Option 1:
Use an account that has been granted sufficient privileges over the SCEP certificate template specified in HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
(in most cases it is the IPSECIntermediateOffline template)
Option 2:
You can leave the NDES credentials blank and use a challenge passphrase instead. On the NDES server go to localhost/certsrv/mscep_admin to view the challenge passphrase. Note: you may need to use HTTPS. If the challenge password is set to expire, use regedit to edit the following data:
HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP\UseSinglePassword
Set UseSinglePassword to "1" and restart the server. This way you no longer need to use any kind of admin account to send SCEP requests. Enter the challenge password in the Altiris console:
For Mobile SP2.1 go to Home > Mobile Management > Device Management > Configuration Editor and edit the SCEP settings profile with the challenge password.
For Mobile SP3 go to Home > Mobile Management > Settings > SCEP Servers (uncheck "Use unique challenge") and enter the password there. Once that is done, go to the Configuration Editor and select that SCEP server settings profile from the list.
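
To confirm which template Option 1 applies to and whether the Option 2 registry change took effect, the following read-only check can be run in an elevated PowerShell session on the NDES server. It is an added example, not part of the original article; the function name Get-NdesScepConfig is hypothetical, and the template value names (SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate) are the standard NDES ones rather than names taken from this page.

```powershell
# Added example: read-only check of the NDES (MSCEP) registry settings.
# Nothing is modified; run on the NDES server itself.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesScepConfig {
    param([string]$Root = $mscep)

    if (-not (Test-Path -Path $Root)) {
        throw "MSCEP key not found at $Root; is the NDES role installed on this host?"
    }

    # Template names are string values directly under the MSCEP key.
    $props = Get-ItemProperty -Path $Root
    $templates = foreach ($name in 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate') {
        [pscustomobject]@{ Purpose = $name; Template = $props.$name }
    }

    # UseSinglePassword is a subkey that holds a value of the same name.
    $single = $null
    $sub = Join-Path $Root 'UseSinglePassword'
    if (Test-Path -Path $sub) {
        $item = Get-ItemProperty -Path $sub -Name UseSinglePassword -ErrorAction SilentlyContinue
        if ($item) { $single = $item.UseSinglePassword }
    }

    [pscustomobject]@{
        Templates         = $templates
        UseSinglePassword = $single
        StaticChallenge   = ($single -eq 1)
    }
}

$cfg = Get-NdesScepConfig
$cfg.Templates | Format-Table -AutoSize

if ($cfg.StaticChallenge) {
    'UseSinglePassword = 1: the same challenge password is accepted for every SCEP request.'
} elseif ($null -eq $cfg.UseSinglePassword) {
    'UseSinglePassword is not set: the challenge password will expire.'
} else {
    "UseSinglePassword = $($cfg.UseSinglePassword): the challenge password will expire."
}
```

With UseSinglePassword set to 1, anyone who learns the challenge password can request certificates from the listed templates, so the mscep_admin page and the Altiris SCEP profile that stores the password should be restricted to administrators.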