Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

AMT Provisioning hell

idata
Employee

Hi all,

I am having major issues with getting clients to provision, with a couple of different error messages. I've read through a lot of the posts on this forum and have been pulling my hair out for days now (pulling hair doesn't fix it).

One client is AMT version 4.0.8, the other is 3.2.1. I am using an internally provisioned certificate as this is a proof of concept before purchasing a 3rd party cert later on. For the AMT 4.0.8 client, provisioning almost works: the client certificate is issued and the object is created in AD, but then the process fails. Here is the relevant portion of the log:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Provision target is indicated with SMS resource id. (MachineId = 3486 P57753.parldev.net) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=DEVSCCMMP1 SITE=APH PID=4828 TID=5304 GMTDATE=Wed Jun 17 06:31:55.335 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
Found valid basic machine property for machine id = 3486. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
The provision mode for device P57753.parldev.net is 1. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Warning: We don't have an provision certificate with old recorded hash. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Attempting to try all provision certificate to connect target device. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Create provisionHelper with (Hash: 1EE4C5863DC71989CE1F103654B44E0709EC41D8) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Try to use provisioning account to connect target machine P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Succeed to connect target machine P57753.parldev.net and core version with 4.0.8 using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:00 PM 5436 (0x153C)
GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:04 PM 5436 (0x153C)
Get device provisioning state is In Provisioning SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:04 PM 5436 (0x153C)
Passed OTP check on AMT device P57753.parldev.net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Machine P57753.parldev.net will be added and published to AD and OU is /OU=AMT LDAP://OU=AMT Managed Computers,OU=NexGen Computers,DC=parldev,DC=net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Send request to AMT proxy component to add machine P57753.parldev.net to AD. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Successfully created instruction file for AMT proxy task: D:\SMS\MP\OUTBOXES\amtproxy.box SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Processing provision on AMT device P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Found client certificate already being generated for AMT device P57753.parldev.net. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
Start 1st stage provision on AMT device P57753.parldev.net. (SOAP) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:08 PM 5436 (0x153C)
SecurityAdministration.ClearTLSCredentials finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:12 PM 5436 (0x153C)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:15 PM 5304 (0x14B8)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:15 PM 5304 (0x14B8)
NetworkTime.GetLowAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:16 PM 5436 (0x153C)
NetworkTime.SetHighAccuracyTimeSynch finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:18 PM 5436 (0x153C)
NetworkAdmin.SetHostName finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:23 PM 5436 (0x153C)
NetworkAdmin.SetDomainName finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:27 PM 5436 (0x153C)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5304 (0x14B8)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5304 (0x14B8)
SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5436 (0x153C)
SecurityAdministration.SetTlsEnabled finished with HResult = 0x80004005, status = 0x0, clientError = 10. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)
Error: Failed to finish critical setup and configuration step. (pProvisionHelper->SetTlsEnabled) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)
Error: Can't finish provision on AMT device P57753.parldev.net with configuration code (30)! SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)

My environment is Server 2008 64-bit with the OOB management point on a separate server to the primary site server. The other client, the AMT 3.2.1, has a different issue, although the MEBx settings are the same. It doesn't get as far:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
Provision target is indicated with SMS resource id. (MachineId = 3486 P57753.parldev.net) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=DEVSCCMMP1 SITE=APH PID=4828 TID=5304 GMTDATE=Wed Jun 17 06:31:55.335 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5304 (0x14B8)
AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 17/06/20...
23 Replies

idata
Employee

Hi Bob,

Before you go pulling out any more hair, let's take a look at a few things. I haven't personally tested AMT provisioning on Windows Server 2008 64-bit, but it does appear to be a supported configuration by Microsoft as long as it was installed fresh from SP1-based media, and not installed RTM, then upgraded to SP1. Can you validate that this is how the site server was installed?

Based upon your log files, we can make the following assumptions:

  • TLS certificates are being generated by your internal CA properly
  • Client DNS records (A and PTR) are correct
  • DHCP option is configured correctly (or is overridden in the MEBx)

Have these AMT devices ever been provisioned in a different manner before? Did you perhaps test them out using one of the more basic provisioning methods? If so, you may want to factory reset the AMT firmware by pulling power and the CMOS battery. Doing a factory reset is a pretty good step to do anyway, just to make sure we're working with a "vanilla" system.

Something else I'd like to look at is the amtproxymgr.log file. I see that the request is being made from the amtopmgr component to create an Active Directory computer object on behalf of the AMT client, but I am concerned that it may not actually be getting created in the directory. Aside from the amtproxymgr.log file, can you validate that the computer accounts are being created in the OU you specified in your OOB Component Configuration for this ConfigMgr site?

Hope this helps!

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

William_Y_Intel
Employee

Bob, you didn't mention the specific platform (or management console) you are running, but you may want to go to our OEM site and download the latest BIOS and AMT firmware (these are often bundled for some vendors) to ensure you are running the latest firmware for AMT. There have been a few fixes to address issues, so I would start there and then report any changes in provisioning.

idata
Employee

Thanks for the replies Trevor and William. The clients are running Vista SP1 32-bit and the management console is SCCM SP1 (not upgraded from the RTM version). The client hardware is Dell 755 and Toshiba M10 (there are other hardware models we will support, but these are the test examples). I have downloaded and installed the latest AMT firmware (included in the BIOS update) for the 755; this didn't make any difference.

I tried pulling the CMOS battery to reset the MEBx on one of the clients, but unfortunately this did not have any effect.

The 2 clients were behaving differently. The M10 was getting an object created in AD in the correct OU and a client certificate issued; whereas the 755 would not. Today, both clients have the same issue, with the server unable to make a connection to the client.

Try to use provisioning account to connect target machine P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:48 AM 5928 (0x1728)
Fail to connect and get core version of machine P57753.parldev.net using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:49 AM 5928 (0x1728)
Try to use default factory account to connect target machine P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:49 AM 5928 (0x1728)
Fail to connect and get core version of machine P57753.parldev.net using default factory account. SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:50 AM 5928 (0x1728)
Try to use provisioned account (random generated password) to connect target machine P57753.parldev.net... SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:50 AM 5928 (0x1728)
Fail to connect and get core version of machine P57753.parldev.net using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:51 AM 5928 (0x1728)
Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 3486) SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:51 AM 5928 (0x1728)
Error: Can NOT establish connection with target device. (MachineId = 3486) SMS_AMT_OPERATION_MANAGER 6/19/2009 10:45:51 AM 5928 (0x1728)

Now, as I am using an internally generated provisioning certificate, I have had to change the default MEBx password. I'm a little unsure if I have set this correctly in SCCM. What I have done is: in OOB management properties, Provisioning settings tab; I have added an account called 'admin' with the password that I have set in the MEBx of the clients. Is this correct? (it was connecting to the M10 yesterday, but is failing now)

Bob

idata
Employee

Update:

The M10 is now acting the same as it was yesterday. It looks like the server connects to it fine now:

Succeed to connect target machine P57753.parldev.net and core version with 4.0.8 using provisioning account

But then fails later on:

SecurityAdministration.SetTlsEnabled finished with HResult = 0x80004005, status = 0x0, clientError = 10. SMS_AMT_OPERATION_MANAGER 6/19/2009 11:49:49 AM 5184 (0x1440)
Error: Failed to finish critical setup and configuration step. (pProvisionHelper->SetTlsEnabled) SMS_AMT_OPERATION_MANAGER 6/19/2009 11:49:49 AM 5184 (0x1440)
Error: Can't finish provision on AMT device P57753.parldev.net with configuration code (30)! SMS_AMT_OPERATION_MANAGER 6/19/2009 11:49:49 AM 5184 (0x1440)

I had deleted the object in AD, and this was recreated. Could this be a client certificate issue?

idata
Employee

When provisioning, this line appears in the log:

Found client certificate already being generated for AMT device P57753.parldev.net. SMS_AMT_OPERATION_MANAGER 6/19/2009 12:16:38 PM 4876 (0x130C)

idata
Employee

Hi Bob,

Having done a little bit of research, I found out that the SetTlsEnabled function is actually deprecated in AMT 2.0 and later. It was originally used in the AMT 1.0 platform, and starting with the 4.0 platform, is not supported at all. With this fact in mind, I would have to first ask you ... have you installed the http://support.microsoft.com/default.aspx?scid=kb;en-us;960804 Microsoft KB960804 hotfix? This ConfigMgr hotfix enables support for the AMT 4.0 and 5.0 platforms, and also includes some other hotfixes that resolve issues with the 2.2, 2.6 and 3.2 firmware versions as well. If you have already applied this hotfix, please try re-installing it, and then rebooting your site server, to see if this clears up the issue.

FYI, I was able to find the information about the SetTlsEnabled function in the http://software.intel.com/en-us/articles/intel-active-management-technology-software-development-kit/ Intel AMT SDK 5.1 documentation. There is a document titled "Network Interface Guide.pdf" which is the programmer's documentation on how to access an AMT device using its remote (only) network administration interface. The SetTlsEnabled function has been replaced by the SetTlsOptions function on the AMT 4.0 (and greater) platforms.

I have not had a lot of experience provisioning AMT 4.0 devices, but I do know that I have been able to provision AMT 4.0 devices previously using our Configuration Manager infrastructure.

----------------------

What operating system is your ConfigMgr site server running, and what service pack? Is your site server fully patched with security and non-security patches?

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata
Employee

Hi Trevor,

Well, I have attempted to install that hotfix rollup, but the installer errored and refused to install. I had a look at the individual hotfixes included and most of them do not have installers for a server 2008 x64 system (even though I have some of the same issues, such as the sms executive crashing). Also the OOB management point is not installed on the primary site server. The hotfix installer refuses to install on the server running the OOB management point, and fails with an error on the primary site server. All SCCM servers are 2008 x64 patched to current levels.

So the short answer is 'no'.

I will try each hotfix individually and post back the results, hopefully this helps, thanks for the advice.

Bob

idata
Employee

Bob,

There is a 64-bit version of the KB960804 hotfix. You may need to contact Microsoft in order to obtain it, however.

Let me know if you have trouble getting it.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata
Employee

Thanks for all the help so far Trevor, I now have 1 provisioned machine, which is working very well.

The hotfix rollup would continue to error and refuse to install (64-bit version), so I downloaded the individual hotfixes and installed them separately. I didn't install all of them, but hotfix 957183 was the problem patch and still refused to install; the other hotfixes installed correctly. After installing the patches, performing a site reset and rebooting the OOB management point server, I was able to successfully provision the Toshiba M10 client running AMT 4.0.8.

Unfortunately, the other systems are having issues. Here is the relevant log section:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Provision target is indicated with SMS resource id. (MachineId = 3518 P57238.parldev.net) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Found valid basic machine property for machine id = 3518. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
The provision mode for device P57238.parldev.net is 1. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Warning: We don't have an provision certificate with old recorded hash. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Attempting to try all provision certificate to connect target device. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Create provisionHelper with (Hash: 1EE4C5863DC71989CE1F103654B44E0709EC41D8) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Try to use provisioning account to connect target machine P57238.parldev.net... SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
AMT Provision Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 2228 (0x08B4)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 2228 (0x08B4)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
**** Error 0x3bcb2f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Fail to connect and get core version of machine P57238.parldev.net using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Try to use default factory account to connect target machine P57238.parldev.net... SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
**** Error 0x3bcb2f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Fail to connect and get core version of machine P57238.parldev.net using default factory account. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Try to use provisioned account (random generated password) to connect target machine P57238.parldev.net... SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
**** Error 0x3bcb2f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Fail to connect and get core version of machine P57238.parldev.net using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 3518) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
Error: Can NOT establish connection with target device. (MachineId = 3518) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)

I have again removed the CMOS battery to reset the MEBx, but no change. The client does get a provisioning record at this time, but can't be managed. The settings in the BIOS are the same as the provisioned device and they are on the same subnet etc. Any ideas as to the cause of this one?
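The two failure patterns in this thread (a device that connects and then fails at SecurityAdministration.SetTlsEnabled with HResult 0x80004005, and a device the server never reaches because InitializeSecurityContext returns 0x80090304 during the TLS handshake) are easy to confuse when amtopmgr.log carries many runs. The script below is an added example, not code from the thread or from ConfigMgr: it strips the component/timestamp stamp from each line, groups lines by the target FQDN announced in the "MachineId = ... " line, records non-zero HResults, Schannel/SSPI errors and the final configuration code, and classifies each device as failing at the connect stage or the configure stage. The regexes are assumptions derived from the log lines quoted above; the sample log is a constructed subset of those lines; 0x80004005 is E_FAIL and 0x80090304 is SEC_E_INTERNAL_ERROR, any other code is reported as an unknown hex value.

```python
"""Added example: per-device triage of ConfigMgr amtopmgr.log provisioning runs.

Not part of the thread and not ConfigMgr code. The regexes below are
assumptions derived from the quoted log lines; SAMPLE_LOG is a constructed
subset of those lines.
"""
import re
from collections import OrderedDict

# Every amtopmgr.log line ends with "SMS_AMT_OPERATION_MANAGER <date> <time> <AM|PM> <tid> (0xtid)".
STAMP_RE = re.compile(
    r"\s+SMS_AMT_OPERATION_MANAGER\s+\S+\s+\S+\s+[AP]M\s+\d+\s+\(0x[0-9A-Fa-f]+\)\s*$")
# A run names its target by resource id and FQDN: "(MachineId = 3486 P57753.parldev.net)".
TARGET_RE = re.compile(r"MachineId = (\d+) ([A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+)")
# "<Interface>.<Method> finished with HResult = 0x..." reports a SOAP call result.
API_RE = re.compile(r"^(\w+\.\w+) finished with HResult = 0x([0-9A-Fa-f]+)")
# Schannel/SSPI failures while the server negotiates TLS with the device.
SSPI_RE = re.compile(r"Error 0x([0-9A-Fa-f]+) returned by (\w+)")
CONFIG_CODE_RE = re.compile(r"configuration code \((\d+)\)")

# Only codes whose meaning is certain; everything else is reported as "unknown".
KNOWN_CODES = {
    0x80004005: "E_FAIL",
    0x80090304: "SEC_E_INTERNAL_ERROR",
}


def code_name(code):
    return KNOWN_CODES.get(code, "unknown")


def triage(lines):
    """Map each target FQDN to what its provisioning run achieved and where it broke.

    Several runs for the same FQDN accumulate into one entry, in log order.
    """
    report = OrderedDict()
    entry = None
    for raw in lines:
        msg = STAMP_RE.sub("", raw.rstrip())
        if not msg.strip():
            continue
        target = TARGET_RE.search(msg)
        if target:
            entry = report.setdefault(target.group(2), {
                "machine_id": int(target.group(1)), "connected": False,
                "failures": [], "config_code": None})
            continue
        if entry is None:
            continue  # worker chatter before the first target line
        if msg.startswith("Succeed to connect target machine"):
            entry["connected"] = True
        api = API_RE.match(msg)
        if api and int(api.group(2), 16) != 0:
            code = int(api.group(2), 16)
            entry["failures"].append(f"{api.group(1)} 0x{code:08X} ({code_name(code)})")
        sspi = SSPI_RE.search(msg)
        if sspi:
            code = int(sspi.group(1), 16)
            entry["failures"].append(f"{sspi.group(2)} 0x{code:08X} ({code_name(code)})")
        cfg = CONFIG_CODE_RE.search(msg)
        if cfg:
            entry["config_code"] = int(cfg.group(1))
        if "Can NOT establish connection" in msg:
            entry["failures"].append("no connection to device")
    return report


def failure_stage(entry):
    """'connect' if the server never reached the device, 'configure' if a call failed after it did."""
    if not entry["connected"]:
        return "connect"
    if entry["failures"] or entry["config_code"] is not None:
        return "configure"
    return "ok"


# Constructed sample: a subset of the lines quoted in this thread, in order.
SAMPLE_LOG = [
    "Provision target is indicated with SMS resource id. (MachineId = 3486 P57753.parldev.net) SMS_AMT_OPERATION_MANAGER 17/06/2009 4:31:55 PM 5436 (0x153C)",
    "Succeed to connect target machine P57753.parldev.net and core version with 4.0.8 using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:00 PM 5436 (0x153C)",
    "SecurityAdministration.SetTLSCertificateWithKeyPair finished with HResult = 0x0, status = 0x0. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:35 PM 5436 (0x153C)",
    "SecurityAdministration.SetTlsEnabled finished with HResult = 0x80004005, status = 0x0, clientError = 10. SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)",
    "Error: Can't finish provision on AMT device P57753.parldev.net with configuration code (30)! SMS_AMT_OPERATION_MANAGER 17/06/2009 4:32:39 PM 5436 (0x153C)",
    "Provision target is indicated with SMS resource id. (MachineId = 3518 P57238.parldev.net) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)",
    "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)",
    "**** Error 0x3bcb2f0 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)",
    "Error: Can NOT establish connection with target device. (MachineId = 3518) SMS_AMT_OPERATION_MANAGER 22/06/2009 10:47:27 AM 5012 (0x1394)",
]

if __name__ == "__main__":
    for fqdn, info in triage(SAMPLE_LOG).items():
        print(f"{fqdn} (id {info['machine_id']}): stage={failure_stage(info)} "
              f"config_code={info['config_code']} failures={info['failures']}")
```

Run against a full amtopmgr.log (`triage(open(path, errors="replace"))`), the "connect" devices are the ones to check for DNS, DHCP option 15 and the root CA hash in the MEBx, since the server never got past the TLS handshake; the "configure" devices did authenticate and need the server-side fix (here the KB960804 hotfixes for the SetTlsEnabled call).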

idata
Employee

Bob,

I'm glad to hear you're making progress!

The first things I'd check with the problem clients are:

  • DHCP option 15
  • DNS (A and PTR client records) - validate these using nslookup from the site server

If these are correct, please validate the root CA hash of your provisioning certificate, and ensure that it appears correctly in the MEBx. Have you tried performing a factory reset on the problem clients as well? It may be beneficial to run the http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html meinfowin.exe tool, just to see what the client's provisioning status is.

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation
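Trevor's first two checks (DHCP option 15 and matching A/PTR records, verified with nslookup from the site server) are worth scripting when more than a couple of clients are failing, because a stale PTR is exactly the kind of thing a manual nslookup glance misses. The function below is an added example, not code from the thread or from any Intel or Microsoft tool: for a client FQDN it resolves the A record(s), reverse-resolves each address and reports every disagreement, including extra PTR names left over from earlier hostnames. The resolver functions are injectable so the check runs offline against the constructed zone data included here; the live resolvers use the standard `socket` module and are an assumption about how a practitioner would wire it up.

```python
"""Added example: forward/reverse DNS consistency check for AMT clients.

Not part of the thread. FAKE_A / FAKE_PTR are constructed zone data
modelled on the symptom described later in the thread (one client with
several PTR entries); the live resolvers are an assumption about wiring.
"""
import socket


def resolve_a(fqdn):
    """Live forward lookup: every IPv4 address published for fqdn."""
    return socket.gethostbyname_ex(fqdn)[2]


def resolve_ptr(ip):
    """Live reverse lookup: canonical name plus any aliases the resolver returns."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return [name] + aliases


def _canon(name):
    return name.rstrip(".").lower()


def check_client(fqdn, forward=resolve_a, reverse=resolve_ptr):
    """Return a list of problems for one client; an empty list means A and PTR agree."""
    fqdn = _canon(fqdn)
    problems = []
    try:
        addrs = forward(fqdn)
    except OSError as exc:  # socket.gaierror / herror are OSError subclasses
        return [f"{fqdn}: no A record ({exc})"]
    if not addrs:
        return [f"{fqdn}: no A record"]
    if len(addrs) > 1:
        problems.append(f"{fqdn}: {len(addrs)} A records {sorted(addrs)}, expected one")
    for ip in addrs:
        try:
            names = sorted({_canon(n) for n in reverse(ip)})
        except OSError:
            problems.append(f"{ip}: no PTR record")
            continue
        if fqdn not in names:
            problems.append(f"{ip}: PTR is {names}, not {fqdn}")
        elif len(names) > 1:
            extra = [n for n in names if n != fqdn]
            problems.append(f"{ip}: stale PTR names {extra} besides {fqdn}")
    return problems


def check_clients(fqdns, forward=resolve_a, reverse=resolve_ptr):
    """Run check_client over many hosts; returns {fqdn: problems} for the failing ones only."""
    results = {}
    for fqdn in fqdns:
        problems = check_client(fqdn, forward, reverse)
        if problems:
            results[_canon(fqdn)] = problems
    return results


# Constructed zone data (not real records): one clean client, one with a leftover PTR,
# one whose PTR points at a different host.
FAKE_A = {
    "p57753.parldev.net": ["10.0.0.53"],
    "p57238.parldev.net": ["10.0.0.38"],
    "p57999.parldev.net": ["10.0.0.99"],
}
FAKE_PTR = {
    "10.0.0.53": ["p57753.parldev.net"],
    "10.0.0.38": ["old-host.parldev.net", "p57238.parldev.net"],
    "10.0.0.99": ["someone-else.parldev.net"],
}


def fake_forward(fqdn):
    if fqdn not in FAKE_A:
        raise socket.gaierror("constructed NXDOMAIN")
    return FAKE_A[fqdn]


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("constructed NXDOMAIN")
    return FAKE_PTR[ip]


if __name__ == "__main__":
    hosts = ["P57753.parldev.net", "P57238.parldev.net", "P57999.parldev.net", "missing.parldev.net"]
    for host, problems in check_clients(hosts, fake_forward, fake_reverse).items():
        print(host, "->", "; ".join(problems))
```

Against live DNS, call `check_clients(hosts)` with the defaults from the site server, so the lookups go through the same resolver the OOB service point uses; a client that shows up with a stale PTR or a PTR naming another host is the one to fix before retrying provisioning.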

idata
Employee

Well, the PTR records were a complete mess with multiple entries for each device. After seeing this, I thought it could be the cause of the problem, but after I had these cleaned up, the problem persisted. Also, I checked, and DHCP option 15 is set.

I've tried this now on 3 separate clients, and cannot get them to provision, getting the same error for each device. I have performed a factory reset of each of these devices also.

I have verified the certificate hash does match.

The status from meinfowin.exe shows as 'in provisioning' and a provisioning record is created on the client. The local client log also shows that the device has activated successfully, however it is shown as 'not supported' in the SCCM console, and cannot be managed.

Any other suggestions for things to try, or check?

idata
Employee

Bob,

Hmmm, that's not good that it's showing as "Not Supported" in Configuration Manager. Typically, this would indicate a communications problem between the ConfigMgr client, and the local HECI interface. If the client's oobmgmt.log isn't reporting a non-present AMT device, then this shouldn't be the case though.

On the problem client(s), could you go into Device Manager, expand the System Devices section, and find the Intel(R) Management Engine Interface? Open the Properties page on this device, and check the driver version / date. You may want to download the AMT software utility and re-install it just to be sure that it's functioning correctly.

Something else you could try is ... delete the ConfigMgr resource record from the ConfigMgr database, and allow a new resourceID to be created for the clients. Once it re-populates, re-attempt provisioning.

Cheers,

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata
Employee

OK, so I tried factory reset and remove the record from SCCM. No change. The system actually shows up as 'Detected' in SCCM now (I did a re-install of the AMT driver).

I had a look at the provisioning record in the BIOS, and the weird thing is the certificate hash is that of the VeriSign one. Now, I am using an internally provisioned certificate, so I did not expect to see this. I had a look on the CA and the VeriSign certificate is there (from some other project I don't know about).

So I tried disabling the VeriSign cert in the BIOS and did a full un-provision. Then I again attempted to provision the client, and again the VeriSign hash appears in the provisioning record in the machine BIOS. Not sure now if this is the root cause or not.

idata
Employee

Also, just to see what would happen, I did an un-provision on the client which is working and was able to again provision this client without any errors.

William_Y_Intel
Employee

Bob, what provisioning certificate did you load into SCCM? Is it your self-generated SCCM cert that was produced from your internal CA? And did you load that internal Root CA hash into the MEBx before the provisioning process started? If you want to use your own internally developed cert, I would make sure all references to the VeriSign cert are removed from the CA (personal store and any other store it is possibly located in) and remove it from SCCM (both in the OOB service point and the certificate stores on this site server). Then make sure your self-generated cert is loaded on your SCCM service point (in the OOB config and personal store on SCCM with appropriate private keys). And make sure you load your internal Root CA hash (top-level CA that produced your provisioning cert) into the MEBx. And see what happens when provisioning. From your thread below, it seems as if you have multiple certs getting confused, and this is hard to diagnose. I hope this might clean it up a bit...

William_Y_Intel
Employee

Did you do a full unprovision or partial unprovision? And did you perform it from SCCM OOB console or did you perform it manually within the MEBx?

idata
Employee

Actually, in addition to what Bill York just mentioned, it might be worth going to the extent of removing and re-installing the OOB service point role on your site server, just to make sure things are "cleaned out."

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata
Employee

OK, I've done a full un-provision, from the BIOS and removed the object from AD. Then the M10 client could provision again fine (other clients still fail). I have removed the third party certificate from the certificate store on the oob management point server and deleted, then re-added the OOB service point role. I'm not sure how much 'cleaning' this does, as it still retained the settings I had. I did re-enter all the information anyway, just in case. No change.

The certificate is an internally provisioned one, and the correct certificate hash is in the BIOS of the client PCs. There is no difference in the BIOS settings between the client that does provision, and the ones that don't.

idata
Employee

Bob,

Are you still seeing the ApplyControlToken error? If so, can you double-check your DNS records (A and PTR) for these clients?

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

idata
Employee

Yes, still seeing that error. I have completely rebuilt the CA and performed a full unprovision on the clients. Still no change: the M10 client provisions fine, but the other ones do not. I have checked DNS and the records are correct.
