Core Infrastructure and Security Blog

The Nightmare of renewing NDES Enrollment Agent Certificates

DagmarHeidecker
Mar 09, 2026

First introduced in Windows Server 2008, NDES spent many years as a niche technology. Over recent years, it has made an unexpected comeback driven by certificate enrollment on Intune-managed devices. Despite many articles describing its initial configuration, our daily professional experience shows that many NDES implementations are incorrectly or insecurely configured, or fail to work because of expired Enrollment Agent (EA) certificates. For this reason, this article explains how to design and configure custom EA certificate templates that enable secure automatic renewal.

NDES EA Certificates – Quick Recap

By default, three version 1 certificate templates are assigned to your Certification Authority by the configuration routine of the NDES service: CEP Encryptio...
Updated Mar 09, 2026
Version 1.0