Overview
The Simple Certificate Enrollment Protocol (SCEP) allows endpoints—such as Windows machines, mobile devices, and IoT hardware—to automatically request and renew digital certificates from a Certificate Authority (CA).
In a Windows ecosystem, SCEP authentication is fulfilled using the Network Device Enrollment Service (NDES) role acting as a Registration Authority (RA). This article outlines the architecture, step-by-step configuration, and deployment workflow for Windows SCEP authentication, typically paired with a Mobile Device Management (MDM) platform like Microsoft Intune.
Architecture & Authentication Workflow
[ Endpoint / Device ] <--- (Profile) --- [ MDM (e.g., Intune) ]
          |                                        ^
          | (1) Request Cert                       | (2) Validate Challenge
          v                                        |
[ NDES Server (IIS) ] <----------------------------+
          |
          | (3) Forward CSR
          v
[ Certificate Authority (CA) ]
- Profile Deployment: The MDM pushes a SCEP profile containing a unique challenge password, the NDES URL, and certificate attributes to the device.
- Certificate Request: The device generates a private/public key pair and sends a Certificate Signing Request (CSR) along with the challenge password to the NDES server.
- Validation: The NDES server (often via an MDM Certificate Connector) validates the challenge password against the MDM platform.
- Issuance: If valid, NDES forwards the CSR to the Active Directory Certificate Services (AD CS) CA. The CA issues the certificate and returns it to the device through NDES.
Prerequisites
Before beginning the configuration, ensure your environment meets these requirements:
- An operational Active Directory Enterprise Certificate Authority (Root or Subordinate).
- A dedicated Windows Server instance to host the NDES (Network Device Enrollment Service) role.
- A dedicated Active Directory domain account to act as the NDES Service Account.
- Network line-of-sight between the NDES Server, the CA, and your MDM framework.
Step-by-Step Configuration
Step 1: Configure Certificate Templates on the CA
You must create a dedicated certificate template that the endpoints will request.
- Log in to your Issuing CA server and open the Certification Authority console (certsrv.msc).
- Right-click Certificate Templates and select Manage.
- Locate the User or Device template, right-click it, and select Duplicate Template.
- Configure the following tabs:
- General: Provide a clear Display Name (e.g., MDM SCEP Certificate). Note the Template Name (the value without spaces); it is the value NDES must be pointed at later.
- Subject Name: Select Supply in the request. Because the subject is then taken from the CSR rather than built from Active Directory, identity validation rests entirely on the challenge check performed by NDES/MDM.
- Extensions: Edit Application Policies and ensure Client Authentication is present. Remove any unnecessary extensions.
- Cryptography: Set the minimum key size to 2048.
- Security: Add your NDES Service Account and grant it Read and Enroll permissions.
- Save the template, return to the main CA console, right-click Certificate Templates -> New -> Certificate Template to Issue, and select your newly created template.
Step 2: Install and Configure NDES
- On your designated NDES server, open Server Manager and select Add Roles and Features.
- Select Active Directory Certificate Services and check Network Device Enrollment Service. (Accept the prompt to install IIS prerequisites).
- Once installed, click the notification flag in Server Manager and select Configure Active Directory Certificate Services on the destination server.
- On the Role Services page, check Network Device Enrollment Service.
- Specify the NDES Service Account created during the prerequisites phase. This user must belong to the local server's IIS_IUSRS group.
- Link the NDES service to your CA and complete the wizard.
Step 3: Map NDES Registry Keys to Your Template
By default, NDES uses built-in templates. You must redirect it to use your newly published custom SCEP template.
- Open the Registry Editor (regedit.exe) on the NDES server.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
- Locate the following three string keys (REG_SZ):
- EncryptionTemplate
- GeneralPurposeTemplate
- SignatureTemplate
- Modify the value of all three keys to match the exact, space-free Template Name created in Step 1.
- Restart IIS by executing iisreset in an elevated command prompt.
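Steps 2 and 3 as one script, added here as an example and not taken from the original article. It is run from an elevated PowerShell prompt on the NDES server; the service account, CA configuration string and template name are assumed placeholder values to replace with your own.

```powershell
# Added example (not from the original article): Steps 2 and 3 as one script, run from an
# elevated PowerShell prompt on the NDES server. Assumed values, replace with your own:
$ServiceAccount = "CORP\svc-ndes"                          # NDES service account from Prerequisites
$CAConfig       = "ca01.corp.example.com\Corp-Issuing-CA"  # "<CA host FQDN>\<CA common name>"
$TemplateName   = "MDMSCEPCertificate"                     # space-free Template Name from Step 1
$Slots          = "EncryptionTemplate", "GeneralPurposeTemplate", "SignatureTemplate"

# Step 2: install the NDES role service (the IIS prerequisites come with it), put the service
# account into the local IIS_IUSRS group and bind NDES to the issuing CA.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools
Add-LocalGroupMember -Group "IIS_IUSRS" -Member $ServiceAccount -ErrorAction SilentlyContinue
$cred = Get-Credential -UserName $ServiceAccount -Message "Password for the NDES service account"
Install-AdcsNetworkDeviceEnrollmentService -ServiceAccountName $ServiceAccount `
    -ServiceAccountPassword $cred.Password -CAConfig $CAConfig -Force

# Step 3: point all three template slots at the custom template instead of the built-in ones.
$mscep = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP"
foreach ($slot in $Slots) {
    Set-ItemProperty -Path $mscep -Name $slot -Value $TemplateName -Type String
}

# Read the values back: a slot that still names another template means the next enrollment
# would silently be issued from that template instead of yours.
$current = Get-ItemProperty -Path $mscep
$wrong = $Slots | Where-Object { $current.$_ -ne $TemplateName }
if ($wrong) { throw "Template mapping incomplete for: $($wrong -join ', ')" }

# Restart IIS so the MSCEP application picks up the new values.
iisreset
```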
Step 4: Deploy the SCEP Profile via MDM
To connect clients to this infrastructure, create a SCEP profile inside your MDM portal.
- Navigate to your MDM's configuration profiles (e.g., Microsoft Intune -> Devices -> Configuration).
- Create a new profile, selecting SCEP certificate as the profile type.
- Configure the profile settings:
- Certificate type: Device or User.
- Subject name format: e.g., CN={{DeviceName}} or CN={{UserPrincipalName}}.
- Subject alternative name (SAN): Add a DNS attribute or UPN attribute as required.
- Key storage provider (KSP): Enroll to the TPM KSP if the device has a TPM, otherwise to the Software KSP, so that hardware-backed keys are used wherever they are available.
- SCEP Server URLs: Input your NDES server’s public-facing URL (e.g., https://ndes.domain.com/certsrv/mscep/mscep.dll).
SCEP Security Best Practices
[!WARNING]
By design, the SCEP protocol lacks advanced identity-verification capabilities. Without proper defenses, it can expose your PKI to identity impersonation risks.
- Rotate Challenge Passwords: Avoid using static or globally shared secrets. Use a Dynamic Challenge architecture via an MDM gateway plugin (like the Intune Certificate Connector) so that each request uses a single-use, time-bound token.
- Disable Static Passwords: If your MDM uses dynamic verification, enforce it in the registry on your NDES server by ensuring EnforcePassword is set to 1 under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\.
- Isolate NDES Servers: Restrict inbound network access to your NDES servers. Ensure only authorized MDM cloud platforms or trusted network zones can reach the NDES endpoint.
- Enforce HTTPS: Secure your NDES IIS instances using valid SSL/TLS certificates matching the internal and external Fully Qualified Domain Names (FQDN).
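A configuration audit for the challenge-password and HTTPS points above, added here as an example and not taken from the original article. It runs on the NDES server; the external FQDN is an assumed placeholder, and the UseSinglePassword registry key checked alongside EnforcePassword is a standard NDES setting not mentioned in the text.

```powershell
# Added example (not from the original article): audits the NDES hardening settings from this
# section on the NDES server itself. Assumed value, replace with your external FQDN:
$ExpectedFqdn = "ndes.corp.example.com"
Import-Module WebAdministration
$findings = @()

# Challenge-password policy: EnforcePassword must be 1. UseSinglePassword=1 would mean one
# static shared secret for every device, which is exactly what the first two bullets warn against.
$mscep   = "HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP"
$enforce = (Get-ItemProperty "$mscep\EnforcePassword"   -ErrorAction SilentlyContinue).EnforcePassword
$single  = (Get-ItemProperty "$mscep\UseSinglePassword" -ErrorAction SilentlyContinue).UseSinglePassword
if ($enforce -ne 1) { $findings += "EnforcePassword is '$enforce' (expected 1)" }
if ($single  -eq 1) { $findings += "UseSinglePassword is 1: a static shared challenge password is in use" }

# Transport: an HTTPS binding must exist and its certificate must be present, unexpired and
# valid for the FQDN that devices are given in the SCEP profile.
$https = Get-WebBinding -Protocol https
if (-not $https) { $findings += "No HTTPS binding exists on any IIS site" }
foreach ($b in $https) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $b.certificateHash
    if (-not $cert) { $findings += "$($b.bindingInformation): bound certificate not found in LocalMachine\My"; continue }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "$($b.bindingInformation): certificate expired $($cert.NotAfter)" }
    $names = $cert.DnsNameList.Unicode
    if ($names -notcontains $ExpectedFqdn) {
        $findings += "$($b.bindingInformation): certificate does not cover $ExpectedFqdn (has: $($names -join ', '))"
    }
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { "No findings: NDES hardening checks passed." }
```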
Troubleshooting & Verification
Initial Availability Verification
To ensure NDES is running correctly, open a web browser on a client machine and navigate to the NDES URL:
https://<Your-NDES-FQDN>/certsrv/mscep/mscep.dll
- Expected behavior (Static Challenge): If configured for simple access, it will prompt for credentials or display the MSCEP interface showing a thumbprint and a challenge password.
- Expected behavior (Dynamic Challenge with MDM): If integrated with a connector (e.g., Intune), you may see an HTTP Error 403.0 - Forbidden or an authentication block when hitting the endpoint directly from an unmanaged browser. This indicates the gateway is properly blocking unauthenticated traffic.
Reviewing Server Logs
When troubleshooting failed certificate delivery, check the following server logs:
- NDES Server Events: Open Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> NetworkDeviceEnrollmentService. Look for error codes related to template access permissions or password validation.
- IIS Logs: Check C:\inetpub\logs\LogFiles\W3SVC1\ to see HTTP status codes generated by client enrollment attempts (e.g., looking for HTTP 401 Unauthorized or 500 Internal Server Error).
- CA Request Failures: Open certsrv.msc on the CA and review the Failed Requests node to inspect why the certificate authority may have denied an NDES-forwarded request.
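The availability check and log review above as one script, added here as an example and not taken from the original article. It runs on the NDES server; the NDES URL is an assumed placeholder, the IIS log directory is the default named above, and the NDES event channels are located by name pattern rather than hard-coded.

```powershell
# Added example (not from the original article): NDES verification run on the NDES server itself.
# Assumed value, replace with your own:
$NdesUrl = "https://ndes.corp.example.com/certsrv/mscep/mscep.dll"

# 1. Probe the endpoint. 200 means the static MSCEP page answered; 401/403 from an unmanaged
#    client is the expected result when an MDM connector enforces dynamic challenges.
function Test-NdesEndpoint([string]$Url) {
    try {
        return [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # DNS, TLS or connection failures are surfaced rather than reported as HTTP codes
    }
}

# 2. Count HTTP status codes of mscep.dll requests in the newest W3C-format IIS log, so that a
#    run of 401 or 500 responses stands out without reading the file by hand.
function Get-ScepStatusSummary([string]$LogDir = "C:\inetpub\logs\LogFiles\W3SVC1") {
    $log = Get-ChildItem "$LogDir\*.log" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $fields = $null; $counts = @{}
    foreach ($line in Get-Content -Path $log.FullName) {
        if ($line.StartsWith("#Fields:")) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith("#") -or -not $fields) { continue }   # other header/comment lines
        $col = $line -split ' '
        if ($col[[array]::IndexOf($fields, "cs-uri-stem")] -notlike "*/mscep/mscep.dll") { continue }
        $status = $col[[array]::IndexOf($fields, "sc-status")]
        $counts[$status] = 1 + [int]$counts[$status]
    }
    return $counts
}

# 3. Recent warnings and errors from the NDES event channel(s) named under Reviewing Server Logs.
function Get-NdesRecentErrors([int]$Max = 20) {
    Get-WinEvent -ListLog "*NetworkDeviceEnrollmentService*" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-WinEvent -LogName $_.LogName -MaxEvents $Max -ErrorAction SilentlyContinue } |
        Where-Object { $_.Level -le 3 } |    # 1 = Critical, 2 = Error, 3 = Warning
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

"HTTP status for $NdesUrl : $(Test-NdesEndpoint $NdesUrl)"
(Get-ScepStatusSummary).GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Get-NdesRecentErrors | Format-List
```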