diff --git a/kms/capi/capi.go b/kms/capi/capi.go
index 3a7ea50d..47e14ea5 100644
--- a/kms/capi/capi.go
+++ b/kms/capi/capi.go
@@ -43,6 +43,8 @@ const (
 	HashArg                      = "sha1"
 	StoreLocationArg             = "store-location" // 'machine', 'user', etc
 	StoreNameArg                 = "store"          // 'MY', 'CA', 'ROOT', etc
+	FriendlyNameArg              = "friendly-name"
+	DescriptionArg               = "description"
 	IntermediateStoreLocationArg = "intermediate-store-location"
 	IntermediateStoreNameArg     = "intermediate-store"
 	KeyIDArg                     = "key-id"
@@ -90,6 +92,8 @@ type uriAttributes struct {
 	subjectCN                 string
 	serialNumber              string
 	issuerName                string
+	friendlyName              string
+	description               string
 	keySpec                   string
 	skipFindCertificateKey    bool
 	pin                       string
@@ -126,6 +130,8 @@ func parseURI(rawuri string) (*uriAttributes, error) {
 		subjectCN:                 u.Get(SubjectCNArg),
 		serialNumber:              u.Get(SerialNumberArg),
 		issuerName:                u.Get(IssuerNameArg),
+		friendlyName:              u.Get(FriendlyNameArg),
+		description:               u.Get(DescriptionArg),
 		keySpec:                   u.Get(KeySpec),
 		skipFindCertificateKey:    u.GetBool(SkipFindCertificateKey),
 		pin:                       u.Pin(),
@@ -386,11 +392,17 @@ func (k *CAPIKMS) getCertContext(u *uriAttributes) (*windows.CertContext, error)
 		0,
 		0,
 		certStoreLocation,
-		uintptr(unsafe.Pointer(wide(u.storeName))))
+		uintptr(unsafe.Pointer(wide(u.storeName))),
+	)
 	if err != nil {
 		return nil, fmt.Errorf("CertOpenStore for the %q store %q returned: %w", u.storeLocation, u.storeName, err)
 	}
 
+	// if issuer + any of the other fields in the list below is provided, then attempt a second certificate lookup when
+	// lookup by KeyID fails (not found). This fix an issue when looking up device certificates, as in that case the KeyID is
+	// derived from a randomly generate string each time agent runs, thus not being able to find certificates installed from
+	// a previous run.
+	canLookupByIssuer := u.issuerName != "" && (u.serialNumber != "" || u.subjectCN != "" || u.friendlyName != "" || u.description != "")
 	var handle *windows.CertContext
 
 	switch {
@@ -429,67 +441,91 @@ func (k *CAPIKMS) getCertContext(u *uriAttributes) (*windows.CertContext, error)
 		if err != nil {
 			return nil, fmt.Errorf("findCertificateInStore failed: %w", err)
 		}
+
+		if handle == nil && !canLookupByIssuer {
+			return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%s not found", KeyIDArg, u.keyID)}
+		}
+	}
+
+	if handle != nil {
+		return handle, err
+	}
+
+	if !canLookupByIssuer {
+		return nil, fmt.Errorf("%q, %q, or %q and one of %q or %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg, SubjectCNArg)
+	}
+
+	// lookup certificate by issuer + another field (serial, CN, friendlyName, description)
+	var prevCert *windows.CertContext
+	for {
+		handle, err = findCertificateInStore(st,
+			encodingX509ASN|encodingPKCS7,
+			0,
+			findIssuerStr,
+			uintptr(unsafe.Pointer(wide(u.issuerName))), prevCert)
+		if err != nil {
+			return nil, fmt.Errorf("findCertificateInStore failed: %w", err)
+		}
+
 		if handle == nil {
-			return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%x not found", KeyIDArg, u.keyID)}
+			return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%q not found", IssuerNameArg, u.issuerName)}
+		}
+
+		x509Cert, err := certContextToX509(handle)
+		if err != nil {
+			return nil, fmt.Errorf("could not unmarshal certificate to DER: %w", err)
 		}
-	case u.issuerName != "" && (u.serialNumber != "" || u.subjectCN != ""):
-		var prevCert *windows.CertContext
-		for {
-			handle, err = findCertificateInStore(st,
-				encodingX509ASN|encodingPKCS7,
-				0,
-				findIssuerStr,
-				uintptr(unsafe.Pointer(wide(u.issuerName))), prevCert)
-			if err != nil {
-				return nil, fmt.Errorf("findCertificateInStore failed: %w", err)
-			}
 
