Setup NDES with Intune and SCCM

We are planning to issue certificates to clients over the Internet, so we need to set up the NDES infrastructure.


Steps to configure NDES:

1. NDES Service Account (a regular default account is fine)

2. NDES Server Certificate Template

  • Server Authentication and Workstation Authentication
  • 10-year validity
  • Subject name is supplied in the request
  • Grant the NDES servers Enroll permission on this template

3. NDES Certificate Template (this template is used to issue certificates to the clients)

  • On Request Handling:
    Include symmetric algorithms allowed by the subject
    Enroll subject without requiring any user input
  • Cryptography:
    Only select “Microsoft Enhanced Cryptographic Provider v1.0”
  • The NDES service account has enroll and read access to this template

4. Create an Azure AD Application proxy in

  • Internal URL is the FQDN to your internal NDES server
  • Pre-authentication: Passthrough

5. Get a certificate for the NDES server using the template created in step 2

  • Common Name: internal FQDN
  • Subject Alternative Name (DNS):
    internal FQDN
    external Azure AD App Proxy FQDN

6. Run the PowerShell script to install NDES

  • Make sure you have at least PowerShell 5.1 installed;
  • There should be only one client authentication certificate on the NDES server;
  • .NET Framework 3.5 is required

This DISM command works on both Windows 10 and Windows Server; be advised that the server version must match the ISO source used as /Source:

DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:\\server_path\OSD\Win2019\sources\sxs

.\NDES.ps1 -CertificateAuthorityConfig "ca.corp.lan\caname" -NDESTemplateName "The_template_name_to_issue_client_cert" -NDESExternalFQDN "" -RegistrationAuthorityName "NDESRegistrationAuthority" -RegistrationAuthorityCompany "Company_Name" -RegistrationAuthorityDepartment "Dept_Name" -RegistrationAuthorityCity "City_Name" -Verbose

7. Verify the newly created NDES

You should be able to see the “Network Device Enrollment Service” page.
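As an added check script (not part of the original post or its NDES.ps1), the following PowerShell verifies the prerequisites from steps 5 to 7 on the NDES server: PowerShell version, NetFx3, the single client-authentication certificate, the server certificate SANs and the NDES page. The two FQDNs are placeholders to replace with your own.

```powershell
# Added example, not the post's own script. Replace the two placeholder FQDNs.
param(
    [string]$InternalFqdn = 'ndes.corp.lan',             # placeholder internal FQDN
    [string]$ExternalFqdn = 'ndes-corp.msappproxy.net'   # placeholder App Proxy FQDN
)

$results = [ordered]@{}

# Step 6: the install script needs PowerShell 5.1 or newer.
$results['PowerShell >= 5.1'] = ($PSVersionTable.PSVersion -ge [Version]'5.1')

# Step 6: .NET Framework 3.5 (NetFx3) must be enabled (see the DISM command above).
$netfx = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
$results['NetFx3 enabled'] = ($netfx.State -eq 'Enabled')

# Step 6: exactly one Client Authentication certificate (EKU 1.3.6.1.5.5.7.3.2)
# may exist in the machine store.
$clientAuth = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }
$results['Exactly one client-auth cert'] = (@($clientAuth).Count -eq 1)

# Step 5: the server certificate must have Server Authentication EKU (1.3.6.1.5.5.7.3.1)
# and carry both the internal and the App Proxy FQDN as DNS SANs.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $InternalFqdn -and
        $_.DnsNameList.Unicode -contains $ExternalFqdn
    }
$results['Server cert has both SANs'] = (@($serverCert).Count -ge 1)

# Step 7: the NDES page should answer on the internal name. Adjust the scheme
# if your IIS binding is not HTTPS yet.
try {
    $resp = Invoke-WebRequest -Uri "https://$InternalFqdn/certsrv/mscep/mscep.dll" `
        -UseDefaultCredentials -UseBasicParsing
    $results['NDES page reachable'] = ($resp.Content -match 'Network Device Enrollment Service')
} catch {
    $results['NDES page reachable'] = $false
}

# Print one OK/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```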


If you are under co-management with SCCM and Intune, then depending on the workload you set up (clients managed by Configuration Manager or by Intune), you need either the Intune Certificate Connector or the Configuration Manager Policy Module.



Some references:

Setup NDES

Verify NDES configuration on-premises for SCEP certificates in Intune



Install Certificate Registration Point with SCCM (install the Configuration Manager policy module for SCEP certificates only)


Troubleshooting Cloud Management Gateway: Quick & effectively /w CMG Connector Analyzer
