
SCCM - Client connectivity error

idata
Employee
3,587 Views

Hi,

We are in the process of exploring vPro with SCCM 2007 in our lab environment.

We followed the 'Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9' to set up our CA and install SCCM and the appropriate post installation steps in SCCM.

The Client PC in our environment: Dell OptiPlex 755

BIOS Version: A12

AMT Version: 3.2.2

As we didn't have a 3rd party certificate (VeriSign, GoDaddy or Comodo), we included the CA's certificate thumbprint value onto the AMT machine by logging into the MEBx.

We had to change the MEBx default password from 'admin'.

We also defined the new MEBx password in SCCM 'Out of Band Management' component properties.

Now SCCM identifies the AMT PCs as status 'Detected', but we couldn't bring it to the state 'Provisioned'.

We have the 'Intel WS-Management Translator' installed and configured.

We also tried the 'SelfSignedFix.vbs' following (http://communities.intel.com/openport/community/openportit/vproexpert/microsoft-vpro/blog/2008/08/19/intel-amt-321-selfsigned-certificate-issue-and-working-around-it-for-microsoft-system-configuration-manager-sp1) and get an error stating 'cannot connect to client' when the command "cscript SelfSignedFix.vbs https://VIRSRV4.VIRTUALDC.COM https://VIRSRV4.VIRTUALDC.COM 192.168.1.215 c:\temp N" is tried.

We have made the new MEBx password in the 'SelfSignedFix.vbs' as well.

The AMTopmgr.log says the following:

 

Incoming Connection from 192.168.1.215:16994. Incoming data is - Configuration version: PKI Configuration. Count : 14 UUID : 4C4C4544-004C-4810-8046-B9C04F314253 Error: Hash list of AMT device 4C4C4544-004C-4810-8046-B9C04F314253 doesn't contain our provision server certificate hash.

Are we missing any steps?

Please advise.

Please let me know if I can provide any more information about our lab environment.

Thanks & Regards

Kumaran Alagesan

0 Kudos
14 Replies
idata
Employee
657 Views

Kumaran,

The portion of the log that you posted indicates an out-of-band provision attempt, not an in-band (SCCM client initiated) provision attempt. You'll want to

Because you are working with the Dell OptiPlex 755 with AMT 3.2.2, you don't need to use the Intel WS-MAN Translator and you don't need to worry about the self-signed cert issue (it's fixed in 3.2.2). You should be able to natively provision AMT 3.2.2 systems with ConfigMgr.

First things first, I'd recommend that you install Microsoft KB 960804, which is an update rollup containing a number of AMT-related hotfixes. Once you apply this hotfix, try reprovisioning your device using in-band provisioning.

http://support.microsoft.com/default.aspx/kb/960804

-----------

Also keep in mind that, although I don't think this appears to be an issue right now, DNS and DHCP configuration is of utmost importance. Your DHCP option 15 needs to match your Active Directory domain suffix, and your client needs to have correctly registered A and PTR records in DNS.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
657 Views

Trevor,

Thanks for your reply.

We have added Option 15 in DHCP with DNS suffix and also I've checked with the DNS entries as well, which look pretty good.

Also we have upgraded to SCCM SP1 with R2 and are yet to upgrade with the KB960804.

Should I be doing any changes with IIS?

Should I import any of the certificates onto IIS?

Regards

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Kumaran,

You shouldn't need to make any changes to IIS. The only thing you'd need to do with IIS is if you were using the WS-MAN Translator, which you shouldn't be at this point, unless you have AMT 2.x systems in your environment. Even so, I'd avoid complicating your issues with the translator, and focus on resolving native ConfigMgr provisioning with 3.2.1 (or greater) systems.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
657 Views

Trevor,

So I wouldn't be playing around with IIS as most of the PCs in my environment are AMT 3.2.2.

Also I have another query: as I log in to MEBx for the certificate hashes and change the default password to a different one, should this be an issue while provisioning the PCs?

I do understand that the new password is defined in the 'Provisioning settings' of the OOB component properties; I am wondering why the Client PC status shows up as 'detected' and not as 'not provisioned' even though I followed the same steps as in the 'Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9'.

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Trevor,

Steps which I followed:

I updated the SCCM server with KB960804-X86.

I uninstalled and reinstalled the SCCM client on the specific AMT PC.

Did an AD system discovery again.

Still the 'AMT status' of that PC is shown as 'Detected'.

Any suggestions?

P.S: The log file still shows the same message

"Error: Hash list of AMT device 4C4C4544-004C-4810-8046-B9C04F314253 doesn't contain our provision server certificate hash."

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Trevor,

I've enclosed the screenshot of the log file.

Regards,

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Kumaran,

I would suggest trying the following:

  • Disable Intel WS-MAN Translator support in the Out-of-Band Component Configuration screen on your SCCM site server (this will simplify troubleshooting)
  • Make sure you have written down the correct thumbprint of the internal Enterprise Root CA certificate

Here is a video I created that shows you how to find your root CA thumbprint / hash:

http://blip.tv/file/1823217

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
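
An added example, not part of the original thread and not Intel or Microsoft code: a Python check for the thumbprint advice above. It computes the SHA-1 thumbprint of an exported root CA certificate, compares it with a hand-entered hash, and lists devices that logged the hash-list error quoted earlier. The certificate bytes are constructed placeholders, all function names are hypothetical, and it assumes SHA-1 is the hash in use, as with the Windows certificate thumbprint.

```python
import base64
import hashlib
import re

# Constructed stand-in for an exported root CA certificate. These bytes are not
# a real certificate: the thumbprint is SHA-1 over the file's DER bytes, so any
# bytes exercise the logic.
SAMPLE_DER = b"constructed lab root CA certificate bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Line format taken from the AMTopmgr.log excerpt quoted in the thread.
HASH_ERROR = re.compile(r"Hash list of AMT device ([0-9A-Fa-f-]{36}) doesn't contain "
                        r"our provision server certificate hash")
# Characters that creep in when a thumbprint is copied by hand or from a dialog
# (whitespace, colons, hyphens, invisible direction marks, byte-order mark).
SEPARATORS = re.compile(r"[\s:\-\u200e\u200f\ufeff]")


def cert_thumbprint(cert_file: bytes) -> str:
    """SHA-1 of the DER encoding, upper-case hex; accepts DER or Base64 (PEM) exports."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    cert_file, re.S)
    der = base64.b64decode(pem.group(1)) if pem else cert_file
    return hashlib.sha1(der).hexdigest().upper()


def normalise_hash(entered: str) -> str:
    """Strip separators and invisible marks; reject anything that is not 40 hex digits."""
    cleaned = SEPARATORS.sub("", entered).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-digit SHA-1 hex value: {cleaned!r}")
    return cleaned


def mismatched_positions(cert_file: bytes, entered: str) -> list:
    """Indexes (0-39) where the entered hash differs from the certificate's thumbprint."""
    expected = cert_thumbprint(cert_file)
    return [i for i, (a, b) in enumerate(zip(expected, normalise_hash(entered))) if a != b]


def devices_rejecting_server_cert(log_text: str) -> set:
    """UUIDs of AMT devices that logged the 'hash list doesn't contain' error."""
    return {m.group(1).upper() for m in HASH_ERROR.finditer(log_text)}


if __name__ == "__main__":
    good = cert_thumbprint(SAMPLE_PEM)
    typed = "\u200e" + " ".join(good[i:i + 2] for i in range(0, 40, 2)).lower()
    print(good, mismatched_positions(SAMPLE_DER, typed))
```

An empty list from `mismatched_positions` means the entered hash matches the certificate; any index in the list points at the hex digit to re-check on the device.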
idata
Employee
657 Views

Voila !!

Got the PCs provisioned...!

Steps done:

1. Removed WS-MAN Translator

2. Corrected the certificate hashes.

Thanks Trevor

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Yay, congrats! I'm glad you got things going!

Come back if you need more help

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
657 Views

Hi Trevor,

Had a chance to read your post in the below community discussion:

http://communities.intel.com/message/4231#4231

If you could please help me with a step-by-step on how to get VNC integrated with WinPE and take the WinPE screen on remote it would be great.

Thanks in advance

Regards

Kumaran Alagesan

0 Kudos
idata
Employee
657 Views

Hi Trevor,

How are you?

I did try all the steps you have mentioned in the 'WinPE VNC integration' document but when we try to take remote control of the client PC, I end up with a blank black screen.

Am I missing any steps?

Regards

Kumaran Alagesan

 

0 Kudos
idata
Employee
657 Views

Kumaran,

I haven't done extensive testing around this, so I don't know all the details about it. You could try playing around with the settings on the server side, such as disabling compression for example. Before you export the registry values on the reference machine which you install & configure WinVNC on, change some of the WinVNC server configuration settings, and see if this has any effect on your results.

Trevor Sullivan

Systems Engineer

OfficeMax Corporation

0 Kudos
idata
Employee
657 Views

Trevor,

I've completed the WinPE - VNC integration and things are working great.

Thanks again for your help.

Regards

 

Kumaran Alagesan
0 Kudos