NDES AD certificate services Configuration error

1

While configuring NDES for my Win Server 2019, I encountered the following error.

Failed to add the following certificate templates to the enterprise Active Directory Certificate Services or update security settings on those templates:
EnrollmentAgentOffline
CEPEncryption
IPSEC (Offline request)
Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)

I have added NdesService account to the local/domain iis_iusrs group, added read and enroll on the 3 required templates for my NdesAdmin & Service account. After re-installing multiple times, it still doesn't work. Can someone please help? Thanks!

ad-certificate-services
asked on Server Fault Feb 22, 2021 by ba zhang • edited Mar 2, 2021 by Andrew Schulman

1 Answer

0

The error listed can be caused by a couple of different issues. The first is permissions on the default templates. The account installing NDES needs Enterprise Admin rights (for the install only). From the same account used to attempt the install, log on to the CA selected during NDES config and from an Admin CMD or PowerShell manually publish the templates to the CA:

    certutil -setcatemplates +CEPEncryption
    certutil -setcatemplates +EnrollmentAgentOffline
    certutil -setcatemplates +IPSECIntermediateOffline

If that fails, it is permissions on the default templates.

If successful, validate that the certificate from the CA selected during NDES config is present in the NDES server's trusted store. If your PKI is two-tier, verify the Root is in Trusted Roots and the Issuing CA used for config is in the Intermediate Certification store.

answered on Server Fault Feb 22, 2021 by KidneyStones
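An added PowerShell example, not part of the answer above, that scripts the checks it describes: publishing the three templates with certutil, looking the template objects up in AD (since "Element not found" can mean they are absent), and confirming the CA chain sits in the right stores on the NDES host. The CA subject names are placeholders, and the AD lookup assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example, not from the original post. Run elevated: the publish step on
# the CA host, the store check on the NDES host. CA names below are placeholders.
$Templates = @('CEPEncryption', 'EnrollmentAgentOffline', 'IPSECIntermediateOffline')

function Publish-NdesTemplates {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # certutil -setcatemplates +<cn> adds the template to the CA's issue list.
        $out = & certutil.exe -setcatemplates "+$name" 2>&1
        if ($LASTEXITCODE -ne 0) {
            # A failure here usually means missing rights on the template object.
            Write-Warning "Failed to publish $name (exit $LASTEXITCODE): $out"
        } else {
            Write-Host "Published $name"
        }
    }
}

function Test-TemplateObjects {
    param([string[]]$Names)
    # Templates live in the configuration partition; 0x80070490 can mean the
    # object itself is missing there. Requires the ActiveDirectory module (assumed).
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
    foreach ($n in $Names) {
        $obj = Get-ADObject -Filter "cn -eq '$n'" -SearchBase $base -ErrorAction SilentlyContinue
        [pscustomobject]@{ Template = $n; ExistsInAD = [bool]$obj }
    }
}

function Test-NdesTrustStores {
    param([string]$RootSubject, [string]$IssuingSubject)
    # Two-tier PKI: root belongs in Trusted Root CAs, issuing CA in Intermediate CAs.
    $root    = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -like "*$RootSubject*"
    $issuing = Get-ChildItem Cert:\LocalMachine\CA   | Where-Object Subject -like "*$IssuingSubject*"
    [pscustomobject]@{
        RootInTrustedRoots    = [bool]$root
        IssuingInIntermediate = [bool]$issuing
    }
}

Test-TemplateObjects -Names $Templates
Publish-NdesTemplates -Names $Templates
Test-NdesTrustStores -RootSubject 'Contoso Root CA' -IssuingSubject 'Contoso Issuing CA'
```

If `Test-TemplateObjects` reports `ExistsInAD = False` for a template, publishing cannot succeed regardless of permissions; if it reports `True` but the publish fails, check the template's ACL.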

User contributions licensed under CC BY-SA 3.0