Blog Post
The Nightmare of renewing NDES Enrollment Agent Certificates
Great post, Dagmar! However, a crucial piece of information is missing here. If you go with the auto-enrollment option, the SCEP IIS application pool must be restarted for the updated certificate to take effect. I create a scheduled task that recycles the SCEP IIS application pool whenever a certificate renewal event occurs. I'd be happy to share that code with you if you are interested. :)
- MMVader, Apr 09, 2026, MCT
Hi Richard, great, thanks for your comment! And you are absolutely right, the currently used certs (and corresponding keys) are cached in memory (in case of using an HSM, only the 'links' to the keys are cached) and the IIS worker process must be restarted to let NDES actively use the new certs and keys.
However, the worker process will automatically be reset during normal operations (based on the configured 'recycling' settings of the NDES IIS AppPool) and at least (as NDES should be treated as a T0 system) when the next update is applied.
For that reason, we did not mention this explicitly here. But if you want to have the new certs effective right after enrollment, an additional step is required (as you wrote), which could be attached to the 'Certificate Replace' event ID (1001) from the certificate lifecycle event log (Certificate Services Lifecycle Notifications | Microsoft Learn)!
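As an added example (not code from the post or from either commenter), the scheduled task described in the two comments above, registered with PowerShell: it fires on event ID 1001 in the certificate lifecycle log and recycles the NDES application pool. It assumes the application pool is named SCEP (the NDES default) and that the machine-certificate lifecycle channel is Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational; adjust both if your environment differs.

```powershell
# Run elevated on the NDES server. Assumptions: app pool 'SCEP', lifecycle log name below.
$AppPool  = 'SCEP'
$LogName  = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational'
$TaskName = 'NDES-RecycleAppPool-OnCertReplace'

# Event trigger: New-ScheduledTaskTrigger has no event option, so build the
# MSFT_TaskEventTrigger CIM instance directly with an XPath subscription for event 1001.
$TriggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace 'Root/Microsoft/Windows/TaskScheduler'
$Trigger = New-CimInstance -CimClass $TriggerClass -ClientOnly
$Trigger.Enabled = $true
$Trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">*[System[Provider[@Name='Microsoft-Windows-CertificateServicesClient-Lifecycle-System'] and EventID=1001]]</Select>
  </Query>
</QueryList>
"@

# Action: recycle only the NDES app pool (not the whole IIS service), with a short delay
# so the replaced certificate/key is fully written before the worker process restarts.
$Command = "Start-Sleep -Seconds 10; Import-Module WebAdministration; Restart-WebAppPool -Name '$AppPool'"
$Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$Command`""

# Run as SYSTEM so no service account password is stored in the task.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Trigger $Trigger -Action $Action `
                       -Principal $Principal -Settings $Settings -Force `
                       -Description 'Recycle NDES app pool after a certificate replace (lifecycle event 1001)'

# Verification: the task should exist and the lifecycle log must be enabled, otherwise
# the trigger never fires.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-WinEvent -ListLog $LogName | Select-Object LogName, IsEnabled
```

Because the trigger matches every certificate replacement on the machine, the pool is recycled on any machine-cert renewal, not only the RA and Exchange certs; that is acceptable for an NDES box but worth knowing when reading the recycle events in the IIS logs.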