Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,407 Views

OOB Management Console Connects to AMT-Based Computers but Does Not Display Information

I used SCCMSP1 (build 4.00.6181.1000) provision with AMT 3.2.1 successfully and can remote power on/off AMT machine. When the out of band management console connects to the selected

AMT-based computer but console does not display any information. I check <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log. It indicate below reason: "GetAMTPowerState fail with result:0x80070035." This

could be a configuration issue in the AMT-based computer's BIOS extensions for

serial over LAN and IDE redirection. But I double check the setting and make sure enable "user name and password" for the serial over LAN and IDE redirection. Any wrong on the setting?

Thanks!

Bill

0 Kudos
21 Replies
Matthew_R_Intel
Employee
117 Views

Here are some things to double check.

  • Within "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management", ensure you have granted the Kerberos user that you are trying to connect with has appropriate rights.

  • On your certificate Authority that issues AMT certs for provisioning, make sure a cert was issued to your AMT clients. If it's not, ensure that "Out of Band Management" component configuration is set to use that CA and template along with having the appropriate permission to request the cert.

  • Ensure the client object was created in the AD OU you specified in the "Out of Band Management" component configuration. If it not there, you need to adjust your permissions on the OU so that the SCCM computer (what sms exec runs under) object has access to add items to that OU.

Either one of these can give you that symptom. Double check for me and let me know what you find.

Matt Royer

idata
Community Manager
117 Views

Hi Matt:

Thanks your help. Would clarify where to add Kerberos user in SCCM? Original, I only add "domain/administrator" user in "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->AMT settings->AMT user accounts". Do I need add "Doman/admin" user into the list? Originally, I added administrator and admin into "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->Provisioning settings->AMT provisioning and Discovery Accounts". Would you clarify where to add AMT users.

The second, I checked AMT machine and found that provisioning is successfully and SCCM indicated it's provisioned. I can see remote menu in SCCM. When I use IE to connect AMT machine with https://<ip/ address>:16993, AMT machine response logon homepage. When I logon on with admin user, it always asky "<IP address/admin" password to me. Does it mean that certificate Authority that issues AMT certs for provisioning was not issued to my AMT clients? How to check whether CA issued the certification to AMT client?

last question is about Kerberos clock tolerance (minutes). I saw "kerberos clock tolerance(minutes)" items in botton of "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management->AMT settings". Its default value is 5. What means it?

Thanks!

Bill

Matthew_R_Intel
Employee
117 Views

For the TLS connection to work correctly, you should be connecting through the web browser with the FQDN and not the IP address of the vpro client (https://client.domain.com:16993). Although it should not matter, try adding a digest account via "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings". Once you do that, right client on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory". After you update the management controller, try running the OOB Console again.

To give us little more error reporting, change the error level of the Out of Band Console to "Verbose". This can be done by modify the "Error" to "Verbose" in the following file c:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config

Matt Royer

idata
Community Manager
117 Views

I met same issue , Here is log info. please tell me the reason why oob console can not connet to AMT.Thanks.

1 [2008-5-21 16:37:16] :OOBConsole: Trace started

1 [2008-5-21 16:37:16] :Create AmtClientManager.

6 [2008-5-21 16:37:18] :Executing WQL: 'SELECT * FROM SMS_Site WHERE ReportingSiteCode = '''

6 [2008-5-21 16:37:18] :ResultObject: 'a21e57d8-5ec2-4275-bf3c-3eb069eae8b9'

6 [2008-5-21 16:37:18] :Executing static method SMS_Identification.GetProviderVersion()

6 [2008-5-21 16:37:18] :No method parameters specified

6 [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.GetSessionHandle()

6 [2008-5-21 16:37:18] :No method parameters specified

6 [2008-5-21 16:37:18] :SCF session handle {6c809fc9-f9bd-425f-912c-4f1b884ff689} successfully aquired

