When deploying enterprise PKI certificates with Microsoft Intune using SCEP, administrators must deploy one or more on-premises Network Device Enrollment Service (NDES) servers together with the Intune Certificate Connector. Installing and configuring NDES can be challenging because the solution includes multiple dependencies and has many moving parts. Troubleshooting installation failures can be difficult, particularly on Windows Server 2025 where I have observed installation issues more frequently than on earlier Windows Server releases.
Path Not Found
As I work with customers to migrate their existing NDES services to Windows Server 2025, I frequently encounter installation errors. Specifically, the ‘Path Not Found’ error is increasingly common. Using PowerShell or the Server Manager, administrators may encounter a failed NDES installation that returns the following error message.
CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
Investigation
Reviewing the NDES installation log at C:\Windows\certocm.log yields an important clue.
Microsoft Active Directory Certificate Services: Failed to add the web virtual directory. The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND): The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)
Root Cause
This error occurs after a failed installation attempt which corrupts the IIS configuration on the NDES server. This prevents the NDES installer from configuring applications in the default web site. Fortunately, the problem is easy to resolve.
Recovery Steps
To recover from this error, first uninstall the NDES service (not the role) by opening an elevated PowerShell command window and running the following command.
Uninstall-AdccsNetworkDeviceEnrollmentService -Force
Next, remove the corrupt IIS configuration file.
Remove-Item C:\Windows\System32\inetsrv\config\applicationHost.config -Force
Copy a known-good IIS configuration file from the WinSxS folder.
$WinSxSConfig = Get-ChildItem C:\Windows\WinSxS -Recurse -Filter applicationHost.config -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1Copy-Item -Path $WinSxSConfig.FullName "C:\Windows\System32\inetsrv\config\applicationHost.config" -Force
And finally, recreate the default website.
& "$env:SystemRoot\System32\inetsrv\appcmd.exe" add site /name:"Default Web Site" /bindings:http/*:80: /physicalPath:"%SystemDrive%\inetpub\wwwroot"
Once complete, proceed with the NDES configuration.
Pro Tip
Because this issue occurs frequently enough in my experience, I recommend backing up the IIS configuration immediately after installing the NDES role and before beginning configuration. You can backup the IIS configuration by opening an elevated PowerShell command window and running the following command.
& "$env:SystemRoot\System32\inetsrv\appcmd.exe" add backup 'Backup Name'
If the NDES configuration subsequently fails, uninstall the configuration, then restore the backup using the following command.
& "$env:SystemRoot\System32\inetsrv\appcmd.exe" restore backup 'Backup Name'
Once complete, proceed with the NDES configuration once again.
Summary
NDES installation failures on Windows Server 2025 can leave IIS in an inconsistent state and trigger 0x80070003 ERROR_PATH_NOT_FOUND errors during configuration. Restoring a known-good IIS configuration and recreating the default web site resolves the issue quickly. Backing up the IIS configuration before beginning NDES configuration can significantly reduce recovery time if installation problems occur.
Additional Information
Troubleshooting NDES Error 0x80094800 Unsupported Cert Type on Windows Server 2025
Intune PKCS and SCEP Certificate Validity Period
TRAINING: Mastering Enterprise PKI Certificates with Microsoft Intune
