Troubleshooting MDM Enrollment Issues

2/9/2009

This section lists common issues encountered during System Center Mobile Device Manager enrollment. If MDM Enrollment Server Setup fails, check the Setup log files.

Enrollment Logging on Devices

In Control Panel on the managed device, the Domain Enroll application shows the enrollment status and lets the user enroll if the device is not already enrolled. The DeviceUpdate.log file records Open Mobile Alliance Device Management (OMA DM) sessions in detail, which makes it particularly useful for troubleshooting and debugging.

If you experience any enrollment issues, enable client-side logging and reproduce the issue. To enable enrollment logging on the device by using the MDM Connect Now tool, follow these steps.

  1. On the Start screen, select Menu.
  2. Select Logging.
  3. Select Enable Enroll Log.

The location of the log file is \deviceupdate.log. For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.

Unable to Locate Enrollment Server

After you enter the uniform resource identifier (URI) for MDM Enrollment Server, the device displays the error message The enrollment server could not be located - please contact your Administrator for assistance.

Make sure that you entered the URI correctly. For example, make sure that you specify only the fully qualified domain name (FQDN), without any prefixes, such as the abbreviation for Hypertext Transfer Protocol (HTTP).

Device Enrollment Fails Before You Type a Password

Depending on the cause of the issue, the device might display various error messages, such as network connectivity, incorrect date and time, database connectivity, communication with the enrollment NT service, and issues accessing the Internet Information Services (IIS) metabase.

To resolve these enrollment issues, follow these steps:

  • Make sure that the data connection is functioning properly on the device; you should be able to browse the Internet with Internet Explorer Mobile.
  • Make sure that the date and time on the device are set correctly.
  • Verify connectivity with the Enrollment service:
    1. On the device, start Internet Explorer Mobile.
    2. Browse to the following site: https://<enrollmentservername>/enrollmentserver/service.asmx?op=ShouldEnroll.
    3. On the Certificate Check page, choose Continue.
    4. In the Version box, type 2.0.0.
    5. In the Owner Identity box, type your name.
    6. Choose Invoke.
      The Enrollment Web service should return a value of 0. If it returns a value of 1, the owner identity did not match the identity provided during pre-enrollment.
      If the Enrollment Web service returns any value other than 0 or 1, the Enrollment Web service cannot access the SQL database, communicate with the Enrollment NT service, or access the IIS metabase.

Device Enrollment Fails After You Type a Password

If enrollment fails but the device passes ShouldEnroll (see the previous section), a valid connection to MDM Enrollment Server has found the pre-enrollment record. Make sure that the password is correct and valid, that the password has not expired, and that server settings are configured properly.

For widespread problems, enable enrollment logging in the DeviceUpdate.log file for more information. If you still experience problems, contact a Microsoft representative to help analyze the log file. In this scenario, failures are typically on the server side.

Unable to Enroll Device in Domain

If the device displays the error message Unable to enroll this device in the domain, contact your Administrator, make sure that the device has Internet connectivity through the appropriate Internet service provider (ISP), and that the date and time are set correctly. You can also check the following items:

  • Check Event Viewer on the server for enrollment issues that have SCMDM 2008 event log IDs between 2000 and 2999. These events can provide more details about what the system encountered during enrollment.

  • Use the Get-EnrollmentServiceLog cmdlet to export Enrollment service logs that provide more details about the completion of certain Enrollment services. The following shows the correct syntax to export Enrollment service log entries to a text file.

    Get-EnrollmentServiceLog > C:\enrollmentlog.txt
    
  • Check the IIS log file for more information about enrollment failures that return HTTP 200 errors.

  • Check whether the device Certificate Subject Name matches the host FQDN or server name in the MDM Enrollment Server IIS certificate. To view the certificates installed in the Personal, Intermediate, and Root stores, choose Settings, choose System, and then choose Certificates.

  • On MDM Device Management Server, or from MDM Console, run the following cmdlets and check for errors:

    • Get-EnrollmentConfig
    • Get-EnrollmentServiceLog
  • Test the connectivity of the Enrollment Web service:

    • From MDM Enrollment Server, start Internet Explorer and visit https://localhost. You should see an Under Construction message.
    • Visit https://localhost/enrollmentserver/service.asmx?op=ShouldEnroll. You may receive certificate warnings. A ShouldEnroll link will appear.
    • From an internally connected computer or server, start Internet Explorer and visit: https://<internalhostname>/enrollmentserver/service.asmx?op=ShouldEnroll
      You may receive certificate warnings. A ShouldEnroll link will appear.
      If you reference localhost in the URL instead of the name of the computer that is running MDM Enrollment Server, you can isolate whether this issue involves an incorrect IIS configuration. If you can view the ShouldEnroll link, you can successfully connect to the Enrollment Web service on MDM Enrollment Server.
  • Select ShouldEnroll to test the ShouldEnroll link.

    • In the Version box, type 2.0.0.
    • In the Owner Identity box, type the e-mail address for the issued enrollment.
    • Choose Invoke.
      The Enrollment Web service should return a value of 0. If it returns a value of 1, the owner identity did not match the identity provided during pre-enrollment.
      If the Enrollment Web service returns any value other than 0 or 1, the Enrollment Web service cannot access the SQL database, communicate with the Enrollment service, or access the IIS metabase.
  • To make sure that the Enrollment service is running, check it in the Services MMC (Services.msc), or follow these steps:

    • On the computer that is running MDM Enrollment Server, run the following command:

      sc query SCMDMDeviceEnroll

      The return status should be Running.

  • In Event Viewer, check for Event ID 2001. This event indicates that the Enrollment service is running and that the global configuration has refreshed successfully. This event occurs when SCMDMDeviceEnroll starts or when the global configuration for MDM Enrollment Server changes.
    To log this event, at an MDM Shell command prompt, run the net stop SCMDMDeviceEnroll and net start SCMDMDeviceEnroll commands. If you do not see Event ID 2001 after MDM Enrollment Server starts, you should see warning events for Event ID 2002. Check Event ID 2002 for more information.

  • In Event Viewer, check for Event ID 2101. This event means that the Enrollment Web service cannot reach MDM Enrollment Server. To troubleshoot this issue, confirm that IIS is configured correctly and follow these steps:

    • At an MDM Shell command prompt, run the sc query w3svc command to view the return status.
    • At an MDM Shell command prompt, run the sc query iisadmin command to view the return status.
    • Make sure that IIS properties and services are set to start automatically.
    • Check the System and Application Event logs for IIS errors.
    • In the IIS log, find a DeviceEnroll entry and check the status.
    • Perform trace logging with the help of a Microsoft representative. A Microsoft representative has the resources to analyze the trace logs.
  • Check the MDM application and error logs for issues connecting to an SQL database. You can use SQLProfiler tracing to troubleshoot database access issues. To use the SQLProfiler tool, start the trace capture, and then select the ShouldEnroll link.

  • Enable tracing on MDM Enrollment Server by running the following command in MDM Console:

    Enable-MDMTrace -Server Enrollment -Components Everything -Level Debug
    
  • Database connection issues can occur if you do not create the MDM database login accounts during Setup. To check for suitable database login accounts, select Logins in SQL Server Enterprise Manager.

  • If you create a pre-enrollment request for a device in a different domain from MDM Enrollment Server, and the domain controller for that domain is not in the same site as MDM Enrollment Server, the device will not enroll until replication occurs. To resolve this issue, you must wait for replication to occur or initiate replication.
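The following script is an added example, not part of the MDM documentation, that automates the read-only checks in the list above (Enrollment and IIS services, the ShouldEnroll page, and the SCMDM 2008 event IDs) on the computer that is running MDM Enrollment Server. It assumes $HostName is the name devices use (localhost isolates IIS configuration problems) and $EventLogName is the Event Viewer log that holds the MDM events.

```powershell
# Added example, not part of the MDM documentation: a read-only health check that runs the
# service, IIS, Event Viewer and Enrollment Web service checks from the list above on the
# computer that is running MDM Enrollment Server.
# Assumptions: $HostName is the name devices use (localhost isolates IIS configuration problems);
# $EventLogName is the Event Viewer log that holds the SCMDM 2008 events (IDs 2000-2999).
param(
    [string]$HostName = "localhost",
    [string]$EventLogName = "Application",   # assumption: change if your MDM events are written elsewhere
    [int]$LookbackHours = 24
)

function Get-ServiceState([string]$Name) {
    # Same information as "sc query <service>": the status should be Running.
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return "NOT INSTALLED" }
    return [string]$svc.Status
}

function Get-EnrollmentEvents([string]$LogName, [int]$Hours) {
    # SCMDM 2008 enrollment events: 2001 = service started and configuration refreshed,
    # 2002 = configuration warning, 2101 = Web service cannot reach the Enrollment service,
    # 2201 = enrollment e-mail could not be sent.
    $since = (Get-Date).AddHours(-$Hours)
    Get-EventLog -LogName $LogName -Newest 2000 -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeGenerated -ge $since -and $_.EventID -ge 2000 -and $_.EventID -le 2999 }
}

function Test-ShouldEnrollPage([string]$Server) {
    # Equivalent of browsing to the service page: it must load over HTTPS and expose ShouldEnroll.
    # An untrusted certificate is reported, not bypassed, because devices will hit the same warning.
    $url = "https://$Server/enrollmentserver/service.asmx?op=ShouldEnroll"
    try {
        $html = (New-Object System.Net.WebClient).DownloadString($url)
        if ($html -match "ShouldEnroll") { return "OK" }
        return "REACHED, but no ShouldEnroll operation on the page"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.WebException] -and $ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            return "REACHED, but the IIS certificate is not trusted by this computer"
        }
        return "FAILED: " + $ex.Message
    }
}

"SCMDMDeviceEnroll service : " + (Get-ServiceState "SCMDMDeviceEnroll")
"W3SVC service             : " + (Get-ServiceState "W3SVC")
"IISADMIN service          : " + (Get-ServiceState "IISADMIN")
"ShouldEnroll page         : " + (Test-ShouldEnrollPage $HostName)

$events = @(Get-EnrollmentEvents $EventLogName $LookbackHours)
"Enrollment events in the last $LookbackHours h: " + $events.Count
foreach ($id in 2001, 2002, 2101, 2201) {
    $hits = @($events | Where-Object { $_.EventID -eq $id })
    if ($hits.Count -gt 0) {
        "  Event ID $id x" + $hits.Count + " (latest: " + $hits[0].TimeGenerated + ")"
    }
}
if (@($events | Where-Object { $_.EventID -eq 2001 }).Count -eq 0) {
    "  No Event ID 2001 seen: restart SCMDMDeviceEnroll (net stop / net start) and check for Event ID 2002 warnings."
}
```

Run it once with the server name the devices use and once with localhost; a ShouldEnroll page that loads only for localhost points at the IIS site binding or certificate rather than the Enrollment service.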

Invalid Controls and Empty Device Containers

When you use the Enrollment Wizard to create a pre-enrollment request, after you enter the device name and choose Next, you may receive the error message Some controls are not valid. Device container cannot be empty. This error occurs if you did not specify the name of an organizational unit (OU) that will host managed devices.

Management Console Cannot Create New Enrollment Request

After you create a new enrollment request and choose Finish, you may receive various error messages that state the enrollment request could not be created. These error messages may provide additional information that contains sufficient details to diagnose the problem.

To determine whether the problem is with MDM Console or the Enrollment Administration service, create an enrollment request by running the New-EnrollmentRequest cmdlet. If this command succeeds, the problem is with MDM Console. If the command fails with the same error, the problem is with the Enrollment Administration service.

If you encounter errors connecting to the Enrollment service, follow these steps:

  • Make sure that MDM Enrollment Server is running
  • Make sure that you installed the correct certificate for the Enrollment Administration service
  • To check the certificate, start IIS Manager, expand Web Sites, right-click EnrollmentAdmin, select Properties, choose the Directory Security tab, and then choose View Certificate.

Users Do Not Receive Enrollment E-Mail Message

After you create a new enrollment request and specify an e-mail address, the user does not receive the enrollment e-mail message. This e-mail message contains the URL for MDM Enrollment Server and the one-time password for device enrollment.

To resolve this issue, follow these steps:

  • From MDM Console, make sure that you select the Send e-mail check box

  • If you are creating the enrollment request by running the New-EnrollmentRequest cmdlet, use the -SendMail parameter

  • Make sure that the e-mail address for the device owner is correct

  • Specify a valid e-mail sender by running the Set-EnrollmentConfig cmdlet with the -EmailSender parameter. For example:

    Set-EnrollmentConfig -EmailSender administrator@contoso.com

    If the -EmailSender value is not a valid Microsoft Exchange Server 2007 e-mail account, or is otherwise not properly configured to send e-mail, then MDM has no way to send the enrollment e-mail message.

  • On the enrollment server, check Event Viewer for Event ID 2201

  • Run the following MDM Shell command to specify the SMTP server to send e-mail messages:

    Set-EnrollmentConfig -SmtpServer smtp.yourdomain.com
    

    By default, MDM uses localhost to send the e-mail message that contains the one-time enrollment password. When you run the Get-EnrollmentConfig cmdlet in MDM Shell, you can see that the SmtpServer entry specifies localhost.
    The following shows other parameters that you can modify:

    Set-EnrollmentConfig -SmtpServer
    Set-EnrollmentConfig -EmailSubject
    Set-EnrollmentConfig -EmailBodyTemplate
    Set-EnrollmentConfig -EmailSender
    
  • If the enrollment request succeeds but the user does not receive the enrollment e-mail message, check the MDM section in Event Viewer for error message, Event 2201 - Error: System.Net.Mail.SmtpException: Syntax error, command unrecognized. The server response was: 5.7.3 Authentication unsuccessful.
    This error indicates that there was a problem in sending the enrollment e-mail message. This problem can occur if the e-mail system is running Microsoft Exchange Server 2007 with anonymous relay disabled.
    To resolve this issue, enable anonymous relay in Exchange Server 2007 by following the instructions at this Microsoft Web site:
    https://go.microsoft.com/fwlink/?LinkId=108241
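The following script is an added example, not part of the MDM documentation: it reproduces the enrollment-mail path outside MDM by sending one constructed test message from the configured sender through the configured SMTP server, using the same System.Net.Mail classes whose SmtpException appears in Event 2201. It assumes $SmtpServer and $EmailSender are the values shown by Get-EnrollmentConfig and that $Recipient is a mailbox you can check.

```powershell
# Added example, not part of the MDM documentation: sends one test message the way MDM does
# (anonymous SMTP, port 25, System.Net.Mail) so relay problems surface without creating an
# enrollment request. Assumptions: $SmtpServer and $EmailSender match Get-EnrollmentConfig;
# $Recipient is a mailbox you can read. No enrollment password is involved.
param(
    [string]$SmtpServer  = "localhost",
    [string]$EmailSender = "administrator@contoso.com",
    [string]$Recipient   = "user@contoso.com"
)

function Test-EnrollmentMailRelay([string]$Server, [string]$From, [string]$To) {
    $client = New-Object System.Net.Mail.SmtpClient($Server)   # defaults: port 25, no credentials
    $msg = New-Object System.Net.Mail.MailMessage($From, $To,
        "MDM enrollment mail relay test", "Constructed test message; safe to delete.")
    try {
        $client.Send($msg)
        return "OK: $Server accepted mail from $From to $To"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Mail.SmtpException]) {
            if ($ex.Message -match "5\.7\.3") {
                # The exact failure quoted for Event 2201: anonymous relay is disabled on the receive connector.
                return "FAILED (5.7.3 Authentication unsuccessful): enable anonymous relay on Exchange. " + $ex.Message
            }
            return "FAILED (SMTP " + $ex.StatusCode + "): " + $ex.Message
        }
        return "FAILED: " + $ex.GetType().Name + ": " + $ex.Message
    } finally {
        $msg.Dispose()
    }
}

Test-EnrollmentMailRelay $SmtpServer $EmailSender $Recipient
```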

General Access Denied Error When You Enroll a Device

When you enroll a device, you may receive the error message Unable to enroll this device in the company domain.

The EnrollmentServiceLog file contains an entry similar to the following:

System.UnauthorizedAccessException: General access denied error
   at System.DirectoryServices.Interop.UnsafeNativeMethods.IAds.SetInfo()
   at System.DirectoryServices.DirectoryEntry.CommitChanges()
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.ADOperation.AddAccount(EnrollRequest rc)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.ADLayer.AddAccount(RequestContext rc)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.Controller.Execute(RequestContext rc)

This error message indicates that MDM Enrollment Server could not create a device account because of insufficient permissions to the organizational unit (OU) of the device.

To resolve this issue, in MDM Shell, run the following cmdlet:

Set-EnrollmentPermissions -container <device container> 

This error might also occur if the MDM Enrollment Server is installed on a domain controller.

To resolve this issue, make sure that the NT AUTHORITY\Network Service on the domain controller has permissions to MDM. For more information, see Install MDM on a Certification Authority or Domain Controller.

Not Prompted to Restart After Enrollment

The device can enroll successfully. However, you do not receive a message to restart the device. The device is enrolled on the domain but the virtual private network (VPN) connection is never established. This issue occurs when the gateway uniform resource identifier (URI) for the mobile VPN connection is not set correctly.

To resolve this issue, follow these steps:

  • Run the Get-EnrollmentServiceLog MDM Shell cmdlet. Check for the ActivateVPN message value. If the value is set to True, run the Get-EnrollmentConfig cmdlet and verify that the MDM Gateway Server URL is in the output list.

  • If the ActivateVPN message value is set to False, delete the existing pre-enrollment request, configure the gateway URI by running the following command, and then create a new pre-enrollment request.

    Set-EnrollmentConfig -GatewayURI <PublicGatewayDNSName>
    
  • To export the enrollment service log entries, run the following command.

    Get-EnrollmentServiceLog > C:\enrollmentlog.txt
    

Enrolled Device Remains in Pending Enrollments

After you try to enroll a device, the device connection status shows that the device enrolled but the device remains in the Pending Enrollments list in MDM Console, and does not appear in the Managed Devices list. It can require the total expiration time of the enrollment password before MDM removes the device from the Pending Enrollments list.

Or, this issue indicates a problem with device connection to MDM Device Management Server. Until the device contacts MDM Device Management Server and becomes a managed device, it remains in the Pending Enrollments list. The device may not contact MDM Device Management Server for the following reasons:

  • Domain Name System (DNS) name resolution fails. To fix DNS issues, create a hosts file on the device that maps the host name of MDM Device Management Server to its IP address.
  • A firewall is blocking the TCP port 8443 to MDM Device Management Server. Open this port to enable the device to contact MDM Device Management Server.
  • You must have a persistent route from MDM Gateway Server to the company network through the internal firewall. In addition, you must have another route on the firewall server to the MDM client network through MDM Gateway Server. For example:
    • Gateway route one: To add a route to the company network through the internal firewall, run the following command.

      route -p add <corporate subnet> mask 255.255.0.0 <Firewall IP>
      
    • Firewall route two: To add a route to the MDM client network through MDM Gateway Server, run the following command.

      route -p add <Client pool subnet> mask 255.255.0.0 <SCMDM 2008 GW IP>
      

To verify connectivity to MDM Device Management Server when a device connects to MDM Gateway Server successfully, install the MDM Connect Now Tool on the device. This tool is especially useful for forcing synchronization between the device and MDM Device Management Server.

From MDM Device Management Server, at a command prompt, run the netstat -a command. This command retrieves the device name and port number for all active connections, listed by TCP or UDP port number.

For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.

HTTP 401 Unauthorized Logon Failed

You may receive the following error message when you try to enroll:

HTTP 401.1 - Unauthorized: Logon Failed.

This issue can occur if the fully qualified domain name (FQDN) or custom host header does not match the local computer name. It can also occur if you install the Windows Server 2003 operating system with Service Pack 1 (SP1) because this operating system includes a loopback-check security-related feature that helps prevent malicious attacks on your computer.

This issue occurs when the Web site uses Integrated Authentication and has a name that maps to the local loopback address. In a load-balanced array, a server running MDM Console or MDM Shell accesses the Web services on itself through the load balancer.

To resolve this issue, disable loopback checking or specify host names for any computers that are running MDM Enrollment Server. For more information about this issue, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109943.
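The following script is an added example, not part of the MDM documentation, that applies the narrower of the two fixes: it registers the names MDM Enrollment Server answers to in the BackConnectionHostNames list so Integrated Authentication loopback requests succeed, while leaving the loopback check itself enabled (setting DisableLoopbackCheck to 1 turns it off for every name). It assumes $HostNames is the FQDN plus any custom host header the Enrollment Web sites use, and must run as an administrator on each computer that is running MDM Enrollment Server.

```powershell
# Added example, not part of the MDM documentation: exempt only the enrollment server's own
# host names from the loopback check instead of disabling the check for all names.
# Assumption: $HostNames holds the FQDN plus any custom host header used by the Web sites.
param([string[]]$HostNames = @("mdmenroll.contoso.com", "mdmenroll"))

$lsaPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv10Path = "$lsaPath\MSV1_0"

function Add-BackConnectionHostNames([string[]]$Names) {
    # Merge with any names already registered; the value is a REG_MULTI_SZ list.
    $current  = @()
    $existing = (Get-ItemProperty -Path $msv10Path -ErrorAction SilentlyContinue).BackConnectionHostNames
    if ($existing -ne $null) { $current = @($existing) }
    $merged = @(($current + $Names) | ForEach-Object { $_.Trim().ToLower() } | Sort-Object -Unique)
    if ($existing -eq $null) {
        New-ItemProperty -Path $msv10Path -Name BackConnectionHostNames -PropertyType MultiString -Value $merged | Out-Null
    } else {
        Set-ItemProperty -Path $msv10Path -Name BackConnectionHostNames -Value $merged
    }
    return $merged
}

function Test-LoopbackCheckDisabled {
    # True when the broad workaround is already in place, so you know which setting is doing the work.
    $value = (Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue).DisableLoopbackCheck
    return ($value -eq 1)
}

"BackConnectionHostNames now: " + ((Add-BackConnectionHostNames $HostNames) -join ", ")
if (Test-LoopbackCheckDisabled) {
    "Note: DisableLoopbackCheck is 1, so the loopback check is disabled for all names on this computer."
}
"Restart the IISAdmin service (net stop iisadmin /y, then net start w3svc) for the change to take effect."
```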

Device Cannot Enroll Because of DCOM Permissions

When you enroll a device, it may return an error message that states it cannot enroll the device on the domain. For example:

Missing Configuration: CCertRequest::GetCAProperty Access is denied. 0x80070005 (WIN32: 5)

A possible cause could be a problem with DCOM permissions on the certification authority server. If you are running Windows Server 2003 Enterprise Edition with Service Pack 2 (SP2), follow these steps:

  1. Verify that the security group CERTSVC_DCOM_ACCESS was created on the local server. The certification authority creates this group in the CN=Users container.
  2. If the CERTSVC_DCOM_ACCESS group exists, verify that the following groups are members: Domain Users and Domain Computers.
    If you installed the certification authority on a domain controller, and the enterprise has multiple domains, Certificate Services cannot automatically update the DCOM security settings for users and computers from outside the domain of the certification authority. Therefore, you must manually add them to the CERTSVC_DCOM_ACCESS group. If there are users or computers in other domains that also have to enroll together with the certification authority, you must add those users and computers to the CERTSVC_DCOM_ACCESS group.
    If these errors occur on a domain controller, add the DOMAIN CONTROLLERS group to the CERTSVC_DCOM_ACCESS group.
    By default, domain controllers are not members of the Domain Computers global group. Therefore, they do not have sufficient DCOM permissions. Changes that affect the group membership of the certification authority server itself may require a restart before the changes take effect.
  3. Follow these steps to verify that the CERTSVC_DCOM_ACCESS group was added to the DCOM Security Limits group on the certification authority.
    1. On the Start menu, choose Programs, choose Administrative Tools, and then choose Component Services.
    2. Expand Component Services.
    3. Expand Computers.
    4. Right-click My Computer and choose Properties.
    5. On the COM Security tab, under Access Permissions, choose Edit Limits.
    6. In the Access Permission dialog box, on the Security Limits tab, verify that CERTSVC_DCOM_ACCESS is a member of the Groups or user names list.
    7. In the Groups or user names list, select Everyone, and then in the Permissions for everyone list, verify that Local Access and Remote Access are allowed, and then choose OK.
    8. Under Launch and Activation Permissions, choose Edit Limits.
    9. In the Launch Permission dialog box, on the Security Limits tab, in the Groups or user names list, select Everyone, and then in the Permissions for everyone list, verify that Local Activation and Remote Activation are allowed, and then choose OK.
    10. In the My Computer Properties dialog box, choose OK.
    11. Close Component Services.

If the previous steps do not resolve the problem, type the following command at a command prompt to reset the DCOM permissions on the certification authority server:

certutil -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG
net stop certsvc
net start certsvc
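The following script is an added example, not part of the MDM documentation, that checks the CERTSVC_DCOM_ACCESS membership described in steps 1 and 2 from any domain-joined computer using ADSI, without additional modules. It assumes the certification authority is in the current domain, so the group lives in CN=Users of the default naming context, and that $CaIsDomainController is set when the certification authority runs on a domain controller.

```powershell
# Added example, not part of the MDM documentation: verify that CERTSVC_DCOM_ACCESS exists and
# contains the groups the certification authority needs for DCOM access.
# Assumptions: the CA is in the current domain; $CaIsDomainController is $true when the CA
# runs on a domain controller (DCs are not members of Domain Computers by default).
param([bool]$CaIsDomainController = $false)

function Get-CertsvcDcomAccessMembers {
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $domainDn  = [string]$rootDse.defaultNamingContext
    $groupPath = "LDAP://CN=CERTSVC_DCOM_ACCESS,CN=Users,$domainDn"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($groupPath)) {
        return $null    # group was never created: Certificate Services did not finish its DCOM setup
    }
    $group = [ADSI]$groupPath
    return @($group.member | ForEach-Object { [string]$_ })   # member DNs
}

function Test-CertsvcDcomAccess([bool]$OnDomainController) {
    $members = Get-CertsvcDcomAccessMembers
    if ($members -eq $null) { return @("MISSING: CERTSVC_DCOM_ACCESS does not exist in CN=Users") }
    $required = @("Domain Users", "Domain Computers")
    if ($OnDomainController) { $required += "Domain Controllers" }
    $report = @()
    foreach ($name in $required) {
        $present = @($members | Where-Object { $_ -like "CN=$name,*" }).Count -gt 0
        if ($present) { $report += "OK:      $name is a member" }
        else          { $report += "MISSING: $name must be added to CERTSVC_DCOM_ACCESS" }
    }
    return $report
}

Test-CertsvcDcomAccess $CaIsDomainController
```

Users and computers from other domains are not covered by this check; as the steps above note, they must be added to the group manually.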

VPN Icon Does Not Display on a Device After Enrollment

If VPN is not active, the icon and VPN program do not display on the device.

If you run Set-EnrollmentConfig -ActivateVPNbyDefault:$false in the MDM Shell and then enroll a device, the device has the following behavior after it is reset:

  • The device does not connect to the MDM Gateway Server.
  • The "V" icon and Mobile VPN program do not display on the device.
  • You cannot enable VPN with MDMVPNDiag.

This is expected behavior. Setting -ActivateVPNbyDefault:$false means that VPN will not be configured and activated on the device, and the VPN icon and user interface are hidden.

To display the VPN icon on the device, you must activate VPN.

You can activate VPN only during the enrollment process. To activate VPN, you would run the following commands:

  • Set-EnrollmentConfig -ActivateVPNbyDefault:$true
  • Set-EnrollmentConfig -GatewayUri <gatewayURIName>

You must then wipe the device and enroll it again.