adding new articles to client-management and updating TOC accordingly

windows/client-management/TOC.md

@@ -11,5 +11,9 @@
 ## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md)
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
+## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md)
+### [Data collection for troubleshooting 802.1x Authentication](troubleshooting-802-authentication.md)
+### [Advanced troubleshooting 802.1x authentication](adcanced-troubleshooting-802-authentication.md)
+### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)

windows/client-management/advanced-troubleshooting-802-authentication.md

@@ -0,0 +1,87 @@
+---
+title: Advanced Troubleshooting 802.1x Authentication
+description: Learn how 802.1x Authentication works
+keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 10/26/2018
+---
+ 
+# Advanced Troubleshooting 802.1x Authentication
+ 
+## Overview
+This is a general troubleshooting of 802.1x wireless and wired clients. With 
+802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution.
+ 
+### Scenarios
+This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
+ 
+### Known Issues
+N/A
+ 
+### Data Collection
+Markdown - Advanced Troubleshooting 802.1x Authentication Data Collection
+ 
+### Troubleshooting
+Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications.
+
+NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default.
+Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts.
+ 
+In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it.
+ 
+![example of an audit failure](images/auditfailure.png)
+*Example: event ID 6273 (Audit Failure)*
+‎
+![example of an audit success](images/auditsuccess.png)
+*Example: event ID 6272 (Audit Success)*
+
+‎ 
+The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
+
+On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational).
+
+![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
+ 
+Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). 
+First, make sure which type of EAP method is being used.
+ 
+![eap authentication type comparison](images/comparisontable.png)
+
+ 
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below.
+
+![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
+ 
+The CAPI2 event log will be useful for troubleshooting certificate-related issues.
+This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu.
+
+![screenshot of event viewer](images/eventviewer.png)
+ 
+You can refer to this article about how to analyze CAPI2 event logs.
+[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29)
+For detailed troubleshooting 802.1X authentication issues, it's important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication.
+
+![aithenticatior flow chart](images/authenticator_flow_chart.png)
+ 
+If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side.
+ 
+> [!NOTE]
+> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied.
+ 
+
+![client-side packet capture data](clientsidepacket_cap_data.png)
+_Client-side packet capture data_
+
+![NPS-side packet capture data](NPS_sidepacket_capture_data.png) 
+_NPS-side packet capture data_
+‎ 
+## Additional references
+[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx)
+
+[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx)
+

windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md

@@ -0,0 +1,198 @@
+---
+title: Advanced Troubleshooting Wireless Network Connectivity
+description: Learn how troubleshooting of establishing Wi-Fi connections
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: 
+ms.date:
+---
+# Advanced Troubleshooting Wireless Network Connectivity
+
+> [!NOTE]
+> Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems).
+
+## Overview
+This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients.
+Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. From comparison of a known good flow it is easier to determine the starting point in a repro scenario in which a different behavior is found.
+This workflow involves knowledge and use of TextAnalysisTool, an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario.
+
+## Scenarios
+
+Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7.
+
+> [!NOTE]
+> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario.
+
+Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem.
+
+It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors.
+The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem.
+
+### Known Issues and fixes
+** **
+| **OS version** | **Fixed in** |
+| --- | --- |
+| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) |
+| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) |
+| **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) |
+
+Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system:
+- [Windows 10 version 1803](https://support.microsoft.com/help/4099479)
+- [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454)
+- [Windows 10 version 1703](https://support.microsoft.com/help/4018124)
+- [Windows 10 version 1607 and Windows Server 2016](https://support.microsoft.com/help/4000825)
+- [Windows 10 version 1511](https://support.microsoft.com/help/4000824)
+- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470)
+- [Windows Server 2012](https://support.microsoft.com/help/4009471)
+- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469)
+ 
+### Data Collection
+1. Network Capture with ETW. Use the following command:
+
+    **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl**
+
+2. Reproduce the issue if:
+    - There is a failure to establish connection, try to manually connect
+    - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures)
+    - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data.
+    - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop).
+
+Run this command to stop the trace: **netsh trace stop**
+
+To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl**
+ 
+### Troubleshooting
+The following is a high-level view of the main wifi components in Windows.
+ 
+![Wi-Fi stack components](images/wifistackcomponents.png)
+
+The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows:
+
+- Scanning for wireless networks in range
+- Managing connectivity of wireless networks
+
+The Media Specific Module (MSM) handles security aspects of connection being established.
+
+The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.
+
+Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
+The wifi connection state machine has the following states:
+- Reset
+- Ihv_Configuring
+- Configuring
+- Associating
+- Authenticating
+- Roaming
+- Wait_For_Disconnected
+- Disconnected
+
+Standard wifi connections tend to transition between states such as:
+
+**Connecting**
+
+Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected
+
+**Disconnecting**
+
+Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset
+
+Filtering the ETW trace with the provided TextAnalyisTool (TAT) filter is an easy first step to determine where a failed connection setup is breaking down:
+Use the **FSM transition** trace filter to see the connection state machine.
+Example of a good connection setup:
+
+```
+44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
+47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
+49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected
+```
+Example of a failed connection setup:
+```
+44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset
+45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring
+45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring
+46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating
+47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating
+49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming
+```
+By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components.
+In many cases the next component of interest will be the MSM, which lies just below Wlansvc.
+ 
+![MSM details](images/msmdetails.png)
+
+The important components of the MSM include:
+- Security Manager (SecMgr) - handles all pre and post-connection security operations.
+- Authentication Engine (AuthMgr) – Manages 802.1x auth requests
+Each of these components has their own individual state machines which follow specific transitions.
+Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
+Continuing with the example above, the combined filters look like this:
+
+```
+[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Reset to State: Ihv\_Configuring
+[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Ihv_Configuring to State: Configuring
+[1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Configuring to State: Associating
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --\> ACTIVE (2)
+[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --\> START AUTH (3)
+[4] 0EF8.0708::08/28/17-13:24:28.928[Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED --\> START\_AUTH
+[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Associating to State: Authenticating
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --\> WAIT FOR AUTH SUCCESS (4)
+[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START\_AUTH --\> AUTHENTICATING
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --\> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --\> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Authenticating to State: Roaming
+```
+> [!NOTE]
+> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation.
+
+Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition:
+
+```
+[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Associating to State: Authenticating
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --\> WAIT FOR AUTH SUCCESS (4)
+[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START\_AUTH --\> AUTHENTICATING
+[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY\_STATE\_CHANGE
+[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off )
+[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT\_DOWN
+[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall\_Port\_Down
+[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --\> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --\> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Authenticating to State: Roaming
+```
+The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication.
+Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it.
+Enable trace filter for **[Microsoft-Windows-NWifi]:**
+```
+[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Associating to State: Authenticating
+[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --\> WAIT FOR AUTH SUCCESS (4)
+[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START\_AUTH --\> AUTHENTICATING
+[0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4
+[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY\_STATE\_CHANGE
+[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off )
+[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT\_DOWN
+[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall\_Port\_Down
+[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2
+[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --\> DEACTIVATE (11)
+[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port\<13\> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --\> INACTIVE (1)
+[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State:
+Authenticating to State: Roaming
+```
+The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device.
+
+### **Resources**
+### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10))
+### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29)
+

