Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Can't Power Off provisioned machine with SCCM SP1 Client

idata
Employee
2,615 Views

Hello!

Actually we're implementing SCCM 2007 with SP1 RTM to provisioning Vpro capable machines (Dell Optiplex 755 with version 3.0.9), including Intel WS Translator (Today, last update).

We have right now one machine provisioned by SCCM SP1 (using in-Band provisioning with client SCCM SP1 & BIOS provisioning enterprise mode - PKI) with an In-House Certification Authority and included the Hash in this client machine (BIOS).

We can see all options in OOB Management menu in SCCM SP1 when right click the mouse, included "Power Control", however, when we push this option, nothing happens in the client machine.

We have reviewed the AMTOPMGR.LOG file and we found these errors (in continued schedule):

  • Using traslator for version 3.0.9.

  • session params : https://vpro-sc.vpro.com/wstrans/pro/eoi30/SSCCPC01.vpro.com/wsman , 41001

  • ERROR: Invoked(get) failed: 80020009argNum = 0

  • Description: WinRM client can't process this request. Basic authentication is disabled in client configuration. Change settings and try the request again.

  • Error: Failed to get CIM_AssociatedPowerManagementService instance.

  • AMT Operation Worker: AMT machine SSCCPC01.VPRO.COM can't be poser off. Error code: 0x803380DF

WinRM is activate in client machine with basic authentication enabled. (WinRM quickconfig).

In addition, if we connect to the machine port 16993 in Internet Explorer , we can view a web with the Intel Logo for VPro and:

PAGE NOT FOUND

 

Web browser access to Intel Active Management Technology is disabled on this computer, or the page in the address bar is unavailable.

We don't know what can we solve this issue and all replies are wellcome.

Thank's in advance!

0 Kudos
8 Replies
Matthew_R_Intel
Employee
635 Views

From the log, it appears you are using a vPro client with firmware 3.0.9. SCCM SP1 has a requirement for firmware 3.2.1 for native support. For SCCM SP1 to management vPro Clients less than 3.2.1, you are required to implement the Intel WS-MAN translator and configure SCCM to use it. Have you installed and configured the WS-MAN Translator?

Please reference the following blogs...

p-11064

p-11240

Matt Royer

0 Kudos
idata
Employee
635 Views

Hi Matt and thanks for your reply,

Yes, we're using firmware 3.0.9 and Intel WS-MAN Translator is instaled and configured with Listening port 443 and forwarding port 16993 and certificate. Updated in version downloaded this morning.

Full permissions applied in the OU for AMT provisioning... etc... etc...

But something is wrong! of coruse the oobconsole is out of order, but we can't manage power too with vpro machine compliant.

We can't found information about these errors in AMTOPMGR.log anywhere....

Thanks!

0 Kudos
Steven_D_Intel1
Employee
635 Views

Instead of using winrm quickconfig, use the following command on the SCCM server

winrm set winrm/config/client/auth @{Basic="true"}

Note there is a space between auth and @ but there is no space between @ and the opening brace character

After using this command, type winrm get winrm/config/client to confirm that basic authentication is enabled. I have used this on my SCCM system and have successfully provisioned AMT 2.2 and 2.6 clients using WSMAN Translator beta 528 to the point where SCCM collection initiated power management works correctly. However, like you, I am unable to access the AMT WebUI correctly

If after making this change you still cannot make this work, then sugguest you try the following

1. Confirm that an object representing the Management Controller has been correctly created in Active Directory and that it is not disabled. If there is no object, check the permissions on your AD OU or Container, especially inherited permissions

2. Instead of using PKI method provisioning, use PSK which will force SCCM to use the translator during the configuration process

3. Upgrade from AMT 3.0.9 to AMT 3.2.1 if your OEM has made a new BIOS available for you

Good Luck

0 Kudos
idata
Employee
635 Views

I would expect that WebUI works if Kerberos is functional to the client. If OOB Console is working, then Kerberos is working. If Kerberos is working, but IE is not, then you need to work from the IE perspective.

Please view the following help topic on using IE: http://technet.microsoft.com/en-us/library/cc161817(TechNet.10).aspx

Dave

0 Kudos
Steven_D_Intel1
Employee
635 Views

Thankyou for your reply davidra. I too would have assumed that if OOB console is working then Kerberos is working. However since my clients are AMT 2.2. and 2.6 then I am not currently able to use the OOB console via the WSMAN translator

Overnight things changed slightly. The scenario now is

AMT 3.2.1 system - WebUI fully functional, collection initiated power control fully functional and OOB console fully functionalB-)

AMT 2.6.3 system via WSMAN translator beta 528 - WebUI fully functional, collection initiated power control fully functional and OOB console not applicable at this time:)

AMT 2.2.1 system via WSMAN translator beta 528 - WebUI gets as far is displaying logon screen and allows entry of valid credentials but then displays 'page not available' error. Collection initiated power control fully functional and OOB console not applicable at this time:(

Objects exist in AD for all three clients, collection operations work on all clients and OOB console works where I would expect it to work but the WebUI doesn't work properly on AMT 2.2.1

The AMTOPMGR.LOG file reveals some errors during provisioning of the 2.2.1 system; specifically around AddACLs and SetActivePowerScheme which both give error 8002009argNum = 0 and a desription indicating WinRM client cannot process request. The response from the destination computer does not include any results. I kinda ignored the power scheme setting and assumed the ACL setting is where the problem may lie - but that's just a guess

I have also tried couple of weeks ago with AMT 2.5 system and this too behaved just like the AMT 2.2 system (collection initiated operations worked fine but WebUI fails after entering valid login credentials)

Maybe I did something wrong with the WinRM client (which is default installation 1.1 on Server 2003 with Basic Authentication enabled) or perhaps a WSMAN translator issue ?

Any insight would be gratefully received

Best Regards

sdavies

0 Kudos
Steven_D_Intel1
Employee
635 Views

Further to my last post, I carefully checked the difference between AMTOPMGR when provisioning AMT 2.2.1 and AMT 2.6.3 client since one does not work (i.e. WebUI doesn't allow login) and one does work (i.e. allows WebUI login)

With AMT 2.2.1 the AddACLs fails, with 2.6.3 AddACLs is successful

Brief reading of WSTRANS.LOG seems to indicate WSMAN returns a zero response to SCCM when the AMT API AddUserAclEntryEx is called by SCCM

I conclude the issue lies somewhere with WSMAN and its processing of this API when used with AMT 2.2 systems. Maybe I am wrong, but this is where the log files seem to point. Seems strange that power control still works, but perhaps because WSMAN is in the transmission path between SCCM and the 2.2.1 system then perhaps WSMAN is somehow circumventing the apparent ACL problem. Of course WSMAN is nowhere in the path between the browser and the AMT 2.2.1 system so the ACL problem prevents the browser working correctly

Best Regards

sdavies

0 Kudos
idata
Employee
635 Views

MIRoyer will have to reply with information about the differences between your 2.2.1 system and the 2.6.3.

Thanks.

Dave

0 Kudos
Matthew_R_Intel
Employee
635 Views

In regards to the OOB Console for vPro client less then 3.2.1... That is a known limitation until the release of SCCM SP1 HotFix 1. Regarding the 2.2.1 and webUI inaccessibility after being provisioned by SCCM through the WS-MAN Translator, I don't have a response at this point. We will need to take a closer look at it to see if we can reproduce the issue.

Matt Royer

0 Kudos
Reply