MDM_ClientCertificateInstall_System02_Install05 class
[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
The MDM_ClientCertificateInstall_System02_Install05 class enables the enterprise to set the installation of client certificates. It is required for SCEP certificate enrollment and is the parent node that groups the SCEP certificate install related requests.
Format is node. Supported operations are Add and Delete.
Note Even though the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device uses the values that were set when the Exec command was accepted. The server should not expect a node value change made after the Exec command is accepted to affect the enrollment currently under way. The server should check the Status node value and make sure the device is not at an unknown stage before changing child node values.
The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.
Syntax
```
[dynamic, provider("DMWmiBridgeProv"), AMENDMENT]
class MDM_ClientCertificateInstall_System02_Install05
{
  string InstanceID;
  string ParentID;
  string ServerURL;
  string Challenge;
  string EKUMapping;
  sint32 KeyUsage;
  string SubjectName;
  sint32 KeyProtection;
  sint32 RetryDelay;
  sint32 RetryCount;
  string TemplateName;
  sint32 KeyLength;
  string HashAlgorithm;
  string CAThumbprint;
  string SubjectAlternativeNames;
  string ValidPeriod;
  sint32 ValidPeriodUnits;
  string ContainerName;
  string CustomTextToShowInPinPrompt;
};
```
Members
The MDM_ClientCertificateInstall_System02_Install05 class has these types of members:
- Methods
- Properties
Methods
The MDM_ClientCertificateInstall_System02_Install05 class has these methods.
| Method | Description |
|---|---|
| EnrollMethod | Required. Triggers the device to start the certificate enrollment. |
Properties
The MDM_ClientCertificateInstall_System02_Install05 class has these properties.
CAThumbprint
Data type: string
Access type: Read-only
Required. Specifies the Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When the client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it does not match, the authentication fails.
Data type format is a string.
Challenge
Data type: string
Access type: Read-only
Required for SCEP certificate enrollment. Base64-encoded SCEP enrollment challenge.
Data type format is a string.
ContainerName
Data type: string
Access type: Read-only
Optional. Specifies the NGC container name (if NGC KSP is chosen for the node). If this node is not specified when NGC KSP is chosen, the enrollment will fail.
The data type format is a string.
CustomTextToShowInPinPrompt
Data type: string
Access type: Read-only
Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
The data type format is a string.
EKUMapping
Data type: string
Access type: Read-only
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus sign (+). For example, OID1+OID2+OID3.
Data type format is a string.
HashAlgorithm
Data type: string
Access type: Read-only
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated by +.
For NGC, only SHA256 is supported.
Data type format is a string.
InstanceID
Data type: string
Access type: Read-only
Qualifiers: key
TBD
KeyLength
Data type: sint32
Access type: Read-only
Required for enrollment. Specifies the private key length (RSA).
Data type format is an integer.
Valid values are 1024, 2048, and 4096.
For NGC, only 2048 is the supported key length.
KeyProtection
Data type: sint32
Access type: Read-only
Optional. Specifies where to keep the private key.
Note Even if the private key is protected by TPM, it is not protected with a TPM PIN.
The data type format is an integer corresponding to one of the following values:
| Value | Description |
|---|---|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by NGC. If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
KeyUsage
Data type: sint32
Access type: Read-only
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value must have at least the second (0x20) bit, the fourth (0x80) bit, or both set. If the value doesn’t have those bits set, the configuration will fail.
Data type format is a string.
ParentID
Data type: string
Access type: Read-only
Qualifiers: key
Describes the full path to the parent node. For this class, the string is "./Vendor/MSFT/ClientCertificateInstall/My/System/SCEP/UniqueID"
RetryCount
Data type: sint32
Access type: Read-only
Optional. Unique to SCEP. Specifies the number of times the device retries when the SCEP server sends a pending status.
Data type format is an integer.
Default value is 3.
Maximum value is 30. If the value is larger than 30, the device will use 30.
Minimum value is 0, which indicates no retry.
RetryDelay
Data type: sint32
Access type: Read-only
Optional. When the SCEP server sends a pending status, this value specifies how long, in minutes, the device waits before retrying.
Data type format is an integer.
The default value is 5.
The minimum value is 1.
ServerURL
Data type: string
Access type: Read-only
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
Data type format is a string.
SubjectAlternativeNames
Data type: string
Access type: Read-only
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
Each pair is separated by a semicolon. For example, multiple SANs are presented in the format [name format1]+[actual name1];[name format 2]+[actual name2].
Data type format is a string.
SubjectName
Data type: string
Access type: Read-only
Required. Specifies the subject name.
Data type format is a string.
TemplateName
Data type: string
Access type: Read-only
Optional. OID of the certificate template name.
Note This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it.
Data type format is a string.
ValidPeriod
Data type: string
Access type: Read-only
Optional. Specifies the units for the valid certificate period.
Valid values are:
- Days (Default)
- Months
- Years
Note The device only sends the certificate validity period expected by the MDM server (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. Depending on the server configuration, the server decides how to use this valid period to create the certificate.
ValidPeriodUnits
Data type: sint32
Access type: Read-only
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, the total valid duration is 30 days.
The data type format is a string.
Note The device only sends the certificate validity period expected by the MDM server (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. Depending on the server configuration, the server decides how to use this valid period to create the certificate.
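The property constraints documented above (required nodes, the 20-byte CAThumbprint, the KeyUsage bit rule, the RSA key lengths, the NGC-only restrictions and the RetryCount clamp) can be checked on the server before an Add is sent to the device. The following pre-flight validator is an added example, not Microsoft's code; the dictionary keys mirror the class properties, while `check_install_node`, `SAMPLE_NODE` and the sample values (the thumbprint and challenge are placeholders) are constructed for illustration.

```python
import re

# Constraints as documented for the Install node; NGC rules apply when KeyProtection is 4.
VALID_KEY_LENGTHS = {1024, 2048, 4096}
VALID_PERIODS = {"Days", "Months", "Years"}
REQUIRED = ("ServerURL", "Challenge", "EKUMapping", "KeyUsage", "SubjectName",
            "KeyLength", "HashAlgorithm", "CAThumbprint")
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")   # 20-byte SHA1 hash as hex digits
OID_RE = re.compile(r"^\d+(\.\d+)+$")              # dotted OID such as 1.3.6.1.5.5.7.3.2

def check_install_node(node: dict) -> list:
    """Return the documented constraints the node violates (empty list = passes)."""
    problems = [f"{k} is required" for k in REQUIRED if not node.get(k)]
    tp = node.get("CAThumbprint", "")
    if tp and not THUMBPRINT_RE.match(tp):
        problems.append("CAThumbprint must be 40 hex digits (20-byte SHA1 hash)")
    # KeyUsage is sent in decimal; at least bit 0x20 or bit 0x80 must be set
    if int(node.get("KeyUsage", 0)) & 0xA0 == 0:
        problems.append("KeyUsage must set 0x20, 0x80 or both")
    if node.get("KeyLength") not in VALID_KEY_LENGTHS:
        problems.append("KeyLength must be 1024, 2048 or 4096")
    for oid in filter(None, node.get("EKUMapping", "").split("+")):
        if not OID_RE.match(oid):
            problems.append(f"EKUMapping entry is not an OID: {oid!r}")
    if node.get("KeyProtection") == 4:                # private key protected by NGC
        if not node.get("ContainerName"):
            problems.append("KeyProtection=4 (NGC) requires ContainerName")
        if node.get("KeyLength") != 2048:
            problems.append("NGC supports only KeyLength 2048")
        if node.get("HashAlgorithm") != "SHA256":
            problems.append("NGC supports only HashAlgorithm SHA256")
    if node.get("ValidPeriod", "Days") not in VALID_PERIODS:
        problems.append("ValidPeriod must be Days, Months or Years")
    if not 0 <= node.get("RetryCount", 3) <= 30:
        problems.append("RetryCount must be 0..30 (the device clamps larger values to 30)")
    if node.get("RetryDelay", 5) < 1:
        problems.append("RetryDelay minimum is 1 minute")
    return problems

# Constructed sample node (not from the documentation); thumbprint and challenge are placeholders.
SAMPLE_NODE = {
    "ServerURL": "https://scep.example.com/certsrv/mscep/mscep.dll",
    "Challenge": "Q2hhbGxlbmdlUGxhY2Vob2xkZXI=",   # Base64 placeholder challenge
    "EKUMapping": "1.3.6.1.5.5.7.3.2", "KeyUsage": 160,   # 160 = 0xA0, both bits set
    "SubjectName": "CN=Device01", "KeyProtection": 4, "ContainerName": "WorkContainer",
    "KeyLength": 2048, "HashAlgorithm": "SHA256", "CAThumbprint": "00" * 20,
    "ValidPeriod": "Days", "ValidPeriodUnits": 30,
}
```

`check_install_node(SAMPLE_NODE)` returns an empty list; dropping ContainerName or setting KeyUsage to a value without 0x20 or 0x80 produces the corresponding failure messages before the device ever reports the enrollment error.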
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows 10 Insider Preview |
| Minimum supported server | None supported |
| Namespace | Root\CIMv2\MDM\DMMap |
| MOF | DMWmiBridgeProv.mof |
| DLL | DMWmiBridgeProv.dll |