windows/client-management/troubleshooting-802-authentication.md

@@ -0,0 +1,550 @@
+---
+title: Data Collection for Troubleshooting 802.1x Authentication
+description: Data needed for reviewing 802.1x Authentication issues
+keywords: troubleshooting, data collection, data, 802.1x authentication, authentication
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: kaushika
+ms.date: 10/26/2018
+---
+ 
+# Data Collection for Troubleshooting 802.1x Authentication
+ 
+ 
+## Steps to capture Wireless/Wired functionality logs
+ 
+1. Create C:\MSLOG on the client machine to store captured logs.
+2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+
+**On Windows 7, Winodws 8 Wireless Client**
+```dos
+netsh ras set tracing * enabled
+```
+```dos
+netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+```
+
+**On Windows 8.1, Windows 10 Wireless Client**
+
+```dos
+netsh ras set tracing * enabled
+```
+```dos
+netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_cli.etl
+```
+ 
+**On Wired network client**
+
+```dos
+netsh ras set tracing * enabled
+```
+```dos
+netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_cli.etl
+```
+ 
+3. Run the followind command to enable CAPI2 logging:
+ 
+```dos
+wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+```
+ 
+4. Create C:\MSLOG on the NPS to store captured logs.
+ 
+5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log:
+ 
+**On Windows Server 2008 R2, Winodws Server 2012 Wireless network**
+
+   ```dos
+    netsh ras set tracing * enabled
+   ```
+   ```dos
+    netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+   ```
+ 
+**On Windows Server 2012 R2, Windows Server 2016 Wireless network**
+
+   ```dos
+    netsh ras set tracing * enabled
+   ```
+   ```dos
+    netsh trace start scenario=wlan,wlan\_wpp,wlan\_dbg,wireless\_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wireless\_nps.etl
+   ```
+ 
+**On wired network**
+
+   ```dos
+    netsh ras set tracing * enabled
+   ```
+   ```dos
+    netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%\_wired\_nps.etl
+   ```
+ 
+6. Run the followind command to enable CAPI2 logging:
+
+  ```dos
+    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true
+  ```
+ 
+7. Run the following command from the command prompt on the client machine and start PSR to capture screen images:
+
+ 
+> [!NOTE]
+> When the mouse button is clicked, the cursor will blink in red while capturing a screen image.
+
+   ```dos
+    psr /start /output c:\MSLOG\%computername%\_psr.zip /maxsc 100
+   ```
+ 
+8. Repro the issue.
+ 
+9. Run the following command on the client machine to stop the PSR capturing:
+
+  ```dos
+    psr /stop
+  ```
+ 
+10. Run the following commands from the command prompt on the NPS.
+ 
+**Stopping RAS trace log and Wireless scenario log**
+
+   ```dos
+    netsh trace stop
+   ```
+   ```dos
+    netsh ras set tracing * disabled
+   ```
+ 
+**Disabling and copying CAPI2 log**
+    
+   ```dos
+    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+   ```
+   ```dos
+    wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+   ```
+ 
+11. Run the following commands from the prompt on the client machine.
+ 
+**Stopping RAS trace log and Wireless scenario log**
+
+  ```dos
+    netsh trace stop
+   ```
+   ```dos
+    netsh ras set tracing * disabled
+   ```
+ 
+**Disabling and copying CAPI2 log**
+
+   ```dos
+    wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false
+   ```
+   ```dos
+    wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\CAPI2\_%COMPUTERNAME%.evtx
+   ```
+ 
+12. Save the following logs on the client and the NPS.
+ 
+**Client**
+ - C:\MSLOG\%computername%_psr.zip
+ - C:\MSLOG\CAPI2_%COMPUTERNAME%.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl
+ - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab
+ - All log files and folders in %Systemroot%\Tracing
+ 
+**NPS**
+ - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario)
+ - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario)
+ - All log files and folders in %Systemroot%\Tracing
+ 
+ 
+### Steps to save environmental / configuration information
+ 
+**Client**
+1. Create C:\MSLOG to store captured logs.
+2. Launch a command prompt as an administrator.
+3. Run the following commands.
+    - Environmental information and Group Policies application status
+         ```dos                
+            gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.htm
+            
+            msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+            
+            ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+              
+            route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+         ```
+ 
+**Event logs**
+ 
+```dos
+wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+           
+wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+           
+wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+           
+wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+           
+wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx
+           
+wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%\_Microsoft-Windows-Wired-AutoConfig-Operational.evtx
+           
+wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+           
+wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+```
+            
+**Run the following command on Windows 8 and above **
+```dos
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+```
+ 
+**Certificates Store information**
+        
+```dos
+certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+            
+certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+    
+certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+            
+certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+            
+certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+            
+certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+            
+certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+            
+certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+            
+certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+```
+ 
+**Wireless LAN Client information**
+```dos
+netsh wlan show all > c:\MSLOG\%COMPUTERNAME%\_wlan\_show\_all.txt
+            
+netsh wlan export profile folder=c:\MSLOG\
+```
+ 
+**Wired LAN Client information**
+```dos
+netsh lan show all > c:\MSLOG\%COMPUTERNAME%\_lan\_show\_all.txt
+            
