Documentation says:
it is incomplete, because it doesn't include Enterprise CA scenario which is defined in CAINFO structure ([MS-WCCE] §2.2.2.3). Proper description would be:If the CA signing certificate that is stored in the Signing_Cert_Certificate column is a root certificate, the CA MUST return 0x00000003. Otherwise, the CA MUST return 0x00000004.
If the CA signing certificate that is stored in the Signing_Cert_Certificate column is a root certificate, the CA MUST return 0x00000000 or 0x00000003. Otherwise, the CA MUST return 0x00000001 or 0x00000004.