If you saw my earlier blog on NDES for Intune, you might have noticed that I didn’t say much, if anything, about troubleshooting the process after it is set up. So, if things don’t seem to be working, what do you do? Well, read this post of course.
If you still want to learn more about how to issue SCEP certificates with Intune, check out the docs: Configure infrastructure to support SCEP with Intune.
There are a lot of really good NDES troubleshooting resources out there so I won’t be trying to duplicate any of that, but there are some quick tips I can share with you that might save you hours of searching for answers and tools. In fact, the reason I’m writing this is that it literally took me hours of web searching to find these tips and resources so, if nothing else, it’s a reminder to me of where this stuff lives.
Troubleshooting NDES configuration
The Microsoft support team has published a great guide on how to configure Network Device Enrollment Services (NDES) correctly to assign Simple Certificate Enrollment Protocol (SCEP) certificate profiles to Intune client devices. Obviously, you need NDES to be set up correctly to actually issue anything so it makes total sense to start there. I mean here: Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles.
Also, did you know that hidden in the GitHub repo for Intune Graph API sample scripts there is a PowerShell script you can run to validate your NDES configuration to ensure it aligns with the steps in the above link? Pretty cool eh?
After it runs, it even offers to collect troubleshooting logs that you can share with your friends at support or your friendly neighborhood PFE.
Speaking of server logs related to all this, you might want to know what those are. This table is from another support link I’ll give you later, but figured it’s nice to have as a quick reference here too:
|Microsoft Intune Connector log files|
|%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs||Logs communications between the NDES Intune connector and Intune cloud service. The related registry entry: HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus.||We recommend that you use Service Trace Viewer Tool to view the log files.|
|%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs||Logs NDES receiving and verifying certificate requests.||We recommend that you use Service Trace Viewer Tool to view the log files.|
|NDESPlugin.log||%programfiles%\Microsoft Intune\NDESPolicyModule\Logs\||Logs passing and the results of verifying certificate requests to the Certificate Registration Point.|
|IIS log files|
|u_ex<time stamp>.log (Example: u_ex180629.log)||%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\||Logs mobile devices’ certificate requests to NDES.|
These are also the logs you’ll see when you export the troubleshooting logs after running the NDES validation script from GitHub (Validate-NDESConfiguration.ps1). The output will look something like this:
Of course, when you open up one of those .svclog log files, you aren’t exactly presented with something anyone wants, or can for that matter, easily read:
This is why you see “We recommend that you use Service Trace Viewer Tool to view the log files.” in the table above. So go ahead and open that up…I’ll wait.
Couldn’t find it? Keep reading.
Get the service trace viewer tool
The service trace viewer tool (SvcTraceViewer.exe) provides a way to easily merge, view, and filter trace messages in the log so that you can diagnose, repair, and verify WCF service issues, but it’s not installed or available to open .svclog files by default.
There’s not much worse than knowing what tool you need and not being able to find it. And finding the service trace viewer tool has stymied many an admin. Here’s an easy way to get it.
To quickly get the tool, just install the .NET Framework SDK, from whatever handy Windows SDK installation you choose, from the Windows SDK and emulator archive (I used the one for Windows 10, version 1903 in this example). Click INSTALL SDK at that link and then just select at least that one .NET Framework feature option to install:
When installation is complete, you’ll be rewarded with the highly sought after SvcTraceViewer.exe tool as part of the installation:
And now you can finally open and easily view the contents of those pesky .svclog log files:
Troubleshooting SCEP profile deployment to devices
Now that you’re sure that NDES is properly configured to issue SCEP certificates for Intune, you might need to double-check that all is well on the actual devices requesting certificates too.
The Microsoft support team once again makes this a breeze so all I feel compelled to do that this point is provide you links to their excellent guidance. Here you go:
- Troubleshooting SCEP certificate profile deployment to Android devices
- Troubleshooting SCEP certificate profile deployment to iOS devices
- Troubleshooting SCEP certificate profile deployment to Windows devices
That about wraps it up for NDES and this post. Hope it helps.
You’ve seen my blog; want to follow me on Twitter too? @JeffGilb