From dfa557be8c6e4952245ff96c16b39d22e02a0db9 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 16 Feb 2023 17:18:58 -0500 Subject: [PATCH] CertificateStore CSP --- .../mdm/certificatestore-csp.md | 3249 ++++++++++++++-- .../mdm/certificatestore-ddf-file.md | 3365 +++++++++-------- 2 files changed, 4683 insertions(+), 1931 deletions(-) diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 7f9a4ba349..96785eab9f 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md 
@@ -1,441 +1,3116 @@ --- title: CertificateStore CSP -description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates. -ms.reviewer: +description: Learn more about the CertificateStore CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 02/28/2020 +ms.topic: reference --- + + + # CertificateStore CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. -> [!Note] -> The CertificateStore configuration service provider does not support installing client certificates. -> The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. +> [!NOTE] +> The CertificateStore configuration service provider does not support installing client certificates. The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive. For the CertificateStore CSP, you can't use the Replace command unless the node already exists. + -The following example shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. + +The following example shows the CertificateStore configuration service provider in tree format. 
-```console -./Vendor/MSFT -CertificateStore -----ROOT ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName ---------System -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName -----MY ---------User -------------* -----------------EncodedCertificate -----------------IssuedBy -----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName ---------SCEP -------------* -----------------Install ---------------------ServerURL ---------------------Challenge ---------------------EKUMapping ---------------------KeyUsage ---------------------SubjectName ---------------------KeyProtection ---------------------RetryDelay ---------------------RetryCount ---------------------TemplateName ---------------------KeyLength ---------------------HashAlgrithm ---------------------CAThumbPrint ---------------------SubjectAlternativeNames ---------------------ValidPeriod ---------------------ValidPeriodUnit ---------------------Enroll -----------------CertThumbPrint -----------------Status -----------------ErrorCode ---------WSTEP -------------CertThumprint -------------Renew -----------------RenewPeriod -----------------ServerURL -----------------RetryInterval -----------------ROBOSupport -----------------Status -----------------ErrorCode -----------------LastRenewalAttemptTime (Added in Windows 10, version 1607) -----------------RenewNow (Added in Windows 10, version 1607) -----------------RetryAfterExpiryInterval (Added in Windows 10, version 1703) -----CA ---------* -------------EncodedCertificate -------------IssuedBy -------------IssuedTo -------------ValidFrom -------------ValidTo -------------TemplateName ---------System -------------* -----------------EncodedCertificate -----------------IssuedBy 
-----------------IssuedTo -----------------ValidFrom -----------------ValidTo -----------------TemplateName +```text +./Device/Vendor/MSFT/CertificateStore +--- CA +------ {CertHash} +--------- EncodedCertificate +--------- IssuedBy +--------- IssuedTo +--------- TemplateName +--------- ValidFrom +--------- ValidTo +------ System +--------- {CertHash} +------------ EncodedCertificate +------------ IssuedBy +------------ IssuedTo +------------ TemplateName +------------ ValidFrom +------------ ValidTo +--- MY +------ SCEP +--------- {UniqueID} +------------ CertThumbPrint +------------ ErrorCode +------------ Install +--------------- CAThumbPrint +--------------- Challenge +--------------- EKUMapping +--------------- Enroll +--------------- HashAlgrithm +--------------- KeyLength +--------------- KeyProtection +--------------- KeyUsage +--------------- RetryCount +--------------- RetryDelay +--------------- ServerURL +--------------- SubjectAlternativeNames +--------------- SubjectName +--------------- TemplateName +--------------- ValidPeriod +--------------- ValidPeriodUnit +------------ Status +------ User +--------- {CertHash} +------------ EncodedCertificate +------------ IssuedBy +------------ IssuedTo +------------ TemplateName +------------ ValidFrom +------------ ValidTo +------ WSTEP +--------- CertThumprint +--------- Renew +------------ ErrorCode +------------ LastRenewalAttemptTime +------------ RenewNow +------------ RenewPeriod +------------ RetryAfterExpiryInterval +------------ RetryInterval +------------ ROBOSupport +------------ ServerURL +------------ Status +--- ROOT +------ {CertHash} +--------- EncodedCertificate +--------- IssuedBy +--------- IssuedTo +--------- TemplateName +--------- ValidFrom +--------- ValidTo +------ System +--------- {CertHash} +------------ EncodedCertificate +------------ IssuedBy +------------ IssuedTo +------------ TemplateName +------------ ValidFrom +------------ ValidTo ``` + -**Root/System** -Defines the 
certificate store that contains root, or self-signed, certificates. + +## CA -Supported operation is Get. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA +``` + + + + +This cryptographic store contains intermediary certification authorities. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### CA/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### CA/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### CA/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### CA/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### CA/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System +``` + + + + +This store holds the System portion of the CA store. + + + + +> [!NOTE] +> Use [RootCATrustedCertificates CSP](rootcacertificates-csp.md) moving forward for installing CA certificates. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### CA/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### CA/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### CA/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### CA/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## MY + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY +``` + + + + +This store keeps all end-user personal certificates. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### MY/SCEP > [!NOTE] -> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates. +> This policy is deprecated and may be removed in a future release. -**CA/System** -Defines the certificate store that contains cryptographic information, including intermediary certification authorities. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP +``` + + + +This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + > [!NOTE] -> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. +> Use [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) to install SCEP certificates moving forward. + -**My/User** -Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -> [!NOTE] -> My/User is case sensitive. + + + -**My/System** -Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. + -Supported operation is Get. + +#### MY/SCEP/{UniqueID} -> [!NOTE] -> My/System is case sensitive. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -***CertHash*** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID} +``` + -Supported operations are Get, Delete, and Replace. + + +The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + -***CertHash*/EncodedCertificate** -Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc. + + + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -***CertHash*/IssuedBy** -Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + -Supported operation is Get. + + + -***CertHash*/IssuedTo** -Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure. + -Supported operation is Get. + +##### MY/SCEP/{UniqueID}/CertThumbPrint -***CertHash*/ValidFrom** -Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/CertThumbPrint +``` + -***CertHash*/ValidTo** -Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure. + + +Specify the current cert's thumbprint. + -Supported operation is Get. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + -***CertHash*/TemplateName** -Required. Returns the certificate template name. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**My/SCEP** -Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings. + + + -Supported operation is Get. + -> [!NOTE] -> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP. + +##### MY/SCEP/{UniqueID}/ErrorCode -**My/SCEP/***UniqueID* -Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Replace, and Delete. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/ErrorCode +``` + -**My/SCEP/*UniqueID*/Install** -Required for SCEP certificate enrollment. Parent node to group SCEP certificate installs related request. Format is node. + + +Specify the last hresult in case enroll action failed. + -Supported operations are Add, Replace, and Delete. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install +``` + + + + +The group to represent the install request. + + + + > [!NOTE] > Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values. + -**My/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string. + +**Description framework properties**: -Supported operations are Get, Add, Delete, and Replace. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr. + + + -Supported operations are Get, Add, Replace, and Delete. + -Challenge will be deleted shortly after the Exec command is accepted. + +###### MY/SCEP/{UniqueID}/Install/CAThumbPrint -**My/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs is separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/CAThumbPrint +``` + -**My/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer. + + +Specify root CA thumbprint. + -Supported operations are Get, Add, Delete, and Replace. + + +20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. + -**My/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. + +**Description framework properties**: -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + -Value type is chr. + -Supported operations are Get, Add, Delete, and Replace. + +###### MY/SCEP/{UniqueID}/Install/Challenge -**My/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported values are one of the following values: + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Challenge +``` + -- 1 – Private key is protected by device TPM. + + +Enroll requester authentication shared secret. + -- 2 – Private key is protected by device TPM if the device supports TPM. + + +The value must be base64 encoded. Challenge is deleted shortly after the Exec command is accepted. + -- 3 (default) – Private key is only saved in the software KSP. + +**Description framework properties**: -Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/RetryDelay** -Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer. + -Supported operations are Get, Add, and Delete. + +###### MY/SCEP/{UniqueID}/Install/EKUMapping -**My/SCEP/*UniqueID*/Install/RetryCount** -Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Get, Add, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/EKUMapping +``` + -**My/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. + + +Specify extended key usages. The list of OIDs are separated by plus "+". + -> [!Note] -> Template name is typically ignored by the SCEP server, so the MDM server typically doesn't need to provide it. Value type is `chr`. + + + -Supported operations are Get, Add, and Delete. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + -Supported operations are Get, Add, Delete, and Replace. + + + -**My/SCEP/*UniqueID*/Install/HashAlgorithm** -Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + -Value type is chr. + +###### MY/SCEP/{UniqueID}/Install/Enroll -Supported operations are Get, Add, Delete, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Enroll +``` + -Supported operations are Get, Add, Delete, and Replace. + + +Start the cert enrollment. + -**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *\*+*\*;*\*+*\*. Value type is chr. + + +The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + -Supported operations are Get, Add, Delete, and Replace. + +**Description framework properties**: -**My/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid period. Value type is chr. +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + -Supported operations are Get, Add, Delete, and Replace. + + + -Valid values are one of the following values: + + + +###### MY/SCEP/{UniqueID}/Install/HashAlgrithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/HashAlgrithm +``` + + + + +Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + +Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Specify private key length (RSA). + + + + +Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Specify where to keep the private key. + + + + +Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. Supported values are one of the following values: + +- 1: Private key is protected by device TPM. +- 2: Private key is protected by device TPM if the device supports TPM. +- 3 (default): Private key is only saved in the software KSP. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + +The value must be specified in decimal format and should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +When the SCEP sends pending status, specify device retry times. + + + + +Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + +Default value is 5 and the minimum value is 1. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Specify the cert enrollment server. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + +or example, multiple subject alternative names are presented in the format `+;+`. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Specify the subject name. + + + + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (`,`, `=`, `+`, `;`). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + +Valid values are one of the following: - Days (default) - Months - Years + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +###### MY/SCEP/{UniqueID}/Install/ValidPeriodUnit + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriodUnit +``` + + + + +Specify valid period unit type. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get | + + + + +Default is 0. The period is defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. > [!NOTE] > The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + -**My/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer. + -Supported operations are Get, Add, Delete, and Replace. + +##### MY/SCEP/{UniqueID}/Status -> [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Status +``` + -Supported operation is Exec. - -**My/WSTEP/CertThumbprint** -Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr. - -Supported operation is Get. - -**My/SCEP/*UniqueID*/Status** -Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr. - -Supported operation is Get. + + +Specify the latest status for the certificate due to enroll request. + + + Valid values are one of the following values: -- 1 – Finished successfully. +- 1: Finished successfully. +- 2: Pending. The device hasn't finished the action, but has received the SCEP server pending response. +- 16: Action failed. +- 32: Unknown. + -- 2 – Pending. The device hasn't finished the action, but has received the SCEP server pending response. + +**Description framework properties**: -- 16 - Action failed. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -- 32 – Unknown. + + + -**My/SCEP/*UniqueID*/ErrorCode** -Optional. The integer value that indicates the HRESULT of the last enrollment error code. + -Supported operation is Get. + +### MY/User -**My/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. 
+ +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Get. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User +``` + -**My/SCEP/*UniqueID*/RespondentServerUrl** -Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string. + + +This store holds the User portion of the MY store. + -Supported operation is Get. + + + -**My/WSTEP** -Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. + +**Description framework properties**: -Supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -**My/WSTEP/Renew** -Optional. The parent node to group renewal related settings. + + + -Supported operation is Get. + -**My/WSTEP/Renew/ServerURL** -Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL. + +#### MY/User/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### MY/User/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. **Note** that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/User/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### MY/User/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### MY/WSTEP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP +``` + + + + +The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + +The nodes under WSTEP are mostly for MDM client certificate renew requests. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/CertThumprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/CertThumprint +``` + + + + +The thumb print of enrolled MDM client certificate. + + + + +If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### MY/WSTEP/Renew + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew +``` + + + + +The parent node to group renewal related settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | +| Atomic Required | True | + + + + + + + + + +##### MY/WSTEP/Renew/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ErrorCode +``` + + + + +If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/LastRenewalAttemptTime + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/LastRenewalAttemptTime +``` + + + + +Time of last attempted renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Get | + + + + + + + + + +##### MY/WSTEP/Renew/RenewNow + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewNow +``` + + + + +Initiate a renew now. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### MY/WSTEP/Renew/RenewPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewPeriod +``` + + + + +Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + +The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. + +The default value is 42 and the valid values are 1-1000. + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 42 | + + + + + + + + + +##### MY/WSTEP/Renew/RetryAfterExpiryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryAfterExpiryInterval +``` + + + + +How long after the enrollment cert has expiried to keep trying to renew. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | time | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### MY/WSTEP/Renew/RetryInterval + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryInterval +``` + + + + +Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. The default value is 7 and the valid values are 1 - 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[1-1000]` | +| Default Value | 7 | + + + + + + + + + +##### MY/WSTEP/Renew/ROBOSupport + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ROBOSupport +``` + + + + +Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + +> [!NOTE] +> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | true | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true (Default) | True. | + + + + + + + + + +##### MY/WSTEP/Renew/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ServerURL +``` + + + + +Optional. Specifies the cert renewal server URL which is the discovery server. + + + + +If this node doesn't exist, the client uses the initial certificate enrollment URL. > [!NOTE] > The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**My/WSTEP/Renew/RenewalPeriod** -Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + -The default value is 42 and the valid values are 1 – 1000. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +##### MY/WSTEP/Renew/Status -**My/WSTEP/Renew/RetryInterval** -Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. + +```Device +./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/Status +``` + -For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. + + +Show the latest action status for this certificate. Supported values are one of the following: 0 - Not started. 1 - Renewal in progress. 2 - Renewal succeeded. 3 - Renewal failed. + -The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -**My/WSTEP/Renew/ROBOSupport** -Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool. + + + -ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true. + -Supported operations are Add, Get, Delete, and Replace. + +## ROOT -> [!NOTE] -> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**My/WSTEP/Renew/Status** -Required. Shows the latest action status for this certificate. Value type is an integer. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT +``` + -Supported operation is Get. + + +This store holds only root (self-signed) certificates. + -Supported values are one of the following values: + + + -- 0 – Not started. -- 1 – Renewal in progress. -- 2 – Renewal succeeded. -- 3 – Renewal failed. + +**Description framework properties**: -**My/WSTEP/Renew/ErrorCode** -Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + -Supported operation is Get. + + + -**My/WSTEP/Renew/LastRenewalAttemptTime** -Added in Windows 10, version 1607. Specifies the time of the last attempted renewal. + -Supported operation is Get. + +### ROOT/{CertHash} -**My/WSTEP/Renew/RenewNow** -Added in Windows 10, version 1607. Initiates a renewal now. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operation is Execute. + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash} +``` + -**My/WSTEP/Renew/RetryAfterExpiryInterval** -Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew. + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + -Supported operations are Add, Get, and Replace. + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +#### ROOT/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### ROOT/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### ROOT/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### ROOT/System + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System +``` + + + + +This store holds the System portion of the root store. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +#### ROOT/System/{CertHash} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash} +``` + + + + +The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Delete, Get | +| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. | + + + + + + + + + +##### ROOT/System/{CertHash}/EncodedCertificate + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/EncodedCertificate +``` + + + + +The base64 Encoded X.509 certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | b64 | +| Access Type | Add, Get, Replace | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedBy + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedBy +``` + + + + +The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/IssuedTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedTo +``` + + + + +The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/TemplateName +``` + + + + +Returns the certificate template name. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidFrom + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidFrom +``` + + + + +The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +##### ROOT/System/{CertHash}/ValidTo + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidTo +``` + + + + +The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + + ## Examples Add a root certificate to the MDM server. @@ -703,10 +3378,10 @@ Configure the device to automatically renew an MDM client certificate with the s ``` + -## Related topics - -[Configuration service provider reference](index.yml) - + +## Related articles +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 638bdd1748..8cf58152f0 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md 
@@ -1,1670 +1,1747 @@ --- title: CertificateStore DDF file -description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the CertificateStore configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/16/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # CertificateStore DDF file -This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the CertificateStore configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + CertificateStore + ./Device/Vendor/MSFT + + + + + + + This object is used to add or delete a security certificate to the device's certificate store. + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - CertificateStore - ./Vendor/MSFT + ROOT + + + + + This store holds only root (self-signed) certificates. + + + + + + + + + + + + + + + + - - - - This object is used to add or delete a security certificate to the device's certificate store. - - - - - - - - - - - - + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + - ROOT - - - - - This store holds only root (self-signed) certificates. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the root store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + - MY - - - - - This store keeps all end-user personal certificates. - - - - - - - - - - - - - - - User - - - - - This store holds the User portion of the MY store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. Note that during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node and properly enroll a client certificate including private needs a cert enroll protocol to handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - - SCEP - - - - - This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment. - - - - - - - - - - - - - - - * - - - - - - - The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. - - - - - - - - - - - - - - - Install - - - - - The group to represent the install request. - - - - - - - - - - - - - - - ServerURL - - - - - - Specify the cert enrollment server. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - Enroll requester authentication shared secret. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - Specify extended key usages. The list of OIDs are separated by plus “+”. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - Specify the subject name. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - Specify where to keep the private key. - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - When the SCEP server sends pending status, specify device retry waiting time in minutes. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - When the SCEP sends pending status, specify device retry times. 
- - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - Certificate Template Name OID (As in AD used by PKI infrastructure. - - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - Specify private key length (RSA). - - - - - - - - - - - text/plain - - - - - HashAlgrithm - - - - - - Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. - - - - - - - - - - - text/plain - - - - - CAThumbPrint - - - - - - Specify root CA thumbprint. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnit - - - - - - Specify valid period unit type. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Start the cert enrollment. - - - - - - - - - - - text/plain - - - - - - CertThumbPrint - - - - - Specify the current cert’s thumbprint. - - - - - - - - - - - text/plain - - - - - Status - - - - - Specify the latest status for the certificate due to enroll request. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Specify the last hresult in case enroll action failed. - - - - - - - - - - - text/plain - - - - - - - WSTEP - - - - - The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. - - - - - - - - - - - - - - - CertThumprint - - - - - The thumb print of enrolled MDM client certificate. - - - - - - - - - - - text/plain - - - - - Renew - - - - - Under this node are the renew properties. 
- - - - - - - - - - - - - - - RenewPeriod - - - - - - - - Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. - - - - - - - - - - - text/plain - - - - - ServerURL - - - - - - - - Optional. Specifies the cert renewal server URL which is the discovery server. - - - - - - - - - - - text/plain - - - - - RetryInterval - - - - - - - - Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. - - - - - - - - - - - text/plain - - - - - ROBOSupport - - - - - - - - Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. - - - - - - - - - - - text/plain - - - - - Status - - - - - Show the latest action status for this certificate. - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - If certificate renew fails, this node provides the last hresult code during renew process. - - - - - - - - - - - text/plain - - - - - LastRenewalAttemptTime - - - - - Time of last attempted renew. - - - - - - - - - - text/plain - - - - - RenewNow - - - - - Initiate a renew now. - - - - - - - - - - - text/plain - - - - - RetryAfterExpiryInterval - - - - - - How long after the enrollment cert has expired to keep trying to renew. - - - - - - - - - - - text/plain - - - - - - - - CA - - - - - This cryptographic store contains intermediary certification authorities. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. 
This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - - System - - - - - This store holds the System portion of the CA store. - - - - - - - - - - - - - - - * - - - - - - The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - - - - - EncodedCertificate - - - - - - - The base64 Encoded X.509 certificate. - - - - - - - - - - - text/plain - - - - - IssuedBy - - - - - The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - IssuedTo - - - - - The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - ValidFrom - - - - - The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. 
- - - - - - - - - - - text/plain - - - - - ValidTo - - - - - The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - - - - - - - - text/plain - - - - - + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the root store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + MY + + + + + This store keeps all end-user personal certificates. + + + + + + + + + + + + + + + User + + + + + This store holds the User portion of the MY store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + SCEP + + + + + This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + + + + + + + + + + + + + + + + + + + + + The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. + + + + + + + + + + UniqueID + + + + + + Install + + + + + The group to represent the install request + + + + + + + + + + + + + + + ServerURL + + + + + + Specify the cert enrollment server. + + + + + + + + + + + + + + + + Challenge + + + + + + Enroll requester authentication shared secret. + + + + + + + + + + + + + + + + EKUMapping + + + + + + Specify extended key usages. The list of OIDs are separated by plus “+”. + + + + + + + + + + + + + + + + KeyUsage + + + + + + Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + + + + + + + + + + + + + SubjectName + + + + + + Specify the subject name. + + + + + + + + + + + + + + + + KeyProtection + + + + + + Specify where to keep the private key. + + + + + + + + + + + + + + + + RetryDelay + + + + + + When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + + + + + + + RetryCount + + + + + + When the SCEP sends pending status, specify device retry times. + + + + + + + + + + + + + + + + TemplateName + + + + + + Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + + + + + + + + + + KeyLength + + + + + + Specify private key length (RSA). + + + + + + + + + + + + + + + + HashAlgrithm + + + + + + Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + + + + + + + + + + + + + CAThumbPrint + + + + + + Specify root CA thumbprint. 
+ + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + + + + + + + + + + + + + ValidPeriod + + + + + Specify the period of time that cert is valid. The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + + + + + + + + + + + + + ValidPeriodUnit + + + + + + Specify valid period unit type. + + + + + + + + + + + + + + + + Enroll + + + + + Start the cert enrollment. + + + + + + + + + + + + + + + + + CertThumbPrint + + + + + Specify the current cert’s thumbprint. + + + + + + + + + + + + + + + + Status + + + + + Specify the latest status for the certificate due to enroll request. + + + + + + + + + + + + + + + + ErrorCode + + + + + Specify the last hresult in case enroll action failed. + + + + + + + + + + + + + + + + + + WSTEP + + + + + The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + + + + + + + + + + + + CertThumprint + + + + + The thumb print of enrolled MDM client certificate. + + + + + + + + + + + + + + + + Renew + + + + + The parent node to group renewal related settings. + + + + + + + + + + + + + + + + RenewPeriod + + + + + + + + 42 + Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + + + + + + + + + + + [1-1000] + + + + + ServerURL + + + + + + + + Optional. Specifies the cert renewal server URL which is the discovery server. + + + + + + + + + + + + + + + + + + RetryInterval + + + + + + + + 7 + + + + + + + + + + + + + + + [1-1000] + + + + + ROBOSupport + + + + + + + + true + Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. 
For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + + + + + + + + + + + + true + True + + + + + + Status + + + + + Show the latest action status for this certificate. Supported values are one of the following: 0 – Not started. 1 – Renewal in progress. 2 – Renewal succeeded. 3 – Renewal failed. + + + + + + + + + + + + + + + + ErrorCode + + + + + If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + + + + + + + + + + LastRenewalAttemptTime + + + + + Time of last attempted renew + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RenewNow + + + + + Initiate a renew now + + + + + + + + + + + + + + 10.0.14393 + 1.0 + + + + + RetryAfterExpiryInterval + + + + + + + How long after the enrollment cert has expiried to keep trying to renew + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + + + CA + + + + + This cryptographic store contains intermediary certification authorities. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + System + + + + + This store holds the System portion of the CA store. + + + + + + + + + + + + + + + + + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + CertHash + + + + + The SHA1 hash for the certificate. + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[CertificateStore configuration service provider](certificatestore-csp.md) \ No newline at end of file +[CertificateStore configuration service provider reference](certificatestore-csp.md)
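Review bot: the added DDF hunk ships several description-text defects and one missing description that should be fixed before merge. The `RetryInterval` node under `WSTEP/Renew` carries only its default value (`7`) and range (`[1-1000]`) but no description text at all, unlike its siblings `RenewPeriod` and `ROBOSupport`; add a one-line description so the generated reference page is not blank for that node. The description strings also carry typos that will surface verbatim in the published reference: "get supported hash OIalgorithm from SCEP server" under `HashAlgrithm`, "How long after the enrollment cert has expiried to keep trying to renew" under `RetryAfterExpiryInterval`, "Each pair is separated by semi-comma" under `SubjectAlternativeNames`, and "Certificate Template Name OID (As in AD used by PKI infrastructure." under `TemplateName`, which is missing its closing parenthesis. Note that the misspelled node names themselves (`HashAlgrithm`, `CertThumprint`) are identifiers in the CSP's OMA URI path and must stay as they are in the DDF for the document to match what the client enumerates; only the free-text descriptions should be corrected. Finally, the `ROBOSupport` description states that setting the node to false or deleting it on a federated-enrolled device fails with OMA DM error 405; that is a behavioural constraint worth calling out in the `certificatestore-csp.md` page as well, since a reader of the reference alone will not see why the Replace or Delete is rejected.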