Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Unable to Provision Windows 7 via SCCM

MFish7

Hi all,

We have a Server 2008 R1 with SCCM 2007 R2 SP2 w/ WS Trans Mgmt installed and configured. All is well and we have multiple Windows XP SP3 systems running on Lenovo T400 AMT 4.1.3 firmware. The issue we are having is with Windows 7 clients. The status that is showing up in SCCM is "Not Supported" and the logs for provisioning are below. I have bolded the item I think is the culprit.

The only option available, aside from divorcing the client from the site, is to in-band provision this machine via the ConfigMgr Client Agent. The oobmgmt.log on the client contains only success messages with nothing to indicate any problem. The AMT, SOL / ME Drivers were all installed correctly on the Windows 7 machine. The hash is also verified below as being in the ME BIOS.

After much review, I stumbled upon a document from TechNet stating that In-Band Provisioning via the SCCM SP2 agent is NOT SUPPORTED for Windows 7. The article can be reached here: http://technet.microsoft.com/en-us/library/ee344146.aspx (scroll down to the section regarding Out of Band Management toward the bottom).

Is this true? Can Windows 7 clients NOT be in-band Provisioned???

Thanks!

 

AMTOPMGR.LOG on SCCM server

Attempting to establish connection with target device using SOAP.
Found matched certificate hash in current memory of provisioning certificate
Create provisionHelper with (Hash: 12F303BCFA0508DB7C6132137A03A44BBE020006)
Set credential on provisionHelper...
Try to use provisioning account to connect target machine laptop.domain.com...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
Server unexpectedly disconnected when TLS handshaking.  **** Error 0x995ac80 returned by ApplyControlToken
Fail to connect and get core version of machine laptop.domain.com using provisioning account # 0.
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
idata

Hi

I stumbled across the same note on that Technet-Page and was shocked. If I remember correctly, I found another page from which I concluded that the one you found too must be wrong. Sadly I cannot remember where - and I haven't yet tried to provision a Windows 7 In-Band-Provisioning.

The ApplyControlToken Error reminds me of the problems I had provisioning my machines (under Vista): Have you tried doing a full unprovision (through the BIOS or CMOS-Reset) on the failing machine?

Ingo

MFish7

I have in fact Fully Unprovisioned the laptop multiple times with the same result. The ConfigMgr Client Agent is an SP2 agent so I would think it would support Windows 7.

The BIOS is fully updated and the AMT firmware as well (4.2).

idata

Sorry, I have no further ideas. Maybe Trevor has some?

If the same server configuration works under Vista-Clients, then the Technet-note seems to be true :-(

Ingo

idata

Hey guys,

I posted over on the System Center Central forums (http://www.systemcentercentral.com/Forums/tabid/60/categoryid/6/indexid/53602/Default.aspx), where this same thread was started. My best guess is that either the DHCP configuration (option 15) or client's DNS records are incorrect. The only other thing I could think of would be that the OOB service point is contacting the wrong IP address, but he's running SP2, so that shouldn't be an issue (SCCM SP1 used the client's hardware inventory IP, not DNS ... long story).

Just how many clients is this problem occurring on? You might want to take one of them, and pull the CMOS battery, to effectively reset the hardware to factory default configurations. Alternatively, and I'm not sure of this, but I think Lenovo has a factory reset option in one of the BIOS screens ... might be worth looking into. By pulling the CMOS battery, you ensure that the AMT firmware is at factory defaults, and would be useful for troubleshooting.

FWIW: I have successfully provisioned multiple Windows 7 clients in-band, both RTM and RC versions using ConfigMgr SP1, and I'm pretty sure SP2 Beta in my previous employer's lab.

Cheers,

Trevor Sullivan

http://trevorsullivan.wordpress.com

MFish7

Trevor, thanks for your reply. Yes, DNS is correctly set up, both A and PTR records... this is only occurring on T400 laptops with Windows 7. Our XP systems provision without error.

DHCP 6 and 15 are setup.

I have fully unprovisioned AND unloaded the AMT to factory defaults (default password admin)

No dice

idata

Mike,

Yeah, I saw your post about DHCP and DNS on System Center Central; I was just posting that here to ensure that it was documented here also.

Two thoughts:

1. Do you have a lab environment that you could duplicate this issue on?

2. Alternatively, if you were to take one of these failing units and load a Windows XP image on it, would it magically work?

Cheers,

Trevor Sullivan

http://trevorsullivan.wordpress.com

MFish7

The issue has been reproduced on other T400 Windows 7 laptops... no, we haven't tried putting an XP image on the T400... good idea.

It is interesting to point out, however, that on the problem Windows 7 client, when I open up "Intel Management and Security Status" the "Service Status" area initially shows that Intel AMT is unconfigured and that Intel TPM is operational. After about 10-15 seconds, these statuses go to "Information Unavailable".

I have verified that the drivers installed are 4.2 and my AMT BIOS is 4.2.

MFish7

Update - T400 with XP image SUCCESSFULLY provisioned...

idata

Weird. We'll do a sanity check in the morning on one of your Win7 systems.

FYI for anyone following this thread: Mike and I are taking this offline, and I'm going to look at the issue over a live meeting session. I'll post back with any [sanitized] findings.

Cheers,

Trevor Sullivan

http://trevorsullivan.wordpress.com

MFish7

We have SUCCESS!!!

So I decided to take a step back and started fresh. I unprovisioned the laptop, and this time I specified manually the Host name, IP address, Provisioning server address and all other items in the ME BIOS Config. Immediately after doing this I saw the hello requests start coming in (which they weren't before) and it clicked right away... The network drop at my desk (from which I've been testing all these laptops) is NOT ON DHCP. It is on a restricted subnet that has direct access to the internet (bypass proxy) and therefore does not have DHCP.

When I relocated the drop to a DHCP available port, and made sure DNS reflected the change, the provisioning went as smooth as butter.

The problem I have is that many users are on this restricted subnet and they need to be manually configured. When I manually configured ALL my settings in ME BIOS, there were ApplyToken errors on the server logs. The only way I could get this to work is to have DHCP enabled.

When I manually specify options 6 and 15 into the ME BIOS (DNS Domain Name and DNS Servers) = no dice

I found an article that outlines static IP addressing and AMT. What difference is there for the AMT to need its own IP when it is statically configured as opposed to DHCP which can share the IP?

"Q18: Will I need an extra IP address for Intel® AMT?

A18: Intel® AMT only requires its own separate IP address for out-of-band communication in network configurations where static IP addresses are used. In network configurations using Dynamic Host Configuration Protocol (DHCP), out-of-band communication with Intel AMT is conducted through a separate port number at the IP address shared with the capability operating system, and no additional IP addresses are needed."
idata

Mike,

Glad to hear you got things working finally. Remote provisioning with Configuration Manager does require you to be using DHCP. Static IPs can be used if you are provisioning in SMB mode (I think). I don't typically get into the SMB side of things.

I'll add this to my checklist for remote provisioning issues for ConfigMgr

Cheers,

Trevor Sullivan
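
Added example, not part of the original thread and not ConfigMgr code: a small Python triage over amtopmgr.log messages in the plain form quoted in the first post, grouping TLS-handshake disconnects by target host so the DHCP and DNS checks that resolved this thread can be aimed at the right machines. The sample log, the second hostname and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the plain-message form quoted in the thread. A real
# amtopmgr.log wraps each message in SCCM trace markup; strip that first.
SAMPLE_LOG = """\
Try to use provisioning account to connect target machine laptop.domain.com...
AMT Provision Worker: Wakes up to process instruction files
AMT Provision Worker: Wait 20 seconds...
Server unexpectedly disconnected when TLS handshaking.  **** Error 0x995ac80 returned by ApplyControlToken
Fail to connect and get core version of machine laptop.domain.com using provisioning account # 0.
Try to use provisioning account to connect target machine desktop.domain.com...
"""

CONNECT = re.compile(r"connect target machine (\S+?)\.\.\.")
TLS_DROP = re.compile(r"disconnected when TLS handshaking.*?Error (0x[0-9a-fA-F]+)")
FAILED = re.compile(r"Fail to connect and get core version of machine (\S+) using")

def triage(log_text):
    """Return {host: {"attempts", "failures", "tls_errors"}} from log text."""
    hosts = defaultdict(lambda: {"attempts": 0, "failures": 0, "tls_errors": []})
    pending_tls = []  # TLS error codes seen since the last connect attempt
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            hosts[m.group(1)]["attempts"] += 1
            pending_tls = []
        elif m := TLS_DROP.search(line):
            # Worker wake-up lines interleave with the session; only the
            # error code is remembered until the failure line names the host.
            pending_tls.append(m.group(1))
        elif m := FAILED.search(line):
            host = m.group(1)
            hosts[host]["failures"] += 1
            hosts[host]["tls_errors"] += pending_tls
            pending_tls = []
    return dict(hosts)

def needs_network_check(report):
    """Hosts whose every logged attempt failed during the TLS handshake."""
    return sorted(h for h, r in report.items()
                  if r["failures"] and r["failures"] >= r["attempts"]
                  and r["tls_errors"])

if __name__ == "__main__":
    for host in needs_network_check(triage(SAMPLE_LOG)):
        print(f"{host}: TLS handshake dropped; verify DHCP lease and DNS A/PTR records")
```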
