The Network Device Enrollment Service (NDES) logs the error message "The Network Device Enrollment Service cannot create or modify the registry key Software\Microsoft\Cryptography\MSCEP\EncryptedPassword."

Assume the following scenario:

  • An NDES server is configured on the network.
  • The NDES server is configured to work with a static password.
  • When accessing the NDES administration web page (certsrv/mscep_admin), users are repeatedly prompted for authentication despite having correct credentials.
  • The following event is stored in the application event log:
The Network Device Enrollment Service cannot create or modify the registry key "Software\Microsoft\Cryptography\MSCEP\EncryptedPassword". Grant Read and Write permissions on the registry key "Software\Microsoft\Cryptography\MSCEP" to the account that the Network Device Enrollment Service is running as.

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identifier in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics„.


Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

The NDES service account must enter the static password into the registry, but is not authorized to do so. The registry for NDES is located within the following path:


The NDES service account requires read and write permissions to this registry key. They can be granted with the "Full Control" permission.

Provided that the NDES service runs with the identity of the IIS application pool, this can be entered with the following syntax:


Related links: