Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

AMT Intel Vpro with Microsoft SCCM 2012 CU1 RTM

idata
Employee
1,096 Views

Hi all,

 

We have a problem with the Intel AMT VPRO function. This function has always functioned in SCCM 2007. We initiated a migration to SCCM 2012. We created models correpsondants certificate for SCCM 2012. However, impossible to provisionning a machines with AMT function with SCCM 2012, we have opened an incident with Microsoft. Manipulation by Microsoft to solve the problem was to modify the certificate template to use Web UPN. From this point, we actually managed to provision machines. The problem is, the template that was modified was the certificate template website used by SCCM 2007 and not the 2012 !

Result : 88 machines is still clinging to the old SCCM 2007 infrastructure. Impossible to de provisioning them from the console 2007 or impossible to provision for these machines from the console in 2012! Errors specified stipulate a connection problem related to web use certificate (TLS error).

 

Microsoft's explanation is: "The certificate housed in the "chip" AMT rejects us with a 401 (Unauthorized). Certificate is a priori wrong following the sharing of infrastructure between template ConfigMgr 2007/2012. Knows ConfigMgr 2007 not exceeded provisioned machines in this scenario "unexpected" as the template that was used was not consistent. this amounts to putting something in a box, which we do not have the key " The only solution found so far is removing the BIOS battery !!

 

Tools Intel UnprovisionEx.exe does not work! -> Error 401.

Even specifying a specific certificate in the command line !

# PSexec -i -s -d CMD.exe /k

# UnprovisionEx.exe -hostname Machine_Name -user admin -pass ******** -full -cert XXXXXXX

# ... (Failed 401)

Scenario : To simulate what SCCM tries to ...

When we try to log on to the web portal of AMT machines problematic using the correct login and password correctly, we rejected. If you check the certificate used by the AMT portal, we do seet hat it is still linked to the old server 2007. As web template for SCCM 2007 was amended and SCCM 2012 can not access this machine, It is unmanageable !!! If we trigger the provisioning for the SCCM 2012 HASH used is actually not the one expected by the target machine ; Idem from the SCCM console, 2007 model web certificate has been altered by the action of Microsoft (following the opening of the incident)

 

My question is : Do you have a method (Tools, Script, etc..) to clear the AMT informations and the certificate used by the chip VPRO and/or method to inject the correct certificate. A Method we avoid removing the BIOS battery, knowing that we are dealing with laptops, scattered in nature?

Thank you for your help,

Sincerely,

 

Mitchawkes
0 Kudos
0 Replies
Reply