Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

Intel AMT: Configuration task sequence fails

idata
Employee
3,968 Views

Hi,

When trying to configure Intel AMT on a testPC the Intel AMT:Configuration fails. Intel AMT is added in SCCM 2012 R2. The Intel SCS: Platform Discovery - and Intel AMT: Discovery task sequences are installed.

When I look in the smsts.log file after trying to run the Intel AMT: Configuration it says the following:

Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). ). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

tep out UpdateADObjectPassword InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Step out CreateADObject InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

AD object creation failed. An Active Directory interface internal error occurred. InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). ). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

onfigure Profile Failed: An Active Directory interface internal error occurred. InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). ). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

(0xc0003a99). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

An Active Directory interface internal error occurred. InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). ). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

(0xc0003a99). InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

***** END ClientControlConfiguration ****** InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

*********** InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Exit with code InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

3. InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Details: Failed to configure this Intel(R) AMT device. InstallSoftware 1/12/2015 11:32:01 1604 (0x0644)

Anyone had this problem, and has a sollution for it?

Thanks,

Sander.

0 Kudos
1 Solution
Dariusz_W_Intel
Employee
1,778 Views

Sander,

it looks like you have not given access to additional AD OU for Intel AMT $iME computer objects to account that is runnig AMT Configurator (for HBC is is executed as SCCM agent - client computer account) or RCS service logon account for Remote Configuration) - See SCS user guide section 2.1 -row 5 - you can limit permissions with custom task to Genral create and delete Computer child objects only.

The other possible cause is that you have not applied SCS 10 hot fix https://downloadcenter.intel.com/download/24563 Download Intel® Setup and Configuration Software (Intel® SCS) after applying Microsoft* Security update MS15-096.be used

SCS 9 or earlier can't be used after applying Microsoft* Security update MS15-096.

rgds

darek

View solution in original post

8 Replies
Dariusz_W_Intel
Employee
1,779 Views

Sander,

it looks like you have not given access to additional AD OU for Intel AMT $iME computer objects to account that is runnig AMT Configurator (for HBC is is executed as SCCM agent - client computer account) or RCS service logon account for Remote Configuration) - See SCS user guide section 2.1 -row 5 - you can limit permissions with custom task to Genral create and delete Computer child objects only.

The other possible cause is that you have not applied SCS 10 hot fix https://downloadcenter.intel.com/download/24563 Download Intel® Setup and Configuration Software (Intel® SCS) after applying Microsoft* Security update MS15-096.be used

SCS 9 or earlier can't be used after applying Microsoft* Security update MS15-096.

rgds

darek

idata
Employee
1,778 Views

Dariusz,

Thanks. We did not apply the hotfix Intel SCS 10 after the Microsoft Security Update MS15-096. Will install the hotfix and see if it works.

Kind regards,

Sander.

0 Kudos
idata
Employee
1,778 Views

We cannot install the Intel SCS 10 hotfix. We're receiving following error:

The program can't start because SSLEAY32.dll is missing from your computer. Try reinstalling the program to fix this problem.

So we tried reinstalling the Intel SCS addon for SCCM and received this error:

Failure: Could not load file or assembly 'AdminUI.WqlQueryEngine, Version=4.0.6000.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.

We've spend quite some bit trying to fix this but we didn't succeed. We also did not find a sollution on the internet that helped us. Anyone here had this problem, and has a sollution?

Kind regards,

Sander.

0 Kudos
Dariusz_W_Intel
Employee
1,778 Views

Sander,

There are 3+1 SW packages in play :

  1. Intel SCS (RCS service + SCS Console, ACU Wizard, ACUConfig) it configures Intel AMT/vPro technology regardless of other management Console SW like ex MS SCCM.

     

    SSLEAY32.dll is part of RCS service, most probably you have accidentally deleted it during SCS 10 fix installation.

     

    You may reinstall or repair RCS installation from SCS 10 original package (then apply SCS 10 fix again)

     

  2. Intel SCS 10 fix – those are two files RCSServer.exe and ACU.dll files that shall replace SCS 10 original files (in RCSService , SCS Console, ACU Wizard and Configurator folders (4 folders – fix guide is missing some of them).

     

    You just replace those two files appropriately –there is no install process, do not delete any other file. To replace RCSServer.exe you have first to stop RCS service – replace its binary and start it again.

     

    This fix is for SCS 10 only (no fix/solution for SCS 9 or earlier) – SCS 11 to be launched soon will have it natively incorporated.

     

    This fix is not related to any specific management Console SW like ex MS SCCM but it related to MS AD with MS15-096 security patch.

