PowerShell PKI Module Documentation
Disable-InterfaceFlag
Synopsis
Disables Active Directory Certificate Services (AD CS) management or request interface settings.
Syntax
Disable-InterfaceFlag [-InputObject] <InterfaceFlag[]> [-Flag] <InterfaceFlagEnum> [-RestartCA] [<CommonParameters>]
Description
Disables Active Directory Certificate Services (AD CS) management or request interface settings.
The management interface is implemented in ICertAdmin and the request interface is implemented in ICertRequest. These settings let you limit how the interfaces are used. For example, you can prevent remote AD CS management through the ICertAdmin interface and allow AD CS management only locally. Disabling a restriction flag removes that restriction, as in the examples below.
Parameters
-InputObject <InterfaceFlag[]>
Specifies the InterfaceFlag object to process. This object can be retrieved by running the Get-InterfaceFlag command.
Required? | True |
Position? | 0 |
Default value | |
Accept pipeline input? | true (ByValue, ByPropertyName) |
Accept wildcard characters? | False |
-Flag <InterfaceFlagEnum>
Specifies the flag (or multiple flags) to disable. The following flags can be used:
LockICertRequest – the behavior for this flag is not defined and it should not be used.
NoRemoteICertRequest – the CA will not issue any certificates or hold pending any requests for remote users.
NoLocalICertRequest – the CA will not issue any certificates or hold pending any requests for local users.
NoRPCICertRequest – the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface.
NoRemoteICertAdmin – no access to Certificate Services Remote Administration Protocol methods for remote callers.
NoLocalICertAdmin – no access to Certificate Services Remote Administration Protocol methods for local callers.
NoRemoteICertAdminBackup – the CA restricts access to the backup-related methods of this protocol for remote callers.
NoLocalICertAdminBackup – the CA restricts access to the backup-related methods of this protocol for local callers.
NoSnapshotBackup – the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface.
EnforceEncryptICertRequest – RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate-request operations.
EnforceEncryptICertAdmin – RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx ) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface).
EnableExitKeyRetrieval – enables an exit algorithm to retrieve the encrypted private key blob.
EnableAdminAsAuditor – only CA administrators can update the CA audit filter settings.
Required? | True |
Position? | 1 |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
-RestartCA <SwitchParameter>
Restarts the CertSvc service on the specified CA server to immediately apply changes.
Required? | False |
Position? | named |
Default value | |
Accept pipeline input? | false |
Accept wildcard characters? | False |
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
Inputs
PKI.CertificateServices.Flags.InterfaceFlag
Outputs
PKI.CertificateServices.Flags.InterfaceFlag
Notes
Examples
Example 1
PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalICertRequest" -RestartCA
This example removes the local enrollment restriction for the "company-CA01" CA server. After the configuration is changed, the command will restart certificate services to immediately apply changes.
Example 2
PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA
This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. After the configuration is changed, the command will restart certificate services to immediately apply changes.
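Added example (not part of the PSPKI module or its documentation): a pre-change check that reports which restrictions a planned Disable-InterfaceFlag call would lift, so the change can be reviewed before it is applied. The IfFlag enum and the Test-InterfaceFlagRemoval function are hypothetical local helpers; the numeric values are assumed to match the IF_* constants in certsrv.h, the sample flag set is constructed, and the enum keyword needs PowerShell 5.0 or later.

```powershell
# Local stand-in for the module's InterfaceFlagEnum (hypothetical helper type).
# Names follow the flag list on this page; values assumed from certsrv.h IF_* constants.
[Flags()] enum IfFlag {
    LockICertRequest           = 0x1
    NoRemoteICertRequest       = 0x2
    NoLocalICertRequest        = 0x4
    NoRPCICertRequest          = 0x8
    NoRemoteICertAdmin         = 0x10
    NoLocalICertAdmin          = 0x20
    NoRemoteICertAdminBackup   = 0x40
    NoLocalICertAdminBackup    = 0x80
    NoSnapshotBackup           = 0x100
    EnforceEncryptICertRequest = 0x200
    EnforceEncryptICertAdmin   = 0x400
    EnableExitKeyRetrieval     = 0x800
    EnableAdminAsAuditor       = 0x1000
}

function Test-InterfaceFlagRemoval {
    param(
        [Parameter(Mandatory)] [IfFlag] $Current,  # flags set on the CA now
        [Parameter(Mandatory)] [IfFlag] $Remove    # flags you plan to disable
    )
    # Per the flag descriptions, every No* and EnforceEncrypt* flag is a restriction.
    $restrictive = 0
    foreach ($name in [enum]::GetNames([IfFlag])) {
        if ($name -cmatch '^(No|EnforceEncrypt)') {
            $restrictive = $restrictive -bor [int][IfFlag]$name
        }
    }
    $cleared = [int]$Current -band [int]$Remove
    [pscustomobject]@{
        Before              = $Current
        After               = [IfFlag]([int]$Current -band (-bnot [int]$Remove))
        AlreadyClear        = [IfFlag]([int]$Remove -band (-bnot [int]$Current))
        RestrictionsRemoved = [IfFlag]($cleared -band $restrictive)
        TouchesUndefined    = [bool]([int]$Remove -band [int][IfFlag]::LockICertRequest)
    }
}

# Constructed sample: a CA with four flags set; the plan is to disable two of them.
$current = [IfFlag]'LockICertRequest, NoRemoteICertAdminBackup, EnforceEncryptICertRequest, EnforceEncryptICertAdmin'
$review  = Test-InterfaceFlagRemoval -Current $current -Remove 'NoRemoteICertAdminBackup, EnforceEncryptICertRequest'
$review | Format-List
if ([int]$review.RestrictionsRemoved) {
    Write-Warning "Disabling would remove restrictions: $($review.RestrictionsRemoved)"
}
```

For the constructed sample, RestrictionsRemoved lists NoRemoteICertAdminBackup and EnforceEncryptICertRequest, and After keeps LockICertRequest and EnforceEncryptICertAdmin.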
Related links
Get-CertificationAuthority
Connect-CertificationAuthority
Get-InterfaceFlag
Enable-InterfaceFlag
Restore-InterfaceFlagDefault
Minimum PowerShell version support
- Windows PowerShell 3.0
Operating System Support
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2 all editions
- Windows Server 2012 all editions
- Windows Server 2012 R2 all editions
- Windows Server 2016 all editions
- Windows Server 2019 all editions
- Windows Server 2022 all editions