6 [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

6 [2008-5-21 16:37:18] :Refresh of SCF successful

6 [2008-5-21 16:37:18] :Initializer '{3F32691E-24B1-4b1e-9915-37B633F39392}', will no be run, unsupported application type

6 [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

6 [2008-5-21 16:37:18] :Refresh of SCF successful

6 [2008-5-21 16:37:18] :Found Site code 'XYZ' for RefreshScf

6 [2008-5-21 16:37:18] :Executing static method SMS_SiteControlFile.RefreshScf()

6 [2008-5-21 16:37:18] :Refresh of SCF successful

6 [2008-5-21 16:37:18] :Adding key 'Default Floppy Path'

6 [2008-5-21 16:37:18] :Adding key 'Default CD Path'

6 [2008-5-21 16:37:18] :Adding key 'Enable WebUI'

6 [2008-5-21 16:37:18] :Adding key 'Enable SOL'

6 [2008-5-21 16:37:18] :Adding key 'Enable IDER'

6 [2008-5-21 16:37:18] :Adding key 'Admin User Name'

6 [2008-5-21 16:37:18] :Adding key 'Use Random Password'

6 [2008-5-21 16:37:18] :Adding key 'VLan Mode'

6 [2008-5-21 16:37:18] :Adding key 'Kerberos Max Clock Tolerance'

6 [2008-5-21 16:37:18] :Adding key 'VLan Tag'

6 [2008-5-21 16:37:18] :Adding key 'Enable Ping'

6 [2008-5-21 16:37:18] :Adding key 'Max Partner Storage Size'

6 [2008-5-21 16:37:18] :Adding key 'Max Non Partner Storage Size'

6 [2008-5-21 16:37:18] :Adding key 'Bios10 Password'

6 [2008-5-21 16:37:18] :Adding key 'Tls Encryption'

6 [2008-5-21 16:37:18] :Adding key 'Nac Enabled'

6 [2008-5-21 16:37:18] :Adding key 'Nac Cert'

6 [2008-5-21 16:37:18] :Adding key 'New MEBx Password'

6 [2008-5-21 16:37:18] :Adding key 'Enable Kerberos'

6 [2008-5-21 16:37:18] :Adding key 'Provisioning Account'

6 [2008-5-21 16:37:18] :Adding key 'Provisioning Account PWD'

6 [2008-5-21 16:37:18] :Adding key 'TCP Provisioning Port'

6 [2008-5-21 16:37:18] :Adding key 'Enable Hello Listener'

6 [2008-5-21 16:37:18] :Adding key 'CA FQDN'

6 [2008-5-21 16:37:18] :Adding key 'CS Name'

6 [2008-5-21 16:37:18] :Adding key 'CS Type'

6 [2008-5-21 16:37:18] :Adding key 'Cert Template'

6 [2008-5-21 16:37:18] :Adding key 'Console Cert Template'

6 [2008-5-21 16:37:18] :Adding key 'Bypass BIOS Password'

6 [2008-5-21 16:37:18] :Adding key 'Register Provisioning Server'

6 [2008-5-21 16:37:18] :Adding key 'Active Directory Container'

6 [2008-5-21 16:37:18] :Adding key 'Translators'

6 [2008-5-21 16:37:18] :Adding key 'Maintenance Schedule'

6 [2008-5-21 16:37:18] :Adding key 'Enable CRL Checking'

6 [2008-5-21 16:37:18] :Adding key 'Use Proxy'

6 [2008-5-21 16:37:18] :Adding key 'Proxy Server Address'

6 [2008-5-21 16:37:18] :Adding key 'Proxy Port'

6 [2008-5-21 16:37:18] :Adding key 'Default Floppy Path'

6 [2008-5-21 16:37:18] :Adding key 'Default CD Path'

6 [2008-5-21 16:37:18] :Adding key 'Enable WebUI'

6 [2008-5-21 16:37:18] :Adding key 'Enable SOL'

6 [2008-5-21 16:37:18] :Adding key 'Enable IDER'

6 [2008-5-21 16:37:18] :Adding key 'Admin User Name'

