Community
cancel
Showing results for 
Search instead for 
Did you mean: 
TKrem1
New Contributor I
1,402 Views

VPro OoB Managment with SCCM 2012 SP1 CU1 Problems

Hello dear VPro Experts,

i discovered some problems while trying to manage VPRo Clients with SCCM 2012, perhaps someone has some tips for me.

After bringing OoB Provisioning to work under SCCM 2007 we startet migrating to SCCM 2012.

Now i have some problems getting it to work again. The machines I tried to provision are fully

unprovisioned, the MEBx Password is set to our standard Password.

We double checked the Prerequisites from the MS Technet page and installed and configured the Enrollment Point and OoB-Role on

 

our Primary Server.

The Certificates we use were newly created via Verisign in the same way we build the working Certificates under SCCM 2007.

 

The Web Server Certificates from our PKI was also newly created and implemented. Mei and Heki drivers are installed and

 

up to date.

The Client im testing with at the moment has the AMT Version 5.0.1.

Now I get the Problem, that I can't provision the workstation via SCCM. When I try to discover the AMT status the amtopmgr.log

 

brings the following errors and the client is only shown as detected.

Discover

 

Testclient using IP address 10.37.135.52 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 728 (0x02D8)

STATMSG:

 

ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=Testprimary.testing.oursite.de

 

SITE=P10 PID=5240 TID=7568 GMTDATE=Di Jul 16 06:38:09.468 2013 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3=""

 

ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568(0x1D90)

AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

DoPingDiscoveryForAMTDevice succeeded. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 728 (0x02D8)

AMT Discovery Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 7568 (0x1D90)

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 728 (0x02D8)

**** Error 0x3bb9b550 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 728 (0x02D8)

DoSoapDiscovery failed with user name: admin. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:09 728 (0x02D8)

Flag iWSManFlagSkipRevocationCheck is set. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

session params : /Testclient.testing.oursite.de:16993,2011001 https://Testclient.testing.oursite.de:16993,2011001 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

DoWSManDiscovery failed with user name: admin. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Start Kerberos Discovery SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Flag iWSManFlagSkipRevocationCheck is set. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

session params : https:// https:// Testclient.testing.oursite.de:16993,2484001 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

DoKerberosWSManDiscovery failed. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Flag iWSManFlagSkipRevocationCheck is set. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

session params : /10.37.135.52:16993,2015001 https://10.37.135.52:16993,2015001 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Description: A security error occurred SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

DoWSManDiscovery failed with user name: admin. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

Discovery to IP address 10.37.135.52 succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

CSMSAMTDiscoveryTask::Execute, discovery to Testclient succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER

16.07.2013 08:38:10 728 (0x02D8)

CSMSAMTDiscoveryTask::Execute - DDR written to D:\CM2012\inboxes\auth\ddm.box SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=10 MUF=0 PCNT=1, P1= 'Testclient.testing.oursite.de' P2='' P3='' P4='' P5='' SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

CStateMsgReporter::DeliverMessages - Created state message file: D:\CM2012\inboxes\auth\statesys.box\incoming\w1p7jxgk.SMX SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

General Worker Thread Pool: Succeed to run the task

 

Testclient.testing.oursite.de. Remove it from task list. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

General Worker Thread Pool: Work thread 728 has been requested to shut down. SMS_AMT_OPERATION_MANAGER 16.07.2013 08:38:10 728 (0x02D8)

General Worker Thread Pool: Work thread 728 exiting. SMS_AMT_OPERATION_MANAGER...

0 Kudos
11 Replies
Alan_A_Intel
Employee
85 Views

TKremer,

You should consider using Intel SCS instead of SCCM to provision your vPro clients. The reason I say this is because SCCM still uses SOAP to communicate with AMT during the provisioning process. SOAP was deprecated in AMT 6 in favor of WS-Management. Starting with version 9.0 of AMT, SOAP is no longer supported and any solution that uses it will no longer work.

However, if you wish to continue using SCCM to provision your vPro clients then please try removing the AMT provisioning certificate from the SCCM machine store. After doing that, re-import it directly into the machine store via MMC. There is an intermittent bug with Windows that causes problems if you install the certificate into the current users store and then copy it to the machine store.

-Alan

TKrem1
New Contributor I
85 Views

Hello Alan,

thank's for the answer.

 

I deleted the certificate from the Servers Personal Store and re-imported it again via MMC.

 

The error message stayed the same and the server can't connect to the machine.

I checked the admin password again but it is correct. The Firewallports are open on both sides. WinRM is configured to allow https on both sides.

We hoped to use the in-band provisioning without SCS and have a autodiscovery and autoprovisioning with SCCM only. But i will try SCS for provisioning. The question is, can i send power-on and other things via SCCM if the client is provisioned with SCS and imported to SCCM. All our machines are already SCCM-Clients.

