The Network Device Enrollment Service allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).
You can read an overview and details about the service by reviewing Network
Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS).
NDES can also be used in conjunction with some Mobile Device Management (MDM) software to deploy certificates to mobile devices. For detailed steps about configuring the service, refer to
Configure the Network Device Enrollment Service
NDES does not perform any identity verification. The MDM solution extends NDES to additional functionalities that it was not made for. It is highly recommended to have additional identity verification methods.
Warning: SCEP was designed to be used in a closed network where all end-points are trusted. The warnings from CERT in the article "Simple
Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests" should be considered when implementing the NDES service. If an application utilizes SCEP, it should provide its own strong authentication.
return to top
This is not simple task, and there is not an option out of the box to support clustering or load balancing of the NDES. NDES creates a unique one-time passphrase used for enrollment, which doesn’t guarantee that a requesting
device will always contact the same enrollment NDES server that created the password.
In addition, NDES does not have a database; hence clustering using Microsoft Clustering Services is not an option. Furthermore, clustering and load balancing NDES are not currently supported by Microsoft
return to top
This solution can work so long as the active node is always on. However, if the active node generates the one time passphrase, and then failed, then devices will fail enrollment because the second node does not have the
Yes, however this is a non-secure solution and will make it easy for anyone to use the same passphrase to enroll any device for certificates. Doing so defeats using certificates to allow only approved devices on your network.
NDES allows the generation of 5 unique passwords every 60 minutes by default. Using the single password option also requires adding the SinglePassword registry key. Refer to
Configuring NDES for more information about the various NDES
Yes, but this solution makes your NDES deployment less secure because of the same reasons mentioned as the answer for Can I use a single password or passphrase for device enrollment?
In addition, this method is not supported by Microsoft
Yes. You can also install multiple NDES servers pointing to the same Clustered Certification Authority.
You can install it on any of the Certification Authority cluster nodes, and then point the NDES configuration to the Clustered Certification Authority to request certificates. This will not provide service high availability
or load balancing. It is recommended to install the Network Device Enrollment Service on a separate member server if you already have a clustered CA.
NDES generates 5 passwords that are cached for 60 minutes by default. This means that the device has to complete its enrollment process within 60 minutes of the password generation before the password expires.
NDES can’t generate more passwords after the fifth until at least one device completed the enrollment process. Consider the following scenario:
An administrator requests 5 passwords for 5 different devices. The 5 password are valid for 60 minutes, within the 60 minutes he was asked to generate a new password for a new device – 6th
device – The NDES service will fail to generate a password because none of the devices completed the enrollment process.
Consider the same scenario, where the administrator completed at least one device enrollment, then the NDES service can generate a new password for the 6th device.
The defaults can be changed using the PasswordValidity and PasswordMax registry which are documented in
No, you need to repeat the entire enrollment process.
You can use templates intended for computers only – user templates cannot be enrolled using NDES.
You can use Version 1 through Version 3 certificate templates. The template version used depends on the device supporting a Cryptographic Service Provider (CSP) or a Key Storage Provider (KSP). If the device supports a CSP,
then you can use Version 1 and 2 templates. If the device supports a KSP, then you can use version 3 templates. Consult your device’s vendor to know which provider is supported.
Active Directory UA Docs edited Revision 8. Comment: updated for clarity with regard to the statement about an application utilizing SCEP