-			if handle == nil {
-				return nil, apiv1.NotFoundError{Message: fmt.Sprintf("certificate with %s=%q not found", IssuerNameArg, u.issuerName)}
+		switch {
+		case len(u.serialNumber) > 0:
+			// TODO: Replace this search with a CERT_ID + CERT_ISSUER_SERIAL_NUMBER search instead
+			// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id
+			// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
+			var bi *big.Int
+			if strings.HasPrefix(u.serialNumber, "0x") {
+				serialBytes, err := hex.DecodeString(strings.TrimPrefix(u.serialNumber, "0x"))
+				if err != nil {
+					return nil, fmt.Errorf("invalid hex format for %s: %w", SerialNumberArg, err)
+				}
+
+				bi = new(big.Int).SetBytes(serialBytes)
+			} else {
+				bi := new(big.Int)
+				bi, ok := bi.SetString(u.serialNumber, 10)
+				if !ok {
+					return nil, fmt.Errorf("invalid %s - must be in hex or integer format", SerialNumberArg)
+				}
 			}
 
-			x509Cert, err := certContextToX509(handle)
+			if x509Cert.SerialNumber.Cmp(bi) == 0 {
+				return handle, nil
+			}
+		case len(u.subjectCN) > 0:
+			if x509Cert.Subject.CommonName == u.subjectCN {
+				return handle, nil
+			}
+		case len(u.friendlyName) > 0:
+			val, err := cryptFindCertificateFriendlyName(handle)
 			if err != nil {
-				return nil, fmt.Errorf("could not unmarshal certificate to DER: %w", err)
+				return nil, fmt.Errorf("cryptFindCertificateFriendlyName failed: %w", err)
 			}
 
-			switch {
-			case len(u.serialNumber) > 0:
-				// TODO: Replace this search with a CERT_ID + CERT_ISSUER_SERIAL_NUMBER search instead
-				// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_id
-				// https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-cert_issuer_serial_number
-				var bi *big.Int
-				if strings.HasPrefix(u.serialNumber, "0x") {
-					serialBytes, err := hex.DecodeString(strings.TrimPrefix(u.serialNumber, "0x"))
-					if err != nil {
-						return nil, fmt.Errorf("invalid hex format for %s: %w", SerialNumberArg, err)
-					}
-
-					bi = new(big.Int).SetBytes(serialBytes)
-				} else {
-					bi := new(big.Int)
-					bi, ok := bi.SetString(u.serialNumber, 10)
-					if !ok {
-						return nil, fmt.Errorf("invalid %s - must be in hex or integer format", SerialNumberArg)
-					}
-				}
-
-				if x509Cert.SerialNumber.Cmp(bi) == 0 {
-					return handle, nil
-				}
-			case len(u.subjectCN) > 0:
-				if x509Cert.Subject.CommonName == u.subjectCN {
-					return handle, nil
-				}
+			if val == u.friendlyName {
+				return handle, nil
+			}
+		case len(u.description) > 0:
+			val, err := cryptFindCertificateDescription(handle)
+			if err != nil {
+				return nil, fmt.Errorf("cryptFindCertificateDescription failed: %w", err)
 			}
 
-			prevCert = handle
+			if val == u.description {
+				return handle, nil
+			}
 		}
-	default:
-		return nil, fmt.Errorf("%q, %q, or %q and one of %q or %q is required to find a certificate", HashArg, KeyIDArg, IssuerNameArg, SerialNumberArg, SubjectCNArg)
-	}
 
-	return handle, err
+		prevCert = handle
+	}
 }
 
 // CreateSigner returns a crypto.Signer that will sign using the key passed in via the URI.
@@ -827,6 +863,14 @@ func (k *CAPIKMS) StoreCertificate(req *apiv1.StoreCertificateRequest) error {
 		cryptFindCertificateKeyProvInfo(certContext)
 	}
 
+	if u.friendlyName != "" {
+		cryptSetCertificateFriendlyName(certContext, u.friendlyName)
+	}
+
+	if u.description != "" {
+		cryptSetCertificateDescription(certContext, u.description)
+	}
+
 	st, err := windows.CertOpenStore(
 		certStoreProvSystem,
 		0,
@@ -862,6 +906,8 @@ func (k *CAPIKMS) StoreCertificateChain(req *apiv1.StoreCertificateChainRequest)
 			HashArg:                []string{fp},
 			StoreLocationArg:       []string{u.storeLocation},
 			StoreNameArg:           []string{u.storeName},
+			FriendlyNameArg:        []string{u.friendlyName},
+			DescriptionArg:         []string{u.description},
 			SkipFindCertificateKey: []string{strconv.FormatBool(u.skipFindCertificateKey)},
 		}).String(),
 		Certificate: leaf,
diff --git a/kms/capi/ncrypt_windows.go b/kms/capi/ncrypt_windows.go
index 9366f08b..25dd37af 100644
--- a/kms/capi/ncrypt_windows.go
+++ b/kms/capi/ncrypt_windows.go
@@ -60,9 +60,11 @@ const (
 	compareShift            = 16                                              // CERT_COMPARE_SHIFT
 	compareSHA1Hash         = 1                                               // CERT_COMPARE_SHA1_HASH
 	compareCertID           = 16                                              // CERT_COMPARE_CERT_ID
+	compareProp             = 5                                               // CERT_COMPARE_CERT_ID
 	findIssuerStr           = compareNameStrW<<compareShift | infoIssuerFlag  // CERT_FIND_ISSUER_STR_W
 	findIssuerName          = compareName<<compareShift | infoIssuerFlag      // CERT_FIND_ISSUER_NAME
 	findHash                = compareSHA1Hash << compareShift                 // CERT_FIND_HASH
+	findProperty            = compareProp << compareShift                     // CERT_FIND_PROPERTY
 	findCertID              = compareCertID << compareShift                   // CERT_FIND_CERT_ID
 
