
PowerShell PKI Module Documentation


This command requires the Remote Server Administration Tools (RSAT) to be installed.

Disable-PolicyModuleFlag

Synopsis

Disables policy module flags.

Syntax

Disable-PolicyModuleFlag [-InputObject] <EditFlag[]> [-Flag] <PolicyModuleFlagEnum> [-RestartCA] [<CommonParameters>]

Description

Disables policy module flags. These flags are processed by the policy module during certificate request processing.

Parameters

-InputObject <EditFlag[]>

Specifies the object that holds the CA's current EditFlags set. Retrieve it by running the Get-PolicyModuleFlag command against the target CA.

Required? True
Position? 0
Default value
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? False

-Flag <PolicyModuleFlagEnum>

Specifies the flag or flags to disable for processing by the CA policy module. This parameter accepts one or more of the following values:

EnableRequestExtensions — Enables processing of the ‘Enabled Request Extensions’ list.
RequestExtensionList — Instructs the CA server to process the RequestExtensionList property.
DisableExtensionList — Enables processing of the ‘Disabled Request Extensions’ list. If the flag is enabled and a certificate request contains one or more extensions from this list, those extensions are discarded.
AddOldKeyUsage — N/A
AddOldCertType — N/A
AttributeEndDate — Allows the requester to specify the certificate’s validity end date as a request attribute. While certificate validity on Enterprise CAs is (mainly) determined by certificate template settings, Standalone CAs determine it from the ValidityPeriod and ValidityPeriodUnits settings only. This flag allows those settings to be overridden for an individual certificate.
BasicConstraintsCritical — Marks the Basic Constraints extension as critical.
BasicConstraintsCA — Enables the Basic Constraints extension for CA certificates.
EnableAKIKeyID — Enables the KeyID value (hash of the issuer’s public key) to appear in the Authority Key Identifier (AKI) extension.
AttributeCA — N/A
IgnoreRequestGroup — N/A
EnableAKIIssuerName — Enables the issuer name to appear in the Authority Key Identifier (AKI) extension.
EnableAKIIssuerSerial — Enables the issuer certificate’s serial number to appear in the Authority Key Identifier (AKI) extension.
EnableAKICritical — Marks the Authority Key Identifier (AKI) extension as critical.
ServerUpgraded — N/A
AttributeEKU — Allows the Enhanced Key Usage (EKU) extension to be passed as an unauthenticated request attribute (rather than being included as an authenticated extension in the request itself).
EnableDefaultSMIME — N/A
EmailOptional — N/A
AttributeSubjectAlternativeName — Allows the Subject Alternative Name (SAN) extension to be passed as an unauthenticated request attribute (rather than being included as an authenticated extension in the request itself). This is the flag certutil reports as EDITF_ATTRIBUTESUBJECTALTNAME2.
Note: Do not enable this flag on Enterprise CAs. An attribute-supplied SAN is not validated against Active Directory, so any principal permitted to enroll for a template that allows client authentication could obtain a certificate naming a different, more privileged account. Include the SAN extension directly in the request instead.
EnableLDAPReferrals — Allows the Certification Authority (CA) to chase a referral for user or computer information in a trusted forest. When referrals are not chased and the user information is not available, the request is denied if the user is enrolling from another forest. Referral chasing is not enabled by default because unintended template enumeration and enrollment may occur in some scenarios.
This flag is necessary only for cross-forest enrollment scenarios.
EnableChaseClientDC — N/A
AuditCertTemplateLoad — Enables auditing of certificate template list loads from Active Directory.
DisableOldOSCNUPN — N/A
DisableLDAPPackageList — N/A
EnableUPNMap — N/A
EnableOCSPRevNoCheck — Allows the id-pkix-ocsp-nocheck extension requested in a certificate request to be included in the issued certificate (required for OCSP Response Signing certificates).
EnableRenewOnBehalfOf — Enables certificate renewal on behalf of another user or computer.

Required? True
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? False

-RestartCA <SwitchParameter>

Restarts the CA service on the specified CA server so the changes take effect immediately. Without this switch the new flag set is written but is not applied until the service is restarted.

Required? False
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? False

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, InformationAction, InformationVariable,
WarningAction, WarningVariable, OutBuffer, PipelineVariable and OutVariable.
For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

Inputs

PKI.CertificateServices.PolicyModule.EditFlag

Outputs

PKI.CertificateServices.PolicyModule.EditFlag

Notes

Examples

Example 1

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA

Disables the ‘Subject Alternative Name’ request attribute on Company-CA, so a SAN is honored only when it is part of the certificate request’s extensions, and restarts the certificate service on Company-CA so the change takes effect immediately.

Example 2

PS C:\> Get-CertificationAuthority -Name Company-CA | Get-PolicyModuleFlag | Disable-PolicyModuleFlag EnableOCSPRevNoCheck, DisableExtensionList -RestartCA

Disables the ‘OCSP No Revocation Checking’ extension and disables ‘Disabled Request Extensions’ list processing. After this change the CA will no longer issue OCSP Response Signing certificates, and any extension previously disabled via Add-ExtensionList will again be populated in issued certificates. The certificate service on Company-CA is restarted on completion so the changes take effect immediately.
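Example 3 (added example, not part of the PSPKI module or its documentation)

The following script audits every CA returned by Get-CertificationAuthority for the AttributeSubjectAlternativeName flag described above and clears it with Disable-PolicyModuleFlag only when -Remediate is passed. It cross-checks the result by reading the raw registry value through certutil. The function name, the -Remediate switch, and the ComputerName, ConfigString and EditFlags property names are assumptions about the PSPKI object model; EDITF_ATTRIBUTESUBJECTALTNAME2 is the name certutil prints for this flag.

```powershell
# Added example (not from the PSPKI project): audit CAs for the
# AttributeSubjectAlternativeName policy module flag and optionally clear it.
# Assumptions: PSPKI and RSAT are installed, the caller is a CA administrator,
# Get-CertificationAuthority objects expose ComputerName and ConfigString, and
# Get-PolicyModuleFlag objects expose the flag set as an enum-valued EditFlags property.
Import-Module PSPKI

function Invoke-SanAttributeFlagAudit {
    [CmdletBinding()]
    param(
        # CA names to inspect; default is every CA registered in the forest
        [string[]]$Name,
        # Clear the flag where it is set; without this switch the run is audit-only
        [switch]$Remediate
    )

    $cas = if ($Name) {
        $Name | ForEach-Object { Get-CertificationAuthority -Name $_ }
    } else {
        Get-CertificationAuthority
    }

    foreach ($ca in $cas) {
        $editFlag = $ca | Get-PolicyModuleFlag
        # The enum renders as "Flag1, Flag2, ..."; split it into individual flag names
        $flagNames  = "$($editFlag.EditFlags)" -split ',\s*'
        $sanEnabled = $flagNames -contains 'AttributeSubjectAlternativeName'

        if ($sanEnabled -and $Remediate) {
            # Pipe the retrieved EditFlag object exactly as the documented examples do
            $editFlag | Disable-PolicyModuleFlag AttributeSubjectAlternativeName -RestartCA
            $action = 'Disabled'
        } elseif ($sanEnabled) {
            $action = 'ENABLED (run with -Remediate to clear)'
        } else {
            $action = 'Not set'
        }

        # Independent cross-check: read the registry value via certutil.
        # The on-disk value changes immediately; the restart only makes the CA reload it.
        $regOut    = certutil -config $ca.ConfigString -getreg policy\EditFlags 2>&1 | Out-String
        $regHasSan = $regOut -match 'EDITF_ATTRIBUTESUBJECTALTNAME2'

        [pscustomobject]@{
            ComputerName          = $ca.ComputerName
            SanAttributeFlag      = $action
            RegistryStillHasFlag  = $regHasSan
        }
    }
}

# Audit first, review the report, then remediate:
Invoke-SanAttributeFlagAudit | Format-Table -AutoSize
# Invoke-SanAttributeFlagAudit -Remediate
```

Run the audit without -Remediate first: on a CA where the flag is set, SanAttributeFlag reports ENABLED and RegistryStillHasFlag is True. After a -Remediate run the registry check should return False for every CA; a CA that still reports True indicates the write did not reach that server and should be investigated before trusting the report.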

Related links

Get-CertificationAuthority
Connect-CertificationAuthority
Get-PolicyModuleFlag
Enable-PolicyModuleFlag
Restore-PolicyModuleFlagDefault

Minimum PowerShell version support

  • Windows PowerShell 3.0

Operating System Support

  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2 all editions
  • Windows Server 2012 all editions
  • Windows Server 2012 R2 all editions
  • Windows Server 2016 all editions
  • Windows Server 2019 all editions
  • Windows Server 2022 all editions