Feature request - -WhatIf / ShouldProcess on cmdlet Complete-SCEPmanInstallation #81

Open
o-l-a-v opened this issue Jun 17, 2024 · 3 comments
Labels
wontfix This will not be worked on

Comments

@o-l-a-v

o-l-a-v commented Jun 17, 2024

It'd be useful if Complete-SCEPmanInstallation had a -WhatIf parameter and supported ShouldProcess, to not actually make any changes, just output what would've been changed. A "read only", if you will.

About -WhatIf and ShouldProcess:

Relevant code:


One could probably achieve this now, at least partially, by only having read only permissions in Entra ID and Azure RM activated? It'd probably throw errors though.

@bb-froggy
Member

Removing the write permissions is no proper replacement for -WhatIf. If you miss a permission, you'd have unwanted changes. In any case, it probably breaks very early with errors, so you wouldn't really see what is going on.

We have the -WhatIf support in three other CMDlets, but haven't yet implemented it in Complete-SCEPmanInstallation. The main reason for this is that you use Complete-SCEPmanInstallation mostly for new installations where you cannot break anything. And hence we thought other stuff has higher priority. Since you are now asking, we'll raise the priority :-).

@o-l-a-v
Author

o-l-a-v commented Jun 18, 2024

We have a message in our Certificate Master instance that says newer versions require re-running Complete-SCEPmanInstallation. Which is why I wish for -WhatIf with Complete-SCEPmanInstallation too. 😊


Would be nice to see what new features we're not currently set up to use.

@bb-froggy bb-froggy self-assigned this Jun 26, 2024
@bb-froggy
Member

The way it is currently implemented in the main branch, it will be hard to see what is actually new. This is because it will show some operations as WhatIf that will not actually change anything. E.g., it will say it would add some permissions, although they are already there -- the script just doesn't check whether they are already there in these cases and therefore skips the command when running in WhatIf mode. I currently think we should not make this a high priority, as it would require quite some additional work only for this WhatIf use case.

For your specific situation, I have a spoiler ... it will add permissions DeviceManagementConfiguration.Read.All and DeviceManagementManagedDevices.Read.All for the Certificate Master App Service. This allows Certificate Master to query Graph for certificates enrolled over Intune. It will display them in a new menu item appearing on the left when it has the required permissions. It likely uses only one of the two permissions, depending on what you have configured for IntuneCertificateSearchStrategy. Newer SCEPman installations store all enrolled certificates in the Storage Account and so do not rely on this API anymore. This is because the ARM template sets AppConfig:EnableCertificateStorage to true. You can enable this on an existing installation, too, and wait for older non-stored certificates to expire or use the upcoming migration CMDlet.
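
The limitation described in the comment above (-WhatIf listing operations that would change nothing, because existing state is not checked first) goes away when the read-only check runs before ShouldProcess is called. The following is an added example, not code from the SCEPman module or its maintainers; the function name, its parameters and the in-memory permission list are hypothetical stand-ins for the real read and write calls.

```powershell
# Added illustration. Function name, parameters and the in-memory list are hypothetical;
# they are not taken from the SCEPman module.
function Add-AppPermissionIfMissing {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string[]] $RequiredPermission,
        # Constructed stand-in for the permissions currently granted
        # (in a real script this would come from a read-only query).
        [Parameter(Mandatory)] [System.Collections.Generic.List[string]] $CurrentPermission
    )

    foreach ($permission in $RequiredPermission) {
        # The read-only check runs even under -WhatIf, so no-op operations are never reported.
        if ($CurrentPermission -contains $permission) {
            Write-Verbose "$permission already granted to $AppName; nothing to do."
            continue
        }

        # Only real changes reach ShouldProcess; -WhatIf prints them and skips the block.
        if ($PSCmdlet.ShouldProcess($AppName, "Grant application permission $permission")) {
            $CurrentPermission.Add($permission)   # stand-in for the actual write call
            [pscustomobject]@{ App = $AppName; Permission = $permission; Action = 'Granted' }
        }
    }
}

# Constructed sample state: one of the two permissions is already present.
$granted = [System.Collections.Generic.List[string]]::new()
$granted.Add('DeviceManagementConfiguration.Read.All')

$required = 'DeviceManagementConfiguration.Read.All',
            'DeviceManagementManagedDevices.Read.All'

# Dry run: reports only the missing permission and leaves $granted unchanged.
Add-AppPermissionIfMissing -AppName 'Certificate Master' -RequiredPermission $required `
    -CurrentPermission $granted -WhatIf

# Real run: emits one object for the permission that was actually added.
Add-AppPermissionIfMissing -AppName 'Certificate Master' -RequiredPermission $required `
    -CurrentPermission $granted
```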

@bb-froggy bb-froggy removed their assignment Nov 12, 2024
@bb-froggy bb-froggy added the wontfix This will not be worked on label Nov 12, 2024