
Script to delete certificate on Windows 10 devices

Keeping devices secure often requires a robust certificate management system in place. Proper certificate management practices will also ensure that only valid and up-to-date certificates are used. However, if there is a lack of a dedicated tool for certificate management, IT administrators will have to manage certificate life cycles manually. Here’s a script that will help admins delete expired certificates to maintain seamless operation and security of the systems. Hexnode’s Execute Custom Script remote action for Windows simplifies script execution. It is a one-step action that allows admins to deploy customized scripts to devices.


The sample scripts provided below are adapted from third-party open-source sites.

Batch Script

To delete a certificate from LocalMachine, use the following script:

Whereas, if you want to delete a certificate from current user, you can use the following script:

certutil is a Windows command-line tool for working with certificates and certificate stores. Used with the -delstore option, it deletes a certificate from a certificate store on the device.
Replace “Thumbprint” with the actual thumbprint of the certificate you want to remove.

E.g., to delete a certificate with the thumbprint “8aa3c3a0a0152387f64b8392a72bd098a3a61c90” from the Trusted Root Certification Authorities folder of the current user:

certutil -delstore -user Root 8aa3c3a0a0152387f64b8392a72bd098a3a61c90

PowerShell Script

The Get-ChildItem cmdlet gets the items within a container, such as the files in a directory. Here, Get-ChildItem Cert: retrieves details about certificates stored in the certificate repository on the device; Cert: is the PowerShell drive that exposes that repository. The Remove-Item cmdlet then removes the specified certificate from the device.

If you want to delete a certificate from the current user, replace LocalMachine with CurrentUser.

E.g., to delete a certificate with the thumbprint “8aa3c3a0a0152387f64b8392a72bd098a3a61c90” from the Personal folder of the local machine:

Get-ChildItem Cert:\LocalMachine\My\8aa3c3a0a0152387f64b8392a72bd098a3a61c90 | Remove-Item
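
A more defensive version of the thumbprint-based removal above, as an added example that is not part of the original page or of Hexnode's sample scripts: it normalizes and validates the thumbprint, confirms the certificate is present in the chosen store, and exports a backup copy before removing it. The parameter names and the backup folder are assumptions.

```powershell
# Added example: parameter names, defaults and the backup folder are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,

    [ValidateSet('LocalMachine', 'CurrentUser')]
    [string]$StoreLocation = 'LocalMachine',

    [ValidateSet('My', 'Root', 'CA', 'Trust')]
    [string]$StoreName = 'My',

    # Hypothetical backup folder; change it to suit your environment.
    [string]$BackupDir = "$env:ProgramData\CertBackup"
)

# Thumbprints copied from the certificate dialog often carry spaces or
# invisible characters, so keep only the hex digits before validating.
$clean = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
}

$certPath = "Cert:\$StoreLocation\$StoreName\$clean"
if (-not (Test-Path -Path $certPath)) {
    Write-Output "No certificate $clean in $StoreLocation\$StoreName; nothing to do."
    return
}

$cert = Get-Item -Path $certPath
Write-Output ("Found: {0} (expires {1:yyyy-MM-dd})" -f $cert.Subject, $cert.NotAfter)

if ($PSCmdlet.ShouldProcess($certPath, 'Back up and remove certificate')) {
    # Export-Certificate saves the public certificate only (no private key),
    # which is enough to restore a trust entry removed by mistake.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "$StoreLocation-$StoreName-$clean.cer"
    Export-Certificate -Cert $cert -FilePath $backup | Out-Null

    Remove-Item -Path $certPath
    if (Test-Path -Path $certPath) {
        throw "Certificate $clean is still present after Remove-Item."
    }
    Write-Output "Removed $clean; backup saved to $backup"
}
```

Running it with -WhatIf first reports which certificate would be removed without changing the store or writing a backup.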


  • Depending on the system store you need to delete the certificate from, replace ‘certificatestorename’ with My, Root, CA, or Trust.
  • It is recommended to manually validate the script execution on a system before executing the action in bulk.
  • Hexnode will not be responsible for any damage/loss to the system arising from the behavior of the script.
