Fact 1: Trusted Root Certificates belong in the Trusted Root Certification Authorities Store and Intermediate Certificates belong in the Intermediate Certification Authorities Store.
Fact 2: Lync Server 2013 on Windows Server 2012 does not like environments that do not believe Fact 1.
Related to the well known issue https://support.microsoft.com/en-us/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012, there are many oddities that may occur on your Lync 2013 servers if you have a certificate placed in the incorrect store. In my experience this is also true for trusted/intermediate certs that have nothing to do with the actual certificate chain assigned to your Lync services. For example, you use DigiCert as the CA for your Lync services and that is set up correctly, but you also have a private CA cert that was placed in the wrong store by some masterful GPO admins. Microsoft commonly references the basic single command in the above article when resolving this, but what I have not yet seen is how to quickly do it for many servers at once. Hence the reason for this post, enjoy.
This script can be executed from any server/workstation that has WinRM connectivity to the servers whose cert stores you want to clean. It relies on an input file you need to create (FixMe.txt) in the same folder you run the script from, containing a basic list of the server FQDNs, one per line.
For any server on which it detects a Trusted Root certificate placed in the Intermediate store or vice versa, it writes to host a count of each, then lists the cert thumbprint(s) as it moves them to the correct store.
For any server that has no certs placed in the wrong store, it simply states there are 0 and moves on to the next server.
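The procedure above, written out as an added example (this is not the author's script): it reads FixMe.txt from the script's folder (assumed to hold one FQDN per line), runs a script block on each server over WinRM, and uses the same self-signed test as the KB article (a root CA cert has Subject equal to Issuer) to find certs sitting in the wrong LocalMachine store. The -ReportOnly switch is an assumption of this example and lists misplaced thumbprints without moving anything.

```powershell
# Added example: bulk-fix Root/Intermediate store placement on Lync servers over WinRM.
# Requires PowerShell 3.0+ (Windows Server 2012) and an elevated WinRM session on each target.
param(
    [switch]$ReportOnly   # assumed switch: report misplaced certs but do not move them
)

# FixMe.txt sits beside this script, one server FQDN per line; blank lines are ignored.
$servers = Get-Content -Path (Join-Path $PSScriptRoot 'FixMe.txt') | Where-Object { $_.Trim() }

$fixStores = {
    param([bool]$ReportOnly)

    # Root store must contain only self-signed certs (Subject -eq Issuer).
    # Anything else there is an intermediate that belongs in the CA store.
    $rootWrong = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer })

    # Intermediate (CA) store must not contain self-signed certs; those are roots.
    $caWrong = @(Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $_.Issuer })

    Write-Host ("{0}: {1} intermediate cert(s) in Root, {2} root cert(s) in Intermediate" -f
        $env:COMPUTERNAME, $rootWrong.Count, $caWrong.Count)

    foreach ($cert in $rootWrong) {
        Write-Host "  Root -> CA   : $($cert.Thumbprint)  $($cert.Subject)"
        if (-not $ReportOnly) {
            # The Certificate provider supports Move-Item between stores.
            Move-Item -Path $cert.PSPath -Destination Cert:\LocalMachine\CA
        }
    }
    foreach ($cert in $caWrong) {
        Write-Host "  CA   -> Root : $($cert.Thumbprint)  $($cert.Subject)"
        if (-not $ReportOnly) {
            Move-Item -Path $cert.PSPath -Destination Cert:\LocalMachine\Root
        }
    }
}

# One Invoke-Command fans the script block out to every server in the list.
Invoke-Command -ComputerName $servers -ScriptBlock $fixStores -ArgumentList $ReportOnly.IsPresent
```

Run it once with -ReportOnly and review the thumbprints before letting it move anything, since the Subject/Issuer test is a heuristic and any cert it flags should be one you recognise.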
Hopefully this saves some of you some time as I understand how annoying it is to clean manually.