The Nightmare of renewing NDES Enrollment Agent Certificates
NDES is rather poorly documented, for sure. :/ Hopefully you got it sorted out. If not, let me know, and I'd be happy to assist. And don't forget, if you go with the autoenrollment option (recommended), you'll need to automate the recycling of the SCEP application pool after the certificate renews. I can help you there, too.
Hi Richard,
Thanks for your comment. Unfortunately, I tried following these directions but couldn't get it to work. I duplicated the cert templates, made the required changes and unpublished the old ones. On the NDES server, I just removed and re-added the NDES role to get it to request new certs and it failed. I tried a second time but instead I superseded the old templates with the new ones. This automatically re-published the old templates. Presumably because you have to publish templates that you want to be superseded. This time, the NDES role configuration did not fail but it still used the old templates somehow.
I had a feeling this might happen going into this because I asked myself: how does the NDES server know to use the new templates? That wasn't clear from the post.
Any help you're willing to give would be greatly appreciated.
Thanks.
DagmarHeidecker MMVader LegoVader would love to get your input on this as well.
- MMVader Apr 15, 2026 MCT
When you install NDES, you cannot point it to use custom cert templates - it will always revert back to the default templates; this is hard-coded! After NDES has been installed, you can shift to custom templates. When NDES is starting (or the application pool recycles), it won't look into template information. Instead, the service expects TWO valid certs with the OID 1.3.6.1.4.1.311.20.2.1, which corresponds to "Certificate Request Agent", in the local machine store. Which cert will be used for which purpose will be decided by the key usage ('Digital Signature' for the enrollment agent cert, and 'Encryption' for the CEP encryption cert).
If NDES finds more valid and working certs in the local machine store, it will pick the ones which have been cached (the old ones), unless those are not available anymore. In that case it will look for the most recent ones which meet the requirements.
- richardhicks Apr 15, 2026 Copper Contributor
When you configure the NDES role, it will always publish the default certificate templates and automatically enroll for them. There's nothing you can do about that. After you configure the role you should unpublish them, then enroll for the new ones (or use autoenrollment). Once the new certificates are in place, you can restart the SCEP application pool (or restart the server), and it should work just fine.
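The two points made above, MMVader's selection rule (two valid certs in LocalMachine\My carrying EKU 1.3.6.1.4.1.311.20.2.1, role decided by key usage) and Richard's advice to recycle the SCEP application pool once new certs are in place, as an added PowerShell example that is not part of the thread or of NDES itself. It lists the candidate certs NDES can choose from, warns if a signing or encryption cert is missing, and recycles the pool only when the candidate set has changed since the last run, so it can be scheduled after autoenrollment renews the certs. Assumptions not stated in the thread: the application pool is named 'SCEP' (the default the NDES role creates) and the state-file path is my own choice.

```powershell
# Added example (not from the thread or from NDES). Inventories the certs NDES can pick
# from and recycles the SCEP application pool when that set changes.
# Assumptions: pool name 'SCEP' (default created by the NDES role), state file path is mine.
#Requires -RunAsAdministrator

$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU (MMVader's post)
$AppPoolName        = 'SCEP'                      # assumption: default NDES app pool name
$StateFile          = 'C:\ProgramData\NDES\ra-cert-state.txt'   # assumption: my own path

function Get-NdesCandidateCertificate {
    # Every currently valid cert in LocalMachine\My with a private key and the
    # Certificate Request Agent EKU, tagged with the role NDES derives from key usage.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.NotBefore -le (Get-Date)
    } | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EnrollmentAgentEku }
        if (-not $eku) { return }

        $kuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }

        # Digital Signature -> enrollment agent (signing); Key Encipherment -> CEP encryption.
        # A cert carrying both is reported with both so ambiguous templates stand out.
        $role = @()
        if (($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -ne 0) { $role += 'Signing (enrollment agent)' }
        if (($ku -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment) -ne 0) { $role += 'Encryption (CEP)' }
        if (-not $role) { $role = @('no usable key usage') }

        # Certificate Template Information (1.3.6.1.4.1.311.21.7) tells you which template
        # issued the cert, so a default-template cert is distinguishable from your custom one.
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Role       = ($role -join ' + ')
            Template   = if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' }
        }
    }
}

$candidates = @(Get-NdesCandidateCertificate | Sort-Object NotAfter -Descending)
$candidates | Format-Table Thumbprint, Role, NotAfter, Subject -AutoSize

# Mirror the "TWO valid certs" requirement: one signing, one encryption.
$signing    = @($candidates | Where-Object Role -like '*Signing*')
$encryption = @($candidates | Where-Object Role -like '*Encryption*')
if ($signing.Count -eq 0 -or $encryption.Count -eq 0) {
    Write-Warning "NDES needs one signing and one encryption cert with EKU $EnrollmentAgentEku; found $($signing.Count) signing, $($encryption.Count) encryption."
}

# Recycle the pool only when the candidate set changed since the last run, so the script
# can run from a frequent scheduled task without bouncing the pool needlessly.
$current  = (@($candidates.Thumbprint) | Sort-Object) -join ','
$previous = if (Test-Path $StateFile) { (Get-Content $StateFile -Raw) } else { '' }
if ($current -ne $previous.Trim()) {
    Import-Module WebAdministration
    if ((Get-WebAppPoolState -Name $AppPoolName).Value -eq 'Started') {
        Restart-WebAppPool -Name $AppPoolName
        Write-Output "Certificate set changed; recycled app pool '$AppPoolName'."
    } else {
        Start-WebAppPool -Name $AppPoolName
    }
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -Path $StateFile -Value $current
}
```

Run it once by hand after enrolling the new certs and unpublishing the defaults; the Template column confirms the new certs came from your custom templates, and the first run recycles the pool. Scheduled afterwards, it only recycles again when autoenrollment has replaced a cert.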
- rmckenna Apr 15, 2026 Brass Contributor
Hmmm that brings up several questions:
- Publishing: You're saying the NDES server publishes the default certificate templates? I think that just happened after I set up supersedence. The NDES service account has some permissions on the CA but I didn't think that would allow it to publish templates.
- Autoenroll: You say I could use autoenrollment to get the initial certs there. How do you accomplish that if it's not happening in the role configuration? Manually requesting a cert using certutil is easy enough and I was viewing autoenrollment as a solution to make sure that the certs get renewed automatically when they are close to expiring but not sure how to use autoenroll to get the initial certs.
- Binding: I noticed that no instructions say to bind the RA certs to the NDES service like you would with the SSL cert in IIS. How does the NDES service know to use the new certs that I place there? Is it just a matter of deleting the old certs off the server and then it's using simple certificate selection or something similar to find the RA certs?
Sorry if any of these are dumb questions at all. I'm a Systems Engineer that's really had to learn a lot about certificates in a short amount of time.
- rmckenna Apr 16, 2026 Brass Contributor
richardhicks MMVader thank you both, this all makes sense now!! I got everything working properly. Cheers.