+netsh lan export profile folder=c:\MSLOG\
+```
+ 
+4. Save the logs stored in C:\MSLOG.
+ 
+ 
+**NPS**
+    1. Create C:\MSLOG to store captured logs.
+    2. Launch a command prompt as an administrator.
+    3. Run the following commands:
+
+   **Environmental information and Group Policies application status**
+
+   ```dos
+   gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
+            
+   msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+            
+   ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+            
+   route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+   ```
+ 
+**Event logs**
+```dos
+wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+            
+wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+            
+wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+            
+wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+```
+
+**Run the following 3 commands on Windows Server 2012 and above:**
+```dos
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+```
+ 
+**Certificates store information**
+```dos
+certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+            
+certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+            
+certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+            
+certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+            
+certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+            
+certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+            
+certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+            
+certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+```
+ 
+**NPS configuration information**
+```dos
+netsh nps show config > C:\MSLOG\%COMPUTERNAME%\_nps\_show\_config.txt
+            
+netsh nps export filename=C:\MSLOG\%COMPUTERNAME%\_nps\_export.xml exportPSK=YES
+```
+ 
+3. Take the following steps to save an NPS accounting log:
+4. Launch **Administrative tools** - **Network Policy Server**.
+    - On the Network Policy Server administration tool, select **Accounting** in the left pane.
+    - Click **Change Log File Properties** in the right pane.
+    - Click the **Log File** tab, note the log file naming convention shown as *Name* and the log file location shown in the **Directory** box.
+    - Copy the log file to C:\MSLOG.
+    - Save the logs stored in C:\MSLOG.
+ 
+ 
+**Certificate Authority (CA)** *Optional*
+
+1. On a CA, launch a command prompt as an administrator.
+2. Create C:\MSLOG to store captured logs.
+3. Run the following commands:
+
+Environmental information and Group Policies application status
+
+```dos
+gpresult /H C:\MSLOG\%COMPUTERNAME%\_gpresult.txt
+            
+msinfo32 /report c:\MSLOG\%COMPUTERNAME%\_msinfo32.txt
+            
+ipconfig /all > c:\MSLOG\%COMPUTERNAME%\_ipconfig.txt
+            
+route print > c:\MSLOG\%COMPUTERNAME%\_route\_print.txt
+```
+ 
+**Event logs**
+```dos
+wevtutil epl Application c:\MSLOG\%COMPUTERNAME%\_Application.evtx
+            
+wevtutil epl System c:\MSLOG\%COMPUTERNAME%\_System.evtx
+            
+wevtutil epl Security c:\MSLOG\%COMPUTERNAME%\_Security.evtx
+            
+wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%\_GroupPolicy\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-CredentialRoaming\_Operational.evtx
+            
+wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%\_CertPoleEng\_Operational.evtx
+```
+
+**Run the following 3 lines on Windows 2012 and up:**
+
+```dos
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-System\_Operational.evtx
+ 
+wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServicesClient-Lifecycle-User\_Operational.evtx
+ 
+wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%\_CertificateServices-Deployment\_Operational.evtx
+```
+            
+**Certificates store information**
+
+```dos
+certutil.exe -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-Personal-Registry.txt
+            
+certutil.exe -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-TrustedRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Reg.txt
+            
+certutil.exe -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-EnterpriseTrust-Enterprise.txt
+            
+certutil.exe -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%\_cert-Intermediate-Enterprise.txt
+            
+certutil.exe -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-3rdPartyRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-SmartCardRoot-Enterprise.txt
+            
+certutil.exe -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%\_cert-NtAuth-Enterprise.txt
+            
+certutil.exe -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%\_cert-User-Personal-Registry.txt
+            
+certutil.exe -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%\_cert-User-TrustedRootCA-Enterprise.txt
+            
+certutil.exe -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%\_cert-User-EnterpriseTrust-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%\_cert-User-IntermediateCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%\_cert-User-UntrustedCertificates-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-3rdPartyRootCA-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-Registry.txt
+            
+certutil.exe -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%\_cert-User-SmartCardRoot-GroupPolicy.txt
+            
+certutil.exe -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%\_cert-User-UserDS.txt
+```
+            
+**CA configuration information**
+```dos
+reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.hiv
+            
+reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%\_CertSvc.txt
+            
+reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.hiv
+            
+reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%\_Cryptography.tx
+```
+            
+4. Copy the following files, if exist, to C:\MSLOG. %windir%\CAPolicy.inf
+5. Log on to a domain controller and create C:\MSLOG to store captured logs.
+6. Launch Windows PowerShell as an administrator.
+7. Run the following PowerShell commandlets
+
+        \* Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain.
+```powershell
+Import-Module ActiveDirectory
+        
+Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject\_$Env:COMPUTERNAME.txt
+```
+8. Save the following logs:
+- All files in C:\MSLOG on the CA
+- All files in C:\MSLOG on the domain controller
+