You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server root CA. Which of
the following also needs to be configured? (Select the best answer.)

A.
AD on the CA

B.
a root CA on the Cisco ISE

C.
a manually installed certificate on the connecting BYOD device

D.
NDES on a CA or domain member server

Explanation:
Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member server
also needs to be configured if you want to configure Cisco Identity Services Engine (ISE) as a Simple
Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows 2008 R2 Server root CA.
Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on
their own, without administrative overhead from the IT department.
You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy indicates that
ISE communicates with the CA on the behalf of its client devices. However, the ISE does need to be configured
with a SCEP CA profile. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES serverregistration authority (RA) certificate in the Certificate Store. RAs verify requests for certificates and enable the
CA to issue them.
You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain
controllers, although member servers and workstations can connect to the AD domain.
You are not required to manually install a certificate on the connecting BYOD device. Manually installing a client
certificate on the BYOD device would defeat the purpose of configuring the ISE as a SCEP proxy, because
administrative intervention would be required.

Cisco: ISE SCEP Support for BYOD Configuration Example: Background Information