diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index c1574476c9..ce1eb79f9c 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md 
@@ -1,717 +1,3529 @@ --- title: ClientCertificateInstall CSP -description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates. -ms.reviewer: +description: Learn more about the ClientCertificateInstall CSP. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 07/30/2021 +ms.topic: reference --- + + + # ClientCertificateInstall CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|---|---|---| -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - + + The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. -For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. - -> [!Note] -> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store, both certificates are sent to the device in the same MDM payload and the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. - -You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. 
+> [!NOTE] +> For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure that enrollment execution isn't triggered until all settings are configured. The Enroll command must be the last item in the atomic block. + + The following example shows the ClientCertificateInstall configuration service provider in tree format. -```console -./Vendor/MSFT -ClientCertificateInstall -----PFXCertInstall ---------UniqueID -------------KeyLocation -------------ContainerName -------------PFXCertBlob -------------PFXCertPassword -------------PFXCertPasswordEncryptionType -------------PFXKeyExportable -------------Thumbprint -------------Status -------------PFXCertPasswordEncryptionStore (Added in Windows 10, version 1511) -----SCEP ---------UniqueID -------------Install -----------------ServerURL -----------------Challenge -----------------EKUMapping -----------------KeyUsage -----------------SubjectName -----------------KeyProtection -----------------RetryDelay -----------------RetryCount -----------------TemplateName -----------------KeyLength -----------------HashAlgorithm -----------------CAThumbprint -----------------SubjectAlternativeNames -----------------ValidPeriod -----------------ValidPeriodUnits -----------------ContainerName -----------------CustomTextToShowInPrompt -----------------Enroll -----------------AADKeyIdentifierList (Added in Windows 10, version 1703) -------------CertThumbprint -------------Status -------------ErrorCode -------------RespondentServerUrl +```text +./Device/Vendor/MSFT/ClientCertificateInstall +--- PFXCertInstall +------ {UniqueID} +--------- ContainerName +--------- KeyLocation +--------- PFXCertBlob +--------- PFXCertPassword +--------- PFXCertPasswordEncryptionStore +--------- PFXCertPasswordEncryptionType +--------- PFXKeyExportable +--------- Status +--------- Thumbprint +--- SCEP +------ {UniqueID} +--------- CertThumbprint +--------- ErrorCode +--------- Install +------------ 
AADKeyIdentifierList +------------ CAThumbprint +------------ Challenge +------------ ContainerName +------------ CustomTextToShowInPrompt +------------ EKUMapping +------------ Enroll +------------ HashAlgorithm +------------ KeyLength +------------ KeyProtection +------------ KeyUsage +------------ RetryCount +------------ RetryDelay +------------ ServerURL +------------ SubjectAlternativeNames +------------ SubjectName +------------ TemplateName +------------ ValidPeriod +------------ ValidPeriodUnits +--------- RespondentServerUrl +--------- Status +./User/Vendor/MSFT/ClientCertificateInstall +--- PFXCertInstall +------ {UniqueID} +--------- ContainerName +--------- KeyLocation +--------- PFXCertBlob +--------- PFXCertPassword +--------- PFXCertPasswordEncryptionStore +--------- PFXCertPasswordEncryptionType +--------- PFXKeyExportable +--------- Status +--------- Thumbprint +--- SCEP +------ {UniqueID} +--------- CertThumbprint +--------- ErrorCode +--------- Install +------------ AADKeyIdentifierList +------------ CAThumbprint +------------ Challenge +------------ ContainerName +------------ CustomTextToShowInPrompt +------------ EKUMapping +------------ Enroll +------------ HashAlgorithm +------------ KeyLength +------------ KeyProtection +------------ KeyUsage +------------ RetryCount +------------ RetryDelay +------------ ServerURL +------------ SubjectAlternativeNames +------------ SubjectName +------------ TemplateName +------------ ValidPeriod +------------ ValidPeriodUnits +--------- RespondentServerUrl +--------- Status ``` + -**Device or User** -For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. + +## Device/PFXCertInstall -**ClientCertificateInstall** -The root node for the ClientCertificateInstaller configuration service provider. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**ClientCertificateInstall/PFXCertInstall** -Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall +``` + -Supported operation is Get. + + +Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + -**ClientCertificateInstall/PFXCertInstall/***UniqueID* + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/PFXCertInstall/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID} +``` + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + -The data type format is node. + + + -Supported operations are Get, Add, and Replace. + +**Description framework properties**: -Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/KeyLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation +``` + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + -Supported operations are Get, Add, and Replace. + + + -The data type is an integer corresponding to one of the following values: + +**Description framework properties**: -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------------------| -| 1 | Install to TPM if present, fail if not present. | -| 2 | Install to TPM if present. If not present, fall back to software. | -| 3 | Install to software. | -| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail. + +**Allowed values**: -Date type is string. +| Value | Description | +|:--|:--| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | + -Supported operations are Get, Add, Delete, and Replace. 
+ + + -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation. + -The data type format is binary. + +#### Device/PFXCertInstall/{UniqueID}/PFXCertBlob -Supported operations are Get, Add, and Replace. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob +``` + -If Add is called on this node for a new PFX, the certificate will be added. When a certificate doesn't exist, Replace operation on this node will fail. + + +Required. +[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)). 
+ -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword +``` + + + + Password that protects the PFX blob. This is required if the PFX is password protected. - -Data Type is a string. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. - -The data type is int. Valid values: - -- 0 - Password isn't encrypted. -- 1 - Password is encrypted with the MDM certificate. -- 2 - Password is encrypted with custom certificate. - -When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM. - -> [!Note] -> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - -The data type bool. - -Supported operations are Get, Add, and Replace. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** -Returns the thumbprint of the installed PFX certificate. - -The datatype is a string. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** -Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. - -Data type is an integer. - -Supported operation is Get. - -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** -Added in Windows 10, version 1511. 
When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP** -Node for SCEP. - -> [!Note] -> An alert is sent after the SCEP certificate is installed. - -**ClientCertificateInstall/SCEP/***UniqueID* -A unique ID to differentiate different certificate installation requests. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install** -A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. - -Supported operations are Get, Add, Replace, and Delete. - -> [!Note] -> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** -Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. - -Data type is string. - -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** -Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus +. For example, OID1+OID2+OID3. - -Data type is string. 
- -Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** -Required. Specifies the subject name. - -The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”). - -For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). - -Data type is string. - -Supported operations are Add, Get, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** -Optional. Specifies where to keep the private key. - -> [!Note] -> Even if the private key is protected by TPM, it isn't protected with a TPM PIN. - -The data type is an integer corresponding to one of the following values: - -| Value | Description | -|---|---| -| 1 | Private key protected by TPM. | -| 2 | Private key protected by phone TPM if the device supports TPM. | -| 3 | (Default) Private key saved in software KSP. | -| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** -Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Data type is int. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** -Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. - -Data type format is an integer. - -The default value is 5. - -The minimum value is 1. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** -Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. - -Data type is integer. - -Default value is 3. - -Maximum value is 30. If the value is larger than 30, the device will use 30. - -Minimum value is 0, which indicates no retry. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** -Optional. OID of certificate template name. - -> [!Note] -> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** -Required for enrollment. Specify private key length (RSA). - -Data type is integer. - -Valid values are 1024, 2048, and 4096. - -For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. - -For Windows Hello for Business, only SHA256 is the supported algorithm. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail. - -Data type is string. 
- -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN. - -Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. - -Data type is string. - -Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** -Optional. Specifies the units for the valid certificate period. - -Data type is string. - -Valid values are: - -- Days (Default) -- Months -- Years + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore +``` + + + + +Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
| + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType +``` + + + + +Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Password is not encrypted. | +| 1 | Password is encrypted with the MDM certificate. | +| 2 | Password is encrypted with custom certificate. | + + + + + + + + + +#### Device/PFXCertInstall/{UniqueID}/PFXKeyExportable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable +``` + + + + +Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + +The PFX isn't exportable when it's installed to TPM. > [!NOTE] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | +| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
| + -> [!Note] -> The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +**Allowed values**: -Data type is string. +| Value | Description | +|:--|:--| +| false | False. | +| true (Default) | True. | + -> [!Note] -> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. + + + -Supported operations are Add, Get, Delete, and Replace. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Status -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** -Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. + + +Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + -Data type is string. + + + -Supported operations are Add, Get, Delete, and Replace. + +**Description framework properties**: -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + -The date type format is Null, meaning this node doesn’t contain a value. + + + -The only supported operation is Execute. + -**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -Optional. Specify the Azure Active Directory Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. + +#### Device/PFXCertInstall/{UniqueID}/Thumbprint -Data type is string. + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -Supported operations are Add, Get, Delete, and Replace. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint +``` + -**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + +Returns the thumbprint of the PFX certificate installed. + -If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string. + + + -Data type is string. + +**Description framework properties**: -The only supported operation is Get. +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -**ClientCertificateInstall/SCEP/*UniqueID*/Status** -Required. Specifies latest status of the certificated during the enrollment request. + + + -Data type is string. Valid values: + -The only supported operation is Get. + +## Device/SCEP -| Value | Description | -|-------|---------------------------------------------------------------------------------------------------| -| 1 | Finished successfully | -| 2 | Pending (the device hasn’t finished the action but has received the SCEP server pending response) | -| 16 | Action failed | -| 32 | Unknown | + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + -**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** -Optional. An integer value that indicates the HRESULT of the last enrollment error code. + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP +``` + -The only supported operation is Get. + + +Node for SCEP. An alert is sent after the SCEP certificate is installed. + -**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### Device/SCEP/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID} +``` + + + + +Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### Device/SCEP/{UniqueID}/CertThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint +``` + + + + +Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + +> [!NOTE] +> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode +``` + + + + +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### Device/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install +``` + + + + +Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/AADKeyIdentifierList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList +``` + + + + +Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CAThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint +``` + + + + +Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Challenge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge +``` + + + + +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt +``` + + + + +Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/EKUMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping +``` + + + + +Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll +``` + + + + +Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/HashAlgorithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + +> [!NOTE] +> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1024 | 1024. | +| 2048 | 2048. | +| 4096 | 4096. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn't support TPM PIN protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 (Default) | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 3 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 5 | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ). + + + + +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Days | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Days (Default) | Days. | +| Months | Months. | +| Years | Years. | + + + + + + + + + +##### Device/SCEP/{UniqueID}/Install/ValidPeriodUnits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits +``` + + + + +Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +> [!NOTE] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + + +#### Device/SCEP/{UniqueID}/RespondentServerUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl +``` + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + -Data type is string. + + + -The only supported operation is Get. + +**Description framework properties**: -## Example +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + -Enroll a client certificate through SCEP. + + + -```xml - - - - - 301 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ - - - node - - - - - 302 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount - - - int - - 1 - - - - 303 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay - - - int - - 1 - - - - 304 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage - - - int - - 160 - - - - 305 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength - - - int - - 1024 - - - - 306 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm - - - chr - - SHA-1 - - - - 307 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName - - - chr - - CN=ContosoCSP - - - - 308 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames - - - chr - - - - - - 309 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod - - - chr - - Years - - - - 310 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits - - - int - - 1 - - - - 311 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping - - - chr - - 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 - - - - 312 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection - - - int - - 3 - - - - 313$ - - - 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL - - - chr - - http://constoso.com/certsrv/mscep/mscep.dll - - - - 314 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge - - - chr - - 1234CB055B7EBF384A9486A22B7559A5 - - - - 315 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint - - - chr - - 12345087E648875D1DF5D9F9FF89DD10 - - - - 316 - - - ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll - - - - + + + +#### Device/SCEP/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```Device +./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status +``` + + + + +Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 - finished successfully +2 - pending (the device hasn't finished the action but has received the SCEP server pending response) +32 - unknown +16 - action failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +## User/PFXCertInstall + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall +``` + + + + +Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/PFXCertInstall/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID} +``` + + + + +Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/KeyLocation + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/KeyLocation +``` + + + + +Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertBlob + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertBlob +``` + + + + +Required. +[CRYPT_DATA_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)) structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate + + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bin | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPassword + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPassword +``` + + + + +Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionStore +``` + + + + +Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Get, Replace | +| Dependency [EncryptionTypeDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType`
Dependency Allowed Value: `[2]`
Dependency Allowed Value Type: `Range`
| + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXCertPasswordEncryptionType +``` + + + + +Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Password is not encrypted. | +| 1 | Password is encrypted with the MDM certificate. | +| 2 | Password is encrypted with custom certificate. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/PFXKeyExportable + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/PFXKeyExportable +``` + + + + +Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + +> [!NOTE] +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Get, Replace | +| Default Value | true | +| Dependency [KeyLocationDependency] | Dependency Type: `DependsOn`
Dependency URI: `Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation`
Dependency Allowed Value: `[3]`
Dependency Allowed Value Type: `Range`
| + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| false | False. | +| true (Default) | True. | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Status +``` + + + + +Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/PFXCertInstall/{UniqueID}/Thumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/{UniqueID}/Thumbprint +``` + + + + +Returns the thumbprint of the PFX certificate installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +## User/SCEP + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP +``` + + + + +Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Get | + + + + + + + + + +### User/SCEP/{UniqueID} + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID} +``` + + + + +Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | +| Atomic Required | True | +| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | + + + + + + + + + +#### User/SCEP/{UniqueID}/CertThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/CertThumbprint +``` + + + + +Optional. Specify the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + +> [!NOTE] +> If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted, etc.) then it will return an empty string. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/ErrorCode + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/ErrorCode +``` + + + + +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/Install + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install +``` + + + + +Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/AADKeyIdentifierList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/AADKeyIdentifierList +``` + + + + +Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/CAThumbprint + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CAThumbprint +``` + + + + +Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/Challenge + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Challenge +``` + + + + +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ContainerName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ContainerName +``` + + + + +Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/CustomTextToShowInPrompt +``` + + + + +Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/EKUMapping + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/EKUMapping +``` + + + + +Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus "+". Sample format: OID1+OID2+OID3. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/Enroll + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/Enroll +``` + + + + +Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/HashAlgorithm + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/HashAlgorithm +``` + + + + +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyLength + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyLength +``` + + + + +Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + +> [!NOTE] +> For Windows Hello for Business (formerly known as Microsoft Passport for Work) , 2048 is the only supported key length. + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1024 | 1024. | +| 2048 | 2048. | +| 4096 | 4096. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyProtection + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyProtection +``` + + + + +Optional. Specify where to keep the private key. **Note** that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn't support TPM PIN protection. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 3 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 (Default) | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/KeyUsage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/KeyUsage +``` + + + + +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/RetryCount + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryCount +``` + + + + +Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-30]` | +| Default Value | 3 | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/RetryDelay + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/RetryDelay +``` + + + + +Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[0-4294967295]` | +| Default Value | 5 | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ServerURL + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ServerURL +``` + + + + +Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/SubjectAlternativeNames + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectAlternativeNames +``` + + + + +Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/SubjectName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/SubjectName +``` + + + + +Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: ("," "=" "+" ";" ). + + + + +For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/TemplateName + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/TemplateName +``` + + + + +Optional. OID of certificate template name. **Note** that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn't need to provide it. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ValidPeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriod +``` + + + + +Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | +| Default Value | Days | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| Days (Default) | Days. | +| Months | Months. | +| Years | Years. | + + + + + + + + + +##### User/SCEP/{UniqueID}/Install/ValidPeriodUnits + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Install/ValidPeriodUnits +``` + + + + +Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. **Note** the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +> [!NOTE] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) the SCEP server as part of certificate enrollment request. It is the server's decision on how to use this valid period to create the certificate. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + + + + + + + +#### User/SCEP/{UniqueID}/RespondentServerUrl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/RespondentServerUrl +``` + + + + +Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +#### User/SCEP/{UniqueID}/Status + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1511 [10.0.10586] and later | + + + +```User +./User/Vendor/MSFT/ClientCertificateInstall/SCEP/{UniqueID}/Status +``` + + + + +Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 - finished successfully +2 - pending (the device hasn't finished the action but has received the SCEP server pending response) +32 - unknown +16 - action failed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + + +## Examples + +- Enroll a client certificate through SCEP. + + ```xml + + + + + 301 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ + + + node + + + + + 302 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount + + + int + + 1 + + + + 303 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay + + + int + + 1 + + + + 304 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage + + + int + + 160 + + + + 305 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength + + + int + + 1024 + + + + 306 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm + + + chr + + SHA-1 + + + + 307 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName + + + chr + + CN=ContosoCSP + + + + 308 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames + + + chr + + + + + + 309 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod + + + chr + + Years + + + + 310 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits + + + int + + 1 + + + + 311 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping + + + chr + + 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 + + + + 312 + + + 
./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection + + + int + + 3 + + + + 313$ + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL + + + chr + + http://constoso.com/certsrv/mscep/mscep.dll + + + + 314 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge + + + chr + + 1234CB055B7EBF384A9486A22B7559A5 + + + + 315 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint + + + chr + + 12345087E648875D1DF5D9F9FF89DD10 + + + + 316 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll + + + + + + + + ``` + +- Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + + ```xml + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C + + + + + $CmdID$ + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob + + + chr + + Base64_Encode_Cert_Blob + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword + + + chr + + Base64Encoded_Encrypted_Password_Blog + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore + + + chr + + My + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable + + + bool + + true + + + - - -``` +
+
+ ``` + -Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate from "My" store. + -```xml - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C - - - - - $CmdID$ - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob - - - chr - - Base64_Encode_Cert_Blob - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword - - - chr - - Base64Encoded_Encrypted_Password_Blog - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType - - - int - - 2 - - - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore - - - chr - - My - - +## Related articles - - $CmdID$ - - - ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable - - - bool - - true - - - - - - -``` - -## Related topics - -[Configuration service provider reference](index.yml) +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 8d8a117d95..08abb4da3e 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
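Review bot: The "Add a PFX certificate" example sets `KeyLocation` to `2` and `PFXKeyExportable` to `true`, but the DDF hunk in this same change lists `.../PFXCertInstall/[UniqueID]/KeyLocation` with value `[3]` as the dependency under `PFXKeyExportable`, so the example as written describes a request the CSP would reject; either change the example's KeyLocation to `3` or set PFXKeyExportable to `false` so the sample matches the schema. In the SCEP example, the CmdID `313$` carries a stray `$` (the surrounding commands are `312`, `314`) and would not be a valid command ID. The same example still uses `KeyLength` `1024`, `HashAlgorithm` `SHA-1` and the URL `http://constoso.com/certsrv/mscep/mscep.dll`; since the DDF on this page lists 2048/4096 and SHA-2 as valid values, a sample that shows `2048` and `SHA-2` would be a better default for readers to copy, and "constoso" should be "contoso" to match `CN=ContosoCSP`. Finally, `Base64Encoded_Encrypted_Password_Blog` in the PFX example looks like a typo for `..._Blob`, consistent with `Base64_Encode_Cert_Blob` above it.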
@@ -1,1055 +1,2198 @@ --- title: ClientCertificateInstall DDF file -description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. -ms.reviewer: +description: View the XML file containing the device description framework (DDF) for the ClientCertificateInstall configuration service provider. +author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.topic: article +ms.date: 02/24/2023 +ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 12/05/2017 +ms.topic: reference --- + + # ClientCertificateInstall DDF file -This topic shows the OMA DM device description framework (DDF) for the **ClientCertificateInstall** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-ddf.md). - -The XML below is the current version for this CSP. +The following XML file contains the device description framework (DDF) for the ClientCertificateInstall configuration service provider. ```xml -]> +]> - 1.2 + 1.2 + + + + ClientCertificateInstall + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + - ClientCertificateInstall - ./Vendor/MSFT + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - com.microsoft/1.1/MDM/ClientCertificateInstall - - - - PFXCertInstall - - - - - Required for PFX certificate installation. The parent node grouping the PFX cert related settings. Supported operation is Get. - - - - - - - - - - - - - - - - - - - - - - - Required for PFX certificate installation. 
A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. - - - - - - - - - - UniqueID - - - - - - KeyLocation - - - - - - - Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation. Supported operations are Get, Add. - Datatype will be int -1- Install to TPM, fail if not present -2 – Install to TPM if present, if not present fallback to Software -3 – Install to software -4 – Install to NGC container whose name is specified - - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. -Format is chr. -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - - text/plain - - - - - PFXCertBlob - - - - - - - Required. + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. 
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. -Format is Binary64. -Supported operations are Get, Add, Replace. If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx - - - - - - - - - - - text/plain - - - - - PFXCertPassword - - - - - - - -Required if PFX is password protected. -Password that protects the PFX blob. -Format is chr. Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionType - - - - - - - 0 - Optional. Used to specify if the PFX certificate password is encrypted with a certificate. -If the value is -0 - Password is not encrypted -1- Password is encrypted using the MDM certificate by the MDM server -2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. -The datatype for this node is int. -Supported operations are Add, Replace. 
- - - - - - - - - - - - text/plain - - - - - PFXKeyExportable - - - - - - - true - Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. -Supported operations are Add, Get. - - - - - - - - - - - - text/plain - - - - - Thumbprint - - - - - Returns the thumbprint of the PFX certificate installed. Format is string.Supported operations are Get. - - - - - - - - - - - - text/plain - - - - - Status - - - - - Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. -Support operations are Get. - - - - - - - - - - - - text/plain - - - - - PFXCertPasswordEncryptionStore - - - - - - - Optional. -When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. -Datatype is string, -Support operation are Add, Get and Replace. - - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + - SCEP - - - - - - - - - - - - - - - - - - - - - - - - - - - Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. -Format is node. -Supported operations are Get, Add, Delete. + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. 
+ + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). + + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. Calling Delete on the this node, should delete the corresponding SCEP certificate - - - - - - - - - - UniqueID - - - - - - Install - - - - - - - - Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. - -NOTE: Though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. 
The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. - - - - - - - - - - - - - - - ServerURL - - - - - - - - Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. -Format is string. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - Challenge - - - - - - - - Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Format is chr. Supported operations are Get, Add, Replace, Delete. Challenge will be deleted shortly after the Exec command is accepted. - - - - - - - - - - - text/plain - - - - - EKUMapping - - - - - - - - Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyUsage - - - - - - - - Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectName - - - - - - - - Required. Specify the subject name. Format is chr. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - KeyProtection - - - - - - - - 3 - Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. - -SCEP enrolled cert doesn’t support TPM PIN protection. Supported values: - -1 – private key protected by TPM, - -2 – private key protected by phone TPM if the device supports TPM. 
- -3 (default) – private key saved in software KSP - -4 – private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail. - - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - - - text/plain - - - - - RetryDelay - - - - - - - - 5 - Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. + + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. 
If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. Default value is: 5 -The min value is 1. - -Format is int. - -Supported operations are Get, Add, Delete noreplace. - - - - - - - - - - - text/plain - - - - - RetryCount - - - - - - - - 3 - Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. -The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - TemplateName - - - - - - - - Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace. 
- - - - - - - - - - - text/plain - - - - - KeyLength - - - - - - - - Required for enrollment. Specify private key length (RSA). Format is int. - -Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - HashAlgorithm - - - - - - - - Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. - -For NGC, only SHA256 is supported as the supported algorithm - -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - CAThumbprint - - - - - - - - Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. -Format is chr. -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - SubjectAlternativeNames - - - - - - - - Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. - -Format is chr. - -Supported operations are Get, Add, Delete, Replace. - - - - - - - - - - - text/plain - - - - - ValidPeriod - - - - - - - - Days - Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. -Format is chr. -Supported operations are Get, Add, Delete, Replace. +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. Special to SCEP. 
Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ValidPeriodUnits - - - - - - - - 0 - Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. - -Format is int. - -Supported operations are Get, Add, Delete, Replace. - -NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. - - - - - - - - - - - text/plain - - - - - ContainerName - - - - - - - - Optional. -Specifies the NGC container name (if NGC KSP is chosen for above node). 
If this node is not specified when NGC KSP is chosen, enrollment will fail. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - CustomTextToShowInPrompt - - - - - - - - Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. - -Format is chr. - -Supported operations are Get, Add, Delete and Replace. - - - - - - - - - - - text/plain - - - - - Enroll - - - - - Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. - -Format is null, e.g. this node doesn’t contain a value. - -Supported operation is Exec. - - - - - - - - - - - text/plain - - - - - AADKeyIdentifierList - - - - - - - - Optional. Specify the Azure Active Directory Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail. - - - - - - - - - - - text/plain - - - - - - CertThumbprint - - - - - Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Format is chr. Supported operation is Get. - - - - - - - - - - - text/plain - - - - - Status - - - - - Required. Specify the latest status for the certificate due to enroll request. - -Format is chr. - -Supported operation is Get. - + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. 
+ + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. Valid values are: 1 – finished successfully 2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) 32 – unknown 16 - action failed - - - - - - - - - - - text/plain - - - - - ErrorCode - - - - - Optional. The integer value that indicates the HRESULT of the last enrollment error code. -Supported operation is Get. - - - - - - - - - - - text/plain - - - - - RespondentServerUrl - - - - - Required. Returns the URL of the SCEP server that responded to the enrollment request. - -Format is String. - -Supported operation is Get. - - - - - - - - - - - text/plain - - - - + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. 
The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + + ClientCertificateInstall + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + 10.0.10586 + 1.0 + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + + + + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. + + + + + + + + + + + + + + + + + + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + + + + + UniqueID + + + + + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + + + + + + + + + + + + + + + 1 + Install to TPM if present, fail if not present. + + + 2 + Install to TPM if present. If not present, fallback to software. + + + 3 + Install to software. + + + 4 + Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified + + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + PFXCertBlob + + + + + + + Required. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. 
This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx + + + + + + + + + + + + + + + + + + + PFXCertPassword + + + + + + + Password that protects the PFX blob. This is required if the PFX is password protected. + + + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. + + + + + + + + + + + + + + + 0 + Password is not encrypted. + + + 1 + Password is encrypted with the MDM certificate. + + + 2 + Password is encrypted with custom certificate. + + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). 
+ + + + + + + + + + + + + + + false + False + + + true + True + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/KeyLocation + + [3] + + + + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. + + + + + + + + + + + + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + + + + + + + + + + + + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. + + + + + + + + + + + + + + + + + + Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/[UniqueID]/PFXCertPasswordEncryptionType + + [2] + + + + + + + + + + SCEP + + + + + Node for SCEP. An alert is sent after the SCEP certificate is installed. + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Calling Delete on the this node, should delete the corresponding SCEP certificate + + + + + + + + + + UniqueID + + + + + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. 
+ + + + + + + + + + + + + + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + + + + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + + + + + + + + + + + + + + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. + + + + + + + + + + + + + + + + + + SubjectName + + + + + + + + Required. Specify the subject name. The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + + + + + + + + + + + + + + + + + + KeyProtection + + + + + + + + 3 + Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. + + + + + + + + + + + + + + + 1 + Private key protected by TPM. + + + 2 + Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. + + + 3 + (Default) Private key saved in software KSP. + + + 4 + Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. + + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + + + + + + + + + + + + + + [0-4294967295] + + + + + RetryCount + + + + + + + + 3 + Optional. 
Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. + + + + + + + + + + + + + + [0-30] + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. + + + + + + + + + + + + + + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + + + + + + + + + + + + + + + 1024 + 1024 + + + 2048 + 2048 + + + 4096 + 4096 + + + + + + HashAlgorithm + + + + + + + + Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm + + + + + + + + + + + + + + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. + + + + + + + + + + + + + + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + + + + + + + + + + + + + + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. 
+MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + Days + Days + + + Months + Months + + + Years + Years + + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + + + + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + + + + + + + + + + + + + + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + + + + + + + + + + + + + + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + + + + + + + + + + + + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. 
On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + + + + 10.0.15063 + 1.0 + + + + + + + + CertThumbprint + + + + + Optional. Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + + + + + + + + + + + + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. +Valid values are: +1 – finished successfully +2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) +32 – unknown +16 - action failed + + + + + + + + + + + + + + + + ErrorCode + + + + + Optional. The integer value that indicates the HRESULT of the last enrollment error code. + + + + + + + + + + + + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + + + + + + + + + + + + + + + + + ``` -## Related topics +## Related articles -[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) +[ClientCertificateInstall configuration service provider reference](clientcertificateinstall-csp.md)
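Review bot: The ValidPeriod description (the sentence beginning "MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server") is a truncated copy of the NOTE under ValidPeriodUnits: it drops the leading "The device only sends the" and the "to" before "the SCEP server", and both copies misspell the node as "ValidPerio"; suggest restoring the full sentence in both places, e.g. "NOTE: The device only sends the MDM server's expected certificate validity period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request." Several other typos survive into the new text and should be fixed while the file is being regenerated: "contained iin PFXCertPasswordEncryptionType" (PFXCertPasswordEncryptionStore), "Calling Delete on the this node" (SCEP UniqueID), "when the SCEP sever sends pending status" (RetryCount), and "second (0x20) or forth (0x80)" (KeyUsage, should read "fourth"). The CRYPT_DATA_BLOB reference under PFXCertBlob still points at a plain-http msdn.microsoft.com URL; it should be replaced with an https link to the current documentation location (the target isn't in this patch, so please verify it before changing). Finally, PFXCertPasswordEncryptionType lists "0 - Password is not encrypted" as the default without saying what that implies for the PFX password in transit; one sentence noting that with 0 the password travels in the SyncML payload protected only by the management transport, and that 1 (MDM certificate) or 2 (custom certificate) should be preferred, would make the security trade-off explicit for administrators.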