Server 2012R2 WinRM HTTPS listener autocertificate renewal
If you enable an HTTPS listener on a server and use it with an autoenrolled certificate, the listener will not be updated when the new autoenrollment takes place, as the thumbprint is hardcoded to the listener. This makes using an HTTPS listener on all your servers a big administrative burden, as you have to keep the listeners up-to-date. Please develop a solution so that this certificate stays up-to-date with each new autoenrollment (for example a scheduled task which starts after the autoenrollment scheduled task).
Stephen Owen commented
This is a big problem for a financial customer of mine. With WinRM HTTPS enabled across the whole environment, we anticipate a nightmare scenario when WinRM stops functioning, once the certificate is no longer valid.
To clarify, this issue exists because WinRM will configure listeners using a hard-coded reference to a given certificate thumbprint. Once the cert no longer exists due to revocation, machine renaming or expiration, the listener will still remain with the previous cert thumbprint. I've written code to resolve this problem, which can be deployed as a Scheduled Task or to execute with any tooling, but it's still an unneeded complication.
Tools like SCCM and SCOM already have built-in tasks to remediate cert issues. I think PowerShell should as well.
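As an added example (not code from the original request or from the commenter), the following PowerShell rebinds every WinRM HTTPS listener to the newest valid machine certificate, which is the scheduled-task remediation both the request and the comment describe. It assumes an HTTPS listener already exists, that the autoenrolled certificate is issued to this host's FQDN with the Server Authentication EKU, and that it runs elevated (for example as SYSTEM from a task triggered after the autoenrollment task).

```powershell
# Keeps the WinRM HTTPS listener(s) bound to the newest valid server-authentication
# certificate in LocalMachine\My. Safe to run repeatedly: it only changes a listener
# whose thumbprint differs from the selected certificate.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-BestServerCert {
    param([Parameter(Mandatory)][string]$HostName)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and   # usable and in validity period
            $_.GetNameInfo('DnsName', $false) -eq $HostName -and                        # SAN/CN must name this host
            ($_.Extensions |                                                             # EKU must include Server Authentication
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $ServerAuthOid
        } |
        Sort-Object NotAfter -Descending |   # prefer the most recently renewed certificate
        Select-Object -First 1
}

function Update-WinRMHttpsListener {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Where-Object { $_.Transport -eq 'HTTPS' }
    if (-not $listeners) { throw 'No WinRM HTTPS listener is configured on this host.' }
    foreach ($l in $listeners) {
        if ($l.CertificateThumbprint -eq $Thumbprint) {
            Write-Output "Listener $($l.Address)/HTTPS already uses $Thumbprint"
            continue
        }
        # The selector identifies the listener; the value set changes only the bound certificate.
        Set-WSManInstance -ResourceURI winrm/config/Listener `
            -SelectorSet @{ Address = $l.Address; Transport = 'HTTPS' } `
            -ValueSet @{ CertificateThumbprint = $Thumbprint } | Out-Null
        Write-Output "Listener $($l.Address)/HTTPS rebound from $($l.CertificateThumbprint) to $Thumbprint"
    }
}

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-BestServerCert -HostName $fqdn
if (-not $cert) { throw "No valid server-authentication certificate for $fqdn in LocalMachine\My" }
Update-WinRMHttpsListener -Thumbprint $cert.Thumbprint
```

Because the script throws when no suitable certificate or no HTTPS listener is found, the scheduled task's last run result is a usable signal for monitoring that renewal has stopped working before the old certificate expires.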