We are in the process of exploring vPro with SCCM 2007 in our lab environment.
We followed the 'Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9' to set up our CA and install SCCM
and the appropriate post-installation steps in SCCM.
The client PC in our environment: Dell OptiPlex 755
BIOS Version: A12
AMT Version: 3.2.2
As we didn't have a 3rd party certificate (VeriSign, GoDaddy or Comodo), we included the CA's certificate thumbprint
value onto the AMT machine by logging into the MEBx.
We had to change the MEBx default password from 'admin'.
We also defined the new MEBx password in SCCM 'Out of Band Management' component properties.
Now SCCM identifies the AMT PCs as status 'Detected', but we couldn't bring it to the state 'Provisioned'.
We have the 'Intel WS-Management Translator' installed and configured.
We also tried the 'SelfSignedFix.vbs' following (http://communities.intel.com/openport/community/openportit/vproexpert/microsoft-vpro/blog/2008/08/19...-321-selfsigned-certificate-issue-and-working-around-it-for-microsoft-system-configuration-manager-sp1) and get an error stating 'cannot connect to client'.
We have made the new MEBx password in the 'SelfSignedFix.vbs' as well.
The AMTopmgr.log says the following:
Incoming Connection from 192.168.1.215:16994. Incoming data is - Configuration version: PKI Configuration. Count : 14 UUID : 4C4C4544-004C-4810-8046-B9C04F314253 Error: Hash list of AMT device 4C4C4544-004C-4810-8046-B9C04F314253 doesn't contain our provision server certificate hash.
Are we missing any steps?
Please let me know if I can provide any more information about our lab environment.
Thanks & Regards
The portion of the log that you posted indicates an out-of-band provision attempt, not an in-band (SCCM client initiated) provision attempt. You'll want to
Because you are working with the Dell OptiPlex 755 with AMT 3.2.2, you don't need to use the Intel WS-MAN Translator and you don't need to worry about the self-signed cert issue (it's fixed in 3.2.2). You should be able to natively provision AMT 3.2.2 systems with ConfigMgr.
First things first, I'd recommend that you install Microsoft KB 960804, which is an update rollup containing a number of AMT-related hotfixes. Once you apply this hotfix, try reprovisioning your device using in-band provisioning.
Also keep in mind that, although I don't think this appears to be an issue right now, DNS and DHCP configuration is of utmost importance. Your DHCP option 15 needs to match your Active Directory domain suffix, and your client needs to have correctly registered A and PTR records in DNS.
Thanks for your reply.
We have added Option 15 in DHCP with DNS suffix and I've also checked the DNS entries, which look pretty good.
Also, we have upgraded to SCCM SP1 with R2 and are yet to upgrade with the KB960804.
Should I be doing any changes with IIS?
Should I import any of the certificates onto IIS?
You shouldn't need to make any changes to IIS. The only thing you'd need to do with IIS is if you were using the WS-MAN Translator, which you shouldn't be at this point, unless you have AMT 2.x systems in your environment. Even so, I'd avoid complicating your issues with the translator, and focus on resolving native ConfigMgr provisioning with 3.2.1 (or greater) systems.
So I wouldn't be playing around with IIS as most of the PCs in my environment are AMT 3.2.2.
Also I have another query: as I log in to MEBx for the certificate hashes and change the default password to
a different one, should this be an issue while provisioning the PCs?
I do understand that the new password is defined in the 'Provisioning settings' of the OOB component properties;
I am wondering why the client PC status shows up as 'Detected' and not as 'Not provisioned' even though I followed
the same steps as in the 'Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9'.
Steps which I followed:
I updated the SCCM server with KB960804-X86.
I uninstalled and reinstalled the SCCM client on the specific AMT PC.
Did an AD system discovery again.
Still the 'AMT status' of that PC is shown as 'Detected'.
Any suggestions?
P.S: The log file still shows the same message
"Error: Hash list of AMT device 4C4C4544-004C-4810-8046-B9C04F314253 doesn't contain our provision server certificate hash."
I would suggest trying the following:
Here is a video I created that shows you how to find your root CA thumbprint / hash:
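An added example, not part of the original posts: the log error above means the root CA hash stored on the AMT device does not match the provisioning certificate's root, so this sketch compares a hand-entered hash with a certificate's thumbprint. It assumes the hash entered in MEBx is the certificate's SHA-1 thumbprint; the function names are hypothetical and `SAMPLE_PEM` is constructed placeholder data, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a root CA certificate export (Base-64 .cer).
# The body is placeholder bytes, not a real certificate; SHA-1 is taken
# over the decoded bytes exactly as it would be over real DER.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the Base-64 body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding, as 40 uppercase hex digits."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()

def normalize(typed: str) -> str:
    """Drop spaces, colons, hyphens and invisible characters; uppercase."""
    return re.sub(r"[^0-9A-Fa-f]", "", typed).upper()

def check_hash(typed: str, pem: str) -> str:
    """Compare a hand-entered hash with the certificate's thumbprint."""
    entered = normalize(typed)
    if len(entered) != 40:
        return f"invalid: {len(entered)} hex digits, expected 40"
    return "match" if entered == thumbprint(pem) else "mismatch"

if __name__ == "__main__":
    tp = thumbprint(SAMPLE_PEM)
    # Same value as copied from a certificate dialog: spaced, lowercase,
    # with a leading invisible U+200E mark.
    copied = "\u200e" + " ".join(tp[i:i + 2] for i in range(0, 40, 2)).lower()
    print(tp, check_hash(copied, SAMPLE_PEM))
```

A result of `invalid` usually points to a dropped or mistyped digit in the hand-entered value, which is worth ruling out before re-exporting the certificate.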
Had a chance to read your post in the below community discussion:
If you could please help me with a step-by-step on how to get VNC integrated with WinPE and take the WinPE screen on remote it would be great.
Thanks in advance
Please see this new blog entry (sorry I didn't post it before!)
How are you?
I did try all the steps you have mentioned in the 'WinPE VNC integration' document but when we try to take remote control of the client PC,
I end up with a blank black screen.
Am I missing any steps?
I haven't done extensive testing around this, so I don't know all the details about it. You could try playing around with the settings on the server side, such as disabling compression for example. Before you export the registry values on the reference machine which you install & configure WinVNC on, change some of the WinVNC server configuration settings, and see if this has any effect on your results.