Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

SCCM 2007 SP2 R3 vPro provisioning issue

idata
Employee
1,715 Views

Hi, we have SCCM 2007 SP2 R3, which will not provision vPro-capable clients in-band.

Configuration - following http://www.vproexpert.com/sccm_vpro/

Internal 2008 R2 Enterprise CA with a 2048bit root cert (hash entered into the MEBx on clients)

SCCM AMT Provisioning cert issued and installed on the SCCM server.

AMT Web Server Certificate created and published on the CA with rights for the SCCM server to enrol and manage certificates

SCCM Collection for Unprovisioned vPro clients with "Enable automatic out of band management controller provisioning" selected.

DNS options 06 and 15 configured on the DHCP server,

DNS reverse lookup zone created and working as expected.

provisionserver.domain.com published in DNS

WSMAN translator 1.1 installed and configured, web server cert issued and installed.

clients can connect to https://hollywood-dev.devtranzrail.co.nz/wstrans https://sccm.fqdn/wstrans in IE and version 1.1 Build:00582 is displayed. SSL cert chain is OK

2 Test clients

HP 8460p with AMT 7.1.3

Lenovo M58 with AMT 5.0.2

SCCM server can resolve the test clients via hostname and fqdn and clients can resolve the sccm server by hostname and fqdn

oobmgmt.log client log

ON SCHEDULE OOBMgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

BEGIN oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

Retrying to activate the device. oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

Resending last OTP oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = 1CDB2B5E52CD8D1AB7A90ACF8414474083A4FE28, RetryCount = 5 oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

Successfully activated the device. oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = 2AD6B6B9C16146CF4F0703C8DC3955FCC50B58B6, AMT Core Version = 7.1.3 oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

END oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

amtopmgr.log

AMT Discovery Worker: Reading Discovery Instruction C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{2CCA124F-5D58-4187-B8CD-85887CFF4241}.RDC... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames 'DEV0001D', NULL, 'DEV' SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 268 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromCollection: Found machine WL30581 - 10.160.193.11 from Collection DEV0001D. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 269 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromCollection: Found machine WD20078 - 10.160.193.10 from Collection DEV0001D. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Finish reading discovery instruction C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{2CCA124F-5D58-4187-B8CD-85887CFF4241}.RDC SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: There are 4 tasks in pending list SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Send task to completion port SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

Auto-worker Thread Pool: Current size of the thread pool is 3 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Send task to completion port SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

Auto-worker Thread Pool: Work thread 3508 started SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 3508 (0x0DB4)

Auto-worker Thread Pool: Current size of the thread pool is 4 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: 2 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HOLLYWOOD-DEV SITE=DEV PID=2128 TID=2652 GMTDATE=Thu Jul 21 21:54:46.942 2011 ISTR0="2" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

Auto-worker Thread Pool: Work thread 5980 started SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 5980 (0x175C)

AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)

CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 5844 (0x16D4)

CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.11:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 4888 (0x1318)

CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:53 a.m. 3508 (0x0DB4)

CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.11:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:53 a.m. 5980 (0x175C)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)

CSMSAMTDiscoveryTask::Execute - DDR written to C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)

Auto-worker Thread Pool: Succeed to run the task . Remove it from task list. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:55 a.m. 5980 (0x175C)

1. In the training they mention that you can provision by PS...

0 Kudos
6 Replies
idata
Employee
347 Views

Sorry to hear you are having trouble getting your systems provisioned!

Just a quick review of the logs here are a few things to check / answers to your questions:

1. When using clients >=3.2.1, SCCM will default to PKI provisioning natively. If it sees a provisioning attempt from a system <3.2.1, it will kick the request over to the WSMAN Translator, which will then attempt the provision. So while it is physically possible to provision a system >3.2.1 using PSK, it is unsupported in SCCM.

2. I believe SCCM is having trouble connecting to the client natively, and therefore cannot query AMT for the version number. After it attempts to connect and fails, it kicks it over to the WSMAN translator where it is attempting a connection to 16992.

3. Make sure you are entering the HASH of the ROOT CA of your internal provisioning certificate chain into the MEBx. Also make sure you are entering the user/password (that you just created) into the provisioning settings tab inside SCCM --->Site settings --->component config--->out of band management--->provisioning accounts.

4. Have you tried re-installing the SCCM client agent on the machine? Sometimes after a machine is moved to/from another domain or renamed, a re-install of the client agent helps the provisioning process.

5. You are correct, the CA Web Enrollment component is not needed.

A few more things to check:

  • Make sure you are using a wired connection.
  • Also, because you have changed the MEBx password, make sure you are entering that new password in the SCCM site Settings--->component config--->OOB settings--->provisioning accounts tab.
idata
Employee
347 Views

I have had some success,

The Lenovo M58 provisioned on Friday and I can manage it out of band.

Which is good news, as it means the SSL cert, AD OU and delegation are all working.

One issue is that SOL is not working; this fails with error 0xc (and may be related to Kerberos ticket size), but I have not got to the bottom of that yet.

The HP 8460p still will not provision in-band. It has an option "Activate Network" in the MEBx that, when turned on, puts it into Admin mode (AMT status reported Admin) where it should be Enterprise.

Our root CA hash is entered into each test machine's MEBx.

I am trying reinstalling the SCCM agent on the HP machine to see if provisioning starts and succeeds.

0 Kudos
idata
Employee
347 Views

Update - I installed XP on the second client and it got provisioned straight away, so it appears to be related to Windows 7. We are opening a Premier case to see what MS have to say about it.

0 Kudos
idata
Employee
347 Views

Good to hear that you got your other machine provisioned!

I hope you are able to resolve the Windows 7 issue.

Josh

0 Kudos
idata
Employee
347 Views

Some progress,

I have 3 test clients in the lab. I can get all three to provision, but all require manual intervention to get the magic to happen.

HP 2560p AMT 7.1.3

HP 2760p AMT 7.1.3

Lenovo M58p AMT 5.0.2

I've been working with Microsoft using the HP 2760p that was fresh and never provisioned before.

Steps taken.

Imported the machine into SCCM to our OSD collection for initial deployment of our Windows 7 image (build process via PXE).

Before building enter MEBx and enter our Root CA cert Hash into the MEBx

Restart to PXE and let the machine build.

After the build has finished it has SCCM Client version 4.00.6487.2157 and AMT Status = 0

Run a Management Controller detection and wait, run a System Discovery Cycle and wait; eventually the management controller gets detected and Status is set to 2.

Update collections so the vPro Unprovissioned collection picks up the machine; this collection is enabled for Automatic OOBM Controller provisioning.

Force AMT policy detection cycle by running

SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

BEGIN oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)

Retrying to activate the device. oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)

New OTP generated oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)

Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = B3778F04A73A170405264F4800EE20F9DD7E460A, RetryCount = 0 oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)

Raising event:
[SMS_CodePage(850), SMS_LocaleID(5129)]
instance of SMS_OOBMgmt_StartConfig_Success
{
    ClientID = "GUID:62D2E79C-DC30-410A-8F5F-924201BA38C8";
    ConfigurationStartTime = "2011-08-04 10:09:45";
    DateTime = "20110803220945.353000+000";
    MachineName = "WL02760";
    ProcessID = 2280;
    SiteCode = "DEV";
    ThreadID = 4804;
};
oobmgmt 4/08/2011 10:09:45 a.m. 4804 (0x12C4)

Successfully activated the device. oobmgmt 4/08/2011 10:09:45 a.m. 4804 (0x12C4)

Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = DA5FBC2E613BF1C25FE7C7250AC78FBB08C57D80, AMT Core Version = 7.1.3 oobmgmt 4/08/2011 10:09:45 a.m. 4804 (0x12C4)

END oobmgmt 4/08/2011 10:09:45 a.m. 4804 (0x12C4)

It appears to generate the new OTP and send it to the SCCM server, this is where it starts to fall apart.

I would now expect to see in the amtopmgr.log the incoming ResourceID.OTP file dropped in the "C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov" inbox

Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker.

This OTP file never gets generated.

Eventually, to get the machine to provision, I uninstalled the SCCM client using

c:\windows\system32\ccmsetup\ccmsetup /uninstall

and

c:\windows\system32\ccmsetup\ccmsetup /mp:sccm.fqdn SMSSITECODE=DEV

After the SCCM client has been re-installed the version is 4.00.6487.2000 (we deploy the R3 client patch as part of our OSD TS).

From this point issue another

SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

In the oobmgmt.log we can see a new OTP generated and in amtopmgr.log the incoming ResourceID.OTP file and provisioning starts and completes.

Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

Found one 'ZTC Provision' task with type 'Machine Resource' and target ID '289' and IP address '0'. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

Target machine 289 is a AMT capable machine. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

Succeed to add new task to pending list. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

AMT Provision Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

AMT Provision Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

AMT Provision Worker: Send task WL02760.devtranzrail.co.nz to completion port SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

Auto-worker Thread Pool: Current size of the thread pool is 1 SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)

Auto-worker Thread Pool: Work thread 5428 started SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 5428 (0x1534)

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 5428 (0x1534)

From this point I deployed the newer SCCM Client, 4.00.6487.2157

Unprovisioned the machine by deleting the provisioning data using SCCM.

Updated my collection so it moved back into the "vPro Unprovissioned"

Force an AMT Policy Detection: SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

And the machine generates a new OTP and provisions.

So on the surface it does not look like a client version problem.

Questions:

  1. What is the best way to get the AMT Status in SCCM (Discover Management Controllers, System Discovery?)

  2. When a New OTP is generated is this the trigger for the "C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\ResourceID.OTP" to be created?

  3. If OTP generation is the trigger, why would this file fail to be created on the SCCM server?

  4. Microsoft have said that version 7.1.3 was not around for testing but it appears to work as I can get them to provisi...
0 Kudos
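The symptom described in the post above (the client logs an OTP upload, but no ResourceID.OTP instruction file reaches amtopmgr.box\prov on the site server) can be checked mechanically across both logs. The following is an added example, not part of the original thread or of SCCM; the sample lines are excerpts of the logs quoted in the thread, and the function names `messages` and `triage` are hypothetical.

```python
import re
from collections import Counter

# Entry layout seen in the thread: "<message> <component> <d/mm/yyyy> <h:mm:ss> a.m. <tid> (0x..)"
ENTRY = re.compile(r"^(?P<msg>.*?)\s+(?P<comp>\S+)\s+\d{1,2}/\d{2}/\d{4}\s+"
                   r"\d{1,2}:\d{2}:\d{2} [ap]\.m\.\s+\d+ \(0x[0-9A-Fa-f]+\)\s*$")
OTP_UPLOAD = re.compile(r"OTPHash = ([0-9A-F]{40}), RetryCount = (\d+)")
TCP_FAIL = re.compile(r"Failed to establish tcp session to (\d+\.\d+\.\d+\.\d+:\d+)")
OTP_FILE = re.compile(r"Incoming instruction file .*\\prov\\(\d+)\.OTP")

# Sample input: lines excerpted from the oobmgmt.log and amtopmgr.log quoted in this thread.
CLIENT_LOG = r"""
New OTP generated oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)
Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = B3778F04A73A170405264F4800EE20F9DD7E460A, RetryCount = 0 oobmgmt 4/08/2011 10:09:44 a.m. 4804 (0x12C4)
Raising event:
"""
SERVER_STUCK = r"""
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 5844 (0x16D4)
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.11:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 4888 (0x1318)
CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:53 a.m. 3508 (0x0DB4)
"""
SERVER_OK = r"""
Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
"""

def messages(log_text):
    """Yield the message part of each well-formed entry; skip blanks and multi-line event bodies."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("msg")

def triage(client_log, server_log):
    """Correlate OTP uploads in oobmgmt.log with what amtopmgr.log shows the server received."""
    uploads = [(m.group(1), int(m.group(2)))
               for msg in messages(client_log) if (m := OTP_UPLOAD.search(msg))]
    tcp_failures = Counter(m.group(1) for msg in messages(server_log)
                           if (m := TCP_FAIL.search(msg)))
    otp_files = [int(m.group(1)) for msg in messages(server_log)
                 if (m := OTP_FILE.search(msg))]
    if uploads and not otp_files:
        verdict = "client uploaded an OTP but no .OTP instruction file reached the prov inbox"
    elif otp_files:
        verdict = "Provision Worker received an .OTP instruction file"
    else:
        verdict = "no OTP activity in either log"
    return {"uploads": uploads, "tcp_failures": dict(tcp_failures),
            "otp_files": otp_files, "verdict": verdict}
```

Calling `triage(CLIENT_LOG, SERVER_STUCK)` reproduces the stuck state from the thread; pass the full text of the real log files to compare a machine that provisions with one that does not.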
idata
Employee
347 Views

The machine we tested with provisioned after 1 week.

Every day it would generate a new OTP and send it off to SCCM, which appears to ignore it. Then spontaneously on the Friday it generated the new OTP for the day, and lo and behold SCCM provisioned it.

0 Kudos