@Aurelijus Daujotis, Thanks for posting in Q&A. Based as I know, the following registry key on the computer that hosts the NDES service determine which certificate template we can request.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\
For your issue, it can be that "SCEP certificate - Windows User" and "SCEP certificate - Windows Device" set with the same purpose and we only configure "SCEP certificate - Windows device" in the above registry key. So the device can only receive the certificate with "SCEP certificate - Windows Device"
You can update the registry key value with the certificate template "SCEP certificate - Windows User" to get the certificate.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.