Hi All,
I am interested in using SCCM In Band provisioning; all of the clients that I manage have an SCCM client installed. Do I still need a PKI infrastructure similar to the one required for Out Of Band provisioning? I can't seem to find a document that describes the specific requirements for In-Band Provisioning.
regards
Steve
Stephen,
Whether you are doing in-band or out of band provisioning, the PKI requirements are the same. You will still need a PKI remote configuration certificate (either generated in-house or from a 3rd party CA like VeriSign or GoDaddy) and a PKI infrastructure to issue the certificates to the provisioned AMT client (used for secure communication).
Here is the link to the Microsoft doc: http://technet.microsoft.com/en-us/library/cc161856.aspx; however, there is OOB configuration you need to do first.
To get you from ground zero to provisioning, I would recommend taking a look at the SCCM quick start guide.
Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9.pdf: http://communities.intel.com/servlet/JiveServlet/downloadBody/1754-102-3-3205/Quick%20Start%20Install%20Guide%20for%20MS%20CfgMgr%20SP1%20Out%20of%20Band%20Management%20Rev1_9.pdf
--Matt Royer
Hi Matt,
I have been building up my lab environment, and I have come across a problem. I am able to get as far as provisioning the client, however I cannot access the OOB management console or power control features.
My SCCM Server is running Server 2008 Ent Ed 32 bit SP2, and SCCM 2007 R2 SP2. SP2 for SCCM is currently in beta. The server is still running IE7. I am unable to install KB908209. I have added the registry key associated with KB908209, but it has no effect.
Can you suggest anything I can try?
regards
s
Steve,
Are you at least getting prompted for credentials in the IE web interface, or is it not coming up at all?
Also, go ahead and follow the directions here to enable verbose logging in your OOB console:
http://communities.intel.com/community/openportit/vproexpert/blog/2009/06/22/oob-console-error
Not that it has anything to do with it, but I'd personally recommend upgrading to IE8.
Trevor Sullivan
Systems Engineer
Have you ensured you installed all of the required hotfixes: http://communities.intel.com/docs/DOC-1897
If you are running the SCCM SP2 beta, there is no need for the SCCM SP1 hotfixes listed here: http://communities.intel.com/docs/DOC-1897
As alluded to by Trevor, I think we need to isolate the issue down to either a PKI or Kerberos issue. Can you perform Collection based power control or is the issue just isolated to the Out of Band Management Console? From the "SCCM SP1 / vPro Common Issues and Potential Resolutions" wiki (http://communities.intel.com/docs/DOC-1627)... let's see if we can isolate the problem.
Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)
Potential Root cause(s):
The current user logged on to the SCCM Console does not have sufficient right to perform the desired operation.
Verify that the user you are logged on with is listed or in a Kerberos group that is listed in the AMT User Account list. SCCM SP1 Help File Article: "How to Configure AMT Settings and AMT User Accounts" (http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx); Section: "To configure AMT settings and AMT User Accounts".
SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provision or the Web Server Certificate was issued to a different FQDN than the vPro Client.
Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers has the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".
Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.
Verify that the SCCM Primary Site Servers has been granted full control permissions on the out of band management OU. SCCM SP1 Help File Article: "How to Prepare Active Directory Domain Services for Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx)
Active Directory computer object that was created for the AMT device was overwritten or deleted
Kerberos User not being successfully added when provisioning 2.x AMT client and the AMTOPMGR.log is giving the following error:
The Add user ACL fails on 2.x systems if ALL the realms are checked including the PT Admin realm in . Treat the PT Admin Realm as mutually exclusive with all the other realms. Verify that none of your Out of Band Component - AMT Settings - AMT User Accounts have PT Admin Realm selected with any other realm.
--Matt Royer
Here is an update on this problem...
I am still able to get the PC to become provisioned in the SCCM console, however I still can't control any power settings.
I have confirmed I am logging in with an account specified in the AMT settings.
I am however getting certificate errors when I attempt to browse to the computer via IE on the SCCM Server. See attached Screenshot. Also I am getting the following errors in the AMTopmgr.log.
Error: Failed to get CIM_AssociatedPowerManagementService instance.~ $$
AMT Operation Worker: AMT machine SGH85203MZ.demo.lab can't be power off. Error code: 0x80072F8F
I may upgrade to IE8 on the SCCM server to see if it has any impact.
Ok, Got it working. My problem is that I had the wrong certificate specified on the OOB Management configuration. I had specified AMT Provisioning Cert instead of the ConfigMgr AMT Web Server Certificate. No wonder that the client couldn't receive the correct cert.
Thanks to those who helped me out.
regards
Steve
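A way to check for the condition behind the fix above, as an added example that is not part of the original thread: the script reads the certificate a provisioned AMT client presents and reports whether it was issued to the client's FQDN, chains to a CA this machine trusts, and carries the Server Authentication usage expected of a web server certificate. It assumes the AMT client accepts TLS connections on port 16993 and that it is run from the SCCM site server; `Test-AmtWebCert` is a hypothetical name.

```powershell
# Added example, not from the thread. Test-AmtWebCert is a hypothetical name.
# Assumption: the provisioned AMT client accepts TLS connections on port 16993.
function Test-AmtWebCert {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [int]$Port = 16993
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept whatever certificate is offered so that a wrong one can be
        # inspected; trust and name checks are done explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Collect the EKU OIDs carried by the certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        # Name the certificate was issued to (SAN DNS name, else subject CN).
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        # Build the chain against this machine's trusted roots.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            NameMatches   = ($dnsName -ieq $Fqdn)
            HasServerAuth = ($ekus -contains $serverAuthOid)
            ChainTrusted  = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $tcp.Close()
    }
}

# Host name taken from the log line quoted in the thread.
Test-AmtWebCert -Fqdn 'SGH85203MZ.demo.lab'
```

The low word of the logged error code 0x80072F8F is 0x2F8F, decimal 12175, which is the WinHTTP secure-channel failure code, so a `False` in `NameMatches`, `HasServerAuth` or `ChainTrusted` points at the certificate rather than at account permissions.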