Community
cancel
Showing results for 
Search instead for 
Did you mean: 
idata
Community Manager
1,695 Views

SCCM In-Band Provisioning

Hi All,

I am interested in using SCCM In Band provisioning, all of the clients that I manage have an SCCM client installed. Do I still need a PKI instructure similar to the one required for Out Of Band provisioning? I can't seem to find a document that describes the specific requirements for In-Band Provisioning.

regards

Steve

0 Kudos
7 Replies
Matthew_R_Intel
Employee
103 Views

Stephen,

Whether you are doing in-band or out of band provisioning, the PKI requirements are the same. You will still need a PKI remote configuration certificate (either generated in-house or from a 3rd party CA like verisign or godaddy) and a PKI infrastructure to issue the certificates to the provisioned AMT client (used for secure communication).

 

 

Here is the link to Microsoft doc: http://technet.microsoft.com/en-us/library/cc161856.aspx http://technet.microsoft.com/en-us/library/cc161856.aspx; however, there is OOB configuration you need to do first.

To get you from ground zero to provisioning, I would recommend taking a look at the SCCM quick start guide.

 

/servlet/JiveServlet/downloadBody/1754-102-3-3205/Quick Start Install Guide for MS CfgMgr SP1 Out of Band Management Rev1_9.pdf http://communities.intel.com/servlet/JiveServlet/downloadBody/1754-102-3-3205/Quick%20Start%20Instal...

--Matt Royer

idata
Community Manager
103 Views

Hi Matt,

I have building up my lab enviornment, and I have come across a problem. I am able to get as far as provisioning the client, however I cannot access the OOB management console or power control features.

My SCCM Server is running Server 2008 Ent Ed 32 bit SP2, and SCCM 2007 R2 SP2. SP2 for SCCM is currently in beta. The server is still running IE7. I am unable to install KB908209. I have added the regsitry key associated with kb908209, but it has no effect.

Can you suggest anything I can try?

regards

s

idata
Community Manager
103 Views

Steve,

Are you at least getting prompted for credentials in the IE web interface, or is it not coming up at all?

Also, go ahead and follow the directions here to enable verbose logging in your OOBconsole:

/community/openportit/vproexpert/blog/2009/06/22/oob-console-error http://communities.intel.com/community/openportit/vproexpert/blog/2009/06/22/oob-console-error

Not that it has anything to do with it, but I'd personally recommend upgrading to IE8

Trevor Sullivan

Systems Engineer

William_Y_Intel
Employee
103 Views

Have you ensured you installed all of the required hotfixes: /docs/DOC-1897 http://communities.intel.com/docs/DOC-1897

Matthew_R_Intel
Employee
103 Views

If you are running the SCCM SP2 beta, there is no need for the SCCM SP1 hotfixes listed here: /docs/DOC-1897 http://communities.intel.com/docs/DOC-1897

As alluded by Trevor, i think we need to isolate the issue down to ether a PKI or Kerberos issue. Can you perform Collection based power control or is the issue just isolated to the Out of Band Management Console? From the "SCCM SP1 / vPro Common Issues and Potential Resolutions" wiki (/docs/DOC-1627 http://communities.intel.com/docs/DOC-1627)... let's see if we can isolate the problem.

Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)

Potential Root cause(s):

Symptom: SCCM provisions a vPro Client successfully and you are able to invoke Collection based power operation; however, the Out of Band Console does not connect to the vPro Client.

Potential Root cause(s):

  • The current user logged on to the SCCM Console does not have sufficient right to perform the desired operation.

  • Active Directory computer object that was created for the AMT device was overwritten or deleted

  • Kerberos User not being successfully added when provisioning 2.x AMT client and the AMTOPMGR.log is giving the following error:

     

    Add ACLs..

     

    ERROR: Invoke(invoke) failed: 80020009argnum = 0

     

    Description: The WinRM client cannot process the request. The destination computer returned an empty response to the request

     

    Error: failed to Add User Acl

     

    Error: CSMSAMAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs
    • The Add user ACL fails on 2.x systems if ALL the realms are checked including the PT Admin realm in . Treat the PT Admin Realm as mutually exclusive with all the other realms. Verify that none of your Out of Band Component - AMT Settings - AMT User Accounts have PT Admin Realm selected with any other realm

 

--Matt Royer
idata
Community Manager
103 Views

Here is an update on this problem...

I am still able to get the PC to become provisioned in the SCCM console, however I still can't control any power settings.

I have confirmed I am logging in with an account specified in the AMT settings.

Am I however getting certificate errors when I attempt to browse to the computer via IE on the SCCM Server. See attached Screenshot. Also I am getting the following errors in the AMTopmgr.log.

Error: Failed to get CIM_AssociatedPowerManagementService instance.~ $$

AMT Operation Worker: AMT machine SGH85203MZ.demo.lab can't be power off. Error code: 0x80072F8F

I may upgrade to IE8 on the SCCM server to see if it has any impact.

idata
Community Manager
103 Views

Ok, Got it working. My problem is that I had the wrong certificate specified on the OOB Management configuration. I had specified AMT Provisioning Cert instead of the ConfigMgr AMT Web Server Certificate. No wonder that the client couldn't receive the correct cert.

Thanks to those who helped me out.

regards

Steve

Reply