Hello Venus
The option for using the On Box Certificate is somewhat different, but not by much. You can take a look at it here:
Just for clarification, you cannot use an enterprise root CA for authenticating hardware devices using TPM/SUDI.
TPM is short for Trusted Platform Module. This is a standard used for secure cryptoprocessors, which are dedicated physical microcontrollers designed to secure hardware through integrated cryptographic keys. The term TPM is sometimes used to refer to the physical chip on the device itself.
SUDI is short for Secure Unique Device Identifier. When used in conjunction with TPM, it proves hardware origin and a hardware-derived secure boot process to prevent unauthorized code from running during boot on a Cisco platform. The SUDI is an X.509v3 certificate that is actually stored in hardware on the device.
As such, when using an ISR4321 for example, which is a physical device with TPM/SUDI hardware, only the On Box Certificate option can be used.
Concerning the version numbers, when using hardware, it is best to use the recommended versions of controllers and IOS XE SD-WAN. The following documentation shows these recommendations:
You can see here that for versions 18.x, 19.x, and 20.x of the controllers, version 17.3.4 of the IOS XE SD-WAN is recommended. Note here that the version number of the controllers (which is a Viptela version number) and those of the IOS XE SD-WAN do not correspond. So there is no restriction beyond simply ensuring that compatibility is verified by Cisco.
I hope this has been helpful!
Laz
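The point about the enterprise root CA comes down to chain of trust: a certificate burned into the device at the factory chains to the manufacturer's root, not to one you operate, so it can only be validated against that root. The following script is an added illustration of this, not part of the post above or of any Cisco tooling. It uses the openssl command line to build two unrelated, constructed test roots (a stand-in for the vendor's factory CA and an unrelated enterprise CA), signs a stand-in device identity certificate under the vendor root only, and shows which root the device certificate validates against. All names, serials and files are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a device certificate issued
# under one root (stand-in for the vendor's factory CA that issues SUDI certs)
# only validates against that root, never against an unrelated enterprise CA.
# Every CA, key and certificate here is constructed test material.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_root PREFIX CN: self-signed root CA (PREFIX.key / PREFIX.pem)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Two independent roots with no relationship to each other.
make_root vendor_root "Test Vendor Factory Root CA"
make_root enterprise_root "Test Enterprise Root CA"

# Device identity certificate signed by the vendor root only
# (the serial number in the CN is a constructed placeholder).
openssl req -new -newkey rsa:2048 -nodes -keyout device.key -out device.csr \
  -subj "/CN=TEST-SERIAL-0001/O=Test Vendor" >/dev/null 2>&1
openssl x509 -req -in device.csr -CA vendor_root.pem -CAkey vendor_root.key \
  -CAcreateserial -days 30 -out device.pem >/dev/null 2>&1

# verify_against ROOT.pem CERT.pem: prints "ok" if CERT chains to ROOT,
# "fail" otherwise (the verify error is deliberately swallowed).
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "device cert vs vendor root:     $(verify_against vendor_root.pem device.pem)"      # ok
echo "device cert vs enterprise root: $(verify_against enterprise_root.pem device.pem)"  # fail
```

The second line is the situation the post describes: an enterprise root CA has never signed the hardware identity certificate, so it cannot be used to authenticate a TPM/SUDI device, and the trust anchor has to be the vendor's own root.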