P2 · PKI & Certificate Management

Windows NDES/SCEP Certificate Enrollment Failing for Mobile Devices

Q: What causes Windows NDES/SCEP Certificate Enrollment Failing for Mobile Devices?

NDES service account password expired or account locked • SCEP certificate template permissions — NDES service account lacks Enroll permission on template • IIS Application Pool identity mismatch for NDES • NDES registration authority (RA) certificates expired • Connector (Intune Certificate Connector) outdated or service stopped • Network path from Intune infrastructure to NDES FQDN blocked

Intune or JAMF-managed devices fail to receive certificates via SCEP (Simple Certificate Enrollment Protocol) through Windows NDES (Network Device Enrollment Service). Devices show certificate deployment errors in MDM console; NDES IIS logs show 403 or 500 errors.

Indicators

Intune: Device configuration profile shows 'Failed' for SCEP certificate deployment
NDES server IIS logs show HTTP 403 or 500 on /certsrv/mscep/mscep.dll requests
Windows Event Log on NDES server: Event ID 26 (MSCEP) 'The password provided does not match'
NDES OTP challenge URL returns blank page or 503
Devices enrolled but certificate missing from device cert store

Likely causes

NDES service account password expired or account locked
SCEP certificate template permissions — NDES service account lacks Enroll permission on template
IIS Application Pool identity mismatch for NDES
NDES registration authority (RA) certificates expired
Connector (Intune Certificate Connector) outdated or service stopped
Network path from Intune infrastructure to NDES FQDN blocked

Diagnostic steps

Test NDES connectivity from a device or proxy: GET https://<ndes-fqdn>/certsrv/mscep_admin/ — expect a challenge password page; error here means IIS/NDES not functional
Check NDES Application Pool in IIS Manager — verify it is started and using the correct service account identity; check Application Event Log for pool crashes
Verify NDES service account: not expired, not locked, has Log on as a service right; check NDES Application Pool uses this account
Check RA certs: certlm.msc on NDES server > Local Computer > Personal — look for 'CEP Encryption' and 'Exchange Enrollment Agent' certs; verify not expired
In CA certificate templates: verify NDES service account has Read + Enroll permissions on the SCEP template; verify template is published on the CA
If using Intune Certificate Connector: open Services.msc, verify 'Microsoft Intune Connector' service is running; check connector logs at C:\ProgramData\Microsoft\Intune Certificate Connector\

Resolution path

Reset NDES service account password and update IIS App Pool identity
Renew expired RA certificates: remove and re-enroll NDES on the CA
Fix template permissions: grant NDES service account Read + Enroll on the SCEP template
Restart Intune Certificate Connector service after any config changes
Test end-to-end with a new device enrollment after each fix before re-deploying to all devices

Prevention

Set service account password to never-expire or use a Group Managed Service Account (gMSA)
Monitor RA certificate expiry — set calendar alert at 60 days before expiry
Document NDES build: account name, template name, IIS pool name — NDES is fragile and poorly documented by default

Tools

IIS Manager — Application Pools, NDES site bindings
certlm.msc — Local Computer certificate store (RA certs)
certca.msc / certsrv.msc — CA certificate template permissions
Intune portal — Device configuration > Monitor > Assignment status
Windows Event Viewer — Application (MSCEP events), System

ndessceppkiintunemdmcertificatesiosandroidcertificate-enrollmentadcsiis