Free Edition
What is MDM?
Enterprise Mobility Management
Mobile Device Management
Mobile Application Management
Mobile Security Management
Mobile Email Management
Mobile Content Management
BYOD
Compliance
- CJIS
- HIPAA
- ISO
- PCI
- GDPR
Awards & Reviews
Supported Platforms
- iOS
- Android
- Windows
- macOS
- Chrome OS
- Android Enterprise
- Samsung Knox
Related Products

How to Validate and Secure NDES Certificate Template Permissions?

Overview

When integrating ADCS certificate templates into MDM to deploy user certificates to mobile devices, it is important to review the PKI deployment and certificate template permissions to ensure that certificates are issued only for authorized purposes and through authorized sources. The following steps will help validate that your existing ADCS certificate templates are securely configured.

Identify the Template Used by NDES

Open Registry Editor (regedit.exe) and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP
Check the values for EncryptionTemplate, GeneralPurposeTemplate, and SignatureTemplate.
Note the template name listed under the Data column (e.g., ndestemp).

Configure SCEP for iOS Step 18

Open the Certificate Templates Console and Locate the Template

Open the Certification Authority console (certsrv.msc).
Right-click Certificate Templates and select Manage.
Locate the template name identified from the registry, right-click it, and choose Properties.

Configure SCEP for iOS Step 18

Validate Security Permissions

Open the Security tab.
Review all Group or user names and ensure:
- Only the NDES service account has Enroll permissions.
- Broad groups do not have Enroll permissions (e.g., Domain Users, Authenticated Users, or other large groups).
- Administrative groups have only the minimum required permissions (typically Read).
Remove or uncheck any unnecessary Enroll / Autoenroll permissions.

Configure SCEP for iOS Step 18

Apply the Updated Permissions

Click Apply, then OK.
Close the Certificate Templates management window.

Restart IIS to Apply Changes

Open Command Prompt or PowerShell as Administrator.
Wait for IIS to restart successfully, then verify that SCEP/NDES is accessible again.

For more information on securing NDES certificate templates, refer to the official Microsoft documentation .

Audit Issued Certificates for the NDES Templates

After confirming that the NDES template is correctly configured and restricted, audit the Certification Authority to ensure certificates are issued only to the NDES service account.

Open the Certification Authority Console

Launch certsrv.msc on the CA server.
Expand the Certificate Authority node.
Select Issued Certificates.

Configure SCEP for iOS Step 18

Validate the Requester Account

For each certificate issued using the NDES template:

Check the Requester Name column.
Ensure it matches the NDES service account (e.g., DOMAIN\ndes).

Configure SCEP for iOS Step 18

If certificates were requested by any users other than the intended NDES account, then the template permissions are overly permissive. Investigate and address immediately.

Revoke Unintended Certificates

If any unissued certificates are found:

Right-click the certificate entry.
Choose All Tasks → Revoke Certificate.
Select a revocation reason (e.g., Unspecified).
Confirm.

Configure SCEP for iOS Step 18

This prevents unauthorized certificates from being used for authentication or enrollment.