The Nightmare of renewing NDES Enrollment Agent Certificates
Hmmm that brings up several questions:
- Publishing: You're saying the NDES server publishes the default certificate templates? I think that just happened after I set up supersedence. The NDES service account has some permissions on the CA but I didn't think that would allow it to publish templates.
- Autoenroll: You say I could use autoenrollment to get the initial certs there. How do you accomplish that if it's not happening in the role configuration? Manually requesting a cert using certutil is easy enough and I was viewing autoenrollment as a solution to make sure that the certs get renewed automatically when they are close to expiring but not sure how to use autoenroll to get the initial certs.
- Binding: I noticed that no instructions say to bind the RA certs to the NDES service like you would with the SSL cert in IIS. How does the NDES service know to use the new certs that I place there? Is it just a matter of deleting the old certs off the server and then it's using simple certificate selection or something similar to find the RA certs?
Sorry if any of these are dumb questions at all. I'm a Systems Engineer that's really had to learn a lot about certificates in a short amount of time.
Yes. When you configure the NDES role (after installing it) it will automatically publish those three certificate templates (CEP Encryption, Exchange Enrollment Agent (Offline Request), and IPsec (Offline Request)) by default. It will also enroll for CEP encryption and Exchange Enrollment Agent certificates based on those templates. The NDES service account may not have permission to publish templates, but the user who installed and configured the NDES role requires it.
You can (optionally) autoenroll the CEP Encryption and Exchange Enrollment Agent certificates using AD certificate autoenrollment. The NDES computer account needs Autoenroll permission on both templates, and the server must also have the Autoenrollment group policy setting for the computer account as well.
Binding happens automatically. When the SCEP application pool starts, it looks for certificates with the Certificate Request Agent EKU (1.3.6.1.4.1.311.20.2.1). If there is more than one, I believe it selects the certificate with the longest validity period. When you enroll for your own certificates and delete the default ones, you must restart the SCEP application pool for the new certificates to take effect.
Feel free to reach out to me directly if you need more help. I know this is incredibly complicated. I'm happy to answer any other questions you might have. :)
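To check which Certificate Request Agent certificates are present on the NDES server, which one the selection rule described in the reply would favour, and how close each is to expiry, here is an added PowerShell check (not from the post or from Microsoft; it assumes the IIS application pool is named SCEP and approximates "longest validity period" as NotAfter minus NotBefore):

```powershell
# Added example: inventory Certificate Request Agent certs in the machine store,
# rank them the way the reply says NDES does (longest validity first), and
# report days to expiry so an RA cert renewal is not missed.
$RaEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU (from the reply)

$raCerts = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $ekuExt = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # Keep only certs whose EKU extension contains the RA OID
    $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $RaEku })
}

if (-not $raCerts) {
    Write-Warning "No certificates with the Certificate Request Agent EKU found in LocalMachine\My."
    return
}

$now = Get-Date
$raCerts |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter, HasPrivateKey,
        @{ Name = 'ValidityDays'; Expression = { [int]($_.NotAfter - $_.NotBefore).TotalDays } },
        @{ Name = 'DaysToExpiry'; Expression = { [int]($_.NotAfter - $now).TotalDays } } |
    Sort-Object ValidityDays -Descending |   # first row = the one NDES is expected to pick
    Format-Table -AutoSize

# Flag anything the service might choose that expires within 30 days (threshold is an assumption)
$raCerts | Where-Object { ($_.NotAfter - $now).TotalDays -lt 30 } | ForEach-Object {
    Write-Warning ("RA cert {0} expires on {1}" -f $_.Thumbprint, $_.NotAfter)
}

# After enrolling new RA certs and removing the old ones, restart the SCEP app pool
# so NDES re-selects certificates (pool name 'SCEP' is assumed; verify in IIS Manager):
# Import-Module WebAdministration; Restart-WebAppPool -Name 'SCEP'
```

Run it in an elevated PowerShell session on the NDES server; a cert without a private key is listed but cannot be used by the service.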