idata
Community Manager
1,609 Views

Configuration Failed during provisioning

Hi,

We started deployment of Intel vPro technology via GPO:

client computers were never provisioned before, some of them in secured networks.

The following command is used:

ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly 192.168.253.35 ProfileMain /WMIuser domain\rcsuser /WMIuserpassword password

As a result, 60 of 490 clients have the status "Configuration Failed":

problem AMT versions:

AMT 5

5.0.2 anyone of successfully configured client.(~30)

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

AMT6/7

6.0.3/6.1.1/7.1.13 rest computers status "Configuration Failed":

Initial connection to the Intel(R) AMT device failed. Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Questions:

about AMT5

What should I do with clients on AMT version 5.0.2? I suppose the issue is with the AMT version.

about 6/7

What are the network requirements for client and server (protocols/ports) for this kind of deployment? It might be some core firewall misconfiguration (routes, rules...). I didn't find network requirements in the deployment guide.

14 Replies
Alan_A_Intel
Employee
237 Views

adovb,

To help with diagnosing these issues please do the following.

  • On one of the AMT 5 systems update the BIOS and ME firmware to the latest available.

  • For the AMT 6 and 7 systems can you confirm you're using DHCP.

EArda
Beginner
237 Views

Hi all,

I have the same problem.

Is there any solution?

Bruno_D_Intel
Employee
237 Views

There may be several reasons for this issue. The first thing to do is define: which AMT versions are failing, what is the error message that you are facing, are you using a 3rd party certificate? Which one? Can you share a little more about your environment?

BTW: GPO is not recommended for vPro provisioning.

Best Regards!

-Bruno Domingues

EArda
Beginner
237 Views

Hi Bruno,

Thank you for your interest. I have 5 different model PCs, and I have different types of errors. All my computers have static IP addresses.

 

C:\Configuration\AMT\Remote Configuration Files>ACUConfig.exe /lowsecurity /verbose /output console ConfigViaRCSOnly amtsrv01.cb.testbank.com.tr rconfig-basic /WMIUser cb\amtadmin /WMIUserPassword P@ssw0rd
Starting log 2014-11-21 10:15:06
Set compatibility mode to 9.0.
Connected to the Intel(R) Management Engine Interface driver, version 9.5.15.1730
Intel(R) AMT in PROVISIONING_MODE_ENTERPRISE
Calling function Discovery...
Calling function GetLocalSystemAccount over MEI...
Connected to the Intel(R) Management Engine Interface driver, version 9.5.15.1730
Function GetLocalSystemAccount over MEI ended successfully
Host Based Setup is supported
Current Control Mode: 0 (Not provisioned)
Allowed Control Modes: 2 (Admin) and 1 (Client)
Function Discovery ended successfully
GetHostAndMEInfo output data:
IsAMT:True,
isAmtCapable:False,
isEnterpriseMode:True,
configurationMode:0,
isRemoteConfigEnabled:True,
AMTversion:9.0.20,
isMobile:False,
provisioningTlsMode:2,
uuid:1258C380-B86D-11E3-A91C-F0921CF686AC,
isClientConfigEnabled:True,
hostBasedSupport:True,
configurationState:0,
FQDN:,
embeddedConfigurationAllowed:False.
isLANLessPlatform:False.
PKIDNSSuffix: Empty.
:Starting Remote configuration...
***** Start RemoteConfiguration ******
***** Start StartConfigurationInt ******
Connected to the Intel(R) Management Engine Interface driver, version 9.5.15.1730
Active certificate hashes have the following names:
(0xc000005a)
15
VeriSign Class 3 Primary CA-G1
VeriSign Class 3 Primary CA-G3
Go Daddy Class 2 CA
Comodo AAA CA
Starfield Class 2 CA
VeriSign Class 3 Primary CA-G2
VeriSign Class 3 Primary CA-G1.5
VeriSign Class 3 Primary CA-G5
GTE CyberTrust Global Root
Baltimore CyberTrust Root
Cybertrust Global Root
Verizon Global Root
Entrust.net CA (2048)
Entrust Root CA
VeriSign Universal Root CA
Activate Intel(R) AMT configuration:
(0xc0000050) (Success.
)
Waiting for FW to move to In-Provision state(0)...
The Start configuration operation completed successfully.
***** END StartConfigurationInt ******
RCSaddress=amtsrv01.cb.testbank.com.tr, RCSWMIUser=cb\amtadmin, RCSProfileName=rconfig-basic
SGW-34-182-222.cb.testbank.com.tr
RCSaddress=amtsrv01.cb.testbank.com.tr, RCSWMIUser=cb\amtadmin, UUID=1258C380-B86D-11E3-A91C-F0921CF686AC, ConfigMode=2, PID=, RCSProfileName=rconfig-basic, AMTVersion=9.0.20, OldADOU=, Configure AMT Name= True. Configure AMT IPv4= True. Source For AMT Name= Host Name- SGW-34-182-222 Domain Name- cb.testbank.com.tr . Default OS Name= Host Name- SGW-34-182-222 Domain Name- cb.testbank.com.tr . Host Static IPv4= IPv4 Address- 10.100.182.222 IPv4 SubNet- 255.255.255.0 IPv4 Gateway- 10.100.182.1 IPv4 Primary DNS- 10.12.12.60 IPv4 Secondary DNS- 10.12.12.70 . Host IPv4= IPv4 Address- 10.100.182.222 IPv4 SubNet- 255.255.255.0 IPv4 Gateway- 10.100.182.1 IPv4 Primary DNS- 10.12.12.60 IPv4 Secondary DNS- 10.12.12.70 . Configure AMT IPv4 to DHCP mode= False.
***** END RemoteConfiguration ******
***********
Exit with code 75.
Details: Failed to complete remote configuration of this Intel(R) AMT device. Initial connection to the Intel(R) AMT device failed. Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Bruno_D_Intel
Employee
237 Views

I noted that you are using the "ConfigViaRCSOnly" parameter; it means that you are provisioning using the PKI provisioning method, right? In this case, you should use DHCP instead of static IP; at least the ME must receive the DNS suffix (i.e. option 15) through DHCP in order to validate the certificate.

Also, another point that often happens on provisioning: Windows Firewall usually drops connections from Intel SCS to AMT, ports 16992/16993. Can you check if you are able to telnet from Intel SCS to these ports? If not, you must create an exception rule to allow it.

Best Regards!

-Bruno Domingues
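The checks suggested in the reply above can be applied to many failed clients at once by summarising each ACUConfig log. This is an added example, not part of the original posts and not Intel tooling; the function name, the note texts and the abridged sample log are assumptions constructed for illustration.

```python
import re

# Next check per connection error code, taken from the replies in this thread.
NEXT_CHECK = {
    "0xc000521c": "TCP: test ports 16992/16993 from the SCS server, check firewalls",
    "0xc000521f": "SSL: check the root certificate hash in the ME trusted list",
}

def triage(log_text):
    """Summarise one ACUConfig /verbose log so failed clients can be grouped."""
    # The console wraps at 80 columns, even mid-word, so drop all whitespace first.
    flat = re.sub(r"\s+", "", log_text)

    def grab(pattern):
        m = re.search(pattern, flat, re.IGNORECASE)
        return m.group(1) if m else None

    error = grab(r"connectionerror(0x[0-9a-f]{8})")
    result = {
        "amt_version": (grab(r"AMTversion[:=]([\d.]+)") or "").strip(".") or None,
        "exit_code": grab(r"Exitwithcode(\d+)"),
        "error": error.lower() if error else None,
        "pki": "configviarcsonly" in flat.lower(),
        "notes": [],
    }
    if error:
        result["notes"].append(NEXT_CHECK.get(error.lower(), "error code not in table"))
    if result["pki"] and grab(r"DHCPmode=(True|False)") == "False":
        result["notes"].append("AMT IPv4 is static: no DNS suffix (option 15) from DHCP")
    if grab(r"(PKIDNSSuffix:Empty)"):
        result["notes"].append("PKIDNSSuffix is empty")
    return result

# Constructed sample, abridged and wrapped like the console output in this thread;
# the server and profile names are placeholders.
SAMPLE_LOG = r"""
C:\>ACUConfig.exe /lowsecurity /verbose /output console ConfigViaRCSOnly rcs.exa
mple.test profile1
AMTversion:9.0.20,
PKIDNSSuffix: Empty.
Configure AMT IPv4 to DHCP mode= False.
Exit with code
75.
GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
0xc000521c: A TCP error occurred. Make sure that the destination settings are c
orrect and that a network connection exists to the target.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```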

EArda
Beginner
237 Views

Hi Bruno,

There is no firewall between SCS and the client computer. I tried to configure the client with the ACU Wizard. After client mode configuration I tried again with Configurator.exe and the configuration was successful. But this time I have to start the ACU Wizard manually.

Bruno_D_Intel
Employee
237 Views

From the log that you sent, I understand that you are trying PKI provisioning, i.e. you have a 3rd party certificate, right? So, in order to make it work and based on your scenario, DHCP is a requirement for certificate validation and to allow PKI provisioning. Also, by doing the telnet test you can make sure that there is no issue on either side, not only in between.

If you are not using PKI provisioning, you can export your profile from RCS and use this command line to provision:

ACUConfig.exe /output console /verbose ConfigAMT /DecryptionPassword /AbortOnFailure

Best Regards!

-Bruno Domingues

EArda
Beginner
237 Views

Yes, I have a certificate from Comodo.

What exactly do I have to do to provision static IP AMT clients?

Best Regards,

Bruno_D_Intel
Employee
237 Views

OK, you can't configure vPro using a certificate (i.e. PKI mode) without DHCP; you must have DHCP working in your network that delivers your DNS suffix (i.e. option 15), which must match the certificate that you acquired from Comodo. If you have it, you can use static IP. If you don't have DHCP with this option, or your DNS suffix doesn't match your certificate, you have to use Host Based Configuration.

The biggest difference between HBC and PKI is that with PKI you can control the vPro machines without user consent, while with HBC the user must consent to allow you to gain control over the vPro machine.

Best Regards!

-Bruno Domingues

EArda
Beginner
237 Views

Hi Bruno,

I managed to configure some remote machines with the HBC method. But user consent is not undesirable for me. What are the minimal settings on DHCP and the SCS profile? We want to use static IPs on host operating systems.

Best Regards,

Bruno_D_Intel
Employee
237 Views

Basically, what you need in DHCP is to define the DNS suffix (option 15) that matches your domain, and in the profile select this option:

It should work, I already tested this scenario and worked pretty well.

Best Regards!

-Bruno Domingues

ITerl
Beginner
237 Views

Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

I had the same problem.

We're using our custom certificate, so there is no valid root certificate hash in the Intel MEBx on the system you want to provision.

After I added our root cert hash (thumbprint) via Ctrl+P while booting, it started provisioning successfully.

I'm still looking for a way to insert the root cert hash remotely.

Regards,

Igor

EArda
Beginner
237 Views

Hi Igor,

I have bought a certificate from Comodo. I think there is no way to add the hash remotely.

Best Regards,

Bruno_D_Intel
Employee
237 Views

Igor,

Unfortunately, for security reasons you can't inject a root certificate into the ME trusted list remotely, but you can do it using a USB key; see further details in this usage case: https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20979&lang=eng&OSVersion=&DownloadTy...

Best Regards!

-Bruno Domingues
