
	New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS \| Out-Null
	}

	# enumerate the currently loaded user hives
	$hiveSIDs = Get-ChildItem HKU:\ \| Where-Object {
	$_.Name -notlike '\.DEFAULT' -and $_.Name -notlike '_Classes'
	} \| Sort-Object Name \| ForEach-Object {
	$_.Name.Replace('HKEY_USERS\','')
	}

	# check each user hive's Intermediate store
	$hiveSIDs \| ForEach-Object {

	# try to translate the SID to a human-readable username
	$sid = [System.Security.Principal.SecurityIdentifier]::new($_)
	try {
	$sidUsername = $sid.Translate([System.Security.Principal.NTAccount]).Value
	} catch {
	$sidUsername = $_
	}

	$r3Path = "HKU:\$_\Software\Microsoft\SystemCertificates\CA\Certificates\48504E974C0DAC5B5CD476C8202274B24C8C7172"
	Write-Information "Checking $sidUsername Intermediate store"
	if ($r3 = (Get-Item $r3Path -EA Ignore)) {
	if ($Remediate) {
	Write-Information " - Removing expired R3"
	$r3 \| Remove-Item
	}
	else {
	Write-Information " - Found expired R3"
	}
	}

	}

	<#
	.SYNOPSIS
	Find and optionally remove copies of Let's Encrypt's expired R3 intermediate certificate

	.DESCRIPTION
	Some Windows systems present certificate validation errors connecting to sites using Let's Encrypt certificates due to a cached copy of an expired intermediate certificate called R3. This script attempts to find those cached copies and optionally remove them.

	You must be running PowerShell 5.1 as Administrator for this script to function properly.

	.PARAMETER Remediate
	If specified, the script will attempt to delete any copies of the expired R3 that it finds.

	.PARAMETER Quiet
	If specified, no console output will be produced. This should only be used with the -Remediate switch.

	.EXAMPLE
	.\Find-ExpiredR3.ps1

	Check for copies of the expired R3 certificate, but do not remove them.

	.EXAMPLE
	.\Find-ExpiredR3.ps1 -Remediate

	Check for and remove copies of the expired R3 certificate.

	.LINK
	https://gist.github.com/rmbolger/426a5d4e39db6ea7f99b80de5d236c3f
	#>