See below for details on the CSP Enrollment Services support for MS-WSTEP.

MS-WSTEP version supported by CSP Enrollment Services

CSP Enrollment Services supports version 12.0+ of the MS-WSTEP protocol, described at:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea

MS-WSTEP requests supported by CSP Enrollment Services

CSP Enrollment Services supports the following MS-WSTEP request types.

| Request type | Supported |
|---|---|
| New | Yes |
| Renewal | Yes |
| Enroll On Behalf Of | No |
| Key Archival | No |
| Key Attestation | No |

MS-WSTEP domain enrollments supported by CSP Enrollment Services

CSP Enrollment Services supports the following MS-WSTEP domain enrollments.

  • Domain and sub-domain enrollments.
  • Read-Only Domain Controllers.
  • Multiple domains in the same Active Directory forest and across trust-established forests.
  • Cross-forest support across established trusts between the forests.

Non-domain enrollments are not supported.

Windows products supported for MS-WSTEP enrollment with CSP Enrollment Services

The CSP Enrollment Services support for MS-WSTEP enrollment has been tested with the following Windows products.

| Windows product | Version |
|---|---|
| Windows Domain Schema | 2012 R2 or later; latest cipher support required |
| Windows Server | 2019 (IIS10 required for Certificate Enrollment Policy service) |
| Windows endpoints | 10+, 2012 R2+ |

Load balancer support for MS-WSTEP enrollment with CSP Enrollment Services

MS-WSTEP enrollment with CSP Enrollment Services supports high availability with the following load-balancing layers.

| Load balancing layer | Supported |
|---|---|
| 2 | Yes |
| 3 | Yes |
| 4 | Yes |
| 7 | No |