     

     

  3. Intel SCS integration add-on for MS SCCM – this is just to allow easier integration of Intel SCS with MS SCCM (where Intel SCS takes over the AMT configuration role from MS SCCM native OOB Configuration point role which is not able to configure Intel AMT 9 or newer and/or use Host Based Configuration).

     

    It is optional – not mandatory –you can still disable automatic SCCM OOB controllers provisioning in SCCM Primary site servers, configure AMT with TLS and AD integration adding Primary Site server AD group to AMT ACL, open AMT listener port (there is tool in AMT SDK) and simply run OOB AMT discovery from SCCM and then manage it from SCCM.

     

    Intel SCS add-on for SCCM is simply doing all of it for you by importing ready to use (have to enable for collections) task sequences – it is not modifying Intel SCS /RCS itself at all.

     

    So attempt to reinstall SCS Add-on was not able to fix miss deleted DLL file.

     

     

    SCS Add on installer is using older MS DLL for importing tasks to SCCM which was changed with the latest MS SCCM 2012 SP2 update so it is just installer that fails (but add on is not installed).

     

    Intel is working on preparing new version of the SCS add on for SCCM to be published soon (~Q1'2016).

     

     

    So first fix RCS missing file, double check if RCSserver.exe and ACU.dll files have 2015-10-15 date – which is new fixed version, if not replace those two files with files from SCS 10 fix.zip.

     

    And then check if you still have AMT task sequences in SCCM and if they work OK (remember you have to replace ACU.dll in SCCM task sequence files folder)

     

    If it works it means you have not damaged your task sequences by attempting to reinstall SCS add on

     

     

  4. Intel® Core™ vPro™ processor KVM add-on for System Center Configuration Manager* -adds AMT KVM Viewer app to the management toolset and links it straight to SCCM console right click action menu https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=3051&DwnldID=21835 https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=3051&DwnldID=21835

Dariusz Wittek

Intel EMEA | Biz Client Solution Architect

Mobile: +48 602 41 41 40 Email: mailto:dariusz.wittek@intel.com dariusz.wittek@intel.com

 

idata
Employee
1,778 Views

Dariusz,

Thank you for your explanation. Got everything working again, well not really... Managed to install everything again on the server and now I'm having the following issue:

When running the Intel SCS: Platform Discovery task sequence on a client it doesn't get added to other collections (i.e. Intel AMT: Exists). If I then run a hardware inventory on the client it still doesn't get placed in the other collections. I also tried updating the membership etc... I'm following this guide and I am stuck at step 2: https://sccmguru.wordpress.com/2014/01/30/integrating-configuration-manager-2012-r2-with-intel-scs-9-0-part-7-deploying-intel-amt/ Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 7 : Deploying Intel AMT | SCCM GURU

Any ideas?

Kind regards,

Sander.

0 Kudos
Dariusz_W_Intel
Employee
1,778 Views

Sander,

SCCM Guru blog uses bit different approach with some "extreme" simplifications (using all AMT related certificate types in single certificate template -like "one to rule them all").

Intel SCS integration add-on requires import of MOF files that allows extension of client HW inventory - have you done this step?

rgds

darek

0 Kudos
idata
Employee
1,778 Views

Hi Darek,

Yep, imported the MOF files and everything works now. Also wasn't patience enough. Thanks.

And here's the next problem:

When deploying the task sequence Intel AMT: Configuration it fails. Looking in smsts.log I see this:

Failed to load : XML error. The value of the SCSVersion tag in the profile is not applicable to this Intel(R) SCS version.

Used Intel SCS 10, so the latest one. And everything on the client is also updated.

What I did without result:

- Found hotfix (Gave following error: Not applicable to your system.)

- Made new .XML file, updated DPs.

Kind regards,

Sander.

0 Kudos
idata
Employee
1,778 Views

Anyone got some advice? Still having the "Failed to load : XML error. The value of the SCSVersion tag in the profile is not applicable to this Intel(R) SCS version." in the SMSTS.log after running the Configuration task sequence on the client.

Checked the following using Intel documentation:

- Profile is between quotes in task sequence. - OK

- Profile is created with Intel SCS 10. - Latest version, is OK?

- Try and open the profile using the Intel AMT Configurator Utility. - OK, I can see the profile so it is valid.

- Intel AMT system is not XP, it's W7. -> Hotfix for W7 AMT Systems. -> Failed hotfix.

- Deleted the profile and made a new from scratch. - NOK

Kind regards,

Sander.

0 Kudos
Reply