Microsoft Network Device Enrollment Service

The Network Device Enrollment Service (NDES) is one of the role services of the Active Directory Certificate Services (ADCS) role in Windows Server. It implements the Simple Certificate Enrollment Protocol (SCEP). SCEP was originally designed to semi-automatically enroll certificates to Cisco network devices, such as routers or VPN concentrators, in a closed network where all endpoints are trusted.

SCEP does not include any mechanism for verifying the certificate requestor’s identity; instead, it relies on a Registration Authority (RA) to handle this sensitive task.

The Network Device Enrollment Service performs the following functions:

a) Generates and provides one-time enrollment passwords to administrators.

b) Submits enrollment requests to the CA.

c) Retrieves enrolled certificates from the CA and forwards them to the network device.
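A toy model of the RA role described above, added here as an example and not Microsoft's NDES code: it issues one-time enrollment passwords (function a) and decides whether a request may be submitted to the CA (function b), enforcing single use and expiry because SCEP itself verifies nothing about the requestor. The `RegistrationAuthority` class, its method names and the dict-shaped CSR are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class OneTimePassword:
    """An enrollment password the RA hands to an administrator out of band."""
    secret: str
    expires_at: float
    used: bool = False

class RegistrationAuthority:
    """Hypothetical RA (not NDES code) gating SCEP requests before they reach the CA.
    SCEP carries no proof of the requestor's identity; the CSR's challengePassword
    is the only hook, so the RA must treat it as a short-lived, single-use credential."""

    def __init__(self, validity_seconds=3600, enforce_password=True, clock=time.time):
        self._validity = validity_seconds
        self._enforce = enforce_password  # False models an RA that forwards any CSR
        self._clock = clock               # injectable so expiry is testable
        self._issued = []

    def issue_password(self):
        # Function (a): mint a one-time enrollment password for an administrator
        pw = secrets.token_hex(16)
        self._issued.append(OneTimePassword(pw, self._clock() + self._validity))
        return pw

    def admit_request(self, csr):
        # Function (b): decide whether this constructed, dict-shaped CSR may be
        # submitted to the CA. Returns (accepted, reason).
        if not self._enforce:
            return True, "forwarded without identity check (unsafe configuration)"
        supplied = csr.get("challenge_password")
        if not supplied:
            return False, "rejected: CSR carries no challengePassword"
        now = self._clock()
        for otp in self._issued:
            # constant-time compare so failed lookups leak nothing about stored secrets
            if not hmac.compare_digest(otp.secret.encode(), supplied.encode()):
                continue
            if otp.used:
                return False, "rejected: password already used (replay)"
            if now > otp.expires_at:
                return False, "rejected: password expired"
            otp.used = True
            return True, f"forwarded to CA for {csr.get('subject', '?')}"
        return False, "rejected: unknown password"
```

With `enforce_password=False` the RA becomes a pass-through, which is the failure mode to check for when reviewing an NDES deployment.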

Refer to the Microsoft documentation for more information about Microsoft NDES.