6 [2008-5-21 16:37:18] :Adding key 'Use Random Password'

6 [2008-5-21 16:37:18] :Adding key 'VLan Mode'

6 [2008-5-21 16:37:18] :Adding key 'Kerberos Max Clock Tolerance'

6 [2008-5-21 16:37:18] :Adding key 'VLan Tag'

6 [2008-5-21 16:37:18] :Adding key 'Enable Ping'

6 [2008-5-21 16:37:18] :Adding key 'Max Partner Storage Size'

6 [2008-5-21 16:37:18] :Adding key 'Max Non Partner Storage Size'

6 [2008-5-21 16:37:18] :Adding key 'Bios10 Password'

6 [2008-5-21 16:37:18] :Adding key 'Tls Encryption'

6 [2008-5-21 16:37:18] :Adding key 'Nac Enabled'

6 [2008-5-21 16:37:18] :Adding key 'Nac Cert'

6 [2008-5-21 16:37:18] :Adding key 'New MEBx Password'

6 [2008-5-21 16:37:18] :Adding key 'Enable Kerberos'

6 [2008-5-21 16:37:18] :Adding key 'Provisioning Account'

6 [2008-5-21 16:37:18] :Adding key 'Provisioning Account PWD'

6 [2008-5-21 16:37:18] :Adding key 'TCP Provisioning Port'

6 [2008-5-21 16:37:18] :Adding key 'Enable Hello Listener'

6 [2008-5-21 16:37:18] :Adding key 'CA FQDN'

6 [2008-5-21 16:37:18] :Adding key 'CS Name'

6 [2008-5-21 16:37:18] :Adding key 'CS Type'

6 [2008-5-21 16:37:18] :Adding key 'Cert Template'

6 [2008-5-21 16:37:18] :Adding key 'Console Cert Template'

6 [2008-5-21 16:37:18] :Adding key 'Bypass BIOS Password'</p...

Matthew_R_Intel
Employee
117 Views

liuxpa, can you try the following...

Add a seporate provisioning account by going to "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Settings" tab; just create an account something like "testaccount" with a password. Once you do that, right click on the vPro client and select "Out of Band Management" -> "Update Provisioning Data in Management Controller Memory". After waiting about a minute, try running the OOB Console again.

Like I mentioned above, this should not be necessary; however, would like to see if this makes any difference for you.

Matt Royer

idata
Community Manager
117 Views

Hi Matt:

I follow your guide and double check "Site Database"->"Site Manager"->"Site Server Name"->"Site Settings"->"Component Configuration"->"Out of Band Management"->"Provisioning settings" and add admin, administrator and AMTtest users into the accounts, "Update the Provisioning Data in Management Controller Memory", but I still can't see any AMT information in OOB console. I can remote power-on/off/restart the machine, but I can't see the AMT data in console. Does it kerberos user issue?

On the other hand, I used IE to connect AMt machine with FDQN <https://amt-01.vprodemo.com;16993>. I can see logon homepage, but it always ask me logon on with user and password. I sure I type-in correctly user (I try admin, AMTtest), but it still does not work. The situtation same as <https://192.168.0.100;16993>. I consider the issue is same as above console problem. Do you have any suggestion for setting. what I can check in setup.

Thanks!

Bill

Matthew_R_Intel
Employee
117 Views

Bill,

There are 2 additional things I would recommend double checking.

The first is that a certificate for the vPro client (in your case amt-01.vprodemo.com) was issued by the Certification Authority defined within "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" and is not expired. If you are able to connect to https://amt-01.vprodemo.com:16993 (or the FQDN of the client having the issues) without being issued a warming by internet explorer that the certificate is invalid, the certification should be fine; however, I would double check on your CA that the certificate was actually issued for the FQDN of your vPro client (make sure you view the certificate detail and confirm). If it wasn't, you need ensure that your Enterprise CA is configured within Out of Band Management Component Configuration and that the computer account (the computer name object) that the Site Server is running under has Read, Enroll, and Auto Enroll for the Certificate Template that is used to issue the cert. Note that I have seen issues where a cert was generated but was given the FQDN of the SCCM site server if the permissions where not set correctly and then this cert is then pushed to the vPro client with the wrong FQDN in the certificate.

