Enable logging for automatic certificate request (autoenrollment)

The following is an overview of the Windows Event Viewer events generated for Windows certificate clients, their activation, and their identification.

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and makes it possible to apply rules that secure the automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

Configure logging

In order to log events beyond errors and warnings, a "LogLevel" value with the appropriate content must be created in the relevant registry key (which one depends on whether user or computer certificates are concerned), analogous to the configuration on the certification authority.

The LogLevel directive replaces the previously used AEEventLogLevel directive.

Path                                                 Description
HKCU\Software\Microsoft\Cryptography\AutoEnrollment  User settings, locally configured
HKLM\Software\Microsoft\Cryptography\AutoEnrollment  Computer settings, locally configured

The following command can be used to configure the extended logging for the user context as well as the system context. All events of the types "Error", "Warning" and "Information" are then written.

certutil -setreg Enroll\LogLevel 4

Increasing the logging level can generate a large number of events. Make sure the event log is allowed to grow enough to hold them; otherwise earlier events will be overwritten. It is advisable to raise the logging level only temporarily.

The changes become active directly without a new login or restart.

Setting the key in the user context with the -user parameter has no effect.

The numerical values are translated into the following variables:

Value  Meaning             Notes
0      CERTLOG_MINIMAL
1      CERTLOG_TERSE
2      CERTLOG_ERROR
3      CERTLOG_WARNING     Additionally activates events of the "Warning" level (default setting)
4      CERTLOG_VERBOSE     Additionally activates events of the "Information" level
5      CERTLOG_EXHAUSTIVE

Resetting the logging to the default values is achieved by deleting the previously created key.

certutil -delreg Enroll\LogLevel
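The set-and-reset procedure above, as an added PowerShell example that is not part of the original article: it writes the LogLevel value directly into the two registry keys listed in the table (HKLM for the computer context, HKCU for the user context), records the previous value, and removes the value again when called with -Reset. The function and parameter names are my own; writing to HKLM requires an elevated session.

```powershell
# Added example (not from the original article): manage the autoenrollment
# LogLevel value in both registry contexts listed in the article.
# Function and parameter names are assumptions of this example.
function Set-AutoEnrollmentLogLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0..5 as in the CERTLOG_* table; 4 = CERTLOG_VERBOSE adds "Information" events
        [Parameter(ParameterSetName = 'Set', Mandatory)]
        [ValidateRange(0, 5)]
        [int]$Level,

        # Remove the value again so the default (CERTLOG_WARNING) applies
        [Parameter(ParameterSetName = 'Reset', Mandatory)]
        [switch]$Reset
    )

    # Registry keys from the article: HKLM = computer settings, HKCU = user settings
    $paths = @(
        'HKLM:\Software\Microsoft\Cryptography\AutoEnrollment',
        'HKCU:\Software\Microsoft\Cryptography\AutoEnrollment'
    )

    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }

        $previous = (Get-ItemProperty -Path $path -Name LogLevel -ErrorAction SilentlyContinue).LogLevel

        if ($Reset) {
            if ($null -ne $previous -and $PSCmdlet.ShouldProcess($path, 'Remove LogLevel')) {
                Remove-ItemProperty -Path $path -Name LogLevel
            }
        }
        elseif ($PSCmdlet.ShouldProcess($path, "Set LogLevel = $Level")) {
            Set-ItemProperty -Path $path -Name LogLevel -Value $Level -Type DWord
        }

        # Report previous and current value per context so the change can be verified
        [pscustomobject]@{
            Path     = $path
            Previous = $previous
            Current  = (Get-ItemProperty -Path $path -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
        }
    }
}

# Usage: raise logging temporarily, reproduce the enrollment problem, then reset.
# Set-AutoEnrollmentLogLevel -Level 4
# Set-AutoEnrollmentLogLevel -Reset
```

The -WhatIf switch provided by SupportsShouldProcess lets you preview which keys would be changed before touching a production machine.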

Event Sources

  • Microsoft-Windows-CertificateServicesClient-AutoEnrollment
  • Microsoft-Windows-CertificateServicesClient
  • Microsoft-Windows-CertificateServicesClient-CertEnroll

Events

Microsoft-Windows-CertificateServicesClient-AutoEnrollment

The following Windows PowerShell command can be used to read out the events:

Get-WinEvent -FilterHashtable @{
  LogName='Application'
  ProviderName='Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
}
ID  Type         Event text
1   Information  Automatic certificate enrollment for %1 failed to download certificates for %2 store from %3 (%4). %5
2   Information  Automatic certificate enrollment for %1 started.
3   Information  Automatic certificate enrollment for %1 completed.
4   Information  Automatic certificate enrollment for %1 invoked the enrollment API.
5   Information  Automatic certificate enrollment for %1 returned from the enrollment API.
6   Error        Automatic certificate enrollment for %1 failed (%2) %3.
15  Warning      Automatic certificate enrollment for %1 failed to contact the active directory (%2). %3 enrollment will not be performed.
64  Warning      Certificate for %1 with Thumbprint %2 is about to expire or already expired.

Microsoft-Windows-CertificateServicesClient

The following Windows PowerShell command can be used to read out the events:

Get-WinEvent -FilterHashtable @{
  LogName='Application'
  ProviderName='Microsoft-Windows-CertificateServicesClient'
}
ID    Type         Event text
1     Information  Certificate Services Client has been started successfully.
2     Information  Certificate Services Client has been stopped.
3     Information  Certificate Services Client has detected network connectivity.
4     Information  Certificate Services Client has detected network dis-connectivity.
501   Warning      Certificate Services Client is triggered with bad parameters: %1.
502   Warning      Certificate Services Client failed to register Group Policy notifications. Error code: %1.
1001  Error        Certificate Services Client failed to load Provider %1. Error code %2.
1002  Error        Certificate Services Client cannot find the required interface in Provider %1. Error code %2.
1003  Error        Certificate Services Client failed to invoke the Providers in response to event %1. Error code %2.
1004  Error        Certificate Services Client Provider %1 raised an exception. Exception code %2.

Microsoft-Windows-CertificateServicesClient-CertEnroll

The following Windows PowerShell command can be used to read out the events:

Get-WinEvent -FilterHashtable @{
  LogName='Application'
  ProviderName='Microsoft-Windows-CertificateServicesClient-CertEnroll'
}
ID  Type         Event text
4   Information  Certificate enrollment for %1 could not access local resources or retrieve %2 certificate template information (%3). Enrollment was not performed.
5   Information  Certificate enrollment for %1 could not find any valid certificate templates. Enrollment was not performed.
6   Error        Certificate enrollment for %1 could not find a valid certificate template to match %2. Enrollment was not performed.
9   Error        Certificate enrollment for %1 was denied by %3 when retrieving the pending request for a %2 certificate with request ID %4.
10  Information  Certificate enrollment for %1 archived or deleted, from the Personal certificate store, certificates that have expired, or been revoked or superseded.
11  Warning      Certificate enrollment for %1 could not find a certification authority in the enterprise. Enrollment was not performed.
13  Error        Certificate enrollment for %1 failed to enroll for a %2 certificate with request ID %4 from %3 (%5).
14  Success      Certificate enrollment for %1 received a %2 certificate with request ID %4 from %3 when retrieving pending requests.
15  Warning      Certificate enrollment for %1 failed to retrieve certificate template information from the Policy Server. Enrollment was not performed.
16  Error        Certificate enrollment for %1 failed to renew a %2 certificate with request ID %4 from %3 (%6). The certificate which failed to renew is %5
17  Warning      Certificate enrollment for %1 failed to enroll for a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted.
18  Warning      Certificate enrollment for %1 failed to renew a %2 certificate from certification authority %3 (%4). Another certification authority will be contacted.
19  Information  Certificate enrollment for %1 successfully received a %2 certificate with request ID %4 from certification authority %3.
20  Information  Certificate enrollment for %1 successfully renewed a %2 certificate with request ID %4 from certification authority %3.
21  Success      Certificate enrollment for %1 attempted to enroll for a %2 certificate with request ID %4 from certification authority %3. The request is pending.
22  Success      Certificate enrollment for %1 attempted to renew a %2 certificate with request ID %4 from certification authority %3. The request is pending.
25  Information  Certificate enrollment for %1 failed to update the %2 certificate in the Personal certificate store due to one of the following: Cannot find %2 certificate template from Active Directory. Enrollment access to this template is not allowed.
27  Information  Certificate enrollment for %1 was canceled by the user.
30  Information  Certificate enrollment for %1 was cancelled by the user when requesting a %2 certificate.
32  Information  Certificate enrollment for %1 attempted to retrieve a %2 certificate from %3. The certificate request is still pending.
33  Information  Certificate enrollment for %1 deleted certificates that have expired, or have been revoked or superseded from the user object in Active Directory.
35  Error        Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. A new enrollment for a %2 certificate will be attempted in %3 hours.
36  Error        Certificate enrollment for %1 detected that the DNS name in the %2 certificate does not match the DNS name of the local computer. No more enrollments for %2 certificates will be attempted until the current certificate is revoked or expires because the same error has occurred %3 times.
38  Warning      Certificate enrollment for %1 cannot enroll or renew %2 certificate because user interaction is required on the %2 template in Active Directory.
41  Information  To prevent simultaneous renewal or enrollment from another computer, certificate enrollment for %1 to renew or enroll for a %2 certificate has been skipped.
42  Warning      Certificate enrollment for %1 for the %2 template must be performed by using the machine context.
43  Warning      Certificate enrollment for %1 failed to find a smart card reader for the %2 template. Enrollment will not be performed.
44  Warning      Certificate enrollment for %1 failed to open the user interface (%2).
45  Error        Certificate enrollment for %1 failed to create an enrollment request for a %2 certificate (%3).
46  Warning      Certificate enrollment for %1 could not enroll for a %2 certificate. Read or enrollment access is not allowed for this template.
47  Warning      Certificate enrollment for %1 could not enroll for a %2 certificate. A valid certification authority cannot be found to issue this template.
48  Warning      Certificate enrollment for %1 could not enroll for a %2 certificate. Signature requirements for the certificate cannot be met.
50  Warning      Certificate enrollment for %1 failed to install the certificate response for a %2 certificate with request ID %3 (%4).
51  Warning      Certificate enrollment for %1 for the %2 certificate must be performed under the user context.
52  Warning      The CA certificate for %3 is not trusted. Certificate enrollment for %1 for a %2 certificate failed.
53  Warning      Certificate enrollment for %1 failed to retrieve a %2 certificate from certification authority %3 with request ID %4, and the error returned from the server is %5. Another certification authority will be contacted.
54  Warning      Certificate enrollment for %1 failed to retrieve a pending %2 certificate with request ID %4 from certification authority %3 (%5). The enrollment process will be attempted again later.
55  Warning      Certificate enrollment for %1 for the %2 template could not find specified CSPs on the local machine. Enrollment will not be performed.
56  Information  Certificate enrollment for %1 for the template %2 was not performed because this template has been superseded.
57  Warning      The "%2" provider was not loaded because initialization failed.
58  Warning      The "%3" algorithm for the "%2" provider was not loaded because initialization failed.
59  Warning      Could not determine the signature algorithm for %2 to sign an enrollment request.
60  Warning      Could not find a registered public key algorithm OID for %2 for an enrollment request.
61  Warning      Could not find a registered signature algorithm OID for %1 and %2 to sign an enrollment request.
62  Warning      Could not encode signature parameters for a %2 signature for an enrollment request.
63  Warning      Enrollment Policy Server %2 returned an error when retrieving templates for %1: %3
64  Warning      Certificate enrollment for %1 successfully load policy from policy server %2
65  Warning      Certificate enrollment for %1 is successfully authenticated by policy server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3
66  Warning      Certificate enrollment for %1 is successfully authenticated by enrollment server %2 using authentication mechanism %5 (Credential: %4). Policy Id: %3
67  Warning      Certificate enrollment for %1 failed to load policy from policy servers with ID %2 (%3)
68  Warning      Certificate enrollment for %1 failed in authentication to policy servers with ID %2 (%3)
70  Warning      Certificate enrollment for %1 failed because no valid policy can be obtained from policy servers with ID %2
71  Warning      Certificate enrollment for %1 failed in adding credential to Vault for %2 (%3)
72  Warning      Certificate enrollment for %1 failed because the loaded policy from the policy server %2 is invalid (%3)
73  Warning      Certificate auto enrollment for %1 cannot be done because the policy server %2 turns it off.
74  Warning      Certificate enrollment for %1 failed to load policy from policy server %2 with ID %3 (%4)
75  Warning      Certificate enrollment for %1 failed in authentication to policy server %2 with ID %3 (%6). Authentication mechanism was %5 (Credential: %4).
76  Warning      Certificate enrollment for %1 failed in authentication to enrollment server %2 (%6). Policy Id: %3. Authentication mechanism was %5 (Credential: %4).
77  Warning      Certificate enrollment for %1 cannot enroll from user configured enrollment policy server since it is disabled by group policy
78  Warning      Certificate enrollment for %1 sent a request for template %2 to a ROBO certificate enrollment server %3
79  Warning      Certificate enrollment for %1 sent a request for template %2 to an ANONYMOUS certificate enrollment server %3
80  Warning      Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ROBO and only renewal is supported
81  Warning      Certificate enrollment for %1 cannot enroll for a %2 certificate because the certificate enrollment server %3 is ANONYMOUS and only renewal is supported
82  Warning      Certificate enrollment for %1 failed in authentication to all urls for enrollment server associated with policy id: %2 (%4). Failed to enroll for template: %3
83  Warning      Certificate enrollment for %1 cannot find a credential that meets the selection criteria for url %2 with id %3 (%4)
84  Warning      The credential for URL %2 has been updated from certificate (%4) to certificate (%3) in context %1
85  Warning      Certificate enrollment for %1 for the %2 template could not perform attestation due to an error with the cryptographic hardware using the provider: %3. Request Id: %4.%5
86  Error        SCEP Certificate enrollment initialization for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
87  Error        SCEP Certificate enrollment for %1 via %2 failed: %3 Method: %4 Stage: %5 %6
88  Information  SCEP Certificate enrollment for %1 via %2 succeeded: %3 Method: %4 Stage: %5
89  Error        Could not find a Logon Certificate Template for %1 Template: %2 State: %3 Process: %4 %5
90  Error        Found multiple Logon Certificate Templates for %1 Templates: %2 State: %3 Process: %4 %5
91  Information  Successfully found Logon Certificate Template for %1 Template: %2 State: %3 Process: %4
92  Error        Logon Certificate Request creation for %1 failed for the %2 template for key %3 %4 Process: %5 %6
93  Information  Logon Certificate Request creation for %1 succeeded for the %2 template for key %3 Request thumbprint: %4 Process: %5
94  Error        Failed to install Logon Certificate for %1 failed Request thumbprint: %2 Thumbprint: %3 %4 Process: %5 %6
95  Information  Successfully installed Logon Certificate for %1 Request thumbprint: %2 Thumbprint: %3 Process: %4
96  Error        Failed to remove Logon Certificate request for %1 Request thumbprint: %2 Process: %3 %4
97  Warning      Successfully removed Logon Certificate request for %1 Request thumbprint: %2 Process: %3
98  Error        Failed to import PFX Certificate for %1 Flags: %2 Provider: %3 Container: %4 Process: %5 %6
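The three Get-WinEvent queries above each read a single provider. As an added example that is not part of the original article, the following PowerShell function queries all three client providers at once, keeps only Warning and Error events from a given time window, and summarises them per provider and event ID, annotating a few IDs from the tables above (AutoEnrollment 6, 15 and 64; CertEnroll 13, 46 and 52) that usually deserve a closer look. The function name, the parameter names and the annotation texts are my own choices.

```powershell
# Added example (not from the original article): summarise Warning/Error events
# from all three certificate client providers described in the article.
# Function name, parameters and annotation texts are assumptions of this example.
function Get-CertClientProblemEvents {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Event sources listed in the article
    $providers = @(
        'Microsoft-Windows-CertificateServicesClient-AutoEnrollment',
        'Microsoft-Windows-CertificateServicesClient',
        'Microsoft-Windows-CertificateServicesClient-CertEnroll'
    )

    # Level 1 = Critical, 2 = Error, 3 = Warning; Information (4) is left out on purpose
    $filter = @{
        LogName      = 'Application'
        ProviderName = $providers
        Level        = @(1, 2, 3)
        StartTime    = $StartTime
    }

    # Get-WinEvent reports "No events were found" as an error; treat that as an empty result
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Annotations for event IDs from the article's tables (key = "<provider>/<id>")
    $notes = @{
        'Microsoft-Windows-CertificateServicesClient-AutoEnrollment/6'  = 'Autoenrollment failed'
        'Microsoft-Windows-CertificateServicesClient-AutoEnrollment/15' = 'Active Directory not reachable'
        'Microsoft-Windows-CertificateServicesClient-AutoEnrollment/64' = 'Certificate expiring or expired'
        'Microsoft-Windows-CertificateServicesClient-CertEnroll/13'     = 'Enrollment request failed at the CA'
        'Microsoft-Windows-CertificateServicesClient-CertEnroll/46'     = 'Template does not allow read or enroll'
        'Microsoft-Windows-CertificateServicesClient-CertEnroll/52'     = 'CA certificate not trusted'
    }

    $events |
        Group-Object -Property ProviderName, Id |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Provider = $first.ProviderName
                Id       = $first.Id
                Level    = $first.LevelDisplayName
                Count    = $_.Count
                Latest   = ($_.Group | Sort-Object -Property TimeCreated -Descending)[0].TimeCreated
                Note     = $notes["$($first.ProviderName)/$($first.Id)"]
                # First line of the most recent message as a sample of the rendered text
                Sample   = ($first.Message -split "`r?`n")[0]
            }
        } |
        Sort-Object -Property Count -Descending
}

# Usage:
# Get-CertClientProblemEvents | Format-Table -AutoSize
# Get-CertClientProblemEvents -StartTime (Get-Date).AddHours(-2) -ComputerName 'CLIENT01'
```

Running the function before and after raising LogLevel to 4 makes it easy to see which additional events the verbose setting produces, and the Count column shows at a glance whether a client is retrying the same failing enrollment over and over.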
