The Nightmare of renewing NDES Enrollment Agent Certificates
Why on earth is this information not in the official Microsoft documentation? The certs on my NDES server expired this week, broke the server, and I have been wracking my brain trying to figure out how the heck this works. A MS support rep sent me this blog post in lieu of official documentation.
- richardhicks, Mar 25, 2026, Copper Contributor
NDES is rather poorly documented, for sure. :/ Hopefully you got it sorted out. If not, let me know, and I'd be happy to assist. And don't forget, if you go with the autoenrollment option (recommended), you'll need to automate the recycling of the SCEP application pool after the certificate renews. I can help you there, too.
- rmckenna, Apr 15, 2026, Brass Contributor
Hi Richard,
Thanks for your comment. Unfortunately, I tried following these directions but couldn't get it to work. I duplicated the cert templates, made the required changes and unpublished the old ones. On the NDES server, I just removed and re-added the NDES role to get it to request new certs and it failed. I tried a second time but instead I superseded the old templates with the new ones. This automatically re-published the old templates. Presumably because you have to publish templates that you want to be superseded. This time, the NDES role configuration did not fail but it still used the old templates somehow.
I had a feeling this might happen going into this because I asked myself: how does the NDES server know to use the new templates? That wasn't clear from the post.
Any help you're willing to give would be greatly appreciated.
Thanks.
DagmarHeidecker MMVader LegoVader would love to get your input on this as well.
- MMVader, Apr 15, 2026, MCT
When you install NDES, you cannot point it to use custom cert templates - it will always revert back to the default templates; this is hard-coded! After NDES has been installed, you can shift to custom templates. When NDES is starting (or the application pool recycles), it won't look into template information. Instead, the service expects TWO valid certs with the OID 1.3.6.1.4.1.311.20.2.1, which corresponds to “Certificate Request Agent”, in the local machine store. Which cert will be used for which purpose will be decided by the key usage ('Digital Signature' for the enrollment agent cert, and 'Encryption' for the CEP encryption cert).
If NDES finds more valid and working certs in the local machine store, it will pick the ones which have been cached (the old ones) except if those are not available anymore. In that case it will look for the most recent ones which meet the requirements.
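A PowerShell check for the selection rule MMVader describes, added here as an example and not code from the thread or from Microsoft: it lists every Certificate Request Agent cert in the local machine store, assigns a role from the Key Usage extension as explained above, and warns when a role has no valid cert (the breakage the original poster hit) or more than one (where NDES keeps using the cached one). It assumes the NDES certificates live in Cert:\LocalMachine\My, as in a default installation.

```powershell
# Added example, not from the thread. Enumerate the certs NDES can choose from.
$agentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU (quoted in the thread)
$ns = 'System.Security.Cryptography.X509Certificates'
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'  # v1 / v2 template extensions

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $agentOid) } |
    ForEach-Object {
        # Key Usage decides the role: Digital Signature -> enrollment agent,
        # Key Encipherment -> CEP encryption (per the comment above).
        $kuExt = $_.Extensions | Where-Object { $_ -is "$ns.X509KeyUsageExtension" } | Select-Object -First 1
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { 0 }
        $role = if ($ku -band "$ns.X509KeyUsageFlags"::DigitalSignature)  { 'EnrollmentAgent' }
                elseif ($ku -band "$ns.X509KeyUsageFlags"::KeyEncipherment) { 'CEPEncryption' }
                else { 'Unknown' }
        # Template extension (if present) shows which template actually issued the cert.
        $tmplExt = $_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Role       = $role
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
            NotAfter   = $_.NotAfter
            Expired    = $_.NotAfter -lt (Get-Date)
        }
    } | Sort-Object Role, NotAfter -Descending

$candidates | Format-Table -AutoSize

# One valid cert per role is the healthy state NDES expects.
foreach ($role in 'EnrollmentAgent', 'CEPEncryption') {
    $valid = @($candidates | Where-Object { $_.Role -eq $role -and -not $_.Expired })
    if ($valid.Count -eq 0) {
        Write-Warning "No valid $role certificate in LocalMachine\My; NDES will not have the two certs it requires."
    } elseif ($valid.Count -gt 1) {
        Write-Warning "$($valid.Count) valid $role certificates; NDES keeps using the cached one until it is gone."
    }
}
```

Run it on the NDES server after renewing or re-issuing the certs and before recycling the SCEP application pool, so the table shows which cert (and which template) the service will pick up.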