Enrollment and Enrollment proxy point

These two roles are used in the process of certificate enrollment for mobile devices and in the provisioning and management of Intel AMT-based computers; probably the most common use is the management of Apple Mac computers. Certificate enrollment for mobile devices in this sense should not be confused with Microsoft Intune: this functionality relates only to the traditional, native management of mobile devices with Configuration Manager. We are going to discuss these two roles together, as they are undeniably linked; however, in most organizations they are likely to be separated across servers in different networks, with the proxy sitting in a demilitarized zone. As with many other roles, these two are web applications that run on IIS and return standard HTTP error codes, which can be used as guidance. The default installation locations for these roles are as follows:

  • %ProgramFiles%\SMS_CCM\EnrollmentPoint
  • %ProgramFiles%\SMS_CCM\EnrollmentProxyPoint

Troubleshooting in the console

From the console, the only area specific to troubleshooting for these roles is the standard Monitoring workspace where we can locate the components from Overview | System Status | Component Status and look at the following components:

  • SMS_ENROLL_WEB
  • SMS_ENROLL_SERVER
  • SMS_DM_ENROLLMENTSERVICE

From here, we can check the status messages of each component and also get an indication of its current state. Using the Configuration Manager Service Manager, we can also query the current state of each service and stop or start it as required.

Troubleshooting in the log files

There are a number of log files that should be considered when trying to troubleshoot either the Enrollment point or Enrollment proxy point, and they are located in a few different folders.

By default, the %ProgramFiles%\Microsoft Configuration Manager\Logs folder contains the following log files:

  • SMSENROLLSRVSetup.log
  • enrollsrvMSI.log
  • enrollsrv.log
  • SMSENROLLWEBSetup.log
  • enrollwebMSI.log
  • enrollweb.log

The files with Setup and MSI in their names contain installation information and should be used when it is suspected that the roles have not completely installed, or have been changed and are no longer functional. As always, the Setup log files contain an overview of the installation activities, and the MSI log files contain more detailed information. These should be used to identify the reason for a failed installation by verifying the return or error codes and matching them against one of the lists from the troubleshooting toolkit in Chapter 1, The Configuration Manager Troubleshooting Toolkit.
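To show what "verifying the return or error codes" looks like in practice, here is an added example (not from the book) that reads a Windows Installer log such as enrollsrvMSI.log or enrollwebMSI.log, pulls out the final "Installation success or error status" code, and names the first action that ended with return value 3 (the Windows Installer convention for a failed action). The short code table covers only the most common results; anything else should be looked up in the Chapter 1 lists. The sample log text is constructed for the example.

```python
import re

# Windows Installer result codes seen most often in role MSI logs
# (values from Microsoft's documented MsiExec.exe return codes).
MSI_RETURN_CODES = {
    0: "ERROR_SUCCESS: installation completed",
    1603: "ERROR_INSTALL_FAILURE: fatal error during installation",
    1618: "ERROR_INSTALL_ALREADY_RUNNING: another installation is already in progress",
    1638: "ERROR_PRODUCT_VERSION: another version of the product is already installed",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED: installed, restart initiated",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED: installed, restart required",
}
SUCCESS_CODES = {0, 1641, 3010}

# Near the end of every MSI log Windows Installer records the overall result.
_STATUS_RE = re.compile(r"Installation success or error status:\s*(\d+)\.")
# In a verbose log each action reports "Return value N."; 3 means the action failed,
# so the first such line names the action that broke the install.
_ACTION_RE = re.compile(r"Action ended \d{1,2}:\d{2}:\d{2}: (\S+?)\. Return value (\d)\.")


def msi_status_code(text):
    """Overall result code, or None when the log has no status line (for example a truncated log)."""
    matches = _STATUS_RE.findall(text)
    return int(matches[-1]) if matches else None


def first_failed_action(text):
    """Name of the first action that ended with return value 3, or None if none did."""
    for action, rv in _ACTION_RE.findall(text):
        if rv == "3":
            return action
    return None


def summarize_msi_log(text):
    """Everything needed to decide whether the role installed and, if not, where it stopped."""
    code = msi_status_code(text)
    return {
        "code": code,
        "succeeded": code in SUCCESS_CODES,
        "meaning": MSI_RETURN_CODES.get(
            code, "not in the short table; look the code up in the troubleshooting toolkit lists"),
        "failed_action": first_failed_action(text),
    }


# Constructed excerpt in the shape of a verbose Windows Installer log; not a real enrollsrvMSI.log.
SAMPLE_MSI_LOG = """\
MSI (s) (4C:58) [10:41:02:100]: Executing op: ActionStart(Name=InstallFiles,,)
Action ended 10:41:02: InstallFiles. Return value 1.
MSI (s) (4C:58) [10:41:03:400]: Executing op: ActionStart(Name=ConfigureEnrollmentService,,)
Action ended 10:41:05: ConfigureEnrollmentService. Return value 3.
Action ended 10:41:05: INSTALL. Return value 3.
MSI (s) (4C:58) [10:41:05:900]: Product: Enrollment Service (constructed) -- Installation failed.
MSI (s) (4C:58) [10:41:05:901]: Windows Installer installed the product. Product Name: Enrollment Service (constructed). Product Version: 5.0.0.0. Installation success or error status: 1603.
"""

if __name__ == "__main__":
    # On a real server: summarize_msi_log(open(r"C:\Program Files\Microsoft Configuration Manager\Logs\enrollsrvMSI.log").read())
    for key, value in summarize_msi_log(SAMPLE_MSI_LOG).items():
        print(f"{key}: {value}")
```

The last status line is used deliberately: a log that was appended to across a failed and then a successful retry reports the retry's result.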

Then we have enrollsrv.log, which records the activities of the Enrollment point, or Enrollment service as it is also known. This includes any changes to its configuration, such as its SSL state, and any related certificate maintenance. We will also see many references to the corresponding web.config file for this web application, which contains the configuration information for this role. It is not recommended to modify this file directly; any changes to the role should be performed from within the console. It can, however, be used as a reference, and even compared against a known working role in a development environment.

The log file enrollweb.log contains information on the activities of the Enrollment proxy point, also known as the Enrollment web service. These logs should be used to confirm the availability and configuration of either of the previously mentioned site roles, and to corroborate the information presented through status messages in the Configuration Manager console.

In addition to the logs already stated, there are two other log files, which by default are in the following locations on the server with the roles installed:

  • %ProgramFiles%\SMS_CCM\EnrollmentPoint\Logs\EnrollmentService.log
  • %ProgramFiles%\SMS_CCM\EnrollmentProxyPoint\Logs\EnrollmentWeb.log

Both of these log files confirm the starting and stopping of the web service, which should also be seen in the status messages from the console, so they should be used to confirm any frequent outages of the roles. Additionally, the Enrollment proxy point is the point that all devices communicate with, so there should be a record of all communications in enrollmentweb.log if you suspect any problems enrolling a device. enrollmentweb.log specifically records any activity from the device (an Apple Mac, for example) to the Enrollment proxy point, as this is the first point of communication in the enrollment chain. The log file enrollmentweb.log will then contain detailed information on the communication between the Enrollment proxy point and the Enrollment point. This includes information such as enrollment attempts, including successes and failures, and the certificate information used in the enrollment process.
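The role logs above (enrollsrv.log, enrollweb.log, EnrollmentService.log and EnrollmentWeb.log), like the other Configuration Manager logs, are written in the CMTrace record format, so the checks described in this section can be scripted. The following is an added example, not code from the book or from Configuration Manager: it parses CMTrace records, counts entries by severity (type 1 = information, 2 = warning, 3 = error), lists the error messages to compare against Component Status, and flags clusters of service starts that would indicate the frequent outages mentioned above. The exact wording of the start/stop records, and the log lines themselves, are assumptions constructed for the example; match the patterns to what your own log shows.

```python
import re
from datetime import datetime, timedelta

# CMTrace record: the message is wrapped in <![LOG[...]LOG]!> and followed by a tag
# carrying time, date, component, type and thread. type: 1 = info, 2 = warning, 3 = error.
_CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)
SEVERITY = {1: "info", 2: "warning", 3: "error"}

# Assumed wording of the start/stop records; adjust to the text seen in your EnrollmentWeb.log.
START_RE = re.compile(r"service started", re.IGNORECASE)
STOP_RE = re.compile(r"service stopped", re.IGNORECASE)


def _timestamp(date_field, time_field):
    """date is MM-dd-yyyy; time is HH:mm:ss.fff plus a UTC offset in minutes (+000, -300, ...).
    The offset is dropped so the result matches the local time CMTrace displays."""
    hms = re.match(r"\d{2}:\d{2}:\d{2}\.\d{1,3}", time_field).group(0)
    return datetime.strptime(f"{date_field} {hms}", "%m-%d-%Y %H:%M:%S.%f")


def parse_cmtrace(text):
    """One dict per record, in file order; multi-line messages are handled by DOTALL."""
    entries = []
    for m in _CMTRACE_RE.finditer(text):
        entries.append({
            "timestamp": _timestamp(m["date"], m["time"]),
            "component": m["component"],
            "severity": SEVERITY.get(int(m["type"]), "unknown"),
            "thread": int(m["thread"]),
            "message": m["message"].strip(),
        })
    return entries


def triage(text):
    """Severity counts plus the error messages, i.e. what to hold against Component Status."""
    entries = parse_cmtrace(text)
    counts = {"info": 0, "warning": 0, "error": 0}
    for e in entries:
        if e["severity"] in counts:
            counts[e["severity"]] += 1
    return {"counts": counts, "errors": [e["message"] for e in entries if e["severity"] == "error"]}


def restart_events(entries):
    """(timestamp, 'start' | 'stop') for every service start/stop record, in order."""
    events = []
    for e in entries:
        if START_RE.search(e["message"]):
            events.append((e["timestamp"], "start"))
        elif STOP_RE.search(e["message"]):
            events.append((e["timestamp"], "stop"))
    return events


def frequent_restarts(events, window_minutes=60, threshold=3):
    """True when `threshold` or more service starts fall inside any window of `window_minutes`."""
    starts = sorted(ts for ts, kind in events if kind == "start")
    window = timedelta(minutes=window_minutes)
    for i in range(len(starts) - threshold + 1):
        if starts[i + threshold - 1] - starts[i] <= window:
            return True
    return False


# Constructed sample in CMTrace format; not taken from a real EnrollmentWeb.log.
SAMPLE_LOG = """\
<![LOG[Enrollment web service started.]LOG]!><time="08:00:01.000+000" date="03-14-2016" component="EnrollmentWeb" context="" type="1" thread="1200" file="enrollweb.cpp:40">
<![LOG[Processing enrollment request from device CONSTRUCTED-MAC-01.]LOG]!><time="08:03:15.210+000" date="03-14-2016" component="EnrollmentWeb" context="" type="1" thread="1204" file="enrollweb.cpp:210">
<![LOG[Certificate template lookup took longer than expected.]LOG]!><time="08:03:16.005+000" date="03-14-2016" component="EnrollmentWeb" context="" type="2" thread="1204" file="enrollweb.cpp:233">
<![LOG[Enrollment request failed: HTTP 403 returned by the enrollment point.]LOG]!><time="08:03:17.120+000" date="03-14-2016" component="EnrollmentWeb" context="" type="3" thread="1204" file="enrollweb.cpp:260">
<![LOG[Enrollment web service stopped.]LOG]!><time="08:30:00.000+000" date="03-14-2016" component="EnrollmentWeb" context="" type="1" thread="1200" file="enrollweb.cpp:55">
<![LOG[Enrollment web service started.]LOG]!><time="08:31:10.000+000" date="03-14-2016" component="EnrollmentWeb" context="" type="1" thread="1200" file="enrollweb.cpp:40">
"""

if __name__ == "__main__":
    # On a real server: triage(open(r"C:\Program Files\SMS_CCM\EnrollmentProxyPoint\Logs\EnrollmentWeb.log").read())
    print(triage(SAMPLE_LOG))
    events = restart_events(parse_cmtrace(SAMPLE_LOG))
    print("two or more starts within an hour:", frequent_restarts(events, threshold=2))
```

The restart check keys on starts rather than stops because a crash leaves no stop record; a burst of starts is what an unstable role actually looks like in the log.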

Enrollment profiles

In addition to troubleshooting the actual installation and configuration of the roles involved in enrollment, we should also take note of the device's enrollment policy. In Configuration Manager's client settings, we can specify enrollment settings in either the default client settings policy or a custom user settings policy. Here, we specify which certificate template should be used to enroll a device, which certificate authority it comes from, and which site this enrollment profile is assigned to. Particularly in larger organizations, this should be checked for changes, and to ensure that the client settings' priorities are set as expected. Resultant client settings can be checked from the Configuration Manager console using the resultant client settings option from either the ribbon or the right-click menu. This is a particularly useful tool when troubleshooting the application of policies and enrollment profiles for users:

Enrollment profiles