- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SCCM SP1 (6221)
HP 2530p / ME firmware 4.1.1
We are currently setup with an internal certificate, and the hash has been inserted into the MEBx. ME password set a to mailto:P@ssw0rd P@ssw0rd and added as an AMT Provisioning and Discovery Account. The SCCM client is installed on the laptop and the AMT version is being reported. AMT Status is stuck at Detected, no matter how many times I do a partial or full unprovision, or even a AMT reset from the BIOS.
Everytime I attempt to discover OOB management controllers on this machine, the AMTOPMGR.LOG reports:
Auto-worker Thread Pool: Work thread 2592 started
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.1.25.233:16992.
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
session params : http://CND910154G.eweisel.com:16992 http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
session params : http://CND910154G.eweisel.com:16992 http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
session params : http://CND910154G.eweisel.com:16992 http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
CSMSAMTDiscoveryTask::Execute - DDR written to D:\Microsoft Configuration Manager\inboxes\auth\ddm.box
Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.
Any suggestions appreciated. Thanks.
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm guessing it's going go to be one of two things, if we're dealing with the 4.x platform:
1. Can you please validate the forward/reverse DNS records for the client (using nslookup from the site server)? Please be sure to query the FQDN of the client (eg. amtclient.mydomain.com)
2. Have you configured option 15 on your DHCP scope to match your Active Directory domain name (eg. mydomain.com)?
If both of these are looking ok, can you run the MEinfowin tool on your machine and provide the output?
MEinfowin Download Link: http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html
Hope this helps!
-Trevor Sullivan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestions.
1. Have confirmed nslookup successful from both directions, from client and from SCCM.
2. Confirmed that option 15 configured for our test domain.
After a full unprovision, re-entering the internal cert hash, deleting the machine from SCCM, rediscovering, the machine now shows up in SCCM as Not Provisioned. The collection is set to perform an automatic Out of Band provisioning, but no progress.
I've initiated machine policy retrieval, and the logs now say:
Warning: AMT device 5DC865B1-F3D1-11DC-819D-7BAF9D3B0883 is a SMS client. Reject hello message to provision
meinfowin says:
Copyright(C) 2005-08 Intel Corporation. All Rights Reserved.
AMT SKU Found.
Intel(R) MEInfo Win Version: 4.1.0.1023
BIOS Version: 68PSU Ver. F.0D
Intel(R) AMT code versions:
Flash: 4.1.1
Netstack: 4.1.1
Apps: 4.1.1
Intel(R) AMT: 4.1.1
SKU: IAMT Tdt
VendorID: 8086
Build Number: 1028
Intel(R) AMT Mode:
Link status: Link up
Cryptography fuse: Enabled
Flash protection: Enabled
Last ME reset reason: Global system reset
Configuration state: In process
BIOS boot State: Post Boot
Host Mac Address: 00-23-5a-31-2a-92
Wireless MAC address: 00-00-00-00-00-00
FWU Override Counter: Always
FWU Override Qualifier: Always
Wireless Driver Version: Not Available
Wireless Hardware Version: Not Available
UNS Version: 4.0.5.1103
LMS Version: 4.0.6.1103
MEI Driver version: 4.0.1.1074
MEBx Version: 4.0.4.6
FT Version: 4.1
FT Build Number: 1028
Manageability Mode: AMT
Local FWUpdate: Enabled
Secure FWUpdate: Enabled
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Disabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
TPM is disabled or The SKU does not support TPM..Hence TPM Values cannot be retrieved
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Glad to hear you got the "Detected" part sorted out
Try running the below PowerShell code against the AMT system. This should force the auto-provision policy to be enabled, and should trigger an immediate provisioning attempt. Let me know how it works! Just change the text in blue to the name of the target system, or just a period if you're running it locally.
-------------------------------------------------------------------------
Function Trigger-Provision ([string] $TargetSystem = ".")
{
if ($TargetSystem -gt "")
{
$ScheduleId = "{00000000-0000-0000-0000-000000000120}"
$SmsClient = [wmiclass]"\\$($TargetSystem)\root\ccm:SMS_Client"
Write-Host "Triggering provision attempt on $TargetSystem"
$SmsClient.TriggerSchedule($ScheduleId)
}
}
Function Set-AutoProvisionPolicy ([string] $TargetSystem = ".", [bool] $AutoProvision = $True)
{
if ($TargetSystem -le "") { return $null }
# $TargetSystem = "."
$WmiNs = "root\ccm\policy\machine\requestedconfig"
$WmiClass = "CCM_OutOfBandManagementSettings"
$WmiPath = "\\$TargetSystem\$WmiNs`:$WmiClass"
$WmiPath = "\\$TargetSystem\root\ccm\policy\machine\actualconfig:CCM_OutOfBandManagementSettings"
Write-Host "WMI Path is: $WmiPath"
$Global:OobSettings = [wmiclass]($WmiPath)
$Global:OobSettingsInstance = $OobSettings.CreateInstance()
$OobSettingsInstance.AutoProvision = $AutoProvision
$OobSettingsInstance.SiteSettingsKey = 1
if ($OobSettingsInstance) { $OobSettingsInstance.Put() }
trap
{
Write-Host "Error occurred setting auto-provision policy"
if ($OobSettingsInstance) { $OobSettingsInstance.Put() }
}
}
Set-AutoProvisionPolicy "targetsystem"
Trigger-Provision "targetsystem"
-------------------------------------------------------------------------
Cheers!
Trevor Sullivan
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page