Set the Read and Enroll permissions on the certificate template for the NDES/SCEP/MSCEP Service Account and the Device Administrator.

  1. Launch the Certificate Templates Console by running certtmpl.msc from the Windows Desktop.

  2. Right-click the required template and select Properties. The example here is ‘MobileUser’ from the CA Setup Document.

  3. Select the Security tab.

  4. Click Add. The Select Users, Computers, Service Accounts, or Groups dialog box displays.

  5. Click within the Enter the object names to select field and type the name of the Service Account.

  6. Click OK. The Properties dialog box displays.

  7. Select the Service Account from the Group or user names: list.

  8. Select the Read permission Allow checkbox.

  9. Select the Enroll permission Allow checkbox.

  10. Click OK.
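
To confirm the result of the steps above, the following added example (not part of the original procedure or any vendor tooling) reads the template's ACL from Active Directory and reports whether the Service Account holds Read and Enroll, and whether it holds write-level rights the procedure never grants. It assumes the RSAT ActiveDirectory module is installed, that 'MobileUser' is the template's CN, and uses CONTOSO\svc-ndes as a placeholder account name.

```powershell
# Added verification example. Only 'MobileUser' comes from this page.
Import-Module ActiveDirectory

$TemplateName   = 'MobileUser'          # assumed to be the template's CN
$ServiceAccount = 'CONTOSO\svc-ndes'    # placeholder: replace with your NDES/SCEP account

# Certificate-Enrollment extended right (the "Enroll" checkbox).
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]

# Certificate templates live in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Allow ACEs granted directly to the account (group-inherited access is not resolved here).
$aces = @((Get-Acl -Path "AD:\$dn").Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow'
})

# Read: at minimum the ReadProperty bit must be present.
$hasRead = [bool]($aces | Where-Object {
    $_.ActiveDirectoryRights -band $ADR::ReadProperty
})

# Enroll: ExtendedRight scoped to the Enroll GUID, or to all extended rights (empty GUID).
$hasEnroll = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -and
    ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)
})

# Rights beyond Read/Enroll that would let the account modify the template itself.
$writeMask = $ADR::WriteProperty -bor $ADR::WriteDacl -bor $ADR::WriteOwner
$excess = @($aces | Where-Object { $_.ActiveDirectoryRights -band $writeMask })

[pscustomobject]@{
    Template     = $TemplateName
    Account      = $ServiceAccount
    Read         = $hasRead
    Enroll       = $hasEnroll
    ExcessRights = ($excess.ActiveDirectoryRights -join '; ')
}
```

Read and Enroll should both be True and ExcessRights should be empty; a non-empty ExcessRights value means the account can change the template, which goes beyond what this procedure configures.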