Regular password change when configuring the Network Device Enrollment Service (NDES) with a static password.

Suppose you are running a Network Device Enrollment Service (NDES) that is configured to use a static password. In this case, unlike in the default configuration, the password that clients use to request certificates via NDES never changes.

A middle ground is possible, however, for example changing the password once a day. The following describes how to automate that change.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

To force a password change, the current password must be deleted from the registry. It is stored under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword\EncryptedPassword

Then the SCEP application pool must be restarted so that a new password is generated.

Note that after the change, certificate requests that still use the previous password are no longer accepted.

The process can be automated with the following three PowerShell commands. A request is also sent to the NDES server immediately afterwards, so that the new password is generated right away rather than on the next client request.

# Delete the stored static password so NDES has to generate a new one
Remove-ItemProperty `
-Path HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword `
-Name EncryptedPassword
# Restart the NDES application pool (requires the WebAdministration module)
Restart-WebAppPool -Name SCEP
# Give the pool a moment to come back up
Start-Sleep -Seconds 15
# Call the NDES ISAPI extension so the new password is generated immediately
[void](Invoke-WebRequest -Uri "http://localhost/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps")
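The three commands above do the job, but for a daily rotation a practitioner will want the steps wrapped in a script that verifies each one (the value actually existed, the application pool came back up, the request succeeded, and a new value was written) and that can be registered as a scheduled task. The following script is an added example, not code from the original article; it assumes the application pool is named SCEP and that NDES answers on http://localhost exactly as in the commands above, that it runs elevated on the NDES server, and that the task name and the 03:00 run time are placeholders you would adapt.

```powershell
# Reset-NdesStaticPassword.ps1 (added example; assumptions noted in the lead-in)
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$AppPoolName = 'SCEP',                       # NDES application pool, as on the page
    [string]$NdesUri = 'http://localhost/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps',
    [int]$WaitSeconds = 15,                              # time to let the pool restart
    [switch]$RegisterDailyTask,                          # also create the daily scheduled task
    [string]$TaskTime = '03:00'                          # hypothetical run time for the task
)

Import-Module WebAdministration -ErrorAction Stop

$regPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EncryptedPassword'
$regName = 'EncryptedPassword'

function Reset-NdesPassword {
    # Step 1: delete the stored static password, if it is present at all
    $before = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $before) {
        Write-Warning "No '$regName' value found under $regPath; nothing to delete."
    } else {
        Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction Stop
        Write-Verbose "Deleted $regPath\$regName"
    }

    # Step 2: restart the application pool and confirm it is running again
    Restart-WebAppPool -Name $AppPoolName -ErrorAction Stop
    Start-Sleep -Seconds $WaitSeconds
    $state = (Get-WebAppPoolState -Name $AppPoolName).Value
    if ($state -ne 'Started') {
        throw "Application pool '$AppPoolName' is in state '$state' after the restart."
    }

    # Step 3: trigger NDES so the new password is generated right away
    $resp = Invoke-WebRequest -Uri $NdesUri -UseBasicParsing -ErrorAction Stop
    if ($resp.StatusCode -ne 200) {
        throw "GetCACaps request returned HTTP $($resp.StatusCode)."
    }

    # Verification: a fresh value should now exist and differ from the old one
    $after = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if ($null -eq $after) {
        Write-Warning "'$regName' has not been recreated yet under $regPath; check the NDES event log."
        return
    }
    if ($null -ne $before -and (($before.$regName -join ',') -eq ($after.$regName -join ','))) {
        Write-Warning "The stored value is unchanged; the password may not have been rotated."
    } else {
        Write-Verbose "New '$regName' value written; previous password is no longer valid."
    }
}

function Register-NdesPasswordResetTask {
    param([string]$At)
    # Runs this same script once a day as SYSTEM with the same pool name
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -File `"$PSCommandPath`" -AppPoolName $AppPoolName"
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'NDES static password rotation' `
        -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

if ($RegisterDailyTask) {
    Register-NdesPasswordResetTask -At $TaskTime
}
Reset-NdesPassword
```

Run it once interactively with `-Verbose` to see each step confirmed, then once with `-RegisterDailyTask` to install the daily task. Because every request made with the old password is rejected from the moment the value is deleted, choose a run time outside the window in which devices are expected to enrol, and communicate the new password to whoever hands it to devices through the same channel you use today.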
