Hello,
I think we can follow the steps in the link we provided on Windows server 2016.
1.Create inf file.
2.Request req file using inf file.
3.Request cer file or pfx file using req file.
Or we can request cer file for "EnrollmentAgentOffline" and "CEPEncryption" templates through MMC.
For more information, we can refer to the link below.
Active Directory Certificate Services (AD CS): Network Device Enrollment Service (NDES)
https://social.technet.microsoft.com/wiki/contents/articles/9063.active-directory-certificate-services-ad-cs-network-device-enrollment-service-ndes.aspx