Install-Adcs Network Device Enrollment Service

Installs the NDES role service.

Syntax

Install-AdcsNetworkDeviceEnrollmentService
       [-ApplicationPoolIdentity]
       [-RAName <String>]
       [-RAEmail <String>]
       [-RACompany <String>]
       [-RADepartment <String>]
       [-RACity <String>]
       [-RAState <String>]
       [-RACountry <String>]
       [-SigningProviderName <String>]
       [-SigningKeyLength <Int32>]
       [-EncryptionProviderName <String>]
       [-EncryptionKeyLength <Int32>]
       [-CAConfig <String>]
       [-Force]
       [-Credential <PSCredential>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]
Install-AdcsNetworkDeviceEnrollmentService
       -ServiceAccountName <String>
       -ServiceAccountPassword <SecureString>
       [-RAName <String>]
       [-RAEmail <String>]
       [-RACompany <String>]
       [-RADepartment <String>]
       [-RACity <String>]
       [-RAState <String>]
       [-RACountry <String>]
       [-SigningProviderName <String>]
       [-SigningKeyLength <Int32>]
       [-EncryptionProviderName <String>]
       [-EncryptionKeyLength <Int32>]
       [-CAConfig <String>]
       [-Force]
       [-Credential <PSCredential>]
       [-WhatIf]
       [-Confirm]
       [<CommonParameters>]

Description

The Install-AdcsNetworkDeviceEnrollmentService cmdlet performs the configuration of the Network Device Enrollment Service (NDES) role service.

To remove the NDES role service, use the Uninstall-AdcsNetworkDeviceEnrollmentService cmdlet.

You can import the cmdlet by running the following commands from Windows PowerShell:

  • Import-Module ServerManager
  • Add-WindowsFeature Adcs-Device-Enrollment

Int is equivalent to Int32 in the .NET Framework .

Examples

Example 1: Display the default NDES settings

PS C:\> Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -WhatIf

This command displays the default NDES settings when the service is running as the default application identity without making any changes to the configuration.

Example 2: Display the default NDES settings using a service account name and password

PS C:\> Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName "CONTOSO\PattiFul" -ServiceAccountPassword (read-host "Set user password" -assecurestring) -WhatIf

This command displays the default settings when NDES is using a service account without making any changes to the configuration. This command uses the service account named CONTOSO\PattiFul that is a member of the local computer's IIS_USRS group.

Example 3: Install NDES using the application pool identity

PS C:\> Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -CAConfig "<CAComputerName>\<CACommonName>"

This command installs NDES using the application pool identity to use a remote CA as specified by the CA computer <CAComputerName>\<CACommonName> . Substitute the appropriate CA computer name and common name for <CAComputerName> and <CACommonName> .

Example 4: Install NDES using a specific service account

PS C:\> Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName MyDomain\AccountName -ServiceAccountPassword (read-host "Set user password" -assecurestring) -CAConfig "CAComputerName\CAName" -RAName "Contoso-NDES-RA" -RACountry "US" -RACompany "Contoso" -SigningProviderName "Microsoft Strong Cryptographic Provider" -SigningKeyLength 4096 -EncryptionProviderName "Microsoft Strong Cryptographic Provider" -EncryptionKeyLength 4096

This command installs the NDES using a service account named CONTOSO\PattiFul that is a member of the local computer's IIS_USRS group. The command also specifies several non-default parameters.

Required Parameters

-ServiceAccountName

Specifies the name of the account that is used by the Network Device Enrollment Service.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-ServiceAccountPassword

Specifies the password of the service account that is used by the Network Device Enrollment Service.

Type: SecureString
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False

Optional Parameters

-ApplicationPoolIdentity

Indicates that the cmdlet the identity that the Network Device Enrollment Service (NDES) uses when communicating with the certification authority (CA). This parameter is only valid when NDES is using a remote CA. If the CA is local, the application pool identity account cannot be used.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-CAConfig

Specifies remote certification authority (CA) that the Network Device Enrollment Service uses. This parameter is mandatory when used within the ApplicationPoolIdentity parameter. Do not use this parameter when a local CA is installed.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Credential

Specifies a PSCredential object that this cmdlet use to connect to the NDES role service. To obtain a credential object, use the Get-Credential cmdlet. For more information, type Get-Help Get-Credential . The NDES must be installed on a server that is a member of an Active Directory Domain Services (AD DS) domain. If NDES is configured to use a Standalone CA, then an account that is a member of the local Administrators on the CA is required. If NDES is installed to use an Enterprise CA, then using an account that is a member of Domain Admins group is required.

Type: PSCredential
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-EncryptionKeyLength

Specifies the encryption key length. This option is not valid if you use existing keys during installation.

Type: Int32
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-EncryptionProviderName

Specifies the name of the encryption provider, such as the name of cryptographic service provider (CSP).

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-Force

Forces the command to run without asking for user confirmation.

Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-RACity

Specifies the city of the registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RACompany

Specifies the organization or company that the registration authority represents.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RACountry

Specifies the country of the registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RADepartment

Specifies the department of the registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RAEmail

Specifies the email address of the registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RAName

Specifies the name of the NDES registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-RAState

Specifies the state or province (geographical political boundary), if applicable, of the registration authority.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-SigningKeyLength

Specifies the signing key length.

Type: Int32
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-SigningProviderName

Specifies the name of the signing device.

Type: String
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Inputs

bool, int, string, string, string, string, string, string, string, string, string, SecurePassword, int, string

Outputs

Microsoft.CertificateServices.Deployment.Commands.NDES.NetworkDeviceEnrollmentServiceResult

Notes

  • Ensure you run Windows PowerShell as an administrator. You can use the Force parameter to bypass the prompt for confirmation. To see parameters, run the following command: Install-AdcsNetworkDeviceEnrollmentService -?