Alan_A_Intel
Employee
85 Views

When you re-imported the AMT provisioning certificate did you import it directly into the machine store and not the personal store?

As for provisioning with SCS and managing with SCCM. Yes, SCCM will maintain the same level of control over your vPro clients as before. We are currently updating our SCS Add-on for SCCM to make the process of integration easier.

TKrem1
New Contributor I
85 Views

Hi Alan

I re-imported the certificate to the personal store like shown in the most Step-by-Step Guides.

 

I searched for a method to install the certificate directly to the machine store but couldn't find one via mmc until now. Could you please tell me how to do this?

For SCS i tried to implement it with the help of Blair Mullers Blog. Unfortunately i couldn't find the mentioned mof file in the SCS 8.2 download. Is there an estimated time of arrival for the new SCS Add-on?

Thank's for your help.

Alan_A_Intel
Employee
85 Views

I read your reply wrong, I thought you had imported the certificate into the user personal store, not the computers; you are importing the certificate correctly. Please check your system event log for SChannel errors. If you find any please include the hex code from the error.

As for the SCS Add-on, we should have an updated version available next week.

TKrem1
New Contributor I
85 Views

I checked the system event log and found some Schannel errors. The Error describtion is as follows.

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 80.

 

-Provider[

 

Name] Schannel[

 

Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}

EventID36887

Version0

Level2

Task0

Opcode0

Keywords0x8000000000000000

-TimeCreated[

 

SystemTime] 2013-07-19T07:44:49.99...
Alan_A_Intel
Employee
85 Views

Can you tell me the exact steps you took when reimporting the provisioning certificate back into the local computers personal certificate store?

TKrem1
New Contributor I
85 Views

No problem, here are my taken steps.

1. I opend a console via mmc and used the certificates snap-in for computer account\local computer. That happend on the server that should use the certificate.

 

2. I navigated to Certificates\Personal\Certificates and used the Import.

 

3. I browsed to the location of the Verisign Certificate and opend it.

4. I used the Option Place all certificates in the following store: Personal

 

5. Closed the window with Finish. After some seconds I got the message the Import was succesfull.

6. In the Certificate store i can see the newly imported certificate.

 

The Certification Path shows me that the certificate chain looks good. Verisign can be found in the Third-Party Root Certification. At the moment, i don't know what went wrong.
idata
Community Manager
85 Views

Hi TKremer

I've got almost the same problem. A old SCCM 2007 service on Windows Server 2008 R2 witch can provision AMT 3.2.0 to version 8.1.20.

We have created a new Windows 2012 Server with SQL 2012 and SCCM 2012 (Comodo certificate). The team have provisioned AMT 5.1.0 to version 8.1.20 successfully. But we have a lot of machines with AMT 3.2.30. All of these have failed with the same error in the event log. "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 80."

TLS1_ALERT_INTERNAL_ERROR (80) from http://www.eventid.net/display-eventid-36887-source-Schannel-eventno-10676-phase-1.htm Event ID: 36887 Source: Schannel

amtopmgr.log

**** Error 0x1f53b410 returned by ApplyControlToken~ $$<07-22-2013 16:52:11.910-60>

Fail to connect and get core version of machine C60024001.ccad.canterbury.ac.uk using provisioning account # 1. $$<07-22-2013 16:52:11.911-60>

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~ $$<07-22-2013 16:52:11.920-60>

At the moment this looks like a Windows Server 2012 problem as one of my colleagues has provisioned AMT version 3.2.30 using Windows 2008 R2 with SQL 2012 and SCCM 2012.

I've been working on the changes Microsoft have made to the Security Channel settings in Server 2012 but so far have been unsuccessful.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\

Which OS are you on?

Tony Bennett

Canterbury Christ Church University

Alan_A_Intel
Employee
85 Views

Well, you are definitely importing the certificate correctly.

This is a Microsoft bug, and the workaround we were trying of importing the certificate directly into the local computer's personal certificate store isn't working. You will need to either open an MSDN support ticket and have Microsoft take a look at this issue, or use Intel SCS to configure your vPro clients. If you can't wait for the new SCS Add-on, there are instructions on how to manually integrate SCS with SCCM.

https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21696 https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21696

TKrem1
New Contributor I
85 Views

@Tony Bennett

 

Hi Tony, thank's for the answer.

 

We are using Server 2012 with SQL 2012 and SCCM 2012.

 

In our case even provisioning of version 5 and up dosen't work.

@Alan Anderson

 

I will try and implement the Intel SCS to configure the clients.

We plan switching our productive systems to Server 2012 and SCCM 2012 at the end of the year so i want to have as much time as possible to test the AMT provisioning and OoB-Functions.

Thanks for your help.

Reply