NDES Best Practices
I have a Windows Server 2008 offline Root CA, 2008 Enterprise Subordinate CA, and another 2008 server with NDES installed. I believe everything is in working order, permissions are all set on templates and CA for SCEP Service account etc. NOTE - This is my first real-world experience with certificates and Microsoft's certificate services. I am learning as I go here.

I am looking at the best practices and would like to implement Enrollment Agent Restrictions. One document I have is suggesting that I restrict the Exchange Enrollment Agent (Offline Request) cert template. I know how to do this, but am not sure what account needs to be an enrollment agent for this template. Is it the SCEP service account, device administrator account, or another?

Also, SCEP seems to be working correctly, but there were no sites created for the mscep and mscep_admin virtual directories. I can find the virtual directories by viewing applications on the SCEP app pool. Should I create sites/applications for these two virtual directories so I can set up SSL on the mscep_admin virtual directory?

One last question for now. Our goal for NDES is to allow iPhones, iPads, etc. to connect to NDES and get a cert automatically. I don't believe NDES will do this by default. Do I need to add OCSP or Web Enrollment? Do I need to enable auto-enrollment?

Thanks for the help. I really appreciate it. I am learning a lot, but also finding that documentation about NDES and some specifics within NDES are not easy to find online or are very general and are not much help.

Dennis
April 16th, 2012 11:26am

If I enable the password, how are auto-enrollment and auto-renewal going to work? What are the best practices for stopping rogue routers from getting a cert?
June 29th, 2012 4:35pm

This topic is archived. No further replies will be accepted.
