If you're looking for Enrollment Web Pages (hereinafter EWP) installation (or removal) without GUI — you're in correct place. At first I need to answer, why it necessary to script EWP installation. This may be very useful for CA administrator assistants, for example. In general, CA administrator will have to write a long step-by-step guide to install certain role. But using scripts, CA administrator may tell: "Take the script, run it with the XYZ parameters and get PROFIT" or something like this. It is common to script all (as possible) routine operations in the case of disaster recovery and so on, because it takes less time and easy to document. Feel free to think if CA role can be installed from the script — this is possible. In next post I'll show PowerShell code that will do that. But now we'll talk about web enrollment.

As a start stage we need to find appropriate API and here it is: ICertSrvSetup. This CryptoAPI COM interface is the base interface for CA and/or EWP role installation. The following code will instantiate COM object:

$EWPSetup = New-Object -ComObject CertOCM.CertSrvSetup.1

You must initialize the object to set required properties and install selected roles by invoking InitializeDefaults mthod. The method accepts two arguments:

1. whether CA role will be installed;
2. whether EWP role will be installed.

There are several rules for this method that are not covered in MSDN.

• If you wish to install both CA and EWP roles — pass (True, True) as a method arguments. Note that you cannot associate EWP with remote server, however. In that case EWP will be associated with local CA server.
• If you wish to install CA role only, without EWP — pass (True, False) as a method arguments;
• If you wish to install EWP role only, without CA — pass (False, True) as a method arguments. This is the only option to associate EWP with remote CA server. This option will be used in our case.

$EWPSetup.InitializeDefaults($false,$true)

We have initialized object to required state and we are ready to set required info — remote CA configuration string. As you should know, CA configuration string used in the following format: CAComputerName\CAName. To set remote CA config string we need to use SetWebCAInformation method as shown:

$EWPSetup.SetWebCAInformation("CA1\Company Issuing CA")

And now we can install the role:

$EWPSetup.Install()

In certain cases you may encounter an issue that you cannot instantiate COM object. This is because required binaries are not installed. In order to install them you should use ServerManager PowerShell module as shown:

PS C:\> Import-Module ServerManager
PS C:\> Get-WindowsFeature "ADCS*"

Display Name                                            Name
------------                                            ----
    [X] Certification Authority                         ADCS-Cert-Authority
    [ ] Certification Authority Web Enrollment          ADCS-Web-Enrollment
    [X] Online Responder                                ADCS-Online-Cert
    [ ] Network Device Enrollment Service               ADCS-Device-Enrollment
    [X] Certificate Enrollment Web Service              ADCS-Enroll-Web-Svc
    [X] Certificate Enrollment Policy Web Service       ADCS-Enroll-Web-Pol


PS C:\> Add-WindowsFeature "ADCS-Web-Enrollment"

Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True    No             Success   {Certification Authority Web Enrollment}


PS C:\>

you will need to add the check if binaries are installed at a start of script. Here is example script that will install EWP on local computer:

function Install-WebEnrollment {
[CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$CAConfig
    )
    # check if script running on Windows Server 2008 or Windows Server 2008 R2
    $OS = Get-WmiObject Win32_OperatingSystem | select Version, ProductType
    if ([int]$OS.Version[0] -ne 54 -and $OS.ProductType -ne 1) {
        Write-Warning "Windows XP, Windows Server 2003 and Windows Server 2003 R2 are not supported!"
        return
    }
    # check if web enrollment binaries are installed
    Import-Module ServerManager
    $status = (Get-WindowsFeature -Name ADCS-Web-Enrollment).Installed
    # if still no, install binaries, otherwise do nothing
    if (!$status) {$retn = Add-WindowsFeature -Name ADCS-Web-Enrollment
        if (!$retn.Success) {
            Write-Warning "Unable to install ADCS installation packages due of the following error:"
            Write-Warning $retn.ExitCode
            return
        }
    }
    # instantiate COM object
    try {
        $EWPSetup = New-Object -ComObject CertOCM.CertSrvSetup.1
    } catch {
        Write-Warning "Unable to load necessary interfaces. Your Windows Server operating system is not supported!"
        return
    }
    # initialize the object to install only web enrollment
    $EWPSetup.InitializeDefaults($false,$true)
    try {
        # set required information and install the role
        $EWPSetup.SetWebCAInformation($CAConfig)
        $EWPSetup.Install()
    }
    catch {$_; return}
    Write-Host "Successfully installed Enrollment Web Pages on local computer!" -ForegroundColor Green
}

And usage example:

Install-WebEnrollment "CA1\Company Issuing CA"

have a nice day with CryptoAPI scripting in PowerShell :)