First introduced in Windows Server 2008, NDES spent many years as a niche technology. Over recent years, it has made an unexpected comeback driven by certificate enrollment on Intune-managed devices. Despite many articles describing its initial configuration, our daily professional experience shows that many NDES implementations are incorrectly or insecurely configured, or fail to work because of expired Enrollment Agent (EA) certificates. For this reason, this article explains how to design and configure custom EA certificate templates that enable secure automatic renewal.
NDES EA Certificates – Quick Recap
By default, three version 1 certificate templates are assigned to your Certification Authority by the configuration routine of the NDES service:
- CEP Encryption - Used by the device to encrypt communication with NDES
- Exchange Enrollment Agent (Offline Request) - Used to request certificates on behalf of another subject
- IPSec (Offline request) - Default template to enroll certificates to devices
All certificate templates from the list above are version 1 certificate templates. Number 1 and 2 share the common characteristic of having the Extended Key Usage (EKU) extension set to include the OID 1.3.6.1.4.1.311.20.2.1, which corresponds to “Certificate Request Agent”. In this article template number 1 and 2 (from the list above) will be referred to as “NDES Enrollment Agent certificate(s) templates”.
|
Version 1 certificate templates originated with Windows 2000 and have functional and security limitations. Since the autoenrollment feature did not exist at that time, these templates do not support autoenrollment and instead rely on Automatic Certificate Request Settings, a legacy mechanism that is no longer recommended. Furthermore, the only property that can be modified on a version 1 template is the set of assigned permissions that controls access to the template. Find more details in Certificate Template Concepts. |
|
Certificate Enrollment (or Request) Agents were designed to enable trusted principals to perform certificate enrollment on behalf of other users or devices (aka Enroll-on-behalf). NDES is a concrete implementation of this concept as it enrolls certificates for entities other than itself. |
The enrollment of the NDES EA certificates based on certificate templates number 1 and 2 (see above) during NDES configuration is hard‑coded in the configuration routine. This design choice from many years ago introduces several challenges:
- Security: in case you misconfigure the default NDES certificate templates security settings, they are vulnerable to CVE-2024-49019. A detailed explanation of this vulnerability is out of scope here; however, as a general best practice, certificate templates version 1 should not be used.
- The default “Exchange Enrollment Agent (Offline request)” certificate template (default template number 2. as per above) is a user template and the installation routine “somehow magically” imports this certificate into the machine store. This makes automatic renewal challenging...
- Version 1 certificate templates have significant functional limitations, as they cannot be modified (except for security settings):
-
The validity period (2 years) cannot be changed. For NDES EA certificate templates the validity period is 2 years.
-
The template’s CSP[1] cannot be modified. As a result, NDES Enrollment Agent certificates cannot be enrolled in a Hardware Security Module (HSM).
-
Version 1 templates do not support Autoenrollment. Consequently, NDES service certificates therefore must be renewed manually. When the Enrollment Agent certificates expire, NDES stops working.
- Version 1 templates lack template-level access control and modern enrollment safeguards (e.g. Certificate Manager Approval).
-
[1] NDES does not support KSP for EA certificates.
As you can see, there are several reasonable arguments to replace the default NDES service certificate templates.
Configuring custom NDES Service Certificate Templates
Generally, there are two ways of creating some kind of “fire and forget” certificate templates for NDES:
- Common Windows Active Directory Autoenrollment can be used if there is no need for a custom name/subject in the request agent certificates.
- We can use key-based renewal (KBR) which allows us to create custom subjects in the certificates even together with automatic renewals.
The NDES service will not verify the certificates’ subject information. It will just verify that the certificates have “request Agent” EKU (1.3.6.1.4.1.311.20.2.1).
In a nutshell, you will need to duplicate two version 1 certificate templates and modify those to fit your needs. See table below for detailed description of settings.
In addition to that, there are a few more things to consider:
NDES service account
There are different options for creating the SCEP IIS App Pool identity. As Microsoft recommends using a hardened Tier 0 domain user account, this article will focus on this configuration. By default, domain user accounts do not have any permissions on private keys in the computer certificate store. Therefore, you must grant READ permissions to the NDES service certificate private keys either manually or in the certificate template configuration. This can be configured on the Request Handling tab as we will see later in this article.
(Source) Certificate Templates to duplicate
Certificate templates include a flag that is hidden from the GUI and determines whether a template is treated as a user or a computer certificate template. If you are curious, the command certutil -ds -v “CEPEncryption” will make it visible. Look out for CT_FLAG_MACHINE_TYPE in the output. This distinction is important in our scenario because the Exchange Enrollment Agent (Offline Request) template does not include this flag. As a result, certificates based on this template can only be enrolled into the user certificate store. To ensure the new template replacing the Exchange Enrollment Agent (Offline Request) template supports enrollment into the computer certificate store, we use the Enrollment Agent (Computer) default template as the source template.
Subject and SAN for NDES Service Certificates
Subject/SAN can either be built from Active Directory or provided in the request.
a) Build (subject) from this Active Directory information (option 1 from above – using common autoenrollment)
Using Common Name and DNS name is common practice. Subject and/or SAN will simply include the NDES computer account name.
As this may not be appropriate in all scenarios, we also have option...
b) Supply (subject) in the request (option 2 from above – using key-based renewal)
While this option gives you the freedom of choosing a proper Enrollment Agent subject information and SAN, it comes at the price of some additional configuration requirements to allow secure and automatic renewal of NDES service certificates. Using the key based renewal feature, we will have to initially enroll the NDES service certificates manually. Renewal will happen automatically. To implement this, both NDES service certificate templates must be configured as described below:
Subject Name tab
Issuance Requirements tab
Extensions tab
“Certificate Request Agent” is the only Application Policy required.
Please note that “Client Authentication” is required as an additional Application Policy in case you use CEP and CES for key based renewal.
Request Handling and Security tab
NDES EA Certificate Template Configuration Summary
| Default NDES service certificate template | CEP Encryption | Exchange Enrollment Agent (Offline Request) |
| Template to duplicate | CEP Encryption | Enrollment Agent (Computer) |
| Compatibility settings |
| |
| General |
Provide a name for the new certificate template. | |
| Request Handling |
In case the SCEP AppPool is configured to run in the security context of a domain account, you must grant READ access to the private key to the NDES service account. Otherwise, no changes are required on this tab. | |
| Cryptography |
If available, configure an HSM backed CSP or adjust the key length as required. Note that Key Storage Providers (KSPs) are not supported for NDES service certificates. | |
| Subject Name |
Either choose Build from this Active Directory information or choose Supply in the request + key-based renewal. | |
| Issuance Requirements |
Because of NDES’ Enroll-on-behalf capability described above, the NDES service certificates are very powerful. We therefore recommend enforcing CA certificate manager approval for enrollment. Please keep in mind that this will interrupt the automatic renewal process of the certificate if not using KBR. | |
| Extensions |
The default Application Policy is Certificate Request Agent. Do not change it. In case key based renewal is enabled, Client Authentication must be added as an Application Policy. | |
| Security |
Grant ENROLL and AUTOENROLL* permissions to the NDES Computer account only. | |
Housekeeping
After new EA certificates have been enrolled…
- Unassign version 1 certificate templates from all CAs
- Revoke all previously issued NDES EA certificates and remove them from NDES server.
- Restart NDES service (execute to reload the web service and certificates)
Final Thoughts
NDES Enrollment Agent certificates are highly privileged and should never rely on legacy version 1 templates. Replacing them with custom templates that support HSMs and secure automatic renewal significantly reduces outage risk and closes known security gaps.
Microsoft