September 3rd, 2025 06:18

ThinOS 10.x SCEP enrollment fails with "ROOT CERT IS MISSING OR WRONG" despite NDES working correctly

Hi all, pulling my hair out over this one and hoping someone has experience with ThinOS thin clients and SCEP/NDES.

Environment:

  • Windows Server with NDES (Network Device Enrollment Service)
  • ThinOS 10.x thin clients
  • Root CA
  • SCEP URL: ...certsrv/mscep/mscep.dll

Problem: ThinOS devices fail SCEP enrollment with error "ROOT CERT IS MISSING OR WRONG" even though:

  • Root CA certificate is loaded and trusted in ThinOS (thumbprint matches)
  • NDES is successfully creating certificates (visible in CA console)

What I've verified:

  1. NDES service is running correctly with proper RA certificates
  2. IIS logs show all SCEP operations completing successfully
  3. The GetCACert response contains 3 certificates: Root CA + 2 RA certificates (signing & encryption)
  4. Root CA certificate thumbprint in ThinOS matches exactly what NDES returns
  5. Network connectivity is fine (can curl the SCEP endpoints successfully)

Suspicion: The NDES GetCACert operation returns a PKCS#7 bundle with 3 certificates (Root CA + 2 RA certs). I suspect ThinOS might be picking the wrong certificate from the bundle or can't handle the multi-certificate response properly.

Question: Has anyone successfully deployed ThinOS devices with Windows NDES? Any known compatibility issues or specific configuration requirements for ThinOS SCEP implementation?

Any suggestions for troubleshooting or workarounds would be greatly appreciated!
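
Added example (not part of the original post and not vendor code): one way to label each certificate in a saved GetCACert PKCS#7 bundle as root CA, RA signing or RA encryption, and to print its SHA-1 thumbprint for comparison with the certificate loaded on the client. It assumes OpenSSL 1.1.1 or later; the function names, the `getcacert.p7b` file name and the sample certificates are constructed for illustration.

```bash
# Added example: label each certificate in a saved SCEP GetCACert response.
# Assumes OpenSSL 1.1.1+ on PATH. Function names and sample data are constructed.

# Print "ROLE<TAB>SHA1-THUMBPRINT<TAB>SUBJECT" per certificate in DER PKCS#7 file $1.
classify_getcacert() {
  local p7=$1 tmp f text subj iss fp role
  tmp=$(mktemp -d)
  # Split the bundle into one PEM file per certificate.
  openssl pkcs7 -inform DER -in "$p7" -print_certs |
    awk -v d="$tmp" '/BEGIN CERT/{n++} /BEGIN CERT/,/END CERT/{print > (d "/c" n ".pem")}'
  for f in "$tmp"/c*.pem; do
    text=$(openssl x509 -in "$f" -noout -text)
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253); iss=${iss#issuer=}
    fp=$(openssl x509 -in "$f" -noout -fingerprint -sha1); fp=${fp#*=}
    case $text in
      *CA:TRUE*) if [ "$subj" = "$iss" ]; then role=ROOT-CA; else role=SUB-CA; fi ;;
      *"Digital Signature"*"Key Encipherment"*) role=RA-SIGN+ENC ;;
      *"Digital Signature"*) role=RA-SIGNING ;;
      *"Key Encipherment"*) role=RA-ENCRYPTION ;;
      *) role=OTHER ;;
    esac
    printf '%s\t%s\t%s\n' "$role" "$fp" "$subj"
  done
  rm -rf "$tmp"
}

# Build a constructed bundle in directory $1: root CA plus signing and encryption RA certs.
make_sample_bundle() {
  local d=$1 s
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=placeholder' \
    '[root]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    '[sig]' 'keyUsage=critical,digitalSignature' \
    '[enc]' 'keyUsage=critical,keyEncipherment' > "$d/x.cnf"
  openssl req -x509 -config "$d/x.cnf" -extensions root -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -subj "/CN=Example Root CA" -days 1 2>/dev/null
  for s in sig enc; do
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -keyout "$d/$s.key" \
      -out "$d/$s.csr" -subj "/CN=Example RA $s" 2>/dev/null
    openssl x509 -req -in "$d/$s.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
      -extfile "$d/x.cnf" -extensions "$s" -days 1 -out "$d/$s.pem" 2>/dev/null
  done
  openssl crl2pkcs7 -nocrl -certfile "$d/ca.pem" -certfile "$d/sig.pem" \
    -certfile "$d/enc.pem" -outform DER -out "$d/getcacert.p7b"
}

# Demo on the constructed bundle; replace the path with a saved GetCACert response.
d=$(mktemp -d); make_sample_bundle "$d"; classify_getcacert "$d/getcacert.p7b"
```

Run against the real response, the ROOT-CA line gives the thumbprint to compare with the one on the thin client, and the RA lines show which key usages each RA certificate actually carries.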
