u/funkytechmonkey

▲ 11 r/SCCM

How does your company handle stale devices and gaps in patching?

I know some of you guys work for larger companies with 10s of thousands of devices. I am curious how your company handles stale devices, or devices that get thrown in a drawer and come out every 30+ days. Do you just allow cleanup to remove them and it's not your problem any more? Do you have any type of alerting for department or device owners? I work in a large manufacturing company where 80% of our workstations are laptops and I feel like I am in a constant battle of tracking down devices and getting them back online.
I'd love to know what you guys have in place, or do you rely on Service Desk to track them down and get them updated?

u/funkytechmonkey — 2 days ago
▲ 5 r/SCCM

I have over 200 devices that are failing to install updates. I noticed in the UpdateDeployment.log for several devices there are a lot of "Failed in GetCertificate(...): 0x87d00281" and "Successfully installed certificate with thumbprint.....". That is an old expired cert.

I check the Trusted Root Cert Auth and there are two WSUS Publishers Self-signed certs... the latest one (expires 2028) and the expired one (2024). Same in Trusted Publishers... new one and expired one.

I manually delete the expired one and restart the ccmexec and BAM it shows back up. I have tried the client nuking script to completely remove the client but it still comes back. This has to be coming from a policy but I can not figure out where or how. How can I get rid of this cert?? I would really appreciate any help you guys can give me.

Forgot to mention... under the Site's Software Update Point properties I have "Config Manager manages the cert" and the "Current WSUS signing cert details" has the latest cert that expires in 2028.

u/funkytechmonkey — 20 days ago
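
Added example, not part of the original post: a read-only PowerShell inventory of the "WSUS Publishers Self-signed" certificates in the two stores the post mentions, flagging entries that are expired or that differ from the certificate shown in the Software Update Point properties. The parameter names and the placeholder thumbprint are assumptions; the script changes nothing on the device.

```powershell
# Added example: list WSUS signing certificates in the Trusted Root and
# Trusted Publishers machine stores and flag expired or unexpected entries.
# Read-only: nothing is deleted or installed.
param(
    # Placeholder (assumption): paste the thumbprint shown under
    # "Current WSUS signing cert details" in the Software Update Point properties.
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-SUP-PROPERTIES>',
    # Subject text taken from the post; adjust if your certificate is named differently.
    [string]$SubjectMatch = 'WSUS Publishers Self-signed'
)

# Store names for "Trusted Root Certification Authorities" and "Trusted Publishers".
$stores   = 'Root', 'TrustedPublisher'
$now      = Get-Date
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()

$report = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = $store
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                Expired    = $_.NotAfter -lt $now
                IsExpected = $_.Thumbprint -eq $expected
            }
        }
}

$report | Sort-Object Store, NotAfter | Format-Table -AutoSize

# A non-zero exit code lets a wrapper or scheduled job pick out affected devices.
$stale = @($report | Where-Object { $_.Expired -or -not $_.IsExpected })
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) WSUS signing certificate entries are expired or do not match the expected thumbprint."
    exit 1
}
exit 0
```

Running it before and after a ccmexec restart shows whether the expired entry returns to one store or both, and with which thumbprint.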