idata
Community Manager
1,489 Views

AMT Status stuck at "Detected"

SCCM SP1 (6221)

HP 2530p / ME firmware 4.1.1

We are currently set up with an internal certificate, and the hash has been inserted into the MEBx. ME password set to P@ssw0rd and added as an AMT Provisioning and Discovery Account. The SCCM client is installed on the laptop and the AMT version is being reported. AMT Status is stuck at Detected, no matter how many times I do a partial or full unprovision, or even an AMT reset from the BIOS.

Every time I attempt to discover OOB management controllers on this machine, the AMTOPMGR.LOG reports:

Auto-worker Thread Pool: Work thread 2592 started
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.1.25.233:16992.
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x2afb8a8 returned by ApplyControlToken
session params : http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
session params : http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
session params : http://CND910154G.eweisel.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance.
CSMSAMTDiscoveryTask::Execute - DDR written to D:\Microsoft Configuration Manager\inboxes\auth\ddm.box
Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.

Any suggestions appreciated. Thanks.

idata
Community Manager
63 Views

Hello,

I'm guessing it's going to be one of two things, if we're dealing with the 4.x platform:

1. Can you please validate the forward/reverse DNS records for the client (using nslookup from the site server)? Please be sure to query the FQDN of the client (e.g. amtclient.mydomain.com)

2. Have you configured option 15 on your DHCP scope to match your Active Directory domain name (e.g. mydomain.com)?

If both of these are looking ok, can you run the MEinfowin tool on your machine and provide the output?

MEinfowin Download Link: http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html

Hope this helps!

-Trevor Sullivan

idata
Community Manager
63 Views

Thanks for the suggestions.

1. Have confirmed nslookup successful from both directions, from client and from SCCM.

2. Confirmed that option 15 configured for our test domain.

After a full unprovision, re-entering the internal cert hash, deleting the machine from SCCM, rediscovering, the machine now shows up in SCCM as Not Provisioned. The collection is set to perform an automatic Out of Band provisioning, but no progress.

I've initiated machine policy retrieval, and the logs now say:

Warning: AMT device 5DC865B1-F3D1-11DC-819D-7BAF9D3B0883 is a SMS client. Reject hello message to provision

meinfowin says:

Copyright(C) 2005-08 Intel Corporation. All Rights Reserved.
AMT SKU Found.
Intel(R) MEInfo Win Version: 4.1.0.1023
BIOS Version: 68PSU Ver. F.0D
Intel(R) AMT code versions:
Flash: 4.1.1
Netstack: 4.1.1
Apps: 4.1.1
Intel(R) AMT: 4.1.1
SKU: IAMT Tdt
VendorID: 8086
Build Number: 1028
Intel(R) AMT Mode:
Link status: Link up
Cryptography fuse: Enabled
Flash protection: Enabled
Last ME reset reason: Global system reset
Configuration state: In process
BIOS boot State: Post Boot
Host Mac Address: 00-23-5a-31-2a-92
Wireless MAC address: 00-00-00-00-00-00
FWU Override Counter: Always
FWU Override Qualifier: Always
Wireless Driver Version: Not Available
Wireless Hardware Version: Not Available
UNS Version: 4.0.5.1103
LMS Version: 4.0.6.1103
MEI Driver version: 4.0.1.1074
MEBx Version: 4.0.4.6
FT Version: 4.1
FT Build Number: 1028
Manageability Mode: AMT
Local FWUpdate: Enabled
Secure FWUpdate: Enabled
TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH): Disabled
FW behavior on Flash Descriptor Override Pin-Strap: Halt
TPM is disabled or The SKU does not support TPM..Hence TPM Values cannot be retrieved
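
The two AMTOPMGR.LOG excerpts quoted so far repeat the same few failures across retries. The following is an added example, not code from the posters or from SCCM, that groups such lines by failure type so the distinct errors stand out; the rule names and the `Get-AmtLogFinding` function are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not SCCM tooling): group AMTOPMGR.LOG errors by failure type.
# Sample lines are copied from the two log excerpts quoted in this thread.
$SampleLog = @'
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.1.25.233:16992.
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
ERROR: Invoke(get) failed: 80020009argNum = 0
Error: Failed to get AMT_SetupAndConfigurationService instance.
Warning: AMT device 5DC865B1-F3D1-11DC-819D-7BAF9D3B0883 is a SMS client. Reject hello message to provision
'@ -split "`r?`n"

# Rule names are labels invented for this example; each pattern captures one 'value'.
$Rules = @(
    @{ Name = 'TcpConnect';     Pattern = 'Failed to establish tcp session to (?<value>\S+?)\.?$' }
    @{ Name = 'TlsHandshake';   Pattern = 'Error (?<value>0x[0-9a-f]+) returned by InitializeSecurityContext' }
    @{ Name = 'WsManGet';       Pattern = 'Invoke\(get\) failed: (?<value>[0-9a-f]{8})' }
    @{ Name = 'NoSetupService'; Pattern = 'Failed to get (?<value>AMT_SetupAndConfigurationService)' }
    @{ Name = 'HelloRejected';  Pattern = 'AMT device (?<value>[0-9a-f-]{36}) is a SMS client\. Reject hello' }
)

# Symbolic names of the two Windows error codes that appear in the excerpt.
$CodeNames = @{
    '0x80090304' = 'SEC_E_INTERNAL_ERROR'
    '80020009'   = 'DISP_E_EXCEPTION'
}

function Get-AmtLogFinding {
    param([string[]] $Line)
    foreach ($text in $Line) {
        foreach ($rule in $Rules) {
            if ($text -match $rule.Pattern) {
                $value = $Matches['value']
                if ($CodeNames.ContainsKey($value)) { $value = "$value ($($CodeNames[$value]))" }
                [pscustomobject]@{ Rule = $rule.Name; Value = $value }
                break   # first matching rule wins
            }
        }
    }
}

# One row per distinct failure, most frequent first.
Get-AmtLogFinding -Line $SampleLog |
    Group-Object Rule, Value |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

To run it against a real site server log, replace `$SampleLog` with the output of `Get-Content` on the AMTOPMGR.LOG file.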

idata
Community Manager
63 Views

Hello,

Glad to hear you got the "Detected" part sorted out

Try running the below PowerShell code against the AMT system. This should force the auto-provision policy to be enabled, and should trigger an immediate provisioning attempt. Let me know how it works! Just change the text in blue to the name of the target system, or just a period if you're running it locally.

-------------------------------------------------------------------------

Function Trigger-Provision ([string] $TargetSystem = ".")
{
    if ($TargetSystem -gt "")
    {
        # Client schedule ID used here to trigger the provisioning attempt
        $ScheduleId = "{00000000-0000-0000-0000-000000000120}"
        $SmsClient = [wmiclass]"\\$($TargetSystem)\root\ccm:SMS_Client"
        Write-Host "Triggering provision attempt on $TargetSystem"
        $SmsClient.TriggerSchedule($ScheduleId)
    }
}

Function Set-AutoProvisionPolicy ([string] $TargetSystem = ".", [bool] $AutoProvision = $True)
{
    if ($TargetSystem -le "") { return $null }
    # $TargetSystem = "."

    $WmiNs = "root\ccm\policy\machine\requestedconfig"
    $WmiClass = "CCM_OutOfBandManagementSettings"
    $WmiPath = "\\$TargetSystem\$WmiNs`:$WmiClass"
    # This assignment replaces the requestedconfig path built above,
    # so the instance is written to the actualconfig namespace
    $WmiPath = "\\$TargetSystem\root\ccm\policy\machine\actualconfig:CCM_OutOfBandManagementSettings"
    Write-Host "WMI Path is: $WmiPath"

    # Create a new policy instance and set the auto-provision flag on it
    $Global:OobSettings = [wmiclass]($WmiPath)
    $Global:OobSettingsInstance = $OobSettings.CreateInstance()
    $OobSettingsInstance.AutoProvision = $AutoProvision
    $OobSettingsInstance.SiteSettingsKey = 1
    if ($OobSettingsInstance) { $OobSettingsInstance.Put() }

    # The trap covers the whole function body: on a terminating error it
    # reports the failure and retries the Put()
    trap
    {
        Write-Host "Error occurred setting auto-provision policy"
        if ($OobSettingsInstance) { $OobSettingsInstance.Put() }
    }
}

Set-AutoProvisionPolicy "targetsystem"
Trigger-Provision "targetsystem"

-------------------------------------------------------------------------

 

Cheers!

Trevor Sullivan