CertificateStore CSP
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
Note
The CertificateStore configuration service provider does not support installing client certificates. The Microsoft protocol version of Open Mobile Alliance (OMA) is case insensitive.
For the CertificateStore CSP, you can't use the Replace command unless the node already exists.
The following list shows the CertificateStore configuration service provider nodes:
CA
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA
This cryptographic store contains intermediate certification authorities.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
CA/{CertHash}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Delete, Get |
Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
CA/{CertHash}/EncodedCertificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/EncodedCertificate
The base64-encoded X.509 certificate.
Description framework properties:
Property name | Property value |
---|---|
Format | b64 |
Access Type | Add, Get, Replace |
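As an added example (my own code, not part of the CSP documentation or any Microsoft tool), the following Python computes the {CertHash} node name that the device will derive from the value written to EncodedCertificate, and builds the SyncML Add command for it. The hash is the SHA1 of the DER bytes, so the script base64-decodes the value, checks that it at least begins with a DER SEQUENCE tag, and hashes the result; it uses Add rather than Replace because Replace only works when the node already exists. CSP_ROOT and the function names are my own; SAMPLE_DER is a constructed stand-in blob, not a certificate. The same layout applies to the CA/System and MY/User stores.

```python
import base64
import hashlib
from xml.sax.saxutils import escape

CSP_ROOT = "./Device/Vendor/MSFT/CertificateStore"

# Constructed stand-in for DER data: a valid DER SEQUENCE holding INTEGER 5.
# It is NOT a certificate; in practice the value is the base64 of a DER (.cer) file.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")


def normalize_b64(text: str) -> str:
    """Accept bare base64 or a PEM block; drop the BEGIN/END lines and all whitespace."""
    lines = (line.strip() for line in text.strip().splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def cert_hash_from_b64(encoded: str) -> str:
    """Return the {CertHash} node name: SHA1 of the DER bytes as 40 uppercase hex characters."""
    try:
        der = base64.b64decode(normalize_b64(encoded), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("EncodedCertificate must be valid base64") from exc
    # A DER-encoded X.509 certificate always begins with a SEQUENCE tag (0x30).
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return hashlib.sha1(der).hexdigest().upper()


def encoded_certificate_uri(store: str, encoded: str) -> str:
    """LocURI of the EncodedCertificate leaf; adding it implicitly creates {CertHash}."""
    if store not in ("CA", "CA/System", "MY/User"):
        raise ValueError(f"unsupported store {store!r}")
    return f"{CSP_ROOT}/{store}/{cert_hash_from_b64(encoded)}/EncodedCertificate"


def build_add_syncml(store: str, encoded: str, cmd_id: int = 1) -> str:
    """SyncML Add for one certificate. Add, not Replace: Replace needs an existing node."""
    return (
        f"<Add><CmdID>{cmd_id}</CmdID><Item>"
        f"<Target><LocURI>{encoded_certificate_uri(store, encoded)}</LocURI></Target>"
        '<Meta><Format xmlns="syncml:metinf">b64</Format></Meta>'
        f"<Data>{escape(normalize_b64(encoded))}</Data>"
        "</Item></Add>"
    )


if __name__ == "__main__":
    print(cert_hash_from_b64(SAMPLE_B64))
    print(build_add_syncml("CA", SAMPLE_B64))
```

After the Add is accepted, a Get on `CSP_ROOT/CA/{hash}` (the value printed first) should return the implicitly created node with its IssuedBy, IssuedTo, ValidFrom and ValidTo leaves; a mismatch between the hash you computed and the node the device reports means a different certificate was installed than the one you intended.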
CA/{CertHash}/IssuedBy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedBy
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/{CertHash}/IssuedTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/IssuedTo
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/{CertHash}/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/TemplateName
Returns the certificate template name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/{CertHash}/ValidFrom
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidFrom
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/{CertHash}/ValidTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/{CertHash}/ValidTo
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/System
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System
This store holds the System portion of the CA store.
Note
Going forward, use the RootCATrustedCertificates CSP to install CA certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
CA/System/{CertHash}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Delete, Get |
Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
CA/System/{CertHash}/EncodedCertificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/EncodedCertificate
The base64-encoded X.509 certificate.
Description framework properties:
Property name | Property value |
---|---|
Format | b64 |
Access Type | Add, Get, Replace |
CA/System/{CertHash}/IssuedBy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedBy
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/System/{CertHash}/IssuedTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/IssuedTo
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/System/{CertHash}/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/TemplateName
Returns the certificate template name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/System/{CertHash}/ValidFrom
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidFrom
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
CA/System/{CertHash}/ValidTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/CA/System/{CertHash}/ValidTo
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY
This store keeps all end-user personal certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
MY/SCEP
Note
This policy is deprecated and may be removed in a future release.
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP
This store holds the SCEP portion of the MY store and handles operations related to SCEP certificate enrollment.
Note
Going forward, use the ClientCertificateInstall CSP to install SCEP certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
MY/SCEP/{UniqueID}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}
The UniqueID for the SCEP enrollment request. Each client certificate should have a different unique ID.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Add, Delete, Get |
MY/SCEP/{UniqueID}/CertThumbPrint
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/CertThumbPrint
Specifies the current certificate's thumbprint: the 20-byte SHA1 certificate hash as a hexadecimal string.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/SCEP/{UniqueID}/ErrorCode
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/ErrorCode
Specifies the last HRESULT if the enroll action failed.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
MY/SCEP/{UniqueID}/Install
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install
The group to represent the install request.
Note
Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device uses the values that were set at the time the Exec command was accepted. Don't expect a node value change made after the Exec command is accepted to affect the enrollment already under way. Check the Status node value and make sure that the device isn't at an unknown stage before changing the child node values.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
MY/SCEP/{UniqueID}/Install/CAThumbPrint
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/CAThumbPrint
Specifies the root CA thumbprint.
The 20-byte SHA1 certificate hash as a hexadecimal string. When the client authenticates the SCEP server, it checks the CA certificate presented by the SCEP server for a match with this value. If it doesn't match, the authentication fails.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/Challenge
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Challenge
The shared secret used to authenticate the enrollment requester.
The value must be base64 encoded. The Challenge is deleted shortly after the Exec command is accepted.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/EKUMapping
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/EKUMapping
Specifies the extended key usages. The OIDs in the list are separated by a plus sign (+).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/Enroll
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/Enroll
Starts the certificate enrollment.
The MDM server can later query the device to find out whether the new certificate was added. The value type is null, which means that this node doesn't contain a value.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec |
MY/SCEP/{UniqueID}/Install/HashAlgrithm
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/HashAlgrithm
When the client creates the certificate enrollment request, it gets the supported hash algorithms from the SCEP server and matches them against the value specified in this parameter.
The hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/KeyLength
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyLength
Specifies the private key length (RSA).
Valid values are 1024, 2048, 4096. The key lengths supported by NGC should be specified.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/KeyProtection
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyProtection
Specifies where to keep the private key.
Although the private key is protected by the TPM, it isn't protected with a TPM PIN. SCEP-enrolled certificates don't support TPM PIN protection. Supported values are one of the following:
- 1: Private key is protected by device TPM.
- 2: Private key is protected by device TPM if the device supports TPM.
- 3 (default): Private key is only saved in the software KSP.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/KeyUsage
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/KeyUsage
Specifies the key usage bits (0x80, 0x20, 0xA0) for the certificate.
The value must be specified in decimal format and must have at least the 0x20 bit, the 0x80 bit, or both set. If the value doesn't have either of those bits set, configuration fails.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/RetryCount
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryCount
When the SCEP server returns a pending status, specifies how many times the device retries.
The default value is 3. The maximum value is 30; if a larger value is set, the device uses 30. The minimum value is 0, which means no retry.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/RetryDelay
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/RetryDelay
When the SCEP server returns a pending status, specifies how long the device waits between retries, in minutes.
The default value is 5 and the minimum value is 1.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/ServerURL
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ServerURL
Specifies the certificate enrollment server.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectAlternativeNames
Specifies subject alternative names. Multiple alternative names can be specified in this node. Each name is the combination of a name format and the actual name, joined with a plus sign (+); pairs are separated by a semicolon (;).
For example, multiple subject alternative names are presented in the format <nameformat1>+<actual name1>;<name format 2>+<actual name2>.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/SubjectName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/SubjectName
Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: comma (,), equals sign (=), plus sign (+), or semicolon (;). For more information, see the CertNameToStrA function.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/TemplateName
The certificate template name OID (as used in Active Directory by the PKI infrastructure).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Install/ValidPeriod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriod
Specifies the unit of the period of time for which the certificate is valid. The valid period specified by MDM overwrites the valid period specified in the certificate template.
Valid values are one of the following:
- Days (default)
- Months
- Years
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/SCEP/{UniqueID}/Install/ValidPeriodUnit
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Install/ValidPeriodUnit
Specifies the number of valid period units.
The default is 0. The unit is defined in the ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnit is 30, the total valid duration is 30 days.
Note
The device only sends the certificate validation period expected by the MDM server (ValidPeriodUnit + ValidPeriod) to the SCEP server as part of the certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Get |
MY/SCEP/{UniqueID}/Status
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/SCEP/{UniqueID}/Status
Specifies the latest status of the certificate enrollment request.
Valid values are one of the following:
- 1: Finished successfully.
- 2: Pending. The device hasn't finished the action, but has received the SCEP server pending response.
- 16: Action failed.
- 32: Unknown.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
MY/User
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User
This store holds the User portion of the MY store.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
MY/User/{CertHash}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Delete, Get |
Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
MY/User/{CertHash}/EncodedCertificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/EncodedCertificate
The base64-encoded X.509 certificate. Although the enrollment server can use the WAP XML format during MDM enrollment to add the public part of the MDM client certificate through the EncodedCertificate node, properly enrolling a client certificate including its private key requires either a certificate enrollment protocol to handle it or the user to install it manually. In WP, the server can't rely solely on the CertificateStore CSP to install a client certificate that includes the private key.
Description framework properties:
Property name | Property value |
---|---|
Format | b64 |
Access Type | Add, Get, Replace |
MY/User/{CertHash}/IssuedBy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedBy
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/User/{CertHash}/IssuedTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/IssuedTo
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/User/{CertHash}/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/TemplateName
Returns the certificate template name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/User/{CertHash}/ValidFrom
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidFrom
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/User/{CertHash}/ValidTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/User/{CertHash}/ValidTo
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/WSTEP
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP
The parent node that hosts the client certificate enrolled via WSTEP, for example the certificate enrolled during MDM enrollment.
The nodes under WSTEP are mostly for MDM client certificate renewal requests.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
MY/WSTEP/CertThumprint
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/CertThumprint
The thumbprint of the enrolled MDM client certificate.
If renewal succeeds, it shows the renewed certificate's thumbprint. If renewal fails or is in progress, it shows the thumbprint of the certificate that needs to be renewed.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
MY/WSTEP/Renew
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew
The parent node that groups the renewal-related settings.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
Atomic Required | True |
MY/WSTEP/Renew/ErrorCode
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ErrorCode
If certificate renewal fails, this node provides the last HRESULT code from the renewal process.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
MY/WSTEP/Renew/LastRenewalAttemptTime
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/LastRenewalAttemptTime
Time of the last renewal attempt.
Description framework properties:
Property name | Property value |
---|---|
Format | time |
Access Type | Get |
MY/WSTEP/Renew/RenewNow
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1607 [10.0.14393] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewNow
Initiates a renewal immediately.
Description framework properties:
Property name | Property value |
---|---|
Format | null |
Access Type | Exec |
MY/WSTEP/Renew/RenewPeriod
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RenewPeriod
Specifies the number of days before the enrollment certificate expires at which the user is prompted to renew.
The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1-1000.
Note
When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-1000] |
Default Value | 42 |
MY/WSTEP/Renew/RetryAfterExpiryInterval
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1703 [10.0.15063] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryAfterExpiryInterval
How long after the enrollment certificate has expired to keep trying to renew.
Description framework properties:
Property name | Property value |
---|---|
Format | time |
Access Type | Add, Get, Replace |
MY/WSTEP/Renew/RetryInterval
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/RetryInterval
Optional. This parameter specifies the retry interval, in days, used when the previous renewal failed. It applies to both manual certificate renewal and ROBO certificate renewal. The retry schedule stops at the certificate expiration date. For a ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date; this parameter specifies the waiting period between ROBO renewal retries. For a manual renewal failure, there are no built-in retries: the user can retry later, and at the next scheduled certificate renewal retry period the device prompts the credential dialog again. The default value is 7 and the valid values are 1-1000 and <= RenewalPeriod; other values result in errors. Value type is an integer.
Note
When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Allowed Values | Range: [1-1000] |
Default Value | 7 |
MY/WSTEP/Renew/ROBOSupport
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ROBOSupport
Optional. Notifies the client whether the enrollment server supports ROBO automatic certificate renewal. NOTE: This flag is only needed on a device that is MDM enrolled via the on-premises authentication method. For a device MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node's value to false, or deletes this node, for a federated-enrolled device, the configuration fails with OMA DM error code 405.
Note
When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
Description framework properties:
Property name | Property value |
---|---|
Format | bool |
Access Type | Add, Delete, Get, Replace |
Default Value | true |
Allowed values:
Value | Description |
---|---|
true (Default) | True. |
false | False. |
MY/WSTEP/Renew/ServerURL
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/ServerURL
Optional. Specifies the certificate renewal server URL, which is the discovery server.
If this node doesn't exist, the client uses the initial certificate enrollment URL.
Note
The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
MY/WSTEP/Renew/Status
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/MY/WSTEP/Renew/Status
Shows the latest action status for this certificate. Supported values are one of the following:
Value | Description |
---|---|
0 | Not started. |
1 | Renewal in progress. |
2 | Renewal succeeded. |
3 | Renewal failed. |
Description framework properties:
Property name | Property value |
---|---|
Format | int |
Access Type | Get |
ROOT
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT
This store holds only root (self-signed) certificates.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
ROOT/{CertHash}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Delete, Get |
Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
ROOT/{CertHash}/EncodedCertificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/EncodedCertificate
The base64 Encoded X.509 certificate.
Description framework properties:
Property name | Property value |
---|---|
Format | b64 |
Access Type | Add, Get, Replace |
ROOT/{CertHash}/IssuedBy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedBy
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/{CertHash}/IssuedTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/IssuedTo
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/{CertHash}/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/TemplateName
Returns the certificate template name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/{CertHash}/ValidFrom
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidFrom
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/{CertHash}/ValidTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/{CertHash}/ValidTo
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/System
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System
This store holds the System portion of the root store.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Get |
ROOT/System/{CertHash}
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}
The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | node |
Access Type | Delete, Get |
Dynamic Node Naming | UniqueName: The SHA1 hash for the certificate. |
ROOT/System/{CertHash}/EncodedCertificate
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/EncodedCertificate
The base64 Encoded X.509 certificate.
Description framework properties:
Property name | Property value |
---|---|
Format | b64 |
Access Type | Add, Get, Replace |
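The {CertHash} node name under ROOT, ROOT/System (and CA, earlier on this page) is the SHA1 hash of the certificate in hexadecimal, and EncodedCertificate carries the same certificate as base64 DER. The following is an added example, not code from the Microsoft documentation, showing how an MDM server side can derive both values from a PEM file and check that a node name it is about to add or delete really belongs to the certificate it holds. The sample PEM is constructed placeholder bytes, not a real X.509 certificate; the derivation is identical for a real one.

```python
"""Derive CertificateStore node values from a certificate (added example)."""
import base64
import hashlib
import re

# Body between the PEM armor lines; re.S lets the body span lines.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed placeholder content, NOT a real certificate: it only stands in
# for the DER bytes a real PEM file would decode to.
SAMPLE_DER = b"constructed placeholder bytes standing in for a DER certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def der_from_pem(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    # Strip the line breaks of the PEM body; reject anything non-base64.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def cert_hash(der: bytes) -> str:
    """The {CertHash} node name: SHA1 of the DER, 40 uppercase hex characters."""
    return hashlib.sha1(der).hexdigest().upper()


def encoded_certificate(der: bytes) -> str:
    """Value for the EncodedCertificate leaf: base64 DER without line breaks."""
    return base64.b64encode(der).decode("ascii")


def root_system_locuri(der: bytes) -> str:
    """LocURI of the EncodedCertificate leaf under ROOT/System for this cert."""
    return (
        "./Vendor/MSFT/CertificateStore/Root/System/"
        f"{cert_hash(der)}/EncodedCertificate"
    )


def node_matches_certificate(node_hash: str, der: bytes) -> bool:
    """Check a {CertHash} node name against the certificate it should hold.

    The CSP is case insensitive, so compare in a single case.
    """
    return node_hash.strip().upper() == cert_hash(der)


if __name__ == "__main__":
    der = der_from_pem(SAMPLE_PEM)
    print(root_system_locuri(der))
    print(encoded_certificate(der))
```

A server that keeps an inventory of pushed root certificates can run node_matches_certificate before issuing the Delete shown in the Examples section, so that a stale or mistyped hash never removes a different trust anchor than intended.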
ROOT/System/{CertHash}/IssuedBy
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedBy
The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/System/{CertHash}/IssuedTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/IssuedTo
The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/System/{CertHash}/TemplateName
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/TemplateName
Returns the certificate template name.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/System/{CertHash}/ValidFrom
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidFrom
The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
ROOT/System/{CertHash}/ValidTo
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1511 [10.0.10586] and later |
./Device/Vendor/MSFT/CertificateStore/ROOT/System/{CertHash}/ValidTo
The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Get |
Examples
Add a root certificate to the MDM server.
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedhere>/EncodedCertificate
</LocURI>
</Target>
<Data>B64EncodedCertInsertedHere</Data>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
</Item>
</Add>
Get all installed client certificates.
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/My/User?list=StructData
</LocURI>
</Target>
</Item>
</Get>
Delete a root certificate.
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere>
</LocURI>
</Target>
</Item>
</Delete>
Configure the device to enroll a client certificate through SCEP.
<Atomic>
<CmdID>100</CmdID>
<Add>
<CmdID>1</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=AnnaLee</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>11</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2</Data>
</Item>
</Add>
<Add>
<CmdID>12</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>13</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>https://contoso.com/certsrv/ctcep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>14</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ChallengeInsertedHere</Data>
</Item>
</Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CAThumbprintInsertedHere</Data>
</Item>
</Add>
<Exec>
<CmdID>16</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
Configure the device to automatically renew an MDM client certificate with the specified renewal period and retry interval.
<Atomic>
<CmdID>1</CmdID>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>60</Data>
</Item>
</Replace>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Replace>
</Atomic>
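The RenewPeriod and RetryInterval nodes above document value constraints (both 1-1000, RetryInterval not larger than RenewPeriod) and require that the three renewal settings are sent inside one Atomic. As an added example that is not part of the Microsoft documentation, the following Python generates the Atomic shown in the preceding example from an MDM server and refuses to emit it when the values would be rejected by the CSP; the CmdID numbering and the function names are this example's own choices.

```python
"""Build the MY/WSTEP/Renew Atomic after validating its values (added example)."""
import xml.etree.ElementTree as ET

RENEW_BASE = "./Vendor/MSFT/CertificateStore/My/WSTEP/Renew"


def renewal_schedule_errors(renew_period: int, retry_interval: int) -> list[str]:
    """Return the constraint violations the reference documents, if any.

    RenewPeriod: 1-1000 (default 42). RetryInterval: 1-1000 (default 7) and
    not larger than RenewPeriod, otherwise the CSP reports an error.
    """
    errors = []
    if not 1 <= renew_period <= 1000:
        errors.append(f"RenewPeriod {renew_period} outside 1-1000")
    if not 1 <= retry_interval <= 1000:
        errors.append(f"RetryInterval {retry_interval} outside 1-1000")
    if not errors and retry_interval > renew_period:
        errors.append(
            f"RetryInterval {retry_interval} must not exceed RenewPeriod {renew_period}"
        )
    return errors


def _replace(cmd_id: int, node: str, fmt: str, value: str) -> ET.Element:
    """One <Replace> for a leaf under MY/WSTEP/Renew, with its SyncML Meta."""
    replace = ET.Element("Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id)
    item = ET.SubElement(replace, "Item")
    target = ET.SubElement(item, "Target")
    ET.SubElement(target, "LocURI").text = f"{RENEW_BASE}/{node}"
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = fmt
    ET.SubElement(item, "Data").text = value
    return replace


def build_renewal_atomic(
    renew_period: int, retry_interval: int, robo_support: bool = True, atomic_cmd_id: int = 1
) -> str:
    """Return the Atomic as SyncML text, or raise ValueError on bad values.

    ROBOSupport is left true by default: for a federated-enrolled device the
    reference says setting it to false fails with OMA DM error 405.
    """
    errors = renewal_schedule_errors(renew_period, retry_interval)
    if errors:
        raise ValueError("; ".join(errors))
    atomic = ET.Element("Atomic")
    ET.SubElement(atomic, "CmdID").text = str(atomic_cmd_id)
    # All three settings travel in one Atomic, as the node notes require.
    atomic.append(_replace(atomic_cmd_id + 1, "ROBOSupport", "bool",
                           "true" if robo_support else "false"))
    atomic.append(_replace(atomic_cmd_id + 2, "RenewPeriod", "int", str(renew_period)))
    atomic.append(_replace(atomic_cmd_id + 3, "RetryInterval", "int", str(retry_interval)))
    return ET.tostring(atomic, encoding="unicode")


if __name__ == "__main__":
    # Same values as the documentation example: 60-day window, retry every 4 days.
    print(build_renewal_atomic(60, 4))
```

Because the page states that Replace only works on nodes that already exist, the server should first Get the Renew subtree (or Add the leaves) before sending this Atomic to a freshly enrolled device.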