With Windows Server 2016 fast approaching end of life (EOL – January 2027) I’ve been helping many customers get their existing Network Device Enrollment Service (NDES) server upgraded to Windows Server 2025. In the past I’ve had few problems deploying NDES on Windows Server 2016, 2019, and 2022. However, NDES deployments on Windows Server 2025 have proven more challenging. Unlike previous releases, many installations fail during initial configuration with little indication of the underlying cause. The error described below is quite common, in my experience.
Unsupported Cert Type
When configuring the NDES role on Windows Server 2025, administrators may encounter an installation failure with the following error message.
Failed to enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Investigation
Inspection of the issuing CA confirmed that the required NDES certificate templates had been published successfully and were visible on the target issuing CA server.
After confirming the templates were published, I validated connectivity between the NDEs server and the issuing CA to rule out communication issues.
certutil.exe -config <servername\commonname> -ping
Root Cause
Although the precise root cause remains unclear, the issue appears related to timing or object availability during NDES configuration. In many cases it behaves like a delay in template publication visibility, Active Directory replication latency, or another dependency timing issue encountered during setup.
Recovery
Fortunately, if you encounter this issue you can usually just remove the configuration using PowerShell and run it again.
Uninstall-AdccsNetworkDeviceEnrollmentService -Force
However, in my experience running the installer again results in another error, usually the 0x80070003 ‘Path Not Found’ error. If that happens, see my published guidance for recovering from this error here.
While recovery is usually straightforward, preventing the issue entirely is preferable.
Recommendation
I recommend publishing the required templates on the target issuing CA before proceeding with the NDES configuration. Publishing these templates manually before running NDES configuration ensures they are already visible and available to the CA, potentially avoiding timing-related enrollment failures during setup. The following default templates are required for NDES configuration.
- IPsec (Offline request)
- CEP Encryption
- Exchange Enrollment Agent (Offline request)
Note: Best practice is to remove these templates after configuration because they are intended only for NDES registration authority enrollment and are not typically required for ongoing issuance.
Summary
When deploying NDES on Windows Server 2025, administrators may encounter the 0x80094800 CERTSRV_E_UNSUPPORTED_CERT_TYPE error even when the required templates appear correctly configured. Although the exact cause remains uncertain, the issue appears related to timing or template availability during setup. In most cases, removing and re-running the NDES configuration resolves the problem, while pre-publishing the default NDES templates before configuration can help prevent it entirely.
Additional Information
Troubleshooting NDES Error 0x80070003 Path Not Found on Windows Server 2025
Intune PKCS and SCEP Certificate Validity Period
TRAINING: Mastering Enterprise PKI Certificates with Microsoft Intune
