Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,799 Views

Cant auto-provision computers via SCCM

Hello Experts - Im really hoping that someone can help me with this!

Our company is using OOB provisioning via SCCM to enable remote power management at our remote and local sites. SCCM has been configured to provision new computers and has been working fine until recently. We are using lenovo machines and I have found the most recent computers that we have been receiving for some reason have not been auto provisioning as required. We have been running with the same model of computer(5205), so nothing has changed there, latest drivers, have tested un-configuring one of the older computers and that auto reconfigured ok. I have tested configuring other model computers and they work fine. So i dont think its a issue with SCCM Infrastructure. We are using Go Daddy certificates.

I am getting errors on logs on the amtopmgr.log file like:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)</span>

Provision target is indicated with SMS resource id. (MachineId = 16814 5205S6044VW.domain.com.au) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Found valid basic machine property for machine id = 16814. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

The provision mode for device 5205S6044VW.domain.com.au is 1. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Check target machine (version 6.2.20) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

The IP addresses of the host 5205S6044VW.domain.com.au are 10.64.5.48. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Create provisionHelper with (Hash: C12DE4692395AE1C89701006AD537138AB0BA28F) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Try to use provisioning account to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioning account # 0. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:57 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioning account # 1. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:58 PM 345124 (0x54424)

Try to use default factory account to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:58 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using default factory account. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:59 PM 345124 (0x54424)

Try to use provisioned account (random generated password) to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:59 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16814) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

Error: Can NOT establish connection with target device. (MachineId = 16814) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)</span>

When ME bios is unconfigured I cannot telnet to the host name via either 16992 and 16993 port. If i go into the bios and manually configure it i can then telnet to port 16992 and i can web browse remotely to the AMT device. I have tried disabling AMT and re-enable several times, and resetting AMT all with no luck.

I have tried ZTClocalagent -activate and get these errors at the bottom of the log which I think is a good clue but dont know how or what to do from here? Im hoping someone here can help? I have over 200 computers that need configuring at over 200 sites, and obviously would need to rely on remote configuration.

Provisioning TLS Mode:

 

NOT READY

Failed performing Start Configuration command:

 

PT_STATUS_INVALID_PT_MODE: Command is not permitted in current operating mode.

Activate Intel AMT configuration:

 

Failure
0 Kudos
8 Replies
idata
Community Manager
102 Views

It looks like the mebx password has been changed and not reflected in the sccm.

Can you check and see if the password has been changed to one that is not used in the sccm?

idata
Community Manager
102 Views

 

Hi gfuestonx - I have tried various different things in an attempt to get it working on a test computer. Using default password, setting a password that is configured in SCCM, resetting everything back to default, none of it works. Other model computers dont have a issue with provisioning straight after imaging has taken place... The previous batch of computers from Lenovo with the same model didnt have a issue with this either. Im wondering if it could be hardware related..
idata
Community Manager
102 Views

Have you tried updating the BIOS and ME firmware?

idata
Community Manager
102 Views

 

Hi - I have tried updating the ME firmware from 6.0.31 to 6.2.0 but still had no joy. I will try update the bios tomorrow..
idata
Community Manager
102 Views

Based on the output of ztclocalagent, it appears this may be FW problem. To help isolate:

1. Please download SCS8 here: http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921 http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921

2. Access the configurator directory and run the following on the client: ACUConfig /output console systemdiscovery.

3. Paste resulting XML file.

idata
Community Manager
102 Views

Hi Kyle - Thanks for the help. Here is the resulting information in the xml file.

- - 8.0.0 2012-07-01 23:23:54 8.0.13.27 9BKT41AUS Corporate; Desktop; 645B4A46-8340-DC5B-409E-5C68315A5CA8 LENOVO ThinkCentre M90z Desktop S6044VW - Intel(R) Full AMT Manageability 6.2.20 6.2.20.1035 True - True True True True False False True False True True True True True True - Enterprise Mode Pre Provisioning False Not Ready False VeriSign Class 3 Primary CA-G1, 742c3192e607e424eb4549542be1bbc53e6174e2, Enabled, Default; VeriSign Class 3 Primary CA-G3, 132d0d45534b6997cdb2d5c339e25576609b5cc6, Enabled, Default; Go Daddy Class 2 CA, 2796bae63f1801e277261ba0d77770028f20eee4, Enabled, Default; Comodo AAA CA, d1eb23a46d17d68fd92564c2f1f1601764d8e349, Enabled, Default; Starfield Class 2 CA, ad7e1c28b064ef8f6003402014c3d0e3370eb58a, Enabled, Default; VeriSign Class 3 Primary CA-G2, 85371ca6e550143dce2803471bde3a09e8f8770f, Enabled, Default; VeriSign Class 3 Primary CA-G1.5, a1db6393916f17e4185509400415c70240b0ae6b, Enabled, Default; VeriSign Class 3 Primary CA-G5, 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, Enabled, Default; GTE CyberTrust Global Root, 97817950d81c9670cc34d809cf794431367ef474, Enabled, Default; Baltimore CyberTrust Root, d4de20d05e66fc53fe1a50882c78db2852cae474, Enabled, Default; Cybertrust Global Root, 5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6, Enabled, Default; Verizon Global Root, 912198eef23dcac40939312fee97dd560bae49b1, Enabled, Default; VeriSign Universal Root CA, 3679ca35668772304d30a5fb873b0fa77bb70d54, Enabled, Default; True None False True True True False - 6.0.0.1179 True domain.com.au 5205S6044VW Microsoft Windows 7 Enterprise 6.0.30.1202 6.0.0.1202 - - 5205S6044VW domain.com.au - 10.64.5.48, fe80::91b2:c19c:b10b:68e2 255.255.255.0, 64 True 10.64.65.4 10.64.65.2, 10.64.65.3, 10.14.4.31 10.64.5.1 domain.com.au 5205s6044vw.domain.com.au - - True False 5205S6044VW.domain.com.au True - True True 04:7D:7B:62:E7:E4 On S0 in AC; On SX in AC; - 0.0.0.0 255.255.255.0 10.64.5.1 10.64.65.2 10.64.65.3 - True True False - False -

idata
Community Manager
102 Views

has anyone got any ideas for this?

idata
Community Manager
102 Views

Found an answer to this.

Basically ran ZTCLocalAgent.exe -activate and found that Zero Touch Configuration was set to disabled by default for these computers and setup and configuration was set to not completed. After much more research through the Intel SDK found that a setting in the ME bios was incorrect. Changed the TLS PKI Remote COnfiguration to Enabled. Then logged back into the computer and ran the ZTCLocalAgent.exe -activate which had changed the Zero Touch COnfiguration to enabled, and changed provisioning TLS mode to PKI. SCCM then configured oob for this computer instantly!!

Im glad that its fixed, however this is hardly Zero Touch Configuration and now i have to work out how to deploy this bios change remotely to over 200 sites. Cant believe that this setting would be set to disabled in the bios but its caused a massive headache for me.

Reply