With Windows Server 2016 fast approaching end of life (EOL – January 2027) I’ve been helping many customers get their existing Network Device Enrollment Service (NDES) server upgraded to Windows Server 2025. In the past I’ve had few problems deploying NDES on Windows Server 2016, 2019, and 2022. However, NDES deployments on Windows Server 2025 have proven more challenging. Unlike previous releases, many installations fail during initial configuration with little indication of the underlying cause. The error described below is quite common, in my experience.

Unsupported Cert Type

When configuring the NDES role on Windows Server 2025, administrators may encounter an installation failure with the following error message.

Failed to enroll RA certificates. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

Investigation

Inspection of the issuing CA confirmed that the required NDES certificate templates had been published successfully and were visible on the target issuing CA server.

After confirming the templates were published, I validated connectivity between the NDEs server and the issuing CA to rule out communication issues.

certutil.exe -config <servername\commonname> -ping

Root Cause

Although the precise root cause remains unclear, the issue appears related to timing or object availability during NDES configuration. In many cases it behaves like a delay in template publication visibility, Active Directory replication latency, or another dependency timing issue encountered during setup.

Recovery

Fortunately, if you encounter this issue you can usually just remove the configuration using PowerShell and run it again.

Uninstall-AdccsNetworkDeviceEnrollmentService -Force

However, in my experience running the installer again results in another error, usually the 0x80070003 ‘Path Not Found’ error. If that happens, see my published guidance for recovering from this error here.

https://directaccess.richardhicks.com/2026/05/26/troubleshooting-ndes-error-0x80070003-path-not-found-on-windows-server-2025

While recovery is usually straightforward, preventing the issue entirely is preferable.

Recommendation

I recommend publishing the required templates on the target issuing CA before proceeding with the NDES configuration. Publishing these templates manually before running NDES configuration ensures they are already visible and available to the CA, potentially avoiding timing-related enrollment failures during setup. The following default templates are required for NDES configuration.

• IPsec (Offline request)
• CEP Encryption
• Exchange Enrollment Agent (Offline request)

Note: Best practice is to remove these templates after configuration because they are intended only for NDES registration authority enrollment and are not typically required for ongoing issuance.

Summary

When deploying NDES on Windows Server 2025, administrators may encounter the 0x80094800 CERTSRV_E_UNSUPPORTED_CERT_TYPE error even when the required templates appear correctly configured. Although the exact cause remains uncertain, the issue appears related to timing or template availability during setup. In most cases, removing and re-running the NDES configuration resolves the problem, while pre-publishing the default NDES templates before configuration can help prevent it entirely.

Additional Information

Troubleshooting NDES Error 0x80070003 Path Not Found on Windows Server 2025

Intune PKCS and SCEP Certificate Validity Period

TRAINING: Mastering Enterprise PKI Certificates with Microsoft Intune

When deploying enterprise PKI certificates with Microsoft Intune using SCEP, administrators must deploy one or more on-premises Network Device Enrollment Service (NDES) servers together with the Intune Certificate Connector. Installing and configuring NDES can be challenging because the solution includes multiple dependencies and has many moving parts. Troubleshooting installation failures can be difficult, particularly on Windows Server 2025 where I have observed installation issues more frequently than on earlier Windows Server releases.

Path Not Found

As I work with customers to migrate their existing NDES services to Windows Server 2025, I frequently encounter installation errors. Specifically, the ‘Path Not Found’ error is increasingly common. Using PowerShell or the Server Manager, administrators may encounter a failed NDES installation that returns the following error message.

CMSCEPSetup::Install: The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)

Investigation

Reviewing the NDES installation log at C:\Windows\certocm.log yields an important clue.

Microsoft Active Directory Certificate Services: Failed to add the web virtual directory. The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND): The system cannot find the path specified. 0x80070003 (WIN32: 3 ERROR_PATH_NOT_FOUND)

Root Cause

This error occurs after a failed installation attempt which corrupts the IIS configuration on the NDES server. This prevents the NDES installer from configuring applications in the default web site. Fortunately, the problem is easy to resolve.

Recovery Steps

To recover from this error, first uninstall the NDES service (not the role) by opening an elevated PowerShell command window and running the following command.

Uninstall-AdccsNetworkDeviceEnrollmentService -Force

Next, remove the corrupt IIS configuration file.

Remove-Item C:\Windows\System32\inetsrv\config\applicationHost.config -Force

Copy a known-good IIS configuration file from the WinSxS folder.

$WinSxSConfig = Get-ChildItem C:\Windows\WinSxS -Recurse -Filter applicationHost.config -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1
Copy-Item -Path $WinSxSConfig.FullName "C:\Windows\System32\inetsrv\config\applicationHost.config" -Force

And finally, recreate the default website.

& "$env:SystemRoot\System32\inetsrv\appcmd.exe" add site /name:"Default Web Site" /bindings:http/*:80: /physicalPath:"%SystemDrive%\inetpub\wwwroot"

Once complete, proceed with the NDES configuration.

Pro Tip

Because this issue occurs frequently enough in my experience, I recommend backing up the IIS configuration immediately after installing the NDES role and before beginning configuration. You can backup the IIS configuration by opening an elevated PowerShell command window and running the following command.

& "$env:SystemRoot\System32\inetsrv\appcmd.exe" add backup 'Backup Name'

If the NDES configuration subsequently fails, uninstall the configuration, then restore the backup using the following command.

& "$env:SystemRoot\System32\inetsrv\appcmd.exe" restore backup 'Backup Name'

Once complete, proceed with the NDES configuration once again.

Summary

NDES installation failures on Windows Server 2025 can leave IIS in an inconsistent state and trigger 0x80070003 ERROR_PATH_NOT_FOUND errors during configuration. Restoring a known-good IIS configuration and recreating the default web site resolves the issue quickly. Backing up the IIS configuration before beginning NDES configuration can significantly reduce recovery time if installation problems occur.

Additional Information

Troubleshooting NDES Error 0x80094800 Unsupported Cert Type on Windows Server 2025

Intune PKCS and SCEP Certificate Validity Period

TRAINING: Mastering Enterprise PKI Certificates with Microsoft Intune