Overview of Windows events generated by the Network Device Enrollment Service (NDES).

The following is an overview of the events generated by the Network Devices Registration Service (NDES) in the Windows Event Viewer.

The events of the Network Devices Registration Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.

Event Sources

Network device registration service events are written to the application log. The following sources contain NDES events:

  • NetworkDeviceEnrollmentService

Predefined view in the Windows Event Viewer

An appropriately filtered view is preconfigured in the Active Directory Certificate Services category on each system where the Network Device Registration Service is installed.

Event source NetworkDeviceEnrollmentService

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

IDTypeEvent text
1InformationThe Network Device Enrollment Service started successfully.
2ErrorThe Network Device Enrollment Service cannot be started (%1). %2
3InformationThe Network Device Enrollment Service has been stopped.
4ErrorThe Network Device Enrollment Service cannot be stopped (%1). %2
6ErrorThe Network Device Enrollment Service cannot provide its password because the user does not have enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template.
7ErrorThe Network Device Enrollment Service failed to return the certification authority certificate(s) to the caller (%1). %2
8ErrorThe Network Device Enrollment Service cannot retrieve information about the certification authority (%1). %2
9ErrorThe Network Device Enrollment Service cannot retrieve the certification authority certificate (%1). %2
10ErrorThe Network Device Enrollment Service cannot retrieve one of its required certificates (%1). %2
11ErrorThe Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.
12ErrorThe Network Device Enrollment Service received an http request without the "Message" tag (or request body for POSTPKIOperation).
13ErrorThe Network Device Enrollment Service cannot encrypt the response to a client request (%1). %2
14ErrorThe Network Device Enrollment Service cannot sign the response to a client request (%1). %2
15ErrorThe Network Device Enrollment Service cannot convert encoded portions of the client's http message (or request body for POSTPKIOperation), or the converted message (or request body for POSTPKIOperation) is larger than 64K (%1). %2
16ErrorThe Network Device Enrollment Service cannot decode the http message from the client (%1). %2
17ErrorThe Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client's PKCS7 message (%1). %2
18ErrorThe Network Device Enrollment Service cannot decrypt the client's PKCS7 message (%1). %2
19ErrorThe Network Device Enrollment Service failed trying to retrieve a certificate from the certification authority (CA). Verify that the CA service is running. Use the Certification Authority management console to verify that the Network Device Enrollment Service account has Read permissions on the CA service. Verify that the serial number specified in the GETCERT request is correct, and that the CA service has successfully created a certificate with the specified serial number. The error returned was (%1). %2
23ErrorThe Network Device Enrollment Service cannot complete the PKCS7 request (%1). %2
24ErrorThe Network Device Enrollment Service cannot find the issuer name or serial number in the client's PKCS7 message (%1). %2
25ErrorThe Network Device Enrollment Service cannot locate a valid certificate request ID that matches the transaction ID in the client's PKCS7 message (%1). %2
26ErrorThe Network Device Enrollment Service was not able to query the certification authority (CA) for a previously submitted device certificate request. Verify that the CA service is running and that the Network Device Enrollment Service account has Read permission on the CA service. Use the Certification Authority management console to verify the permissions on the CA service. The error returned was (%1). %2
28ErrorThe Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.
29ErrorThe password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.
30ErrorThe Network Device Enrollment Service cannot add an alternative subject name extension to the certificate request (%1). %2
31ErrorThe Network Device Enrollment Service cannot submit the certificate request (%1). %2
32ErrorThe Network Device Enrollment Service cannot retrieve the certificate identified by this request ID (%1). %2
33 ErrorThe Network Device Enrollment Service failed to cache this certificate ID and transaction ID (%1). %2
34ErrorAt least one of the certificates for the Network Device Enrollment Service has expired. Verify that both the encryption and signing certificates are valid and restart the service.
35ErrorAt least one of the certificates for the Network Device Enrollment Service will expire soon. Check the validity period for both the encryption and signing certificates. Renew any certificates that are nearing the end of their validity period and restart the service.
36ErrorThe Network Device Enrollment Service failed while attempting to write the header portion of an http response (%1). %2
37ErrorThe Network Device Enrollment Service failed while attempting to write the data portion of an http response (%1). %2
38ErrorThe Network Device Enrollment Service detected an invalid message type in the client's PKCS7 message.
39ErrorThe Network Device Enrollment Service cannot find key usage information in the certificate request and will use both the Signature and Exchange key usages.
41ErrorThe Network Device Enrollment Service cannot issue a password because the requester is not an administrator of this computer.
42ErrorThe Network Device Enrollment Service cannot decode an X509 certificate request.
43ErrorThis password has already been used to request a (%1) certificate. Only one signing certificate and one exchange certificate can be issued per password. Obtain a new password to use with this request, or create a new request with a different key usage and the same password, then try again.
44ErrorThe Network Device Enrollment Service cannot obtain the certificate revocation list (CRL) for key %1 from the certification authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permission on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority management console to verify the permissions on the CA service. Use the command: Certutil -config "%2" -cainfo crl %3 to verify that the CA service has created the latest CRL. The error returned was (%4). %5
45ErrorThe Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request.
46ErrorThe Network Device Enrollment Service failed to load the hash algorithm specified at location %1. Use the command "certutil -v -csplist" to verify that the computer on which the Network Device Enrollment Service is installed supports the hash algorithm specified. Near the end of the command output, look for the section labeled "Hash Algorithms". If the algorithm specified in the registry is not listed, configure a different hash algorithm in the registry. The error returned was (%2). %3
47InformationThe Network Device Enrollment Service loaded the Registration Authority (RA) key exchange certificate with serial number %1 from the "%2" store.
48InformationThe Network Device Enrollment Service loaded the Registration Authority (RA) signature certificate with serial number %1 from the "%2" store.
49ErrorThe Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length does not match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry.
50InformationThe Network Device Enrollment Service is working in single password mode. The password can be used multiple times and will not expire.
51 ErrorThe Network Device Enrollment Service cannot create or modify the registry key "%1." Grant Read and Write permissions on the registry key "%2" to the account that the Network Device Enrollment Service is running as.
52InformationThe Network Device Enrollment Service policy module was started successfully.
53ErrorThe Network Device Enrollment Service policy module could not be started (%1). %2
54InformationThe Network Device Enrollment Service policy module was stopped successfully.
55ErrorThe Network Device Enrollment Service policy module could not be stopped (%1). %2

Related links:

External sources

en_USEnglish