- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, we've got the Out of Band Service point setup on our primary SCCM Site Server which is Native Mode as well. The Provisioning Cert (Standard Web SSL Cert) is from Verisign and the AMT Template is from out internal CA. I've stepped through all the instructions in the Quick Start Guide v1.9 (from Intel) and I'm not seeing any computers listed as supported. We have a lot that say "Not Supported" for AMT Status and the remaining ones say "Unknown." The AMTOPMGR.log doesn't have anything glaring, but I'm not sure what to look for to indicate problems with my setup...........
I can initiate a Management Controller Discovery on the All System Collection and the AMTOPMGR.log file scrolls through like any other discovery (i.e. AD System Discovery log file) but my gut tells me something is wrong as I know for a fact we have vPro computers out there from Dell (Optiplex).
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
First things first ... let's make sure that your systems are being properly recognized as AMT clients by Configuration Manager. The ConfigMgr client inventories AMT details during hardware inventory cycles, and stores the data in a "AMT Agent" section in Resource Explorer. In order for the ConfigMgr client to detect the management controller however, you will need to make sure that the HECI driver (Intel Management Engine Interface) device is installed on the AMT clients. Here are a couple steps to try:
1) Open Device Manager on one of your AMT clients, open the System category, and look for "Intel(R) Management Engine Interface" .... if you cannot find it, then ConfigMgr probably doesn't know that your client is an AMT client.
2) Open Resource Explorer in your ConfigMgr console for the same ConfigMgr resource you are working with in step # 1. Look for an AMT Agent section in the hardware inventory for the system. If the section doesn't exist, or doesn't contain any information, you probably don't have the HECI driver installed on the AMT system.
3) Run the MEinfowin tool from IBM. This retrieves information about the AMT chipset using the HECI driver. If it fails to run, your HECI / MEI (Management Engine Interface) probably isn't installed correctly. http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html Download MEinfowin
Post back with your results.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, the driver is in Device Manager and the Resource Explorer is showing AMT. In the AMTOPMGR.LOG I'm getting this
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.0.18.183:16992
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.0.18.183:16993
CSMSAMTDiscoveryTask::Execute - DDR written to E:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box
Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.
AMT Discovery Worker: Wakes up to process instruction file.
I have the firewall turned off on the client! Why wouldn't it be able to connect to those ports?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, I now installed all the latest Dell Intel Drivers for this one computer and now I'm seeing this in the AMTOPMGR.log
Server unexpectedly disconnected when TLS handshaking.
**** Error 0x84fb970 returned by ApplyControlToken
Server unexpectedly disconnected when TLS handshaking.
**** Error 0x84fb970 returned by ApplyControlToken
session params : http://WCOR3J7C1J1.xxxxxx.com:16992 http://WCOR3J7C1J1.xxxxxx.com:16992 , 111001
ERROR: Invoke(get) failed: 80020009argNum = 0
Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
Error: Failed to get AMT_SetupAndConfigurationService instance
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you run MEinfowin and paste the results here? Also, please validate the following:
1) DHCP Option 15 matches the FQDN of the Active Directory domain that your ConfigMgr site server resides in
2) Use nslookup to verify the forward (A) and reverse (PTR) DNS records for the client and ConfigMgr site server (do this step from the site server)
3) Create a collection with your vPro system in it and enable Automatic Provisioning (right-click collection and choose Modify Collection Settings)
By the way, while you're troubleshooting an issue with AMT provisioning, you can do a couple of things to speed up the process:
1) Modify your sitectrl file to enable a higher provisioning attempt frequency (mine's set to 10 minutes right now)
2) Use the sendsched.vbs script to make a connection to WMI on the vPro client, and force-trigger an AMT provision attempt
3) Force a machine policy update from the ConfigMgr control panel applet (after you set the )
FYI, I've never really had a whole lot of success with the "Discover management controllers" task ... it never seems to work right, and I'm not sure what it is supposed to do. Rather, if I were you, I'd just go ahead and try to provision a device.
Hope this helps,
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. DHCP Option 15 matches
2. NSLookup verified records
3. Got the collection setup.
MEInfo
Intel(R) MEInfo Win Version: 2.5.0.1032
BIOS Version: A02
Intel(R) AMT code versions:
Flash: 5.0.1
Netstack: 5.0.1
Apps: 5.0.1
Intel(R) AMT: 5.0.1
Sku: 18440
VendorID: 8086
Build Number: 1111
Recovery Version: 5.0.1
Recovery Build Num: 1111
Legacy Mode: False
Link status: Link up
Cryptography fuse: Enabled
Flash protection: Enabled
Last reset reason: Power up
Setup and Configuration: In process
BIOS Mode: Post Boot
Error: The operation failed due to an internal error.
FWU Override Counter: Always
FWU Override Qualifier: Always
FW on Flash Desc Override: Disable
Kedron Driver Version: Not Available
Kedron HW Version: Not Available
UNS Version: 5.0.5.1102
LMS Version: 5.0.6.1102
HECI Version: 5.0.1.1055
1. I don't know how to modify the sitectrl file
2. where is the sendsched.vbs?
3. I can force Machine Policy Updates.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Attached to this post are the scripts necessary to manually fire off a provisioning attempt. Simply run "AMT Policy Scheduler.bat" vProClient.vProdemo.com.
Here is more information about how to modify your sitectrl file.
http://social.technet.microsoft.com/forums/en-US/configmgrgeneral/thread/3f52755a-24a6-4d62-9fa4-db4c23a9a305/ http://social.technet.microsoft.com/forums/en-US/configmgrgeneral/thread/3f52755a-24a6-4d62-9fa4-db4c23a9a305/
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's what I get on the client when running the script.
From the oobmgmt.log
Can not read last OTP from [Software\Microsoft\Sms\Mobile Client\OutOfBand Management\OneTimePassword], (0x80070002)
Can not set new OTP or load last OTP!
Failed to Call GenerateOTPPassword provider method, 80041001
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you ever logged into the MEBx on this system, and if so, did you change the password on the MEBx? I would recommend setting the MEBx back to factory defaults. The way I usually do this is to pull the power cord & the CMOS battery, and then give the BIOS a few seconds to reset.
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page