Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Perform the following steps to configure the new installation of AD CS with Network Device Enrollment Service:
1
Select Start > Administrative Tools > Server Manager. Select the flag icon to the left of Manage.
2
Select [ Configure Active Directory Certificate Services ] on the destination.
3
On the Credentials page, ensure your login meets the displayed requirements. Select [ Next ].
4
On the Select Role Services page, select [ Network Device Enrollment Service ]. Select [ Next ].
5
On the Service Account for NDES page, select [ Select ] and log in using the Domain Administrator you have designated as your Service Account. Select [ OK ].
6
On the CA for NDES page, select [ CA Name ] and then [ Select ]. Select your ADCS Enterprise CA and select [ OK ].
7
On the RA Information page, you can either keep the suggested RA Name or change it. Enter the Optional Information required by your organization. Select [ Next ].
8
On the Cryptography for NDES page, select [ Microsoft Strong Cryptographic Provider ] for both the Signature Key Provider and the Encryption Key Provider. Select [ Next ].
9
On the Confirmation page, select [ Configure ].

Set the SPN

After configuring AD CS NDES, perform the following steps to set the SPN of the Service Account:
1
On the server that hosts the NDES service, run the following command in an elevated command prompt. This sets the SPN of the NDES service account:
PowerShell
setspn -s http/<DNS name of the computer that hosts the NDES service> <Domain name>\<NDES Service account name>
Example:
PowerShell
Setspn -s http/NDESINTUNE.intune.fx.com INTUNE\Administrator
2
Restart the NDES server.
3
After restarting, go to the following URL: http://<Server_FQDN>/certsrv/mscep/mscep.dll.
You should see a Network Device Enrollment Services page in your web browser.
For more information on installing and configuring Active Directory Certificate Services - NDES, refer to the Microsoft documentation: learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure