PowerShell PKI Module Documentation

This command requires Remote Server Administration Tools (RSAT) to be installed.

Disable-InterfaceFlag

Synopsis

Disables Active Directory Certificate Services (AD CS) management or request interface settings.

Syntax

Disable-InterfaceFlag [-InputObject] <InterfaceFlag[]> [-Flag] <InterfaceFlagEnum> [-RestartCA] [<CommonParameters>]

Description

Disables Active Directory Certificate Services (AD CS) management or request interface settings.

The management interface is implemented in ICertAdmin and the request interface is implemented in ICertRequest. Interface flags limit how these interfaces can be used. For example, you can prevent remote AD CS management through the ICertAdmin interface and allow AD CS management only locally. Because most flags are restrictions, disabling one lifts that restriction, as Examples 1 and 2 show.

Parameters

-InputObject <InterfaceFlag[]>

Specifies the InterfaceFlag object to process. This object can be retrieved by running the Get-InterfaceFlag command.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Flag <InterfaceFlagEnum>

Specifies the flag (or multiple flags) to disable. The following flags can be used:

LockICertRequest – the behavior for this flag is not defined and it should not be used.
NoRemoteICertRequest – the CA will not issue any certificates or hold pending any requests for remote users.
NoLocalICertRequest – the CA will not issue any certificates or hold pending any requests for local users.
NoRPCICertRequest – the CA will not issue any certificates or hold pending any requests for callers using the ICertPassage interface.
NoRemoteICertAdmin – no access to Certificate Services Remote Administration Protocol methods for remote callers.
NoLocalICertAdmin – no access to Certificate Services Remote Administration Protocol methods for local callers.
NoRemoteICertAdminBackup – the CA restricts access to the backup-related methods of this protocol for remote callers.
NoLocalICertAdminBackup – the CA restricts access to the backup-related methods of this protocol for local callers.
NoSnapshotBackup – the database files cannot be backed up using a mechanism other than the methods of the ICertAdmin2 interface.
EnforceEncryptICertRequest – RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx) should be defined for all RPC connections to the server for certificate-request operations.
EnforceEncryptICertAdmin – RPC security settings (defined in http://msdn.microsoft.com/library/cc243867(PROT.10).aspx) should be defined for all RPC connections to the server for certificate administrative operations (the methods defined in the ICertAdmin2 interface).
EnableExitKeyRetrieval – enables an exit algorithm to retrieve the encrypted private key blob.
EnableAdminAsAuditor – only CA administrators can update the CA audit filter settings.

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts the CertSvc service on the specified CA server to apply changes immediately.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.Flags.InterfaceFlag

Outputs

PKI.CertificateServices.Flags.InterfaceFlag

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name "company-CA01" | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoLocalICertRequest" -RestartCA

This example removes the local enrollment restriction for the "company-CA01" CA server. After the configuration is changed, the command restarts certificate services to apply the changes immediately.

Example 2

PS C:\> Get-CertificationAuthority | Get-InterfaceFlag | Disable-InterfaceFlag -Flag "NoRemoteICertAdminBackup" -RestartCA

This example removes remote backup restrictions for all Enterprise CAs in the current Active Directory forest. After the configuration is changed, the command restarts certificate services to apply the changes immediately.
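
A guarded way to apply changes like those in Examples 1 and 2, shown as an added example that is not part of the PKI module or its documentation. The hypothetical helper Disable-InterfaceFlagGuarded refuses to remove a flag that restricts access or enforces RPC security unless -AllowLoosening is given, then reads the configuration back. It assumes that -CAName matches a single CA and that the object returned by Get-InterfaceFlag exposes its flags in an InterfaceFlags property.

```powershell
# Added example: hypothetical guard around Disable-InterfaceFlag (not part of the PKI module).
# Assumption: Get-InterfaceFlag output exposes the current flags in an 'InterfaceFlags' property.

# Flags from the list above whose removal widens access or drops an RPC security requirement.
$RestrictiveFlags = @(
    'NoRemoteICertRequest', 'NoLocalICertRequest', 'NoRPCICertRequest',
    'NoRemoteICertAdmin', 'NoLocalICertAdmin',
    'NoRemoteICertAdminBackup', 'NoLocalICertAdminBackup', 'NoSnapshotBackup',
    'EnforceEncryptICertRequest', 'EnforceEncryptICertAdmin'
)

function Disable-InterfaceFlagGuarded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$CAName,
        [Parameter(Mandatory = $true)][string[]]$Flag,
        [switch]$AllowLoosening,   # required before a restrictive flag is removed
        [switch]$RestartCA
    )
    $current = Get-CertificationAuthority -Name $CAName | Get-InterfaceFlag
    if (-not $current) { throw "No interface flags could be read for CA '$CAName'." }

    # A flags enum renders as "FlagA, FlagB"; split it into individual names.
    $set = "$($current.InterfaceFlags)" -split ',\s*'

    $approved = foreach ($f in $Flag) {
        if ($f -notin $set) {
            Write-Warning "$f is not set on $CAName; nothing to disable."
        } elseif ($f -in $RestrictiveFlags -and -not $AllowLoosening) {
            Write-Warning "Skipped ${f}: disabling it lifts a restriction. Use -AllowLoosening to proceed."
        } else {
            $f
        }
    }
    if ($approved) {
        # One call, so the CA service restarts at most once.
        $current | Disable-InterfaceFlag -Flag ($approved -join ',') -RestartCA:$RestartCA | Out-Null
    }
    # Read the configuration back so the caller sees what the CA now stores.
    Get-CertificationAuthority -Name $CAName | Get-InterfaceFlag
}

# Constructed usage, with the CA name from Example 1:
# Disable-InterfaceFlagGuarded -CAName 'company-CA01' -Flag NoLocalICertRequest -AllowLoosening -RestartCA
```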

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-InterfaceFlag
Enable-InterfaceFlag
Restore-InterfaceFlagDefault

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions