Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Unable to Provision Legacy AMT Devices in SCCM

MFish7
Novice
5,536 Views

Hi All,

I have a Windows Server 2008 R2 with SCCM 2007 R2 SP2 that is provisioning systems successfully for those with AMT version HIGHER than 3.2.1. For legacy systems, I have installed the WS Man Translator; however, it's not provisioning our systems. I have attached the relevant log files.

My WS Man Translator is configured as follows:

1) I am using the same password I'm using in SCCM Component Management (a strong password like P@55w0rd)
2) I am using a custom PSK (4444) (XXXX-0000-0000-0000-0000-0000)
3) I am using the PFX file (GoDaddy) (Also, the same PFX file was used as the Provisioning Cert in SCCM)
4) I am using my internal generated Web Certificate for 443 (I see this as being the active cert in IIS for the default website too)
5) I am not using a Run/As account and I have set the SCCM's server AD Object to "Allow Delegation for All Services"
6) I am able to get to http://SCCMSERVERFQDN/wstrans

The logs I have attached indicate an attempt to access the following URL... via some kind of web service request?

http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity.Get()

The errors I'm getting are as follows:

Failed to get CIM_SoftwareIdentity instance

ERROR: Invoke(get) failed: 80020009argNum = 0

I verified I can get to http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/ from both the OOB MP (SCCM) and the legacy clients.

I have enabled verbose logging for WSTrans but the logs don't indicate anything other than what was already given here.

Does anybody have any ideas? Thanks!

0 Kudos
18 Replies
idata
Employee
4,054 Views

It looks like it may be a DNS related issue you are seeing. Have you verified that you can ping the client from your SCCM server? Does the IP address that the SCCM server resolves match the one on your client?

0 Kudos
MFish7
Novice
4,054 Views

Dan,

Thanks for getting back to me. Yes, the SCCM server is pingable and resolvable correctly from the client machine. I can ping the client machine from the SCCM server. Also, the DNS name for "provisionserver" also matches the IP of our SCCM server. Our DHCP options 6/15 are also configured correctly. I know this isn't what you want to hear.

0 Kudos
idata
Employee
4,054 Views

What is the firmware version on the system you are trying to provision? Is it the most up-to-date available?

0 Kudos
MFish7
Novice
4,054 Views

The problem children are all on 3.0.2 and this is the latest supported version from Lenovo's website

0 Kudos
idata
Employee
4,054 Views

What is the model number, or product type, of these clients? It's usually formatted like XXXX-YYY.

0 Kudos
MFish7
Novice
4,054 Views

One of the systems is a ThinkCentre M57p (6073B3U). I see that there IS an update for this particular model (version 3.0.3)...we are on 3.0.2...

0 Kudos
idata
Employee
4,054 Views

I highly recommend you update the firmware on your systems to the latest version. Besides removing the need to use the WS-MAN Translator, you will get fixes that address known bugs as well as compatibility issues with SCCM.

0 Kudos
MFish7
Novice
4,054 Views

The BIOS is at its latest release..AMT Drivers in Windows are now on 3.0.3 (were 3.0.2). Same exact issues are happening. I would love to get these past a version 3.2.1 but there is no supported release for the hardware

0 Kudos
MFish7
Novice
4,054 Views

Also, the oobmgmt.log on the client shows this..all looks normal...

BEGIN oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Retrying to activate the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Resending last OTP oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Successfully activated the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
END oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
Resending last OTP oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
ON SCHEDULE OOBMgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Successfully activated the device. oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
END oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Resending last OTP oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Successfully activated the device. oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
END oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
0 Kudos
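
Added example (not part of the original posts): a Python sketch that groups interleaved oobmgmt.log lines by thread ID into BEGIN..END activation cycles and counts how many were retries that re-sent the OTP. The sample log is constructed in the same layout as the excerpt above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the same layout as the oobmgmt.log excerpt above.
SAMPLE_LOG = """\
BEGIN oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Retrying to activate the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Resending last OTP oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
Successfully activated the device. oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
END oobmgmt 5/24/2010 11:16:07 AM 1484 (0x05CC)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
ON SCHEDULE OOBMgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
BEGIN oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
Retrying to activate the device. oobmgmt 5/24/2010 11:23:16 AM 3220 (0x0C94)
END oobmgmt 5/24/2010 11:23:16 AM 592 (0x0250)
"""

LINE = re.compile(
    r"^(?P<msg>.+?)\s+oobmgmt\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$",
    re.IGNORECASE,  # the component appears as both "oobmgmt" and "OOBMgmt"
)

def activation_cycles(text):
    """Group interleaved lines by thread ID; return one dict per BEGIN..END cycle."""
    open_cycles, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        msg, tid = m["msg"], int(m["tid"])
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        if msg == "BEGIN":
            open_cycles[tid] = {"tid": tid, "start": ts, "msgs": [], "closed": False}
        elif tid in open_cycles and msg == "END":
            done.append({**open_cycles.pop(tid), "closed": True})
        elif tid in open_cycles:
            open_cycles[tid]["msgs"].append(msg)
    return done + list(open_cycles.values())  # cycles with no END come last

def retry_summary(cycles):
    """Count cycles that were retries and how many of those re-sent the OTP."""
    retries = [c for c in cycles if any(m.startswith("Retrying") for m in c["msgs"])]
    resent = [c for c in retries if "Resending last OTP" in c["msgs"]]
    return {"cycles": len(cycles), "retries": len(retries), "otp_resent": len(resent)}
```
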
idata
Employee
4,054 Views

You can grab the latest firmware for your system here: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-73601

It's version 3.2.10. The actual firmware version will differ from the driver version for things like the HECI driver, but will address your needs in terms of provisioning and management of your clients.

0 Kudos
MFish7
Novice
4,054 Views

Ok, I'll update her to 3.2.1 and post the results...gimme 15-20 min

0 Kudos
MFish7
Novice
4,054 Views

Ok, I got the AMT firmware on 3.2.1 but now I'm getting hit with "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server" errors...I have ensured that the Root Chain is included in the Provisioning Cert on the SCCM server...

Just a side note, this particular machine has a static IP address...I manually went into the ME BIOS and set the hostname, IP address, gateway, DNS servers, and domain name in the ME BIOS but that's it...the IP matches the static IP within Windows...i.e. the system is NOT on DHCP....is this a supported configuration?

0 Kudos
idata
Employee
4,054 Views

Yes, static IPs make a big difference. In order to use static IPs you have to give the ME its own IP address, which can complicate things for SCCM. Your best bet is to do it all with DHCP if possible.

0 Kudos
MFish7
Novice
4,054 Views

The settings I have now are the SAME static IP configured...I will try to set up the machine to have 1 static IP for Windows and 1 IP for AMT....I will post results.

Update - I found out that "Both Static - This state will not support enterprise provisioning\configuration, nor 802.1x, nor Intel® AMT over wireless."

I suppose I'm SOL as most of our 3.0.2 clients are Static and will explain why WS Trans is not provisioning them....

0 Kudos
MFish7
Novice
4,054 Views

Well, the Static Address issue is resolved but I am experiencing the exact same errors for machines who are on DHCP and NOT STATIC

0 Kudos
idata
Employee
4,054 Views

Are your systems configured for DHCP also running the latest firmware? Are you able to ping them from your SCCM console?

0 Kudos
MFish7
Novice
4,054 Views

Yes, the legacy systems I'm working on now are ALL on DHCP and they are pingable and resolvable from the SCCM server (both A record and PTR)

I can also do the same from the client to the SCCM server (A and PTR records)

I have verified that DHCP Options 6 & 15 are available for these machines (no different than the rest of the already provisioned systems)

This is def a head scratcher as I KNOW the provisioning process works for non legacy systems....

0 Kudos