 	signatureKeyUsage = 0x80       // CERT_DIGITAL_SIGNATURE_KEY_USAGE
@@ -82,6 +84,8 @@ const (
 	CERT_ID_SHA1_HASH            = uint32(3)
 
 	CERT_KEY_PROV_INFO_PROP_ID = uint32(2)
+	CERT_FRIENDLY_NAME_PROP_ID = uint32(11)
+	CERT_DESCRIPTION_PROP_ID   = uint32(13)
 
 	CERT_NAME_STR_COMMA_FLAG = uint32(0x04000000)
 	CERT_SIMPLE_NAME_STR     = uint32(1)
@@ -151,6 +155,7 @@ var (
 	procCertFindCertificateInStore        = crypt32.MustFindProc("CertFindCertificateInStore")
 	procCryptFindCertificateKeyProvInfo   = crypt32.MustFindProc("CryptFindCertificateKeyProvInfo")
 	procCertGetCertificateContextProperty = crypt32.MustFindProc("CertGetCertificateContextProperty")
+	procCertSetCertificateContextProperty = crypt32.MustFindProc("CertSetCertificateContextProperty")
 	procCertStrToName                     = crypt32.MustFindProc("CertStrToNameW")
 )
 
@@ -606,6 +611,102 @@ func cryptFindCertificateKeyContainerName(certContext *windows.CertContext) (str
 	return "", nil
 }
 
+func certSetCertificateContextProperty(certContext *windows.CertContext, propID uint32, pvData uintptr) error {
+	r0, _, err := procCertSetCertificateContextProperty.Call(
+		uintptr(unsafe.Pointer(certContext)),
+		uintptr(propID),
+		0,
+		pvData,
+	)
+
+	if r0 == 0 {
+		return err
+	}
+	return nil
+}
+
+func cryptSetCertificateFriendlyName(certContext *windows.CertContext, val string) error {
+	data := CRYPTOAPI_BLOB{
+		len: uint32(len(val)+1) * 2,
+		data: uintptr(unsafe.Pointer(wide(val))),
+	}
+
+	return certSetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, uintptr(unsafe.Pointer(&data)))
+}
+
+func cryptSetCertificateDescription(certContext *windows.CertContext, val string) error {
+	data := CRYPTOAPI_BLOB{
+		len: uint32(len(val)+1) * 2,
+		data: uintptr(unsafe.Pointer(wide(val))),
+	}
+
+	return certSetCertificateContextProperty(certContext, CERT_DESCRIPTION_PROP_ID, uintptr(unsafe.Pointer(&data)))
+}
+
+func certGetCertificateContextProperty(certContext *windows.CertContext, propID uint32, pvData *byte, pcbData *uint32) error {
+	r0, _, err := procCertGetCertificateContextProperty.Call(
+		uintptr(unsafe.Pointer(certContext)),
+		uintptr(propID),
+		uintptr(unsafe.Pointer(pvData)),
+		uintptr(unsafe.Pointer(pcbData)),
+	)
+	if r0 == 0 {
+		return err
+	}
+	return nil
+}
+
+func cryptFindCertificateFriendlyName(certContext *windows.CertContext) (string, error) {
+	var size uint32
+
+	err := certGetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, nil, &size)
+	if err != nil {
+		if errno, ok := err.(windows.Errno); ok && uint32(errno) == CRYPT_E_NOT_FOUND {
+			return "", nil
+		}
+
+		return "", err
+	}
+
+	if size == 0 {
+		return "", nil
+	}
+
+	buf := make([]byte, size)
+	err = certGetCertificateContextProperty(certContext, CERT_FRIENDLY_NAME_PROP_ID, &buf[0], &size)
+	if err != nil {
+		return "", err
+	}
+
+	uc := bytes.ReplaceAll(buf, []byte{0x00}, []byte(""))
+	return string(uc), nil
+}
+
+func cryptFindCertificateDescription(certContext *windows.CertContext) (string, error) {
+	var size uint32
+
+	err := certGetCertificateContextProperty(certContext, CERT_DESCRIPTION_PROP_ID, nil, &size)
+	if err != nil {
+		if errno, ok := err.(windows.Errno); ok && uint32(errno) == CRYPT_E_NOT_FOUND {
+			return "", nil
+		}
+
+		return "", err
+	}
+	if size == 0 {
+		return "", nil
+	}
+
+	buf := make([]byte, size)
+	err = certGetCertificateContextProperty(certContext, CERT_DESCRIPTION_PROP_ID, &buf[0], &size)
+	if err != nil {
+		return "", err
+	}
+
+	uc := bytes.ReplaceAll(buf, []byte{0x00}, []byte(""))
+	return string(uc), nil
+}
+
 func certStrToName(x500Str string) ([]byte, error) {
 	var size uint32
 
