Edit

Share via

Install-AdcsNetworkDeviceEnrollmentService

Module:
ADCSDeployment Module

Installs the NDES role service.

Syntax

DefaultParameterSet (Default) 

Install-AdcsNetworkDeviceEnrollmentService
    [-ApplicationPoolIdentity]
    [-RAName <String>]
    [-RAEmail <String>]
    [-RACompany <String>]
    [-RADepartment <String>]
    [-RACity <String>]
    [-RAState <String>]
    [-RACountry <String>]
    [-SigningProviderName <String>]
    [-SigningKeyLength <Int32>]
    [-EncryptionProviderName <String>]
    [-EncryptionKeyLength <Int32>]
    [-CAConfig <String>]
    [-Force]
    [-Credential <PSCredential>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

ServiceAccountParameterSet 

Install-AdcsNetworkDeviceEnrollmentService
    -ServiceAccountName <String>
    -ServiceAccountPassword <SecureString>
    [-RAName <String>]
    [-RAEmail <String>]
    [-RACompany <String>]
    [-RADepartment <String>]
    [-RACity <String>]
    [-RAState <String>]
    [-RACountry <String>]
    [-SigningProviderName <String>]
    [-SigningKeyLength <Int32>]
    [-EncryptionProviderName <String>]
    [-EncryptionKeyLength <Int32>]
    [-CAConfig <String>]
    [-Force]
    [-Credential <PSCredential>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

The Install-AdcsNetworkDeviceEnrollmentService cmdlet performs the configuration of the Network Device Enrollment Service (NDES) role service.

To remove the NDES role service, use the Uninstall-AdcsNetworkDeviceEnrollmentService cmdlet.

You can import the cmdlet by running the following commands from Windows PowerShell:

  • Import-Module ServerManager
  • Add-WindowsFeature Adcs-Device-Enrollment

Int is equivalent to Int32 in the .NET Framework.

Examples

Example 1: Display the default NDES settings

Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -WhatIf

This command displays the default NDES settings that will be configured if it is installed.

Example 2: Display the default NDES settings using a service account name and password

$params = @{
    ServiceAccountName     = "CONTOSO\svcNDES"
    ServiceAccountPassword = (Read-Host "Set user password" -AsSecureString)
    WhatIf                 = $true
}
Install-AdcsNetworkDeviceEnrollmentService @params

This command displays the default settings when NDES is using a service account without making any changes to the configuration. This command uses the service account named CONTOSO\svcNDES that is a member of the local computer's IIS_USRS group.

Example 3: Install NDES using the application pool identity

$params = @{
    ApplicationPoolIdentity = $true
    CAConfig                = "<CAComputerName>\<CACommonName>"
}
Install-AdcsNetworkDeviceEnrollmentService @params

This command installs NDES using the application pool identity to use a remote CA as specified by the CA computer <CAComputerName>\<CACommonName>. Substitute the appropriate CA computer name and common name for <CAComputerName> and <CACommonName>.

Example 4: Install NDES using a specific service account

$params = @{
    ServiceAccountName     = "CONTOSO\svcNDES"
    ServiceAccountPassword = (Read-Host "Set user password" -AsSecureString)
    CAConfig               = "CAComputerName\CAName"
    RAName                 = "Contoso-NDES-RA"
    RACountry              = "US"
    RACompany              = "Contoso"
    SigningProviderName    = "Microsoft Strong Cryptographic Provider"
    SigningKeyLength       = 4096
    EncryptionProviderName = "Microsoft Strong Cryptographic Provider"
    EncryptionKeyLength    = 4096
}
Install-AdcsNetworkDeviceEnrollmentService @params

This command installs the NDES using a service account named CONTOSO\svcNDES that is a member of the local computer's IIS_USRS group. The command also specifies several non-default parameters.

Parameters

-ApplicationPoolIdentity

Indicates the identity that the Network Device Enrollment Service (NDES) uses when communicating with the certification authority (CA). This parameter is only valid when NDES is using a remote CA. If the CA is local, the application pool identity account cannot be used.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

DefaultParameterSet
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-CAConfig

Specifies the remote certification authority (CA) that the Network Device Enrollment Service uses. This parameter is mandatory when used within the ApplicationPoolIdentity parameter. Do not use this parameter when a local CA is installed.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Credential

Specifies a PSCredential object that this cmdlet uses to connect to the NDES role service. To obtain a credential object, use the Get-Credential cmdlet. For more information, type Get-Help Get-Credential. The NDES must be installed on a server that is a member of an Active Directory Domain Services (AD DS) domain. If NDES is configured to use a Standalone CA, then an account that is a member of the local Administrators on the CA is required. If NDES is installed to use an Enterprise CA, then using an account that is a member of Domain Admins group is required.

Parameter properties

Type:PSCredential
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-EncryptionKeyLength

Specifies the encryption key length. This option is not valid if you use existing keys during installation.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-EncryptionProviderName

Specifies the name of the encryption provider, such as the name of cryptographic service provider (CSP).

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-Force

Forces the command to run without asking for user confirmation.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-RACity

Specifies the city of the registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RACompany

Specifies the organization or company that the registration authority represents.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RACountry

Specifies the country/region of the registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RADepartment

Specifies the department of the registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RAEmail

Specifies the email address of the registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RAName

Specifies the name of the NDES registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-RAState

Specifies the state or province (geographical political boundary), if applicable, of the registration authority.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ServiceAccountName

Specifies the name of the account that is used by the Network Device Enrollment Service.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ServiceAccountParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-ServiceAccountPassword

Specifies the password of the service account that is used by the Network Device Enrollment Service.

Parameter properties

Type:SecureString
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

ServiceAccountParameterSet
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SigningKeyLength

Specifies the signing key length.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-SigningProviderName

Specifies the name of the signing device.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

SwitchParameter

String

SecureString

Int32

PSCredential

Outputs

Microsoft.CertificateServices.Deployment.Common.NDES.NetworkDeviceEnrollmentServiceResult

Notes

  • Ensure you run Windows PowerShell as an administrator. You can use the Force parameter to bypass the prompt for confirmation. To see parameters, run the following command:

    Install-AdcsNetworkDeviceEnrollmentService -?