NDESmanualInstallation

Some files that are helpful when installing NDES without Enterprise Administrator Permission (which isn't officially supported, but may be the only way in restrictive Active Directory Environments).

The sample files are from a Windows Server 2019 Installation using the Built-In Application Pool Identity. It is possible to change all Settings after the initial Setup.

How to manually install NDES without Enterprise Administrator Permissions

The Steps are:

Install prerequisites

Add-WindowsFeature Web-Server -IncludeManagementTools
Add-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

This will ensure the required binary files are present under C:\Windows\System32\certsrv\mscep.

Replace this file with the one from the Repo

C:\Windows\System32\inetsrv\Config\applicationHost.config

The Original Version is included as applicationHost.config.original so that you can compare them if desired.

Import Registry

• MSCEP.reg sets the default Registry Values for the NDES Service. It contains the CA Config which must be adapted to your Environment. Further Changes as needed.
• ConfigurationStatus.reg will tell Server Manager that the Role has been configured.

Request RA Certificates

• Create Custom Certificate Templates based on "CEP Encryption" and "Enrollment Agent (Computer)", and issue the to the Computer Certificate Store.
• NDESAppPoolKeyPermissions.ps1 will set Read Permissions on the Certificates Private Keys for the SCEP IIS Application Pool.

Reload config

iisreset

Update Target CA Configuration

certutil -setreg CA\SubjectTemplate +UnstructuredName
certutil -setreg CA\SubjectTemplate +UnstructuredAddress
certutil -setreg CA\SubjectTemplate +DeviceSerialNumber
net stop certsvc
net start cetrsvc