Starting NDES Services (Device Registration Service) Fails with “object does not exist”

I ran into this issue when configuring SCEP/NDES certificate registration for an Intune tenant.

Following all the best practice configuration steps, left me with an SCEP enrollment page returning Internal Server Error 500 instead of the expected 200.

image

I found that the Device Registration Service was not starting correctly. In the event logs I found it attempting to start and then stopping

image

The two most helpful event are the EventID 137

image

Failed to find the Device Registration Service object at DeviceRegistrationService.

Additional information
Error Message: The object does not exist..
Error Result code: NoSuchObject.

and EventID 157

image

An error occurred.

Additional information
Error: Failed to find the Device Registration Service object in the configuration naming context in domain contoso.com.

It’s essentially saying that the DeviceRegistrationService objects have not been successfully written to AD.

If I browse the Configuration partition of my Active Directory, I can see there is no Device Registration Configuration

image

And if I run the following Get-AdfsDeviceRegistration PowerShell cmdlet, I’ll get a configuration error

image

To fix this, run Initialize-ADDeviceRegistration

image

You’ll then find the Device Registration Configuration objects in your Active Directory

image

Start the Device Registration Service again, and all should start as expected.

image

Restart the NDES server just to be sure everything is talking correctly, and test the SCEP URL again. This time we should get a 200 instead of 500

image

Matt Shadbolt

Comments