Hi, I am trying to enable logging for Certificate Services Network Device Enrollment Service (NDES). I am following the instructions in the book "Windows Server 2008 PKI and Certificate Security" on page 694. As the instructions indicated, I logged in once as the service account we are using for NDES in order to create a local profile. Next, I logged in as myself (I am in the local administrators group) and opened a command prompt as an administrator and typed the following command: certutil -setreg debug 0xffffffe3 The output of the command was: CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2) CertUtil: The system cannot find the file specified. According to the book, this should have created a file named C:\Users\ServiceAccount\Mscep.log Can anyone advise?

Hi Mike, Can you try the following and report the results? Set the SCEP Application Pool in IIS to "Load User Profile". Here are the steps: 1. Call “iisreset” from an elevated prompt 2. Log in to the MSCEP server once as the Service Account and ensure a local profile is created under “%SystemDrive%\Users” 3. Log off of the Service Account and Log in as an admin 4. Open InetMgr.exe 5. Expand the Connection where the MSCEP Application is running 6. Select “Application Pools” 7. Right click the “SCEP” Application Pool and select “Advance Settings…” 8. Under the “Process Model” section, set the “Load User Profile” to “true” 9. Call “iisreset” from an elevated prompt 10. Try an MSCEP operation and check if the log has been created. 11. Verify “%SystemDrive%\Users\mscep.log” has been created. Thanks, John

John, Thanks for the recommendation. I won't be able to attempt an MSCEP operation until the mobility team has their pieces in place, but it seems like this will work.

I did the steps listed but I am not seeing a log file. I however ran the same command listed in the first posting and did not recieve an error. I'm trying to troubleshoot why I cannot get an iPad connected to our wifi through MS SCEP.