The Second thing is to validate that the vPro objects (computer object) are being created in the OU that you configured in "Site Database"-> "Site Manager" -> Site server Name -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" during the provisioning process. You should be able to see that the object was created by using "Active Directory Users and Computers" and browsing to the OU and then the object; you should be able to see that the vPro Client object is in a healthy (no red X) state. If vPro object is not being created in the OU, I would double check the permissions. This can be done by opening "Active Directory Users and Computers" for your domain, right clicking on the OU you are using to store the vPro client object, and select Properties (make sure your "Advanced Features" under view is checked prior to selecting Properties). Click on the security tab and click add; when the window appears search for the SCCM site server computer object and select it. Give the computer object of the SCCM Site Server full control. Depending on your domain configuration, you may also need to click on the advance button for the SCCM site server computer object and ensure that the "Apply onto" is set to "this object and all child objects".

Let me know if that helps.

Matt Royer

idata
Community Manager
117 Views

Hi Matt:

It seems it's security permissions issue. I follow your guide and check again. Acutally, I can't see computers in OU (Out of band management Controllers), the computers was located in Computers Contrainers. Even I moved the computers into OU, the phenomenon is same. I configure the permission with below. Would you help me check which one is wrong?

OU: Out of Band Management Controllers:

SCCMSP1$(VPRODEMO\SCCMSP1$): Full Control, add "This object and child objects" into "Apply onto" list

CA Templates

ConfigMgr AMT Provisioning:

ConfigMgr Out of Band Service Points: Read, Enroll, Autoenroll

ConfigMgr AMT Web Service Certificate

ConfigMgr Primiary Site Servers: Read, Enroll, Autoenroll

Thanks!

Bill

idata
Community Manager
117 Views

Hi Matt:

Thanks your supporting, I upgrade to new 6222 build version, change Web Server permission to Read and Enroll in <![CDATA[<span style="font-weight: bold">{font:Verdana}{size:8.5pt}{color:red}Authenticated Users{color}{size}{font}]]>(The Default is Read only) , add Primiary site server into OU. Then it works now.

Thanks!

Bill

Matthew_R_Intel
Employee
117 Views

Glad to hear Bill. Thanks for working through it.

Matt Royer

idata
Community Manager
117 Views

Hi vPro experts!! I have a similar problem with a Dell Optiplex 755 client, I checked all the requises and are OK, permissions, CA, OU... but nothing happens, client id provisioned but I can't turn on/off/restart the client and I can't open the OOB Management Console.

What was the steps that you followed to solve this thread, please?

Thanks in advance!!

idata
Community Manager
117 Views

I have the same problem!

I have a vPro lab with SCCM SP1 and a Dell Optiplex 755 client, with 3.2.1 MEBx version, the client is provisioned without SCCM agent, but when y try to power on,off,restart nothing happens!

The OOB console try to connect but appears as disconnected.

Were you able to resolve it?

Help me, please?

Tks.

Matthew_R_Intel
Employee
117 Views

Maras,

Can you provide your error messages you are seeing in <ConfigMgrInstallationPath>\Logs\amtopmgr.log and <ConfigMgrInstallationPath>\AdminUI\AdminUILog\Oobconsole.log.

If you are not able to perform collection based power or connect via the Out Of Band Console, there is a high potential that you certificate was not created problem. On your issuing CA, make sure you see a certificate for the vPro client and that the FQDN that the certificate was issued to is the FQDN of the vPro Client.

d-1627 http://communities.intel.com/openport/docs/DOC-1627

Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)

Potential Root cause(s):

  • The current user logged on to the SCCM Console does not have sufficient right to perform the desired operation.