diff --git a/kms/tpmkms/tpmkms.go b/kms/tpmkms/tpmkms.go
index 78438104..e8177916 100644
--- a/kms/tpmkms/tpmkms.go
+++ b/kms/tpmkms/tpmkms.go
@@ -869,6 +869,9 @@ func (k *TPMKMS) loadCertificateChainFromWindowsCertificateStore(req *apiv1.Load
 			"store":                       []string{store},
 			"intermediate-store-location": []string{intermediateCAStoreLocation},
 			"intermediate-store":          []string{intermediateCAStore},
+			"issuer":                      []string{o.issuer},
+			"friendly-name":               []string{o.friendlyName},
+			"description":                 []string{o.description},
 		}).String(),
 	})
 }
@@ -966,6 +969,8 @@ func (k *TPMKMS) storeCertificateChainToWindowsCertificateStore(req *apiv1.Store
 		Name: uri.New("capi", url.Values{
 			"store-location":              []string{location},
 			"store":                       []string{store},
+			"friendly-name":               []string{o.friendlyName},
+			"description":                 []string{o.description},
 			"skip-find-certificate-key":   []string{skipFindCertificateKey},
 			"intermediate-store-location": []string{intermediateCAStoreLocation},
 			"intermediate-store":          []string{intermediateCAStore},
@@ -1435,9 +1440,11 @@ type deletingCertificateChainManager interface {
 	DeleteCertificate(req *apiv1.DeleteCertificateRequest) error
 }
 
-var _ apiv1.KeyManager = (*TPMKMS)(nil)
-var _ apiv1.Attester = (*TPMKMS)(nil)
-var _ apiv1.CertificateManager = (*TPMKMS)(nil)
-var _ apiv1.CertificateChainManager = (*TPMKMS)(nil)
-var _ deletingCertificateChainManager = (*TPMKMS)(nil)
-var _ apiv1.AttestationClient = (*attestationClient)(nil)
+var (
+	_ apiv1.KeyManager                = (*TPMKMS)(nil)
+	_ apiv1.Attester                  = (*TPMKMS)(nil)
+	_ apiv1.CertificateManager        = (*TPMKMS)(nil)
+	_ apiv1.CertificateChainManager   = (*TPMKMS)(nil)
+	_ deletingCertificateChainManager = (*TPMKMS)(nil)
+	_ apiv1.AttestationClient         = (*attestationClient)(nil)
+)
diff --git a/kms/tpmkms/uri.go b/kms/tpmkms/uri.go
index c09696c3..567f1e1e 100644
--- a/kms/tpmkms/uri.go
+++ b/kms/tpmkms/uri.go
@@ -18,6 +18,8 @@ type objectProperties struct {
 	path                      string
 	storeLocation             string
 	store                     string
+	friendlyName              string
+	description               string
 	intermediateStoreLocation string
 	intermediateStore         string
 	skipFindCertificateKey    bool
@@ -59,8 +61,12 @@ func parseNameURI(nameURI string) (o objectProperties, err error) {
 
 		// store location and store options are used on Windows to override
 		// which store(s) are used for storing and loading (intermediate) certificates
+		// friendly-name and description are used on Windows to populate additional certificate
+		// context properties to aid in retrieval
 		o.storeLocation = u.Get("store-location")
 		o.store = u.Get("store")
+		o.friendlyName = u.Get("friendly-name")
+		o.description = u.Get("description")
 		o.intermediateStoreLocation = u.Get("intermediate-store-location")
 		o.intermediateStore = u.Get("intermediate-store")
 		o.skipFindCertificateKey = u.GetBool("skip-find-certificate-key")