---
title: CertificateStore CSP
description: Learn more about the CertificateStore CSP.
ms.date: 03/12/2025
ms.topic: generated-reference
---
# CertificateStore CSP
The CertificateStore configuration service provider is used to add Secure Sockets Layer (SSL), intermediate, and self-signed certificates.
> [!NOTE]
> The CertificateStore configuration service provider does not support installing client certificates. The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
For the CertificateStore CSP, you can't use the Replace command unless the node already exists.
The following list shows the CertificateStore configuration service provider nodes:
- ./Device/Vendor/MSFT/CertificateStore
  - [CA](#ca)
    - [{CertHash}](#cacerthash)
      - [EncodedCertificate](#cacerthashencodedcertificate)
      - [IssuedBy](#cacerthashissuedby)
      - [IssuedTo](#cacerthashissuedto)
      - [TemplateName](#cacerthashtemplatename)
      - [ValidFrom](#cacerthashvalidfrom)
      - [ValidTo](#cacerthashvalidto)
    - [System](#casystem)
      - [{CertHash}](#casystemcerthash)
        - [EncodedCertificate](#casystemcerthashencodedcertificate)
        - [IssuedBy](#casystemcerthashissuedby)
        - [IssuedTo](#casystemcerthashissuedto)
        - [TemplateName](#casystemcerthashtemplatename)
        - [ValidFrom](#casystemcerthashvalidfrom)
        - [ValidTo](#casystemcerthashvalidto)
  - [MY](#my)
    - [SCEP](#myscep)
      - [{UniqueID}](#myscepuniqueid)
        - [CertThumbPrint](#myscepuniqueidcertthumbprint)
        - [ErrorCode](#myscepuniqueiderrorcode)
        - [Install](#myscepuniqueidinstall)
          - [CAThumbPrint](#myscepuniqueidinstallcathumbprint)
          - [Challenge](#myscepuniqueidinstallchallenge)
          - [EKUMapping](#myscepuniqueidinstallekumapping)
          - [Enroll](#myscepuniqueidinstallenroll)
          - [HashAlgrithm](#myscepuniqueidinstallhashalgrithm)
          - [KeyLength](#myscepuniqueidinstallkeylength)
          - [KeyProtection](#myscepuniqueidinstallkeyprotection)
          - [KeyUsage](#myscepuniqueidinstallkeyusage)
          - [RetryCount](#myscepuniqueidinstallretrycount)
          - [RetryDelay](#myscepuniqueidinstallretrydelay)
          - [ServerURL](#myscepuniqueidinstallserverurl)
          - [SubjectAlternativeNames](#myscepuniqueidinstallsubjectalternativenames)
          - [SubjectName](#myscepuniqueidinstallsubjectname)
          - [TemplateName](#myscepuniqueidinstalltemplatename)
          - [ValidPeriod](#myscepuniqueidinstallvalidperiod)
          - [ValidPeriodUnit](#myscepuniqueidinstallvalidperiodunit)
        - [Status](#myscepuniqueidstatus)
    - [User](#myuser)
      - [{CertHash}](#myusercerthash)
        - [EncodedCertificate](#myusercerthashencodedcertificate)
        - [IssuedBy](#myusercerthashissuedby)
        - [IssuedTo](#myusercerthashissuedto)
        - [TemplateName](#myusercerthashtemplatename)
        - [ValidFrom](#myusercerthashvalidfrom)
        - [ValidTo](#myusercerthashvalidto)
    - [WSTEP](#mywstep)
      - [CertThumprint](#mywstepcertthumprint)
      - [Renew](#mywsteprenew)
        - [ErrorCode](#mywsteprenewerrorcode)
        - [LastRenewalAttemptTime](#mywsteprenewlastrenewalattempttime)
        - [RenewNow](#mywsteprenewrenewnow)
        - [RenewPeriod](#mywsteprenewrenewperiod)
        - [RetryAfterExpiryInterval](#mywsteprenewretryafterexpiryinterval)
        - [RetryInterval](#mywsteprenewretryinterval)
        - [ROBOSupport](#mywsteprenewrobosupport)
        - [ServerURL](#mywsteprenewserverurl)
        - [Status](#mywsteprenewstatus)
  - [ROOT](#root)
    - [{CertHash}](#rootcerthash)
      - [EncodedCertificate](#rootcerthashencodedcertificate)
      - [IssuedBy](#rootcerthashissuedby)
      - [IssuedTo](#rootcerthashissuedto)
      - [TemplateName](#rootcerthashtemplatename)
      - [ValidFrom](#rootcerthashvalidfrom)
      - [ValidTo](#rootcerthashvalidto)
    - [System](#rootsystem)
      - [{CertHash}](#rootsystemcerthash)
        - [EncodedCertificate](#rootsystemcerthashencodedcertificate)
        - [IssuedBy](#rootsystemcerthashissuedby)
        - [IssuedTo](#rootsystemcerthashissuedto)
        - [TemplateName](#rootsystemcerthashtemplatename)
        - [ValidFrom](#rootsystemcerthashvalidfrom)
        - [ValidTo](#rootsystemcerthashvalidto)
## CA
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA
```
This cryptographic store contains intermediate certification authorities.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
### CA/{CertHash}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}
```
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Delete, Get |
| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
#### CA/{CertHash}/EncodedCertificate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/EncodedCertificate
```
The base64-encoded X.509 certificate.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `b64` |
| Access Type | Add, Get, Replace |
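The {CertHash} node name and the EncodedCertificate value are two views of the same DER bytes: the node name is the SHA1 hash of the DER in hex, and the value is the base64 of that DER. The following is an added example (not code from the CSP reference or any Microsoft tool) that derives both from one certificate, builds the SyncML Add for one of the stores on this page, and checks a received Add for hash/payload consistency. The certificate bytes are a constructed stand-in, and the Add/CmdID/Item/Target/LocURI/Meta/Format/Data element layout is assumed from OMA-DM SyncML.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

CSP_ROOT = "./Device/Vendor/MSFT/CertificateStore"
# Stores on this page that take an EncodedCertificate under a {CertHash} node.
CERT_STORES = ("CA", "CA/System", "ROOT", "ROOT/System", "MY/User")

# Constructed stand-in for a DER-encoded X.509 certificate: the hash and base64
# steps treat the certificate as opaque bytes, so real content isn't needed here.
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_from_pem_or_der(blob: bytes) -> bytes:
    """Accept either raw DER or PEM armour and return the DER bytes."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----(BEGIN|END) CERTIFICATE-----", b"", blob)
        return base64.b64decode(b"".join(body.split()))
    return blob


def cert_hash(der: bytes) -> str:
    """The {CertHash} node name: the 20-byte SHA1 hash of the DER certificate, in hex."""
    return hashlib.sha1(der).hexdigest().upper()


def encoded_certificate(der: bytes) -> str:
    """The EncodedCertificate node value (Format b64): base64 of the DER certificate."""
    return base64.b64encode(der).decode("ascii")


def build_add(store: str, der: bytes, cmd_id: int = 1) -> str:
    """Build a SyncML <Add> that installs one certificate into the given store."""
    if store not in CERT_STORES:
        raise ValueError(f"{store} has no {{CertHash}}/EncodedCertificate node")
    add = ET.Element("Add")
    ET.SubElement(add, "CmdID").text = str(cmd_id)
    item = ET.SubElement(add, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = f"{CSP_ROOT}/{store}/{cert_hash(der)}/EncodedCertificate"
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "b64"
    ET.SubElement(item, "Data").text = encoded_certificate(der)
    return ET.tostring(add, encoding="unicode")


def check_add(syncml: str) -> bool:
    """Consistency check on an incoming Add: the hash in LocURI must be the SHA1 of the
    decoded payload, so a payload swapped after the URI was built is rejected."""
    add = ET.fromstring(syncml)
    loc_uri = add.findtext("Item/Target/LocURI")
    data = add.findtext("Item/Data")
    if not loc_uri or not data:
        return False
    stores = "|".join(re.escape(s) for s in CERT_STORES)
    m = re.fullmatch(rf"{re.escape(CSP_ROOT)}/({stores})/([0-9A-Fa-f]{{40}})/EncodedCertificate", loc_uri)
    if m is None:
        return False
    try:
        der = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return m.group(2).upper() == cert_hash(der)
```

Hashing the PEM text or the base64 string instead of the DER gives a different node name, which is the usual cause of a certificate appearing under an unexpected {CertHash}.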
#### CA/{CertHash}/IssuedBy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedBy
```
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### CA/{CertHash}/IssuedTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedTo
```
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### CA/{CertHash}/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/TemplateName
```
Returns the certificate template name.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### CA/{CertHash}/ValidFrom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidFrom
```
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### CA/{CertHash}/ValidTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidTo
```
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
### CA/System
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System
```
This store holds the System portion of the CA store.
> [!NOTE]
> Use [RootCATrustedCertificates CSP](rootcacertificates-csp.md) moving forward for installing CA certificates.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
#### CA/System/{CertHash}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}
```
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Delete, Get |
| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
##### CA/System/{CertHash}/EncodedCertificate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/EncodedCertificate
```
The base64-encoded X.509 certificate.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `b64` |
| Access Type | Add, Get, Replace |
##### CA/System/{CertHash}/IssuedBy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedBy
```
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### CA/System/{CertHash}/IssuedTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedTo
```
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### CA/System/{CertHash}/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/TemplateName
```
Returns the certificate template name.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### CA/System/{CertHash}/ValidFrom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidFrom
```
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### CA/System/{CertHash}/ValidTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidTo
```
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
## MY
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY
```
This store keeps all end-user personal certificates.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
### MY/SCEP
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP
```
This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.
> [!NOTE]
> Use [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) to install SCEP certificates moving forward.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
#### MY/SCEP/{UniqueID}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}
```
The UniqueID for the SCEP enrollment request. Each client certificate should have a different unique ID.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Add, Delete, Get |
##### MY/SCEP/{UniqueID}/CertThumbPrint
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/CertThumbPrint
```
Specify the current cert's thumbprint.
20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### MY/SCEP/{UniqueID}/ErrorCode
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/ErrorCode
```
Specifies the last HRESULT, in case the enroll action failed.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
##### MY/SCEP/{UniqueID}/Install
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install
```
The group to represent the install request.
> [!NOTE]
> Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
###### MY/SCEP/{UniqueID}/Install/CAThumbPrint
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/CAThumbPrint
```
Specify the root CA thumbprint.
20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When the client authenticates the SCEP server, it checks the CA certificate from the SCEP server for a match with this certificate. If it doesn't match, the authentication fails.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/Challenge
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Challenge
```
Enroll requester authentication shared secret.
The value must be base64 encoded. Challenge is deleted shortly after the Exec command is accepted.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/EKUMapping
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/EKUMapping
```
Specify extended key usages. The OIDs in the list are separated by a plus sign (+).
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/Enroll
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Enroll
```
Start the cert enrollment.
The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `null` |
| Access Type | Exec |
###### MY/SCEP/{UniqueID}/Install/HashAlgrithm
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/HashAlgrithm
```
When the client creates the certificate enrollment request, it gets the supported hash algorithm OIDs from the SCEP server and matches them against the value specified in this parameter.
Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/KeyLength
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyLength
```
Specify private key length (RSA).
Valid values are 1024, 2048, and 4096. The supported NGC key lengths should be specified.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/KeyProtection
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyProtection
```
Specify where to keep the private key.
Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection. Supported values are one of the following values:
- 1: Private key is protected by device TPM.
- 2: Private key is protected by device TPM if the device supports TPM.
- 3 (default): Private key is only saved in the software KSP.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/KeyUsage
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyUsage
```
Specify the key usage bits (0x80, 0x20, 0xA0) for the cert.
The value must be specified in decimal format and should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/RetryCount
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryCount
```
When the SCEP server sends a pending status, specify the number of times the device retries.
Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/RetryDelay
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryDelay
```
When the SCEP server sends pending status, specify device retry waiting time in minutes.
Default value is 5 and the minimum value is 1.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/ServerURL
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ServerURL
```
Specify the cert enrollment server.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames
```
Specify the subject alternative names. Multiple alternative names can be specified in this node. Each name is the combination of a name format and the actual name, joined by a plus sign (+), and each pair is separated by a semicolon.
For example, multiple subject alternative names are presented in the format `name format+actual name;name format+actual name`.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/SubjectName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectName
```
Specify the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (`,`, `=`, `+`, `;`). For more information, see [CertNameToStrA function](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks).
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/TemplateName
```
Certificate template name OID (as used in AD by the PKI infrastructure).
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
###### MY/SCEP/{UniqueID}/Install/ValidPeriod
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriod
```
Specify the period of time that the cert is valid. The valid period specified by MDM will overwrite the valid period specified in the cert template.
Valid values are one of the following:
- Days (default)
- Months
- Years
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
###### MY/SCEP/{UniqueID}/Install/ValidPeriodUnit
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriodUnit
```
Specify valid period unit type.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Get |
Default is 0. The period is defined in the ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnit is 30, the total valid duration is 30 days.
> [!NOTE]
> The device only sends the certificate validity period expected by the MDM server (ValidPeriodUnit + ValidPeriod) to the SCEP server as part of the certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
##### MY/SCEP/{UniqueID}/Status
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Status
```
The latest status of the certificate enrollment request.
Valid values are one of the following values:
- 1: Finished successfully.
- 2: Pending. The device hasn't finished the action, but has received the SCEP server pending response.
- 16: Action failed.
- 32: Unknown.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
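The Install children above each carry a value rule (hex thumbprint, base64 challenge, KeyUsage bits, key length, key protection, `+`-separated OIDs and hash families, retry bounds, `format+name;` SANs), and the Status node reports the outcome. The following is an added example (not code from the CSP reference or any Microsoft tool) that checks an Install request against those rules before the Enroll Exec is sent, reports the retry schedule the device will actually use, and decodes Status. The `ScepInstall` class and all sample values are constructed here; field names mirror the node names, including the CSP's own spelling `HashAlgrithm`.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# X.509 KeyUsage bits as the page lists them: 0x80 is digitalSignature, 0x20 is keyEncipherment.
KU_DIGITAL_SIGNATURE = 0x80
KU_KEY_ENCIPHERMENT = 0x20
VALID_KEY_LENGTHS = {1024, 2048, 4096}
VALID_KEY_PROTECTION = {1, 2, 3}        # 1 TPM, 2 TPM if available, 3 software KSP (default)
VALID_PERIODS = {"Days", "Months", "Years"}
HASH_FAMILIES = {"SHA-1", "SHA-2", "SHA-3"}
MAX_RETRY_COUNT = 30                    # the device caps RetryCount at 30
STATUS_CODES = {1: "Finished successfully", 2: "Pending", 16: "Action failed", 32: "Unknown"}


@dataclass
class ScepInstall:
    """Values for the MY/SCEP/{UniqueID}/Install child nodes, as the strings the CSP receives."""
    ServerURL: str
    CAThumbPrint: str
    Challenge: str
    SubjectName: str
    KeyUsage: str
    KeyLength: str = "2048"
    KeyProtection: str = "3"
    EKUMapping: str = ""
    HashAlgrithm: str = "SHA-2"
    RetryCount: str = "3"
    RetryDelay: str = "5"
    ValidPeriod: str = "Days"
    ValidPeriodUnit: str = "0"
    SubjectAlternativeNames: str = ""


def _to_int(value: str, name: str, problems: List[str]) -> Optional[int]:
    """int nodes arrive as decimal strings; record a problem instead of raising."""
    try:
        return int(value, 10)
    except ValueError:
        problems.append(f"{name} must be a decimal integer, got {value!r}")
        return None


def validate_install(req: ScepInstall) -> List[str]:
    """Apply the rule stated for each Install node; return the list of problems found."""
    problems: List[str] = []
    if not req.ServerURL:
        problems.append("ServerURL must name the cert enrollment server")
    if re.fullmatch(r"[0-9A-Fa-f]{40}", req.CAThumbPrint) is None:
        problems.append("CAThumbPrint must be the 20-byte SHA1 hash as 40 hex characters")
    try:
        base64.b64decode(req.Challenge, validate=True)
    except (binascii.Error, ValueError):
        problems.append("Challenge must be base64 encoded")
    ku = _to_int(req.KeyUsage, "KeyUsage", problems)
    if ku is not None and ku & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT) == 0:
        problems.append("KeyUsage must set 0x20 (keyEncipherment) and/or 0x80 (digitalSignature)")
    kl = _to_int(req.KeyLength, "KeyLength", problems)
    if kl is not None and kl not in VALID_KEY_LENGTHS:
        problems.append("KeyLength must be 1024, 2048 or 4096")
    kp = _to_int(req.KeyProtection, "KeyProtection", problems)
    if kp is not None and kp not in VALID_KEY_PROTECTION:
        problems.append("KeyProtection must be 1, 2 or 3")
    for oid in filter(None, req.EKUMapping.split("+")):
        if re.fullmatch(r"\d+(\.\d+)+", oid) is None:
            problems.append(f"EKUMapping entry {oid!r} is not an OID")
    for family in req.HashAlgrithm.split("+"):
        if family not in HASH_FAMILIES:
            problems.append(f"HashAlgrithm family {family!r} is not SHA-1, SHA-2 or SHA-3")
    rc = _to_int(req.RetryCount, "RetryCount", problems)
    if rc is not None and rc < 0:
        problems.append("RetryCount minimum is 0")
    rd = _to_int(req.RetryDelay, "RetryDelay", problems)
    if rd is not None and rd < 1:
        problems.append("RetryDelay minimum is 1 minute")
    if req.ValidPeriod not in VALID_PERIODS:
        problems.append("ValidPeriod must be Days, Months or Years")
    _to_int(req.ValidPeriodUnit, "ValidPeriodUnit", problems)
    for pair in filter(None, req.SubjectAlternativeNames.split(";")):
        if "+" not in pair:
            problems.append(f"SubjectAlternativeNames entry {pair!r} is not 'name format+actual name'")
    return problems


def effective_retry(req: ScepInstall) -> Tuple[int, int]:
    """Retry schedule the device will use: RetryCount capped at 30, RetryDelay in minutes."""
    return min(int(req.RetryCount), MAX_RETRY_COUNT), int(req.RetryDelay)


def describe_status(code: int) -> str:
    """Map a MY/SCEP/{UniqueID}/Status value to its documented meaning."""
    return STATUS_CODES.get(code, f"Undocumented status {code}")
```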
### MY/User
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User
```
This store holds the User portion of the MY store.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
#### MY/User/{CertHash}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}
```
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Delete, Get |
| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
##### MY/User/{CertHash}/EncodedCertificate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/EncodedCertificate
```
The base64-encoded X.509 certificate. Although during MDM enrollment the enrollment server can use the WAP XML format to add the public part of the MDM client certificate through the EncodedCertificate node, properly enrolling a client certificate including its private key requires a certificate enrollment protocol to handle it, or the user to install it manually. In WP, the server can't rely purely on the CertificateStore CSP to install a client certificate including the private key.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `b64` |
| Access Type | Add, Get, Replace |
##### MY/User/{CertHash}/IssuedBy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedBy
```
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### MY/User/{CertHash}/IssuedTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedTo
```
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### MY/User/{CertHash}/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/TemplateName
```
Returns the certificate template name.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### MY/User/{CertHash}/ValidFrom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidFrom
```
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### MY/User/{CertHash}/ValidTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidTo
```
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
### MY/WSTEP
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP
```
The parent node that hosts the client certificate enrolled via WSTEP, for example the certificate enrolled during MDM enrollment.
The nodes under WSTEP are mostly for MDM client certificate renewal requests.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
#### MY/WSTEP/CertThumprint
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/CertThumprint
```
The thumbprint of the enrolled MDM client certificate.
If renewal succeeds, it shows the renewed certificate's thumbprint. If renewal fails or is in progress, it shows the thumbprint of the certificate that needs to be renewed.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### MY/WSTEP/Renew
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew
```
The parent node that groups renewal-related settings.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
| Atomic Required | True |
##### MY/WSTEP/Renew/ErrorCode
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ErrorCode
```
If certificate renewal fails, this node provides the last HRESULT code returned during the renewal process.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
##### MY/WSTEP/Renew/LastRenewalAttemptTime
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/LastRenewalAttemptTime
```
Time of the last renewal attempt.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `time` |
| Access Type | Get |
##### MY/WSTEP/Renew/RenewNow
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewNow
```
Initiates a renewal immediately.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `null` |
| Access Type | Exec |
##### MY/WSTEP/Renew/RenewPeriod
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewPeriod
```
Specifies the number of days before the enrollment certificate expires at which the user is prompted to renew.
The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renewal period be set to a couple of months before the certificate expires, to ensure that the certificate gets renewed successfully while data connectivity is available.
The default value is 42 and the valid values are 1-1000.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-1000]` |
| Default Value | 42 |
##### MY/WSTEP/Renew/RetryAfterExpiryInterval
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1703 [10.0.15063] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryAfterExpiryInterval
```
How long after the enrollment certificate has expired to keep trying to renew.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `time` |
| Access Type | Add, Get, Replace |
##### MY/WSTEP/Renew/RetryInterval
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryInterval
```
Optional. This parameter specifies the retry interval, in days, used when the previous renewal failed. It applies to both manual certificate renewal and ROBO certificate renewal. The retry schedule stops at the certificate expiration date. For a ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date; this parameter specifies the waiting period between ROBO renewal retries. For a manual renewal failure, there are no built-in retries; the user can retry later. At the next scheduled certificate renewal retry period, the device prompts with the credential dialog again. The default value is 7 and the valid values are 1-1000 and less than or equal to RenewalPeriod; other values result in errors. Value type is an integer.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-1000]` |
| Default Value | 7 |
##### MY/WSTEP/Renew/ROBOSupport
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ROBOSupport
```
Optional. Notifies the client whether the enrollment server supports ROBO automatic certificate renewal. NOTE: This flag is only needed for devices that are MDM enrolled via the on-premises authentication method. For devices MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node's value to false or deletes this node for a federated enrolled device, the configuration fails with OMA DM error code 405.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | true |
**Allowed values**:
| Value | Description |
|:--|:--|
| true (Default) | True. |
| false | False. |
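The RenewPeriod, RetryInterval and ROBOSupport nodes above are constrained together (both integers in 1-1000, RetryInterval no larger than RenewPeriod, and all three wrapped in Atomic). As an added example that is not Microsoft's code, the following Python shows how an MDM server could validate a renewal schedule against those documented rules before emitting the SyncML; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Renew node prefix from this page; the MDM server targets it with SyncML.
RENEW_BASE = "./Vendor/MSFT/CertificateStore/My/WSTEP/Renew"
METINF_NS = "syncml:metinf"


def _append_replace(parent, cmd_id, node, fmt, data):
    """Append one <Replace> carrying a single Item for RENEW_BASE/<node>."""
    verb = ET.SubElement(parent, "Replace")
    ET.SubElement(verb, "CmdID").text = str(cmd_id)
    item = ET.SubElement(verb, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = f"{RENEW_BASE}/{node}"
    fmt_el = ET.SubElement(ET.SubElement(item, "Meta"), "Format")
    fmt_el.set("xmlns", METINF_NS)
    fmt_el.text = fmt
    ET.SubElement(item, "Data").text = data


def renew_schedule_errors(renew_period, retry_interval):
    """Return the constraint violations the CSP would reject (empty if none).

    The 1-1000 ranges and the RetryInterval <= RenewPeriod rule come from
    the node descriptions; the message texts are this example's own.
    """
    errors = []
    for name, value in (("RenewPeriod", renew_period), ("RetryInterval", retry_interval)):
        if not 1 <= value <= 1000:
            errors.append(f"{name} must be in 1-1000, got {value}")
    if retry_interval > renew_period:
        errors.append("RetryInterval must not exceed RenewPeriod")
    return errors


def build_renew_schedule(renew_period=42, retry_interval=7, robo_support=True, cmd_id=1):
    """Return the <Atomic> SyncML string that sets the three renewal nodes.

    Validates first so an invalid schedule never leaves the server; the
    Atomic wrapper is what the CSP requires when these nodes are set.
    """
    errors = renew_schedule_errors(renew_period, retry_interval)
    if errors:
        raise ValueError("; ".join(errors))
    atomic = ET.Element("Atomic")
    ET.SubElement(atomic, "CmdID").text = str(cmd_id)
    _append_replace(atomic, cmd_id + 1, "ROBOSupport", "bool", "true" if robo_support else "false")
    _append_replace(atomic, cmd_id + 2, "RenewPeriod", "int", str(renew_period))
    _append_replace(atomic, cmd_id + 3, "RetryInterval", "int", str(retry_interval))
    return ET.tostring(atomic, encoding="unicode")


def renew_settings_from_syncml(xml_text):
    """Parse a schedule back into {node_name: data} for round-trip checks."""
    settings = {}
    for item in ET.fromstring(xml_text).iter("Item"):
        node = item.findtext("Target/LocURI").rsplit("/", 1)[1]
        settings[node] = item.findtext("Data")
    return settings
```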
##### MY/WSTEP/Renew/ServerURL
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ServerURL
```
Optional. Specifies the certificate renewal server URL, which is the discovery server.
If this node doesn't exist, the client uses the initial certificate enrollment URL.
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
##### MY/WSTEP/Renew/Status
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/Status
```
Shows the latest action status for this certificate. Supported values are one of the following:
- 0 - Not started.
- 1 - Renewal in progress.
- 2 - Renewal succeeded.
- 3 - Renewal failed.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Get |
## ROOT
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT
```
This store holds only root (self-signed) certificates.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
### ROOT/{CertHash}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}
```
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Delete, Get |
| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
#### ROOT/{CertHash}/EncodedCertificate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/EncodedCertificate
```
The base64-encoded X.509 certificate.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `b64` |
| Access Type | Add, Get, Replace |
#### ROOT/{CertHash}/IssuedBy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedBy
```
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### ROOT/{CertHash}/IssuedTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedTo
```
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### ROOT/{CertHash}/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/TemplateName
```
Returns the certificate template name.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### ROOT/{CertHash}/ValidFrom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidFrom
```
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
#### ROOT/{CertHash}/ValidTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidTo
```
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
### ROOT/System
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System
```
This store holds the System portion of the root store.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Get |
#### ROOT/System/{CertHash}
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}
```
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `node` |
| Access Type | Delete, Get |
| Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
##### ROOT/System/{CertHash}/EncodedCertificate
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/EncodedCertificate
```
The base64-encoded X.509 certificate.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `b64` |
| Access Type | Add, Get, Replace |
##### ROOT/System/{CertHash}/IssuedBy
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedBy
```
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### ROOT/System/{CertHash}/IssuedTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedTo
```
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### ROOT/System/{CertHash}/TemplateName
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/TemplateName
```
Returns the certificate template name.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### ROOT/System/{CertHash}/ValidFrom
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidFrom
```
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
##### ROOT/System/{CertHash}/ValidTo
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later |
```Device
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidTo
```
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Get |
## Examples
Add a root certificate to the MDM server.
```xml
<Add>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/Root/System/{CertHash}/EncodedCertificate</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
    </Meta>
    <Data>B64EncodedCertInsertedHere</Data>
  </Item>
</Add>
```
Get all installed client certificates.
```xml
<Get>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/My/User?list=StructData</LocURI>
    </Target>
  </Item>
</Get>
```
Delete a root certificate.
```xml
<Delete>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/Root/System/{CertHash}</LocURI>
    </Target>
  </Item>
</Delete>
```
Configure the device to enroll a client certificate through SCEP.
```xml
<Atomic>
  <CmdID>100</CmdID>
  <Add>
    <CmdID>1</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">node</Format></Meta>
    </Item>
  </Add>
  <Add>
    <CmdID>2</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>3</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>4</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>160</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>5</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1024</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>6</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>SHA-1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>7</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>CN=AnnaLee</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>8</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>9</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>Years</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>10</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>11</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>12</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>3</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>13</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>https://contoso.com/certsrv/ctcep.dll</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>14</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>ChallengeInsertedHere</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>15</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
      <Data>CAThumbprintInsertedHere</Data>
    </Item>
  </Add>
  <Exec>
    <CmdID>16</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll</LocURI></Target>
    </Item>
  </Exec>
</Atomic>
```
Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval.
```xml
<Atomic>
  <CmdID>1</CmdID>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">bool</Format></Meta>
      <Data>true</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>60</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>4</CmdID>
    <Item>
      <Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI></Target>
      <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
      <Data>4</Data>
    </Item>
  </Replace>
</Atomic>
```
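The ROOT/{CertHash} node is named by the SHA1 hash of the certificate, and the Add command for a root certificate carries the same certificate base64-encoded in Data, so the two can be cross-checked before a message is sent. As an added example that is not part of the original page, the following Python derives the node name from DER bytes, builds the Add command in the form shown above, and verifies that an outgoing message's LocURI matches its payload; the sample bytes are a constructed stand-in, not a real certificate, and the function names are this example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Store prefix used by the root-certificate example on this page.
STORE_ROOT_SYSTEM = "./Vendor/MSFT/CertificateStore/Root/System"

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"


def cert_hash(der_bytes):
    """Node name for the certificate: 20-byte SHA1 of the DER, upper-case hex.

    SHA1 is only an identifier here (the thumbprint), not a signature.
    """
    return hashlib.sha1(der_bytes).hexdigest().upper()


def build_add_root_cert(der_bytes, cmd_id=1, store=STORE_ROOT_SYSTEM):
    """Return the SyncML <Add> that installs der_bytes into the given store."""
    add = ET.Element("Add")
    ET.SubElement(add, "CmdID").text = str(cmd_id)
    item = ET.SubElement(add, "Item")
    loc = ET.SubElement(ET.SubElement(item, "Target"), "LocURI")
    loc.text = f"{store}/{cert_hash(der_bytes)}/EncodedCertificate"
    fmt = ET.SubElement(ET.SubElement(item, "Meta"), "Format")
    fmt.set("xmlns", "syncml:metinf")
    fmt.text = "b64"
    ET.SubElement(item, "Data").text = base64.b64encode(der_bytes).decode("ascii")
    return ET.tostring(add, encoding="unicode")


def add_matches_payload(xml_text):
    """True when the {CertHash} in LocURI equals the SHA1 of the Data carried.

    A mismatch means the node name and the certificate bytes drifted apart,
    which would leave the device with a node named for a different cert.
    """
    add = ET.fromstring(xml_text)
    uri = add.findtext("Item/Target/LocURI")
    der = base64.b64decode(add.findtext("Item/Data"))
    return uri.split("/")[-2] == cert_hash(der)


def tampered_add(xml_text):
    """Return a copy of the message whose Data was swapped, for negative checks."""
    add = ET.fromstring(xml_text)
    add.find("Item/Data").text = base64.b64encode(b"different bytes").decode("ascii")
    return ET.tostring(add, encoding="unicode")
```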
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)