The Nightmare of renewing NDES Enrollment Agent Certificates
Hi Richard,
Thanks for your comment. Unfortunately, I tried following these directions but couldn't get it to work. I duplicated the cert templates, made the required changes and unpublished the old ones. On the NDES server, I just removed and re-added the NDES role to get it to request new certs and it failed. I tried a second time but instead I superseded the old templates with the new ones. This automatically re-published the old templates. Presumably because you have to publish templates that you want to be superseded. This time, the NDES role configuration did not fail but it still used the old templates somehow.
I had a feeling this might happen going into this because I asked myself: how does the NDES server know to use the new templates? That wasn't clear from the post.
Any help you're willing to give would be greatly appreciated.
Thanks.
DagmarHeidecker MMVader LegoVader would love to get your input on this as well.
When you configure the NDES role, it will always publish the default certificate templates and automatically enroll for them. There's nothing you can do about that. After you configure the role you should unpublish them, then enroll for the new ones (or use autoenrollment). Once the new certificates are in place, you can restart the SCEP application pool (or restart the server), and it should work just fine.
- rmckenna, Apr 15, 2026, Brass Contributor
Hmmm that brings up several questions:
- Publishing: You're saying the NDES server publishes the default certificate templates? I think that just happened after I set up supersedence. The NDES service account has some permissions on the CA, but I didn't think that would allow it to publish templates.
- Autoenroll: You say I could use autoenrollment to get the initial certs there. How do you accomplish that if it's not happening in the role configuration? Manually requesting a cert using certutil is easy enough and I was viewing autoenrollment as a solution to make sure that the certs get renewed automatically when they are close to expiring but not sure how to use autoenroll to get the initial certs.
- Binding: I noticed that no instructions say to bind the RA certs to the NDES service like you would with the SSL cert in IIS. How does the NDES service know to use the new certs that I place there? Is it just a matter of deleting the old certs off the server and then it's using simple certificate selection or something similar to find the RA certs?
Sorry if any of these are dumb questions at all. I'm a Systems Engineer that's really had to learn a lot about certificates in a short amount of time.
- rmckenna, Apr 16, 2026, Brass Contributor
richardhicks MMVader thank you both, this all makes sense now!! I got everything working properly. Cheers.
- richardhicks, Apr 16, 2026, Copper Contributor
Yes. When you configure the NDES role (after installing it) it will automatically publish those three certificate templates (CEP Encryption, Exchange Enrollment Agent (Offline Request), and IPsec (Offline Request)) by default. It will also enroll for CEP encryption and Exchange Enrollment Agent certificates based on those templates. The NDES service account may not have permission to publish templates, but the user who installed and configured the NDES role requires it.
You can (optionally) autoenroll the CEP Encryption and Exchange Enrollment Agent certificates using AD certificate autoenrollment. The NDES computer account needs Autoenroll permission on both templates, and the server must also have the Autoenrollment group policy setting for the computer account as well.
Binding happens automatically. When the SCEP application pool starts, it looks for certificates with the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1). If there is more than one, I believe it selects the certificate with the longest validity period. When you enroll for your own certificates and delete the default ones, you must restart the SCEP application pool for the new certificates to take effect.
Feel free to reach out to me directly if you need more help. I know this is incredibly complicated. I'm happy to answer any other questions you might have. :)
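One way to check, on the NDES server itself, which RA certificate the SCEP application pool will pick up and whether it is close to expiring. This is an added example, not code from the blog post or from either commenter; it assumes the longest-validity selection rule described above, that the IIS application pool is named SCEP, and a 30-day warning threshold.

```powershell
# Added example (not from the post or thread): enumerate machine certificates that
# carry the Certificate Request Agent EKU, which is what the SCEP application pool
# looks for, and show which one wins under the "longest validity" rule.
$RaEku    = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID (from the thread)
$TplExt   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension
$WarnDays = 30                          # assumed threshold for "expiring soon"

# Only certificates with a private key can actually sign requests.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $RaEku })
    } |
    Sort-Object -Property NotAfter -Descending)

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with EKU $RaEku in LocalMachine\My; NDES cannot sign requests."
    return
}

# Show every candidate, including which template issued it, so stale default
# certificates (old template) next to the new ones are easy to spot.
$candidates | Select-Object Thumbprint, Subject, NotBefore, NotAfter,
    @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } },
    @{ Name = 'Template'; Expression = {
        ($_.Extensions | Where-Object { $_.Oid.Value -eq $TplExt } |
            ForEach-Object { $_.Format($false) }) -join '; ' } } |
    Format-Table -AutoSize

# Under the longest-validity rule the first (latest NotAfter) entry is the one NDES uses.
$selected = $candidates[0]
Write-Host "Expected selection: $($selected.Thumbprint) ($($selected.Subject)) expires $($selected.NotAfter)"

if (($selected.NotAfter - (Get-Date)).TotalDays -lt $WarnDays) {
    Write-Warning ("Selected RA certificate expires in under $WarnDays days. Enroll a replacement, " +
                   "remove the old one, then run: Restart-WebAppPool -Name SCEP")
}
```

Run it again after enrolling the new certificates and deleting the default ones; the thumbprint it reports should change only after the SCEP application pool has been restarted.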