Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 49 (0x31) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_DECRYPT_PASSWORD |
Event text (English): | The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length does not match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry. |
Event text (German): | The encrypted password could not be decrypted by the network device registry service, or the length of the decrypted password does not match the configuration in the registry. Remove the EncryptedPassword entry from the registry to resolve the issue. |
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
Example events
The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length does not match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry.
Description
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rule sets to achieve secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded from GitHub and used free of charge. Professional maintenance is also offered.
Occurs when the NDES server has been configured to use a static password and one of the following is true:
Possible cause: Static password cannot be read
The error occurs when the NDES service account cannot read the stored static password (anymore).
The password is stored in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword\EncryptedPassword
This can be the case, for example, if the service account was changed afterwards and the registry key still has the old owner or the wrong permissions.
The problem can be solved by assigning the correct permissions to the registry key. See the article "Configuring the Network Device Enrollment Service (NDES) to work with a static password".
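As an added example (not part of the article), the following PowerShell script reports the owner of the EncryptedPassword key named above and whether the NDES service account holds read access to it, with a repair function that grants read access. The key path is the one from the article; the account name `CONTOSO\svc-ndes` is a placeholder to replace with the identity your NDES application pool runs as.

```powershell
# Added example, not from the original article. Reports who owns the registry
# key that holds the NDES static password and whether the NDES service account
# has read access to it, with an optional repair step.
# Assumptions: $KeyPath is the key named in the article; $ServiceAccount is a
# placeholder to replace with the identity the NDES application pool runs as.

$KeyPath        = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword'
$ServiceAccount = 'CONTOSO\svc-ndes'   # placeholder account name

function Test-NdesPasswordKeyAccess {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Registry key $Path does not exist; NDES is probably not configured for a static password."
        return $false
    }

    $acl = Get-Acl -Path $Path
    Write-Host "Owner of $Path : $($acl.Owner)"

    # ReadKey = QueryValues | EnumerateSubKeys | Notify | ReadPermissions.
    # Keep only Allow rules that contain all of those rights.
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $readers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }

    Write-Host "Principals with read access:"
    $readers | Select-Object IdentityReference, RegistryRights, IsInherited |
        Format-Table -AutoSize | Out-String | Write-Host

    # Direct match only: access granted through group membership is not resolved here.
    $match = $readers | Where-Object { $_.IdentityReference.Value -ieq $Identity }
    return [bool]$match
}

function Grant-NdesPasswordKeyRead {
    param([string]$Path, [string]$Identity)

    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl    # requires administrative rights
}

if (Test-NdesPasswordKeyAccess -Path $KeyPath -Identity $ServiceAccount) {
    Write-Host "OK: $ServiceAccount can read the static password key."
} else {
    Write-Warning "$ServiceAccount has no read access to $KeyPath (the cause of event 49 described above)."
    # Uncomment to grant read access, then restart IIS (iisreset) so NDES picks it up:
    # Grant-NdesPasswordKeyRead -Path $KeyPath -Identity $ServiceAccount
}
```

The check only matches the account name directly; if read access is granted through a group the service account belongs to, the script reports a mismatch even though NDES works, so compare the listed principals against the account's group memberships before applying the repair. Run it in an elevated session, as reading the key's owner and rewriting its ACL both require administrative rights.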
Possible cause: Wrong address used
The error can also occur if NDES is called via the wrong address. In some documentation (e.g. Baramundi) the following syntax is suggested:
https://{address-of-NDES-server}/certsrv/mscep
Under certain circumstances, it may be useful to try the following notation as well:
https://{address-of-NDES-server}/certsrv/mscep/mscep.dll/pkiclient.exe
Security assessment
The security assessment is based on the three dimensions of confidentiality, integrity and availability.
When this event occurs, availability is compromised, so an alert should be raised.
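As an added example (not part of the article), this PowerShell script implements the alert described above: it queries the Application log for event ID 49 from the NDES provider within a lookback window and exits with a non-zero code when any are found, so a scheduled task or monitoring agent can treat the result as a failure. It also carries the equivalent XPath filter, which is the form an Event Viewer custom view or a Windows Event Forwarding subscription would use. It assumes it runs locally on the NDES server.

```powershell
# Added example, not from the original article. Checks the Application log for
# event ID 49 from the NDES provider within a lookback window and returns the
# matching events so a monitoring job can raise an alert on them.
# Assumption: the script runs on the NDES server itself.

function Get-NdesPasswordDecryptFailures {
    param([int]$LookbackHours = 24)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-NetworkDeviceEnrollmentService'
        Id           = 49
        StartTime    = (Get-Date).AddHours(-$LookbackHours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    return @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

# Same selection as an XPath query, usable in an Event Viewer custom view,
# a WEF subscription, or Get-WinEvent -FilterXml.
$NdesEvent49Xml = @'
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">
      *[System[Provider[@Name='Microsoft-Windows-NetworkDeviceEnrollmentService'] and (EventID=49)]]
    </Select>
  </Query>
</QueryList>
'@

function Get-NdesPasswordDecryptFailuresXml {
    return @(Get-WinEvent -FilterXml $NdesEvent49Xml -ErrorAction SilentlyContinue)
}

$hits = Get-NdesPasswordDecryptFailures -LookbackHours 24

if ($hits.Count -gt 0) {
    $hits | Select-Object TimeCreated, Id, Message | Format-List | Out-String | Write-Host
    Write-Warning ("NDES availability impacted: {0} occurrence(s) of event 49 in the last 24 h." -f $hits.Count)
    exit 1   # non-zero exit so a scheduled task or monitoring agent treats this as a failure
}

Write-Host "No event 49 from NDES in the last 24 h."
```

Because the event means NDES can no longer hand out the static challenge password, every enrollment attempt from the devices that rely on it will fail until the registry permissions (or the request URL) are corrected, which is why a single occurrence is enough to alert on rather than waiting for a threshold.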