  • Verify that the user you are logged on with is listed or in a Kerberos group that is listed in the AMT User Account list. SCCM SP1 Help File Article: "[How to Configure AMT Settings and AMT User Accounts|http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx]"; Section: "To configure AMT settings and AMT User Accounts".

SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provision or the Web Server Certificates was issued to a different FQDN then the vPro Client.

  • Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers has the appropriate permission. SCCM SP1 Help File Article: "[Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management|http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx]"; Section: "Preparing the Web Server Certificates for AMT-Based Computers".

  • Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "[How to Configure AMT Provisioning|http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx]"; Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

idata
Community Manager
117 Views

Hi Miroyer,

I checked the permissions and are OK.

How to check whether CA issued the certification to AMT client?

Is necessary to generate and install a certificate for each client AMT?

Tks,

Maras

Matthew_R_Intel
Employee
117 Views

During the provisioning process, a certificate will be generated for each vPro client. To check to see if a certificate was issued, connect to your issuing Certificate Authority (the CA that you configured to issue the certificates via Certificate Template) and expand "Issued Certificates"; you should see your certificate in the list. Open the certificate by double clicking on it and verify that the "Issue To" is set listed as the FQDN of the vPro Client.

Are you able to perform collection based power control? Can you right click on the vpro client in the collection and select "out of band management" -> power control and use power on/off/restart on the vpro client. If you you're your certificate is most likely set up correctly. Then you should check to ensure you the AMT Object was created properly in the OU; to verify, open up the OU container and see if the object was created. It is also imperative you have the appropriate permissions created in the OU and the permissions were applied to that and the child objects. Check out the SP1 Help File Article: "How to Prepare Active Directory Domain Services for Out of Band Management" on the proper configuration.

--Matt Royer

idata
Community Manager
117 Views

*Hi Matt: *

  • One question for in-band provision on vPro machine with SCCM SP1: I saw <<**+ Intel vPro Out of Band Management Quick Start Install Guide>> in the web. It should be written by you. The In-band provision is a little different with OOB which I did in lab and SCCM help. If I follow the guide and do nothing on AMT ME and only turn-on AMT. Do I provision AMT in SCCMSP1 through SCCM Agent with inband provisioning if I only turn on AMT, but I don't type CA HASH, SCCM FDQN, SCCM server IP in AMT ME? Does SCCM agnet write CA HASH, SCCM server IP and FDQN information into ME when SCCM make inBand provisioning with vPro machine?+*

Thanks!

Bill

Matthew_R_Intel
Employee
117 Views

Bill,

Unlike Bare Metal provisioning within SCCM where you need to provide the Hostname, FQDN, and UUID of the vPro client you are trying to provision and then awaiting a matching UUID hello packet from the vPro Client to initiate the provisioning... Agent Based provisioning pulls the required information (Hostname, FQDN, etc) from the OS and passes that to the Out of Band Service point to provision the vPro Client along with the One Time Password (extra security message used only for provisioning).

--Matt Royer

idata
Community Manager
117 Views

Hi Maras:

if you checked all permission is correctly, please make sure your vPro client FDQN and SCCM vPro name is same as DNS name. For example, you did not boot your OS and in BIOS, your host name in SCCM may be dell01.example.com, but your DNS show the machine is "mymachine.example.com" because DNS only remember your OS FDQN. Simple way is that you type "mymachin" into ME host name and reboot. It should work.

Thanks!

Bill

idata
Community Manager
117 Views

I am having similar issues to those experienced in this thread and need to ask for your assistance to find a resolution

The following is occurring in my environment

  • Running SCCM SP1 with OOB mgmt configured

  • Using Internal CA with PKI infrastructure

  • MachineA has been provisioned via SCCM for the AMT device (v3.2.1) Provisiong took place after applying the CA cert root hash on the AMT device.

  • In my SCCM console, I can use the power control to reboot, power on and power off the device successfully.

  • I am unable to use the OOB mgmt console. I have turned on verbose logging on the OOB console and have similar logs to the log previously posted.

