
You must install AD CS - Network Device Enrollment Service (NDES) on a server separate from your Enterprise CA.

Install the NDES

Perform the following steps to install the AD CS NDES:
1. Go to Start > Administrative Tools > Server Manager > Manage. Then, select [ Add roles and features ].
2. On the Before You Begin window, select [ Next ].
3. Choose the installation type: Role-based or feature-based installation. Select [ Next ].
4. On the Server Selection page, select the server from the domain (or local machine) on which to install AD CS. Select [ Next ].
5. On the Server Roles page, check the box next to Active Directory Certificate Services. Select [ Next ] and then select [ Add Features ].
6. On the Features page, select the following options and then select [ Next ].
  • Select .NET Framework 3.5 Features and include HTTP Activation
  • Select .NET Framework 4.8 Features and include HTTP Activation under WCF Services
7. On the AD CS page, select [ Next ].
8. On the Role Services page, select Network Device Enrollment Service. Select [ Next ].
9. On the Web Server Role (IIS) page, select [ Next ].
10. On the Role Services page, select the following:
  • Security
    • Request Filtering
  • Application development
    • Net Extensibility 4.8
    • ASP.NET 4.8
  • Management Tools
    • IIS Management Tools
    • IIS 6 Management Compatibility
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
11. Select [ Next ] and then [ Install ].
12. After the installation completes, select [ Close ].
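The same role and feature selection can be scripted instead of clicked through Server Manager. The following is an added example, not part of the Futurex documentation; it uses the standard Install-WindowsFeature cmdlet, and the feature identifiers are the Windows Server names that correspond to each item in the list above (the "IIS Management Tools" entry is taken to mean the IIS Management Console). The server name is a placeholder. It also refuses to run if a certification authority is already present on the target, since NDES must live on a server separate from the Enterprise CA.

```powershell
# Added example (not from the Futurex docs): installs the roles and features
# selected in the Server Manager steps above with Install-WindowsFeature.
# Run from an elevated PowerShell session; $ComputerName is a placeholder.

$ComputerName = 'NDES01'   # placeholder: the member server that will host NDES

# Server Manager selection -> Windows Server feature identifier
$features = @(
    'ADCS-Device-Enrollment',      # AD CS > Network Device Enrollment Service
    'NET-Framework-Features',      # .NET Framework 3.5 Features
    'NET-HTTP-Activation',         #   .NET 3.5 > HTTP Activation
    'NET-Framework-45-Features',   # .NET Framework 4.x Features
    'NET-WCF-HTTP-Activation45',   #   WCF Services > HTTP Activation
    'Web-Filtering',               # IIS > Security > Request Filtering
    'Web-Net-Ext45',               # IIS > Application Development > .NET Extensibility 4.x
    'Web-Asp-Net45',               # IIS > Application Development > ASP.NET 4.x
    'Web-Mgmt-Console',            # IIS > Management Tools > IIS Management Console
    'Web-Mgmt-Compat',             # IIS > Management Tools > IIS 6 Management Compatibility
    'Web-Metabase',                # IIS 6 Metabase Compatibility
    'Web-WMI'                      # IIS 6 WMI Compatibility
)

# NDES must not share a server with the Enterprise CA: stop if a CA is installed here.
if ((Get-WindowsFeature -Name ADCS-Cert-Authority -ComputerName $ComputerName).Installed) {
    throw "ADCS-Cert-Authority is installed on $ComputerName; install NDES on a separate server."
}

$result = Install-WindowsFeature -Name $features -ComputerName $ComputerName -IncludeManagementTools

# Verify that every requested feature now reports as installed.
$missing = Get-WindowsFeature -Name $features -ComputerName $ComputerName |
           Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning ("Not installed: " + ($missing.Name -join ', '))
} else {
    Write-Host "All NDES prerequisite features are installed. RestartNeeded = $($result.RestartNeeded)"
}
```

If the .NET Framework 3.5 payload is not present on the server, Install-WindowsFeature needs the `-Source` parameter pointing at the installation media's `sources\sxs` folder; the check at the end will report `NET-Framework-Features` as missing in that case rather than silently continuing.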

Set the IIS permissions

Before moving on to configuring AD CS NDES, you must first set the permissions for your Service Account and Application Pool account. Perform the following steps:
1. On the NDES server, use the Windows search bar and look for Local Users and Groups. Open it.
2. In the left-side menu, go to Groups.
3. Locate the IIS_IUSRS group and right-click it. Select [ Properties ].
4. Select [ Add ] and add both your Service Account and your NDES Application Pool account.
5. Select [ Apply ] and then [ OK ].

Set the NDES service account

The Domain Administrator account you plan to use for NDES as the service account must have Logon as a Service enabled. To enable it, perform the following steps:
1. On the NDES server, use the Windows search bar and look for Local Security Policy. Open it.
2. Expand Local Policies and select [ User Rights Assignment ].
3. Locate and double-click [ Log on as a service ].
4. Select [ Add User or Group ].
5. Add your Domain Administrator account acting as the NDES Service Account. Select [ OK ].

For more information on installing and configuring Active Directory Certificate Services - NDES, refer to the Microsoft documentation: learn.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
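Both account-preparation steps ("Set the IIS permissions" and "Set the NDES service account") can be applied and verified from PowerShell on the NDES server. The following is an added example, not part of the Futurex documentation. It uses the built-in Add-LocalGroupMember / Get-LocalGroupMember cmdlets for the IIS_IUSRS membership, and secedit to grant the "Log on as a service" right, which the local security policy stores as SeServiceLogonRight. The two account names are placeholders; the right is granted to the service account only, by SID, and the script checks the result before cleaning up.

```powershell
# Added example (not from the Futurex docs): adds the two accounts to IIS_IUSRS
# and grants the NDES service account "Log on as a service" (SeServiceLogonRight).
# Run from an elevated PowerShell session on the NDES server.

$ServiceAccount = 'CONTOSO\svc-ndes'       # placeholder: NDES service account
$AppPoolAccount = 'CONTOSO\svc-ndespool'   # placeholder: NDES application pool account

# --- IIS permissions: both accounts become members of the local IIS_IUSRS group ---
foreach ($acct in $ServiceAccount, $AppPoolAccount) {
    $already = Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction Stop |
               Where-Object { $_.Name -eq $acct }
    if (-not $already) {
        Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $acct
    }
}
Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object Name, PrincipalSource

# --- Service account: grant SeServiceLogonRight ("Log on as a service") ---
# The local policy is exported to an INI-style template, the account's SID is
# appended to the SeServiceLogonRight line, and the template is imported back.
# Working with the SID avoids name-resolution problems inside the template.
$ntAccount = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$tmp = Join-Path $env:TEMP 'ndes-rights'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$cfg = Join-Path $tmp 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

[string[]]$lines = Get-Content $cfg
$key = 'SeServiceLogonRight'
$idx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^$key\s*=") { $idx = $i; break }
}

if ($idx -ge 0) {
    # Right already assigned to someone: append this SID if it is not listed yet.
    if ($lines[$idx] -notmatch [regex]::Escape("*$sid")) {
        $lines[$idx] = $lines[$idx].TrimEnd() + ",*$sid"
    }
} else {
    # Right not assigned to anyone yet: add it under the [Privilege Rights] section.
    $priv  = [array]::IndexOf($lines, '[Privilege Rights]')
    $lines = $lines[0..$priv] + "$key = *$sid" + $lines[($priv + 1)..($lines.Count - 1)]
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

secedit /configure /db (Join-Path $tmp 'secpol.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null

# Verify by re-exporting the policy and looking for the SID on the right.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ((Get-Content $cfg) -match "^$key\s*=.*\*$sid") {
    Write-Host "$ServiceAccount now holds SeServiceLogonRight."
} else {
    Write-Warning "SeServiceLogonRight was not applied for $ServiceAccount."
}
Remove-Item -Path $tmp -Recurse -Force
```

The export and re-import only touch the USER_RIGHTS area, so other local policy settings are left untouched; the verification step is worth keeping, because secedit returns success even when the template contained a line it could not apply.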