Configure Active Directory Certificate Services - NDES

You must install the AD CS Network Device Enrollment Service on a server separate from your enterprise CA.

Install the AD CS Network Device Enrollment Service (NDES)

1. Go to Start > Administrative Tools > Server Manager > Manage. Then, select [Add Roles and Features].
2. On the Before You Begin window, select [Next].
3. Choose the installation type Role-based or feature-based installation. Select [Next].
4. On the Server Selection page, select the server from the domain (or local machine) on which to install AD CS. Select [Next].
5. On the Server Roles page, check the box next to Active Directory Certificate Services. Select [Next] and then select [Add Features].
6. On the Features page, select the following options and then select [Next]:
   - Select .NET Framework 3.5 Features and include HTTP Activation.
   - Select .NET Framework 4.8 Features and include HTTP Activation under WCF Services.
7. On the AD CS page, select [Next].
8. On the Role Services page, select Network Device Enrollment Service. Select [Next].
9. On the Web Server Role (IIS) page, select [Next].
10. On the Role Services page, select the following:
    - Security
      - Request Filtering
    - Application Development
      - .NET Extensibility 4.8
      - ASP.NET 4.8
    - Management Tools
      - IIS Management Tools
      - IIS 6 Management Compatibility
        - IIS 6 Metabase Compatibility
        - IIS 6 WMI Compatibility
11. Select [Next] and then [Install].
12. After the installation completes, select [Close].

Set the IIS permissions for your NDES accounts

Before moving on to configuring AD CS NDES, you must first set the permissions for your service account and application pool account.

1. On the NDES server, use the Windows search bar and look for Local Users and Groups. Open it.
2. In the left toolbar, select [Groups].
3. Locate the IIS_IUSRS group and right-click it. Select [Properties].
4. Select [Add] and add both your service account and your NDES application pool account.
5. Select [Apply] and then [OK].

Set the NDES service account to use Log on as a service

The domain administrator account you plan to use for NDES as the service account must have Log on as a service enabled. To enable it:

1. On the NDES server, use the Windows search bar and look for Local Security Policy. Open it.
2. Expand Local Policies and select [User Rights Assignment].
3. Locate and double-click [Log on as a service].
4. Select [Add User or Group].
5. Add your domain administrator account acting as the NDES service account.
6. Select [OK].

For more information on installing and configuring Active Directory Certificate Services NDES, refer to the Microsoft documentation.
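
To confirm the three procedures above took effect before you configure NDES, the following read-only PowerShell check can be run on the NDES server. It is an added example, not part of the original page or of Microsoft's documentation. The account names CONTOSO\svc-ndes and CONTOSO\ndes-apppool are placeholders, and the script assumes an elevated session.

```powershell
# Added example: read-only check of the NDES prerequisites. Run elevated on the NDES server.
# Assumption: both account names are placeholders; replace them with your own.
$Accounts = @('CONTOSO\svc-ndes', 'CONTOSO\ndes-apppool')  # service account, app pool account
$ServiceAccount = $Accounts[0]

# Server Manager names for the wizard selections. The "45" names cover the
# .NET Framework 4.x entries, which newer Windows Server releases display as 4.8.
$RequiredFeatures = @(
    'ADCS-Device-Enrollment',                       # Network Device Enrollment Service
    'NET-Framework-Core', 'NET-HTTP-Activation',    # .NET Framework 3.5 + HTTP Activation
    'NET-Framework-45-Core', 'NET-WCF-HTTP-Activation45',
    'Web-Filtering',                                # Security > Request Filtering
    'Web-Net-Ext45', 'Web-Asp-Net45',               # Application Development
    'Web-Mgmt-Tools', 'Web-Mgmt-Compat', 'Web-Metabase', 'Web-WMI'
)

function Get-AccountSid([string]$Account) {
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Roles and features: list anything the wizard steps should have installed but did not.
$missing = Get-WindowsFeature -Name $RequiredFeatures | Where-Object { -not $_.Installed }
[pscustomobject]@{ Check = 'Roles and features'; Ok = -not $missing
                   Detail = ($missing.Name -join ', ') }

# 2. IIS_IUSRS membership for both accounts (compared by SID, not display name).
$memberSids = (Get-LocalGroupMember -Group 'IIS_IUSRS').SID.Value
foreach ($acct in $Accounts) {
    [pscustomobject]@{ Check = "IIS_IUSRS member: $acct"
                       Ok = $memberSids -contains (Get-AccountSid $acct); Detail = '' }
}

# 3. "Log on as a service" (SeServiceLogonRight) from the current system security settings.
#    Only a direct assignment is detected; a grant through group membership is not resolved.
$cfg = Join-Path $env:TEMP 'ndes-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders = ($line -replace '^[^=]+=', '') -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
$sid = Get-AccountSid $ServiceAccount
[pscustomobject]@{ Check = "Log on as a service: $ServiceAccount"
                   Ok = ($holders -contains $sid) -or ($holders -contains $ServiceAccount)
                   Detail = '' }
```

Each check emits one object with an Ok column; any row showing False points back to the step that needs to be repeated.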