  • There is an account for the AMT device in AD that was generated during the provisioning process

  • Certs appear to be working properly. My CA shows a cert requested from the SCCM oob server, issued to machinea.domain.com. The template used was SCCM AMT web server cert.

Please let me know if and where I am overlooking the resolution. We are in the process of signing a PO for the purchase of 500 new HP DC7800P and need to confirm these machines are capable of integrating with SCCM completely

Thank you for your help in advance

Matt M

OOBconsole.log

6 9/24/2008 7:54:07 AM :GetAMTPowerState fail with result:0x80070035

1 9/24/2008 7:54:11 AM :User disconnect

1 9/24/2008 7:54:11 AM :Closing SOL terminal...

1 9/24/2008 7:54:11 AM :SOL terminal closed

1 9/24/2008 7:54:11 AM :status message Type:Audit, ID:0x000000004000765D, User:CBB\mamason, Machine:D6257B, Target:T6257T add to queue, waiting for report.

4 9/24/2008 7:54:17 AM :Executing WQL: 'SELECT * FROM SMS_Site WHERE ReportingSiteCode = '''

4 9/24/2008 7:54:17 AM :ResultObject: '2da39d8f-3f4d-46aa-994e-093b91d0f454'

4 9/24/2008 7:54:17 AM :Executing static method SMS_Identification.GetProviderVersion()

4 9/24/2008 7:54:17 AM :No method parameters specified

4 9/24/2008 7:54:17 AM :Executing static method SMS_SiteControlFile.GetSessionHandle()

4 9/24/2008 7:54:17 AM :No method parameters specified

4 9/24/2008 7:54:17 AM :SCF session handle {a0c4e582-d2c8-4e03-8499-b04ef9b09a4e} successfully aquired

4 9/24/2008 7:54:17 AM :Executing static method SMS_SiteControlFile.RefreshScf()

4 9/24/2008 7:54:17 AM :Refresh of SCF successful

4 9/24/2008 7:54:17 AM :Initializer '{3F32691E-24B1-4b1e-9915-37B633F39392}', will no be run, unsupported application type

4 9/24/2008 7:54:17 AM :Executing static method SMS_StatusMessage.RaiseRawStatusMsg()

4 9/24/2008 7:54:17 AM :Success report status message Type:Audit, ID:0x000000004000765C, User:domain\user1, Machine:D6257B.

4 9/24/2008 7:54:17 AM :Executing static method SMS_StatusMessage.RaiseRawStatusMsg()

4 9/24/2008 7:54:17 AM :Success report status message Type:Audit, ID:0x0000000040007665, User:domain\user1, Machine:D6257B.

4 9/24/2008 7:54:17 AM :Executing static method SMS_StatusMessage.RaiseRawStatusMsg()

4 9/24/2008 7:54:17 AM :Success report status message Type:Audit, ID:0x000000004000765D, User:domain\user1, Machine:D6257B.

4 9/24/2008 7:54:17 AM :Executing static method SMS_SiteControlFile.ReleaseSessionHandle()

4 9/24/2008 7:54:17 AM :SCF session handle {a0c4e582-d2c8-4e03-8499-b04ef9b09a4e} has successfully released

4 9/24/2008 7:54:17 AM :IMR_RemoveClient with clientID=0 success.

1 9/24/2008 7:54:17 AM :IMR_RemoveAllClients success.

1 9/24/2008 7:54:17 AM :OOBConsole exit

GetAMTPowerState fail with result:0x80070035

GetAMTPowerState fail with result:0x80070035

Matthew_R_Intel
Employee
70 Views

Mamason,

Verify that the SCCM Primary Site Servers has been granted full control permissions on the out of band management OU. Reference SCCM SP1 Help File Article: "[How to Prepare Active Directory Domain Services for Out of Band Management|http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx]". You should also look in the AMT OU you specified and ensure that an object for the vPro client created after provisioning. Remember that SCCM server object needs to have full control over that OU and all child objects within the OU.

--Matt Royer

Reply