Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 16 (0x10) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAIL_TO_DECODE |
Event text (English): | The Network Device Enrollment Service cannot decode the http message from the client (%1). %2 |
Event text (German): | The coded HTTP message from the client (%1) cannot be decoded by the registration service for network devices. %2 |
Details of the event with ID 17 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 17 (0x11) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAIL_TO_RETRIEVE_INFO |
Event text (English): | The Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client's PKCS7 message (%1). %2 |
Event text (German): | Required information (such as transaction ID, message type, or signing certificate) cannot be retrieved from the client PKCS7 message (%1) by the network device registration service. %2 |
Details of the event with ID 18 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 18 (0x12) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAIL_TO_DECRYPT_INNER |
Event text (English): | The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (%1). %2 |
Event text (German): | The client's PKCS7 message (%1) cannot be decrypted by the network device registration service. %2 |
Details of the event with ID 19 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 19 (0x13) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAIL_TO_GET_CERT_FROM_NUMBER |
Event text (English): | The Network Device Enrollment Service failed trying to retrieve a certificate from the certification authority (CA). Verify that the CA service is running. Use the Certification Authority management console to verify that the Network Device Enrollment Service account has Read permissions on the CA service. Verify that the serial number specified in the GETCERT request is correct, and that the CA service has successfully created a certificate with the specified serial number. The error returned was (%1). %2 |
Event text (German): | An error has occurred in the registration service for network devices when retrieving a certificate from the certification authority (CA). Ensure that the CA service is running. Use the Certification Authority Management Console to verify that the Network Device Enrollment Service account has read access to the CA service. Verify that the serial number specified in the GETCERT request is correct and that the CA service has successfully created a certificate with the specified serial number. Error returned: (%1). %2 |
Details of the event with ID 3 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 3 (0x3) |
Event log: | Application |
Event type: | Information |
Event text (English): | The Network Device Enrollment Service has been stopped. |
Event text (German): | The network device registration service has been terminated. |
Details of the event with ID 4 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 4 (0x4) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_TO_UNLOAD |
Event text (English): | The Network Device Enrollment Service cannot be stopped (%1). %2 |
Event text (German): | The registration service for network devices cannot be terminated (%1). %2 |
Details of the event with ID 6 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 6 (0x6) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_NO_PASSWORD_TEMPLATE |
Event text (English): | The Network Device Enrollment Service cannot provide its password because the user does not have enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template. |
Event text (German): | The registration service password for the network device cannot be specified because the user does not have the required registration permissions for the configured certificate template or the certification authority is not authorized to issue certificates based on the configured certificate template. |
Details of the event with ID 7 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 7 (0x7) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_GET_CA_CERT_FAILED |
Event text (English): | The Network Device Enrollment Service failed to return the certification authority certificate(s) to the caller (%1). %2 |
Event text (German): | The certificate authority certificate was not returned to the caller (%1) by the registration service for network devices. %2 |
Details of the event with ID 8 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 8 (0x8) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_CA_INFO |
Event text (English): | The Network Device Enrollment Service cannot retrieve information about the certification authority (%1). %2 |
Event text (German): | The information on the certification authority (%1) cannot be retrieved by the registration service for network devices. %2 |
Details of the event with ID 9 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 9 (0x9) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_CA_CERT |
Event text (English): | The Network Device Enrollment Service cannot retrieve the certification authority certificate (%1). %2 |
Event text (German): | The certification authority certificate (%1) cannot be retrieved by the registration service for network devices. %2 |
Details of the event with ID 10 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 10 (0xA) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_RA_CERT |
Event text (English): | The Network Device Enrollment Service cannot retrieve one of its required certificates (%1). %2 |
Event text (German): | One of the required certificates (%1) cannot be retrieved by the network device registration service. %2 |
Details of the event with ID 2 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 2 (0x2) |
Event log: | Application |
Event type: | Error |
Symbolic Name: | EVENT_MSCEP_FAILED_TO_LOAD |
Event text (English): | The Network Device Enrollment Service cannot be started (%1). %2 |
Event text (German): | Unable to start network device registration service (%1). %2 |
Details of the event with ID 1 of the source Microsoft-Windows-NetworkDeviceEnrollmentService
Event Source: | Microsoft-Windows-NetworkDeviceEnrollmentService |
Event ID: | 1 (0x1) |
Event log: | Application |
Event type: | Information |
Event text (English): | The Network Device Enrollment Service started successfully. |
Event text (German): | The network device registration service has been started successfully. |
Which Cryptographic Service Provider (CSP) should be used for the Network Device Enrollment Service (NDES)?
When configuring a certificate template for the Registration Authority (RA) certificates for the Network Device Enrollment Service (NDES), the question arises, especially when using Hardware Security Modules (HSM), which Cryptographic Service Provider (CSP) of the HSM manufacturer should be used.

Requesting certificates through the Network Device Enrollment Service (NDES) fails with HTTP error code 503 and there are no entries in the Event Viewer
Assume the following scenario:
- A Network Device Enrollment Service (NDES) is implemented in the network.
- The NDES server uses a domain account or a Group Managed Service Account (gMSA) for the identity of the SCEP IIS application pool.
- Requesting certificates via NDES fails with HTTP error code 503 (Server Unavailable).
- Calling the mscep and mscep_admin pages also fails with HTTP error code 500.
- Even after an iisreset or a restart of the NDES server, calling the mscep or mscep_admin page produces no event indicating that the NDES service has started or that errors occurred.