Creating a NDES Policy Module – A Programmers Guide

PKI Solutions Logo

Microsoft introduced a great security improvement in Windows Server 2012 R2 to alter the standard Network Device Enrollment Service (NDES) security process. If you are familiar with the whitepaper I wrote for Microsoft (Securing and Hardening NDES) you’ll know I wrote about the disadvantages of using NDES for BYOD and Internet accessible enrollment solutions. The Microsoft InTune product team has been the only product so far to write a Policy Module that improves on the security and issuance model for NDES.

While Microsoft wrote the Policy Module capabilities with an open platform, to-date no other solutions have written a policy module. That is a real shame. Whether it’s a lack of information or visibility, I constantly work with my clients to make sure they are aware of how to secure NDES in their environments. If poorly deployed, it can present a significant thread gateway to your environment and a threat to your PKI.

Thankfully, Tochi Ezebube, an Engineer at Microsoft has written a paper on how to interface to, and write your own Policy Module. The paper is available here:

While it is geared to developers, it goes a long way to bring light to the process and will certainly be a help to anyone looking to create an improved authentication mechanism for NDES.

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.