Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Unable to Provision Legacy AMT Devices in SCCM

MFish7
Novice
5,487 Views

Hi All,

I have a Windows Server 2008 R2 with SCCM 2007 R2 SP2 that is provisioning systems successfully for those with AMT version HIGHER than 3.2.1....For legacy systems, I have installed the WS Man Translator however it's not provisioning our systems...I have attached the relevant log files..

My WS Man Translator is configured as follows:

1) I am using the same password I'm using in SCCM Component Management (a strong password like P@55w0rd)
2) I am using a custom PSK (4444) (XXXX-0000-0000-0000-0000-0000)
3) I am using the PFX file (GoDaddy) (Also same PFX file was used as the Provisioning Cert in SCCM)
4) I am using my internal generated Web Certificate for 443. (I see this as being the active cert in IIS for the default website too)
5) I am not using a Run/As account and I have set the SCCM's server AD Object to "Allow Delegation for All Services"
6) I am able to get to http://SCCMSERVERFQDN/wstrans

The logs I have attached indicate an attempt to access the following url... via some kind of web service request?

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity.Get()

The errors I'm getting are as follows:

Failed to get CIM_SoftwareIdentity instance

ERROR: Invoke(get) failed: 80020009argNum = 0

I verified I can get to http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/ from both the OOB MP (SCCM) and the legacy clients.

I have enabled verbose logging for WSTrans but the logs don't indicate anything other than what was already given here.

Does anybody have any ideas? Thanks!

0 Kudos
18 Replies
idata
Employee
4,005 Views

It looks like it may be a DNS related issue you are seeing. Have you verified that you can ping the client from your SCCM server? Does the IP address that the SCCM server resolves match the one on your client?

0 Kudos
MFish7
Novice
4,005 Views

Dan,

Thanks for getting back to me. Yes, the SCCM server is pingable and resolvable correctly from the client machine. I can ping the client machine from the SCCM server. Also, the DNS name for "provisionserver" also matches the IP of our SCCM server. Our DHCP options 6/15 are also configured correctly. I know this isn't what you want to hear

0 Kudos
idata
Employee
4,005 Views

What is the firmware version on the system you are trying to provision? Is it the most up-to-date available?

0 Kudos
MFish7
Novice
4,005 Views

The problem children are all on 3.0.2 and this is the latest supported version from Lenovo's website

0 Kudos
idata
Employee
4,005 Views

What is the model number, or product type, of these clients? It's usually formatted like XXXX-YYY.

0 Kudos
MFish7
Novice
4,005 Views

One of the systems is a ThinkCentre M57p (6073B3U). I see that there IS an update for this particular model (version 3.0.3)...we are on 3.0.2...

0 Kudos
idata
Employee
4,005 Views

I highly recommend you update the firmware on your systems to the latest version. Besides removing the need to use the WS-MAN Translator, you will get fixes that address known bugs as well as compatibility issues with SCCM.

0 Kudos
MFish7
Novice
4,005 Views

The BIOS is at its latest release..AMT Drivers in Windows are now on 3.0.3 (were 3.0.2). Same exact issues are happening. I would love to get these past a version 3.2.1 but there is no supported release for the hardware

0 Kudos
MFish7
Novice
4,005 Views

Also, the oobmgmt.log on the client shows this..all looks normal...

BEGIN oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Retrying to activate the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Resending last OTP oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Successfully activated the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
END oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
Resending last OTP oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
ON SCHEDULE OOBMgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Successfully activated the device. oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
END oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Resending last OTP oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Successfully activated the device. oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
END oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
0 Kudos
idata
Employee
4,005 Views

You can grab the latest firmware for your system here: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-73601

It's version 3.2.10. The actual firmware version will differ from the driver version for things like the HECI driver, but will address your needs in terms of provisioning and management of your clients.

0 Kudos
MFish7
Novice
4,005 Views

Ok, I'll update her to 3.2.1 and post the results...gimme 15-20 min

0 Kudos
MFish7
Novice
4,005 Views

Ok I got the AMT firmware on 3.2.1 but now I'm getting hit with "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server" errors...I have ensured that the Root Chain is included in the Provisioning Cert on the SCCM server...

Just a side note, this particular machine has a static IP address...I manually went into the ME BIOS and set the hostname, IP address, gateway, DNS servers, and domain name in the ME BIOS but that's it...the IP matches the static IP within Windows...IE the system is NOT on DHCP....is this a supported configuration?

0 Kudos
idata
Employee
4,005 Views

Yes, static IPs make a big difference. In order to use static IPs you have to give the ME its own IP address, which can complicate things for SCCM. Your best bet is to do it all with DHCP if possible.

0 Kudos
MFish7
Novice
4,005 Views

The settings I have now are the SAME static IP configured...I will try to setup the machine to have 1 static IP for Windows and 1 IP for AMT....I will post results.

Update - I found out that "Both Static - This state will not support enterprise provisioning\configuration, nor 802.1x, nor Intel® AMT over wireless."

I suppose I'm SOL as most of our 3.0.2 clients are Static and will explain why WS Trans is not provisioning them....

0 Kudos
MFish7
Novice
4,005 Views

Well the Static Address issue is resolved but I am experiencing the exact same errors for machines who are on DHCP and NOT STATIC

0 Kudos
idata
Employee
4,005 Views

Are your systems configured for DHCP also running the latest firmware? Are you able to ping them from your SCCM console?

0 Kudos
MFish7
Novice
4,005 Views

Yes, the legacy systems I'm working on now are ALL on DHCP and they are pingable and resolvable from SCCM server (both A record and PTR)

I can also do the same from the client to the SCCM server (A and PTR records)

I have verified that DHCP Options 6 & 15 are available for these machines (no different than the rest of the already provisioned systems)

This is def a head scratcher as I KNOW the provisioning process works for non legacy systems....

0 Kudos