The Microsoft Network Device Enrollment Service documentation seems pretty straight forward, but after installing and configuring it I was faced with a couple of different issues that took me way too long to figure out. Hopefully this will save someone some time.
Note: I installed this on a server that was an Enterprise CA and already had the Certificate Web Enrollment Service installed, configured and functioning.
Once NDES is set up to test it you need to go to: https://serverfqdn/certsrv/mscep_admin note that you should do this from a workstation and not the server itself as my understanding is that if you are an admin on the server it will error out from there.
The first problem: I was getting prompted for authentication when going to that URL as well as when going to https://serverfqdn/certsrv, which had previously worked fine. What fixed this was removing the SPN that I had set up for the NDES service account, restarting IIS and restarting Certificate Services. At least in my configuration I did not seem to need this.
The second problem: I was getting a 500 error when accessing the https://serverfqdn/certsrv/mscep_admin page. What ended up fixing this was adding the IIS_IUSRS group to the “Impersonate a Client After Authentication” setting via the Computer/Security settings in group policy, verify the server got the policy change, reset IIS and restart the Certificate Server services.