Setting up the Network Device Enrollment Service involves the following tasks:

  • Add the account that will be the registration authority to the Internet Information Services (IIS) user group.

  • Set up and configure the Network Device Enrollment Service.

Membership in the Administrators group is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To add a designated registration authority to the IIS_IUSRS group
  1. Open the Local Users and Groups snap-in, and double-click the Groups folder.

  2. Click the IIS_IUSRS built-in group.

  3. On the Action menu, click Add to Group.

  4. Click Add, type the domain name of the account that will be the registration authority, and then click OK.

Membership in Enterprise Admins or Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To set up and configure the Network Device Enrollment Service
  1. On the server where you want to install the Network Device Enrollment Service, open Server Manager, and click Add Roles to start the Add Roles Wizard.

  2. On the Select Server Roles page, select the Active Directory Certificate Services check box, and then click Next two times.

  3. On the Select Role Services page, clear the Certification Authority check box, and then select the Network Device Enrollment Service check box.

    You are prompted to install IIS and Windows Activation Service.

  4. Click Add Required Role Services, and then click Next three times.

  5. On the Specify User Account page, click Select User, and type the user name and password for the account that the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.

  6. On the Specify CA page, if this computer does not host a CA, select either the CA name or Computer name check box, click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, and then click Next.

  7. On the Specify Registration Authority Information page, type the name of the registration authority in the RA name box. Under Country/region, select the country/region you are in, and then click Next.

  8. On the Configure Cryptography page, accept the default values for the signature and encryption keys or configure your own values, and then click Next.

  9. Review the summary of configuration options, and then click Install.
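The two procedures above can also be scripted. The following is an added example, not part of the original documentation; it assumes Windows Server 2016 or later with the LocalAccounts, ServerManager and ADCSDeployment PowerShell modules, and every account, CA and RA name in it is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the two procedures above.
# Every name below is a constructed placeholder, not a value from the page.
$RaAccount = 'CONTOSO\svcNDES'                      # registration authority account
$CaConfig  = 'CA01.contoso.com\Contoso-Issuing-CA'  # "<CA computer>\<CA name>"
$RaName    = 'Contoso-NDES-RA'
$RaCountry = 'US'

# Procedure 1: add the account to IIS_IUSRS, skipping it if already a member.
$current = (Get-LocalGroupMember -Group 'IIS_IUSRS' -ErrorAction Stop).Name
if ($current -notcontains $RaAccount) {
    Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $RaAccount -ErrorAction Stop
}

# Procedure 2, steps 1-4: install only the NDES role service (no CA on this host).
# IIS and Windows Activation Service are installed as dependencies.
$feature = Install-WindowsFeature -Name ADCS-Device-Enrollment -IncludeManagementTools
if (-not $feature.Success) { throw 'ADCS-Device-Enrollment failed to install.' }

# Steps 5-7: service account, issuing CA and registration authority information.
# Prompt for the password so it is never stored in the script or shell history.
$password = Read-Host -Prompt "Password for $RaAccount" -AsSecureString
$ndes = @{
    ServiceAccountName     = $RaAccount
    ServiceAccountPassword = $password
    CAConfig               = $CaConfig
    RAName                 = $RaName
    RACountry              = $RaCountry
}
# Step 8: no signing or encryption parameters are passed, so defaults are accepted.

# Step 9: review with -WhatIf first, then apply the configuration.
Install-AdcsNetworkDeviceEnrollmentService @ndes -WhatIf
Install-AdcsNetworkDeviceEnrollmentService @ndes -Force

# Confirm the end state: role service installed, account present in IIS_IUSRS.
Get-WindowsFeature -Name ADCS-Device-Enrollment | Select-Object Name, InstallState
Get-LocalGroupMember -Group 'IIS_IUSRS' | Where-Object Name -eq $RaAccount
```

The same group memberships stated for the wizard procedures apply to the account that runs the script.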

For more information about the Simple Certificate Enrollment Protocol (SCEP), see the Internet Engineering Task Force Web site (https://go.microsoft.com/fwlink/?LinkId=71055).

For more information about the Network Device Enrollment Service, see AD CS: Network Device Enrollment Service (https://go.microsoft.com/fwlink/?LinkId=85475) and Microsoft SCEP Implementation Whitepaper (https://go.microsoft.com/fwlink/?LinkId=93875).

