Windows 10 Device Enrollment

Hello,

I am receiving the following error when trying to enroll a Windows 10 device into our test MobiControl environment.

What should I do?

MDM Enroll: Server Returned Fault/Code/Subcode/Value=(a:InternalServiceFault) Fault/Reason/Text=(The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework SDK documentation and inspect the server trace logs.).

22 Answers

DDMOD@SOTI | posted this 25 March 2020

Hi Evan,

 

Thank you for requesting a response from SOTI Support Staff.

 

Can you please confirm which type of device you were trying to enroll and which enrollment method you used?

Also, please share the version of SOTI MobiControl you are currently on.

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Evan | posted this 25 March 2020

I am trying to enroll a Windows 10 laptop into our environment.

I have tried this in both version 14.1 and 15.1 and received the same result. 

I am using the built in Windows 10 functionality that has the option under "Access Work or School" that says "Enroll in Device Management Only"

  • 0
  • 0
DDMOD@SOTI | posted this 25 March 2020

Thanks Evan for your prompt reply, the Windows 10 devices can be enrolled only on MobiControl V14 or higher.

The device can be enrolled. Can you please create a case with the SOTI Support Team (click here) to assist you with the step-by-step process of enrolling a Windows 10 laptop?

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Evan | posted this 26 March 2020

I've already tried working with the support team to enroll the device based on certificate and we were not able to enroll the device. Is there any written out process or recommendations for troubleshooting this problem?

  • 0
  • 0
DDMOD@SOTI | posted this 26 March 2020

Hi Evan,

The Windows 10 device you are trying to enroll should be running Windows 10 Update (build 1703) or later

 

Tools Required

  1. Windows Configuration Designer
  2. A self-signed certificate and key pair (along with the .pfx file)
  3. Windows 10 Mobile / Windows 10 Device(s)

 

SSL Certificates

Installing Internet Information Services (IIS)

Objective: Create a Self-Signed Certificate

 

  1. Write in the windows search bar “Turn Windows features on or off”

 

  1. Select Internet Information Services (IIS) and apply the changes


 

  1. Execute the Internet Information Service (IIS) Manager


 

IIS (Internet Information Server) is a web server from Microsoft that is used to host your Web application. IIS has its own Process Engine to handle the request. When a request comes from a client to the server, IIS takes that request, processes it, and sends a response back to the clients.

 

Creating a Self-Signed Certificate

 

  1. Click on Server Certificates

 

 

  1. Click on “Create Self-Signed Certificate”

 

  1. Specifying a certificate name and type

 

 

  1. Checking details: Right-click on the certificate and click on View, then confirm Details 

Scroll to the bottom of the window and copy the “Thumbprint” into Notepad. In this case it was d********************************65d

Exporting the Self-Signed Certificate

 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
DDMOD@SOTI | posted this 26 March 2020

Exporting the Self-Signed Certificate

We will need our self-signed certificate in two forms: as a .cer file to be uploaded to the MobiControl Web Console enrollment rule for Windows, and as a .pfx.

 

Exporting as .cer

 

  1. Open the Manage User Certificates on the Mobicontrol Server

 

  1. Right-click over the Self-Signed Certificate > All Task > Export…

 

  

 

  1. Select “Do not export the private key”


 

 

 

 

  1. Select DER encoded binary X.509 (.CER)

 

 

Exporting the Self-Signed Certificate as .pfx to be used with the Windows Configuration Designer

 

 

  1. Export the self-signed certificate including the private key. Using the same instructions to export the certificate but this time exporting the private

 

  1. Select .PFX


 

  1. Select to use a Password. In this case, it was 123456 but could be anything else (more than 6 characters).



  1. The encryption method for password could be altered. Please note this encryption is different than what is used for the certificate signature algorithm (SHA256RSA, check 4)


 

 

Getting the Root Certificate

  1. Get the MobiControl Root Certificate from the web console.

 

Click on Global Settings > Right-click on “Cloud Link Agents”

 

Be sure to remember the location (folder) where you export both .cer and .pfx certificates and Root certificate. You will need it soon.

 

 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
DDMOD@SOTI | posted this 26 March 2020

Bulk Enrollment Rule - Certificate Based Enrollment

Deactivation of WNS (Windows Notification Services)

  1. Select Global Setting, go to Global Settings > Right-Click on Windows Notification Services Configuration Tool

 

  1. Click on “Opt out of Windows Notification Service” to bypass this service

 

 

Creating the Bulk enrollment rule at MobiControl web Console

 

  1. Select Global Setting, click on Windows > Right-Click on Add Devices > Click on Create Add Devices

 

  1. Assign a rule name

 

 

  1. Choose Certificate Based Enrollment


 

  1. Importing the .cer self-signed certificate and add this certificate

 

 

  1. Select the target device group and add devices rule


 
 

 

 

 

  1. Finish the bulk enrollment rule


 

 

 

 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
DDMOD@SOTI | posted this 26 March 2020

 

Creating a Configuration Package

Objective: Create an enrollment package using Windows Configuration Designer.

 

Install the Windows Configuration Designer onto your computer from the Microsoft Store.

 

  1. Download and install it, then click on Advanced Provisioning

  

  1. Enter a project name and click
  2. Select All Windows editions, since Provisioning CSP is common to all Windows 10 editions, then click Next.
  3. Skip Import a provisioning package (optional) and click
  4. Expand Runtime settings > Workplace > Enrollments
  5. Enter a value in UPN, and then click Add. The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a valid MobiControl web console username with permissions to enroll a device (e.g. Administrator).
  6. On the left navigation pane, expand the UPN and then enter the information for the rest of the settings for the enrollment process. Here is the list of available settings:

 

a. AuthPolicy - Select

b. DiscoveryServiceFullUrl - specify the full URL for the discovery service. (You can get this from the Add Device Rule you created in MobiControl)

c. EnrollmentServiceFullUrl - Optional and in most cases, it should be left

d. PolicyServiceFullUrl - Optional and in most cases, it should be left

e. Secret - Use Certificate thumbprint for the self-signed (See I Part. B. 4).

 

  1. Importing the Client Certificate (self-signed generated certificate)

 

Once the above Workplace settings are configured, the next step is to add ClientCertificate

 

Click on Certificates > ClientCertificates

 

  1. Assign a name for client certificate

 

 

 

  1. CertificatePassword, use the same password used to export the self-signed

 

  1. CertificatePath, Introduce the path of the .pfx certificate

 

  1. Choose the KeyLocation to be Software only. Final settings appearance:

 

Next step is to add the self-signed .cert file and the MobiControl Root CA for the DS the devices will be enrolled into.

 

  1. Importing the MobiControl Root CA Certificate from the Web

 

Go to Runtime settings > Certificates > RootCertificates and fill the certificate name.

 

 

And include the CertificatePath

 

  1. Importing the Self-Signed Certificate (.cer file) Add a new certificate named as selfsigned

 

And add the path for the self-signed .cer certificate

 

 

 

 

  1. When you are done adding all the settings, click on the File menu and click Save.

 

 

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
DDMOD@SOTI | posted this 26 March 2020

 

Exporting the provisioning Package for Bulk Enrollment

  1. On the top of the Windows Configuration Designer, click Export > Provisioning package

 

  1. Enter the values for your package and specify the package output

 

 

 

 

  1. There is no need to encrypt the package as the enrollment process should be seamless on the device

 

  1. Select the location where you want to save your provision package and click Build.

 

 

 

Networking Configurations

  1. Configure the other settings such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., Windows Configuration Designer > Runtime settings > ConnectivityProfiles > WLANSetting)

 

  1. Check that port 443 is open on the firewall (default port for 443)

 

  1. Check connectivity between computers to be enrolled and MobiControl server (e.g. ping command)

 

 

Enrolling Devices

  1. Log in to a Windows 10 device and copy the provisioning package (folder obtained with the steps above).

 

  1. Open that folder and double-click on the .ppkg file (for this case ppkg).

 

  1. Click on Yes!

 

  1. Confirm the successful enrollment on the Windows 10 device by looking at Windows Settings > Accounts > Access work

 

 

 

  1. Check-out on MobiControl Web Console the enrolled device

  

 

  1. Use the Legacy Option for device remote control

 

 

 

 Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
Evan | posted this 30 March 2020

Hello SOTI Support,

 

I've gone through all the steps that you have listed, and it is still not working.

I receive the below error message when I attempt to deploy the provisioning package that I built

Any suggestions on what I can try next?

  • 0
  • 0
DDMOD@SOTI | posted this 31 March 2020

Hi Evan,

 

Can you please confirm the OS version of the device you are trying to enroll?

Also the OS version of the windows on which you generated the self-signed certificates?

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Evan | posted this 01 April 2020

I am trying to enroll a Windows 10 device with certificates generated on a server running Windows 2016 Datacenter

  • 0
  • 0
DDMOD@SOTI | posted this 01 April 2020

Hi Evan,

 

Looks like there is a mismatch of certificates. We need the DSE logs to troubleshoot further and check the certificates in the rule and the package. So, can you please raise a support ticket(Click here) or call +1 905.624.9828 to assist you on this, as we need more details to troubleshoot further?  

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
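The certificate mismatch suggested above can be checked locally on the machine that holds the exported files. The PowerShell below is an added example, not part of the original thread or of SOTI's tooling: it compares the .cer imported into the Add Devices rule, the .pfx set as CertificatePath, and the thumbprint entered as Secret. The function names and file paths are assumptions, and it can only inspect the local copies of the files, not what the server actually holds.

```powershell
# Added example (not from the thread). Function names and paths are assumptions.
function ConvertTo-CleanThumbprint {
    param([string]$Value)
    # Text copied from the certificate Details tab can carry spaces or
    # invisible characters; keep hex digits only.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-EnrollmentCertSet {
    param(
        [Parameter(Mandatory)][string]$CerPath,          # .cer imported into the Add Devices rule
        [Parameter(Mandatory)][string]$PfxPath,          # .pfx set as CertificatePath in the package
        [Parameter(Mandatory)][string]$Secret,           # thumbprint typed into the Secret setting
        [Parameter(Mandatory)][securestring]$PfxPassword # password chosen when exporting the .pfx
    )
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $cer  = New-Object $x509 -ArgumentList (Resolve-Path $CerPath).Path
    $pfx  = New-Object $x509 -ArgumentList (Resolve-Path $PfxPath).Path, $PfxPassword
    $clean = ConvertTo-CleanThumbprint $Secret
    $now   = Get-Date

    $checks = [ordered]@{
        'Secret contains only hex digits'             = ($clean -eq $Secret.ToUpperInvariant())
        'Secret is 40 hex characters (SHA-1)'         = ($clean.Length -eq 40)
        'Secret matches the .cer thumbprint'          = ($clean -eq $cer.Thumbprint)
        '.cer and .pfx are the same certificate'      = ($cer.Thumbprint -eq $pfx.Thumbprint)
        '.pfx contains the private key'               = $pfx.HasPrivateKey
        '.cer does not contain a private key'         = (-not $cer.HasPrivateKey)
        'Certificate is within its validity period'   = ($now -ge $cer.NotBefore -and $now -le $cer.NotAfter)
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = [bool]$_.Value }
    }
}

# Usage with placeholder values (replace with your own export folder and Secret):
$pw = Read-Host -AsSecureString 'PFX password'
Test-EnrollmentCertSet -CerPath 'C:\certs\selfsigned.cer' -PfxPath 'C:\certs\selfsigned.pfx' `
    -Secret '<thumbprint entered as Secret>' -PfxPassword $pw | Format-Table -AutoSize
```

Any row with Passed = False points at which of the three copies to re-export or re-enter before rebuilding the provisioning package.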
Dani Fernandez | posted this 23 April 2020

Hi!

 

How did this topic finish? I'm in the same situation.

 

Thanks!!

  • 0
  • 0
DDMOD@SOTI | posted this 24 April 2020

Hi Dani Fernandez,

 

Can you please share the screen-print of the error message you got while enrolling the Windows 10 device?

Keeping in mind that you have followed the pre-requisites and the same steps mentioned in the above comments, where exactly are you stuck now?

 

Note: Certificate-Based Enrollment for Windows 10 Devices is available only on MobiControl Version 14 or higher. 

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
Dani Fernandez | posted this 05 May 2020

Hello.

I'm trying to enroll a Windows 10 (1909) device with certificates generated on my server running Windows Server 2016 Standard.

I followed all the indications step by step two times without any error, but when I execute the .ppkg, Windows reports an error:




I'm using Mobicontrol 15.

 

In my Event Viewer I can see the same information as Evan (the OP).

  • 0
  • 0
DDMOD@SOTI | posted this 05 May 2020

Hi Dani,

 

May I ask if you have removed the previously installed MobiControl agent from the Win10 device before you re-enroll it again? If you have not yet done it, can you do the following?

1. Go to MobiControl agent installation directory, find and execute the file called 'uninstall.bat'
2. Delete Mobicontrol folder in the installation directory
3. Go to MMC, add snap-in of 'Certificate', get into 'Personal' look for MobiControl agent entry and delete it
4. Reboot the PC and it should be ready to be re-enrolled again

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 1
  • 0
Dani Fernandez | posted this 06 May 2020

Hi.

 

Thanks for the answer. I followed these steps but the error persists.

 

Any idea about the problem or maybe you know a different solution?

 

I don't understand the situation; I have followed all the steps without errors 3 times.

 

 

 

Regards.

 

 

 

  • 0
  • 0
DDMOD@SOTI | posted this 06 May 2020

Hi Dani,

 

SOTI Team should troubleshoot further on your environment to assist you better in enrolling the Windows 10 device. So, can you please raise a support case(click here) or call SOTI Support team(click here) and schedule a meeting to resolve it?

 

Regards,

Technical Support | SOTI Inc. |1.905.624.9828 | support@soti.net | www.soti.net |

  • 0
  • 0
Jeff Burns | posted this 07 May 2020

I had the same issue. Here is how I resolved:

 

  • Open Regedit.
  • Navigate to "HKLM\Software\Microsoft\Enrollments".
  • Change the value of "ExternallyManaged" from 1 to 0.

Close Registry, remove any previous provisioning packages and attempt to install again.

  • 1
  • 0
Dani Fernandez | posted this 13 May 2020

Hello Jeff.

 

I don't see 'ExternallyManaged' in my Regedit. I searched this value but it isn't registered:

 

  • 0
  • 0
Jeff Burns | posted this 16 May 2020

Guessing that's not what is causing your issue then.

 

What is included in your ppkg file? Is it just the settings for enrollment? If it's not, I would recreate the provisioning package and keep it as minimal as possible, with only the settings for enrollment. Some settings can only be applied while imaging the device, and they throw the provisioning error and fail if just run in the OS.

 

Always make sure you're removing the previous provisioning package before installing a new one.

 

Hope you have some luck. 

  • 0
  • 0
