Overview of Windows events generated by the Network Device Enrollment Service (NDES).

The following is an overview of the events that the Network Device Enrollment Service (NDES) writes to the Windows Event Viewer.

The events of the Network Device Enrollment Service are not officially documented. The following list was generated using the Windows Event Log Messages (WELM) tool.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

Event Sources

Network Device Enrollment Service events are written to the Application log. The following sources contain NDES events:

  • NetworkDeviceEnrollmentService

Predefined view in the Windows Event Viewer

An appropriately filtered view is preconfigured in the Active Directory Certificate Services category on each system where the Network Device Enrollment Service is installed.

Event source NetworkDeviceEnrollmentService

| ID | Type | Event text |
|----|------|------------|
| 1 | Information | The Network Device Enrollment Service started successfully. |
| 2 | Error | The Network Device Enrollment Service cannot be started (%1). %2 |
| 3 | Information | The Network Device Enrollment Service has been stopped. |
| 4 | Error | The Network Device Enrollment Service cannot be stopped (%1). %2 |
| 6 | Error | The Network Device Enrollment Service cannot provide its password because the user does not have enroll permissions on the configured certificate template, or the certification authority is not enabled to issue certificates based on the configured certificate template. |
| 7 | Error | The Network Device Enrollment Service failed to return the certification authority certificate(s) to the caller (%1). %2 |
| 8 | Error | The Network Device Enrollment Service cannot retrieve information about the certification authority (%1). %2 |
| 9 | Error | The Network Device Enrollment Service cannot retrieve the certification authority certificate (%1). %2 |
| 10 | Error | The Network Device Enrollment Service cannot retrieve one of its required certificates (%1). %2 |
| 11 | Error | The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag. |
| 12 | Error | The Network Device Enrollment Service received an http request without the "Message" tag (or request body for POSTPKIOperation). |
| 13 | Error | The Network Device Enrollment Service cannot encrypt the response to a client request (%1). %2 |
| 14 | Error | The Network Device Enrollment Service cannot sign the response to a client request (%1). %2 |
| 15 | Error | The Network Device Enrollment Service cannot convert encoded portions of the client's http message (or request body for POSTPKIOperation), or the converted message (or request body for POSTPKIOperation) is larger than 64K (%1). %2 |
| 16 | Error | The Network Device Enrollment Service cannot decode the http message from the client (%1). %2 |
| 17 | Error | The Network Device Enrollment Service cannot retrieve required information, such as the transaction ID, message type, or signing certificate, from the client's PKCS7 message (%1). %2 |
| 18 | Error | The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (%1). %2 |
| 19 | Error | The Network Device Enrollment Service failed trying to retrieve a certificate from the certification authority (CA). Verify that the CA service is running. Use the Certification Authority management console to verify that the Network Device Enrollment Service account has Read permissions on the CA service. Verify that the serial number specified in the GETCERT request is correct, and that the CA service has successfully created a certificate with the specified serial number. The error returned was (%1). %2 |
| 23 | Error | The Network Device Enrollment Service cannot complete the PKCS7 request (%1). %2 |
| 24 | Error | The Network Device Enrollment Service cannot find the issuer name or serial number in the client's PKCS7 message (%1). %2 |
| 25 | Error | The Network Device Enrollment Service cannot locate a valid certificate request ID that matches the transaction ID in the client's PKCS7 message (%1). %2 |
| 26 | Error | The Network Device Enrollment Service was not able to query the certification authority (CA) for a previously submitted device certificate request. Verify that the CA service is running and that the Network Device Enrollment Service account has Read permission on the CA service. Use the Certification Authority management console to verify the permissions on the CA service. The error returned was (%1). %2 |
| 28 | Error | The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name. |
| 29 | Error | The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request. |
| 30 | Error | The Network Device Enrollment Service cannot add an alternative subject name extension to the certificate request (%1). %2 |
| 31 | Error | The Network Device Enrollment Service cannot submit the certificate request (%1). %2 |
| 32 | Error | The Network Device Enrollment Service cannot retrieve the certificate identified by this request ID (%1). %2 |
| 33 | Error | The Network Device Enrollment Service failed to cache this certificate ID and transaction ID (%1). %2 |
| 34 | Error | At least one of the certificates for the Network Device Enrollment Service has expired. Verify that both the encryption and signing certificates are valid and restart the service. |
| 35 | Error | At least one of the certificates for the Network Device Enrollment Service will expire soon. Check the validity period for both the encryption and signing certificates. Renew any certificates that are nearing the end of their validity period and restart the service. |
| 36 | Error | The Network Device Enrollment Service failed while attempting to write the header portion of an http response (%1). %2 |
| 37 | Error | The Network Device Enrollment Service failed while attempting to write the data portion of an http response (%1). %2 |
| 38 | Error | The Network Device Enrollment Service detected an invalid message type in the client's PKCS7 message. |
| 39 | Error | The Network Device Enrollment Service cannot find key usage information in the certificate request and will use both the Signature and Exchange key usages. |
| 41 | Error | The Network Device Enrollment Service cannot issue a password because the requester is not an administrator of this computer. |
| 42 | Error | The Network Device Enrollment Service cannot decode an X509 certificate request. |
| 43 | Error | This password has already been used to request a (%1) certificate. Only one signing certificate and one exchange certificate can be issued per password. Obtain a new password to use with this request, or create a new request with a different key usage and the same password, then try again. |
| 44 | Error | The Network Device Enrollment Service cannot obtain the certificate revocation list (CRL) for key %1 from the certification authority. Verify that the CA service is running, the Network Device Enrollment Service account has Read permission on the CA service, and the CA service has successfully created the latest CRL. Use the Certification Authority management console to verify the permissions on the CA service. Use the command: Certutil -config "%2" -cainfo crl %3 to verify that the CA service has created the latest CRL. The error returned was (%4). %5 |
| 45 | Error | The Network Device Enrollment Service cannot match the issuer name and serial number in the device request to any certification authority (CA) certificate. Verify that the device request contains the correct CA certificate information, then resubmit the request. |
| 46 | Error | The Network Device Enrollment Service failed to load the hash algorithm specified at location %1. Use the command "certutil -v -csplist" to verify that the computer on which the Network Device Enrollment Service is installed supports the hash algorithm specified. Near the end of the command output, look for the section labeled "Hash Algorithms". If the algorithm specified in the registry is not listed, configure a different hash algorithm in the registry. The error returned was (%2). %3 |
| 47 | Information | The Network Device Enrollment Service loaded the Registration Authority (RA) key exchange certificate with serial number %1 from the "%2" store. |
| 48 | Information | The Network Device Enrollment Service loaded the Registration Authority (RA) signature certificate with serial number %1 from the "%2" store. |
| 49 | Error | The Network Device Enrollment Service has failed to decrypt the encrypted password or the decrypted password's length does not match the one configured in the registry. To fix this, delete the EncryptedPassword entry in the registry. |
| 50 | Information | The Network Device Enrollment Service is working in single password mode. The password can be used multiple times and will not expire. |
| 51 | Error | The Network Device Enrollment Service cannot create or modify the registry key "%1." Grant Read and Write permissions on the registry key "%2" to the account that the Network Device Enrollment Service is running as. |
| 52 | Information | The Network Device Enrollment Service policy module was started successfully. |
| 53 | Error | The Network Device Enrollment Service policy module could not be started (%1). %2 |
| 54 | Information | The Network Device Enrollment Service policy module was stopped successfully. |
| 55 | Error | The Network Device Enrollment Service policy module could not be stopped (%1). %2 |
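
For monitoring, the event IDs listed above can be grouped into a few triage buckets and counted per bucket. The following PowerShell sketch is an added example, not Microsoft code and not part of the original article: the function name, the bucket names and the assignment of IDs to buckets are this example's own assumptions, and the source name is matched by suffix on the assumption that the provider may be registered with a vendor prefix. The sample records are constructed.

```powershell
# Added example. Bucket names and ID assignments are assumptions of this example,
# derived from the event texts in the table above.
$NdesTriage = [ordered]@{
    'Password / challenge'          = 6, 28, 29, 41, 43, 49, 50
    'RA certificate health'         = 10, 34, 35, 47, 48
    'Malformed client request'      = 11, 12, 15, 16, 17, 18, 24, 38, 42, 45
    'CA connectivity / permissions' = 8, 9, 19, 26, 31, 32, 44
}

function Get-NdesTriageSummary {
    # Hypothetical helper: accepts event records (anything exposing ProviderName
    # and Id, such as Get-WinEvent output) and returns counts per bucket and ID.
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $rows = @() }
    process {
        # Ignore events from other sources in the Application log.
        if ($Record.ProviderName -notlike '*NetworkDeviceEnrollmentService') { return }
        $bucket = 'Other'
        foreach ($name in $NdesTriage.Keys) {
            if ($NdesTriage[$name] -contains $Record.Id) { $bucket = $name; break }
        }
        $rows += [pscustomobject]@{ Bucket = $bucket; Id = $Record.Id }
    }
    end {
        $rows | Group-Object Bucket, Id |
            Sort-Object Count -Descending |
            Select-Object Count, Name
    }
}

# Constructed sample records standing in for real log entries.
$sample = @(
    [pscustomobject]@{ ProviderName = 'NetworkDeviceEnrollmentService'; Id = 29 }
    [pscustomobject]@{ ProviderName = 'NetworkDeviceEnrollmentService'; Id = 29 }
    [pscustomobject]@{ ProviderName = 'NetworkDeviceEnrollmentService'; Id = 50 }
    [pscustomobject]@{ ProviderName = 'NetworkDeviceEnrollmentService'; Id = 35 }
    [pscustomobject]@{ ProviderName = 'SomeOtherSource'; Id = 29 }
)
$sample | Get-NdesTriageSummary

# On an NDES server, feed it the last seven days of the Application log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-7) } |
#     Get-NdesTriageSummary
```

Repeated events 29 and 43 (password already used), event 41 (password requested by a non-administrator) and event 50 (single password mode, where the password is reusable and does not expire) are the entries in the password bucket most worth alerting on.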
