Diagnostic logging for troubleshooting Workplace Join issues
This article describes how to collect diagnostic logs for troubleshooting Workplace Join issues.
Applies to: Windows 10 – all editions, Windows Server 2012 R2
Original KB number: 3045377
Enable Workplace Join Debug logging by using Event Viewer
To enable administrative logging in Windows 7 and later versions of Windows, follow these steps:
Start Event Viewer.
Go to one of the following locations, as appropriate for your operating system:
- Windows 7: Applications and Services Logs\Microsoft-WorkPlace Join
- Windows 8.x: Applications and Service Logs\Microsoft\Windows\Workplace Join\Admin
- Windows 10: Applications and Service Logs\Microsoft\Windows\Workplace Join\Admin
Right-click the administrative log, and then click either the Enable Log or Disable Log value, as needed.
To enable Debug logging in Windows 7 only, follow these steps:
Start Event Viewer.
Click View, and then click Show Analytic and Debug Logs.
Browse to the following location in Windows 7:
Applications and Services Logs\Microsoft-WorkPlace Join
Right-click the Debug log, and then select either the Enable Log or Disable Log value, as needed.
Start Network Capture, and then reproduce the issue.
Enable Capi2 logging
For information about how to enable Capi2 logging, go to the following website:
This enables verbose logging in Applications and Services Logs/Microsoft/Windows/Capi2 in Event Viewer.
SSL certificate troubleshooting
To verify the Revocation Status against the certification authority (CA) database, run the following command:
Certutil.exe -isvalid <Serialnumber>
The <Serialnumber> placeholder is the serial number of the certificate that you want to verify, in hexadecimal format.
Verify that a certificate was issued by a specific CA
You can use the Certutil.exe tool to determine whether a certificate was issued by a specific CA. To verify the certificate, you must have the certificate that you want to verify and the CA certificate that you want to verify against as parameters. Use the following command syntax:
Certutil.exe -verify CertFile CaCertFile
This command requires that both the CA certificate and the issued certificate be PKCS#10 export files, not PKCS#7 certificate chains. When the command is run, it also verifies the revocation status of the end certificate. An error is returned if the certificate file doesn't contain CDP information, or if the URLs indicated in the CDP extension are unavailable.
If you don't include the CACertFile parameter, the Certutil tool will construct a certificate chain by using all available certificates that are installed on the computer.
Validate the validity and Revocation Status of a certificate
You can manually validate all aspects of a certificate's validity, including the AIA and CDP extensions for a specific certificate, by using the following Certutil syntax:
Certutil.exe -verify -urlfetch CertFile.crt
To run this command, you must have an exported version of the certificate in a DER-encoded format. Certutil will verify only the basic certificate location pointer and the CRL(s) for the AIA and CDP locations. The Windows Server 2003 version of Certutil.exe in the Windows Server 2003 administration tools pack supports this functionality.