- Reference
- Module:
- ADCSDeployment
Installs the NDES role service.
Syntax
Install-AdcsNetworkDeviceEnrollmentService [-ApplicationPoolIdentity] [-RAName <String>] [-RAEmail <String>] [-RACompany <String>] [-RADepartment <String>] [-RACity <String>] [-RAState <String>] [-RACountry <String>] [-SigningProviderName <String>] [-SigningKeyLength <Int32>] [-EncryptionProviderName <String>] [-EncryptionKeyLength <Int32>] [-CAConfig <String>] [-Force] [-Credential <PSCredential>] [-WhatIf] [-Confirm] [<CommonParameters>] Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName <String> -ServiceAccountPassword <SecureString> [-RAName <String>] [-RAEmail <String>] [-RACompany <String>] [-RADepartment <String>] [-RACity <String>] [-RAState <String>] [-RACountry <String>] [-SigningProviderName <String>] [-SigningKeyLength <Int32>] [-EncryptionProviderName <String>] [-EncryptionKeyLength <Int32>] [-CAConfig <String>] [-Force] [-Credential <PSCredential>] [-WhatIf] [-Confirm] [<CommonParameters>] Description
The Install-AdcsNetworkDeviceEnrollmentService cmdlet performs the configuration of the NetworkDevice Enrollment Service (NDES) role service.
To remove the NDES role service, use the Uninstall-AdcsNetworkDeviceEnrollmentService cmdlet.
You can import the cmdlet by running the following commands from Windows PowerShell:
Import-Module ServerManagerAdd-WindowsFeature Adcs-Device-Enrollment
Int is equivalent to Int32 in the .NET Framework.
Examples
Example 1: Display the default NDES settings
Install-AdcsNetworkDeviceEnrollmentService -ApplicationPoolIdentity -WhatIfThis command displays the default NDES settings that will be configured if it is installed.
Example 2: Display the default NDES settings using a service account name and password
$params = @{ ServiceAccountName = "CONTOSO\svcNDES" ServiceAccountPassword = (Read-Host "Set user password" -AsSecureString) WhatIf = $true}Install-AdcsNetworkDeviceEnrollmentService @paramsThis command displays the default settings when NDES is using a service account without making anychanges to the configuration. This command uses the service account named CONTOSO\svcNDES thatis a member of the local computer's IIS_USRS group.
Example 3: Install NDES using the application pool identity
$params = @{ ApplicationPoolIdentity = $true CAConfig = "<CAComputerName>\<CACommonName>"}Install-AdcsNetworkDeviceEnrollmentService @paramsThis command installs NDES using the application pool identity to use a remote CA as specified bythe CA computer <CAComputerName>\<CACommonName>. Substitute the appropriate CA computer name andcommon name for <CAComputerName> and <CACommonName>.
Example 4: Install NDES using a specific service account
$params = @{ ServiceAccountName = "CONTOSO\svcNDES" ServiceAccountPassword = (Read-Host "Set user password" -AsSecureString) CAConfig = "CAComputerName\CAName" RAName = "Contoso-NDES-RA" RACountry = "US" RACompany = "Contoso" SigningProviderName = "Microsoft Strong Cryptographic Provider" SigningKeyLength = 4096 EncryptionProviderName = "Microsoft Strong Cryptographic Provider" EncryptionKeyLength = 4096}Install-AdcsNetworkDeviceEnrollmentService @paramsThis command installs the NDES using a service account named CONTOSO\svcNDES that is a member ofthe local computer's IIS_USRS group. The command also specifies several non-default parameters.
Parameters
-ApplicationPoolIdentity
Indicates the identity that the Network Device Enrollment Service (NDES) uses when communicatingwith the certification authority (CA). This parameter is only valid when NDES is usinga remote CA. If the CA is local, the application pool identity account cannot be used.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-CAConfig
Specifies the remote certification authority (CA) that the Network Device Enrollment Service uses. Thisparameter is mandatory when used within the ApplicationPoolIdentity parameter. Do not use thisparameter when a local CA is installed.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Credential
Specifies a PSCredential object that this cmdlet uses to connect to the NDES role service. Toobtain a credential object, use the Get-Credential cmdlet. For more information, typeGet-Help Get-Credential. The NDES must be installed on a server that is a member of an ActiveDirectory Domain Services (AD DS) domain. If NDES is configured to use a Standalone CA, then anaccount that is a member of the local Administrators on the CA is required. If NDES is installed touse an Enterprise CA, then using an account that is a member of Domain Admins group is required.
| Type: | PSCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-EncryptionKeyLength
Specifies the encryption key length.This option is not valid if you use existing keys during installation.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-EncryptionProviderName
Specifies the name of the encryption provider, such as the name of cryptographic service provider(CSP).
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Force
Forces the command to run without asking for user confirmation.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RACity
Specifies the city of the registration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RACompany
Specifies the organization or company that the registration authority represents.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RACountry
Specifies the country/region of the registration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RADepartment
Specifies the department of the registration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RAEmail
Specifies the email address of the registration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RAName
Specifies the name of the NDES registration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-RAState
Specifies the state or province (geographical political boundary), if applicable, of theregistration authority.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServiceAccountName
Specifies the name of the account that is used by the Network Device Enrollment Service.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-ServiceAccountPassword
Specifies the password of the service account that is used by the Network Device Enrollment Service.
| Type: | SecureString |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SigningKeyLength
Specifies the signing key length.
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-SigningProviderName
Specifies the name of the signing device.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
SwitchParameter
String
SecureString
Int32
PSCredential
Outputs
Microsoft.CertificateServices.Deployment.Common.NDES.NetworkDeviceEnrollmentServiceResult
Notes
Ensure you run Windows PowerShell as an administrator. You can use the Force parameter to bypassthe prompt for confirmation. To see parameters, run the following command:
Install-AdcsNetworkDeviceEnrollmentService -?
- Uninstall-AdcsNetworkDeviceEnrollmentService
- Get-Credential
