Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2931 Discussions

unprovisonex.exe problem

idata
Employee
2,145 Views

Hi, i am getting an error while trying to remotely unprovision clients. (see attachement)

can someone advise on what could be the cause/fix?

And also, is there a way i can use this tool to mass unprovision a list clients automaticaly and not just one at a time.

currently my clients are autoprovisioning through sccm with a 3rd party cert...i am at about 2350 clients provisionned but now for some reason about 150 or so out of these 2350 clients (including mine) are showing up in sccm as detected even though the local client log show machine as still being provisioned, also all certificates the clients have received through provisioning process still remain and so those the associated amt AD object.

because of this detected status in sccm I cannot use the delete provisioning date from the management controllers memory and try a re-provision

please advise

thanks

0 Kudos
10 Replies
idata
Employee
1,208 Views

your screen shot shows that you are specifying the admin acount credentials. This is not required if the chipset has been configured for TLS comms. Alternatively remove the -tls option

so thsi should do the trick for SCCM provisioned clients

Unprovisionex.exe -hostname hostname.domain.com -tls -full

just make sure you are logged in with a user that was configured with pt admin rights on the chipset

or you can run the command specifying the mebx account details

Unprovisionex.exe -hostname hostname.domain.com -user admin -pass password -full

to run against a list of computer names in a file called clients.txt create a batch file that runs

for /f %%i in (clients.txt) do "unprovisionex.exe -hostname %%i.domain.com -user admin - pass password -full"

0 Kudos
Bruno_Domignues
Employee
1,208 Views

Stéphane,

As far these machines were provisioned using SCCM, the actual admin password is stored into SCCM database. In this case, you must use kerberos authentication (i.e. your logon account) instead of digest authentication (i.e. admin).

There is a way that you do it in mass, try use the ACUConfig.exe that you can find into http://software.intel.com/en-us/articles/download-the-latest-version-of-intel-amt-setup-and-configuration-service-scs/ SCS 7.1 package and create a SCCM package to execute it locally in each vPro machine that you want unprovision. I don't know how you define the ACLs in these vPro machine, it can be little trick.

Best Regards!

-Bruno Domingues

0 Kudos
idata
Employee
1,208 Views

ok thanks, i got this working logged in as myself on a desktop and passing this line to a remote mebx.

unprovisionex.exe -hostname hostname.fqdn -tls -full

but i noticed that it does not remove the AD amt object and it does not revoke the certificate issued from my CA server.

this seems normal to me as it seems to just target the mebx but is there anyway i can automate the AD object and certificate revocation along with this task like the sccm task that is available "Delete Provisioning Data from Management Controller Memory"

for the problem i am having with 150 provisoned clients or so the Delete Provisioning Data from Management Controller Memory option is not there any longer as they show up as detected status in sccm even though all the provisioning info is still there.

so by using the unprovisionex it will un-provision the client and it will then get re-provisioned again and in turn the status in sccm becomes provisioned again (in this case i don't have to delete the amt object or revoke the cert)

but if our service desk needs to rename pc that has a amt status of detected and was previously provisioned they will need to delete the AD account and revoke the cert automaticaly like in sccm does for clean up purposes.

please advise if someone has an easy way of doing this in conjonction with the unprovisionex tool.

thanks

0 Kudos
idata
Employee
1,208 Views

Hi,

I also got problems with unprovisioning clients. I accidently provisioned all my client with the wrong certificate through SCCM, and now I can't connect to them or unprovision them unless I do it manually from the MEBx bios.

I have tried to use the unprovisionex.exe utility, both remotely and locally from the client, but keep getting error messages.

I have tried the following command parameter:

Excecuted from remote computer:

UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

The Intel(R) AMT device, lab7.astrupfearnley.net, is invalid.

and

UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent

An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

Also tried to specify user and password, both the local admin/pw and the domain user that was granted access during provisioning, but still get the same error message.

Excecuted form local computer

UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

The Intel(R) AMT device, lab7.fqdn, is invalid.

and

UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

ERROR: Unable to connect with the AMT device. No connection could be made becaus

e the target machine actively refused it 192.168.205.5:16993

The Intel(R) AMT device, lab7.fqdn, is invalid.

Anyone got a solution for this? Or du I actually have to put on a pair of sneakers and do it the hard way?

0 Kudos
Bruno_Domignues
Employee
1,208 Views

Stéphane,

Usually, not removing the AD object and revoking the certificate is not an operational problem.

Before I joined Intel, I worked 8 years at Microsoft, mainly with AD deployments and is very common creation of some kind of procedure to periodically clean up old computer and users account not used for a period of time, and you can use since vb scripts until utilities like http://www.joeware.net/freetools/tools/oldcmp/index.htm this.

Certificate revocation is another subject: If the private key is destroyed when you make a full unprovision there is no real reason to revoke it, because revoking will not free space, it will increase the size of the CRL.

I know that each one has his own administrative policies, but if you want, a script for unprovision can be tailored to orchestrate these activities.

My two cents!

-Bruno Domingues

0 Kudos
Bruno_Domignues
Employee
1,208 Views

Hi,

If you provisioned your machines using SCCM, that is debug flow:

The correct procedure is using a domain account with PT administrator rights in the ME ACL, using this syntax:

UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

Based on response that you got, it can be a kerberos authentication issue. Are you able to connect to this machine by IE and ignoring the certificate warning? if so, and you got the pop-up to enter username & password, try these setting in your IE:

- Configure the IE to recognize the Intranet vPro machines as "Local Intranet" zone;

- In "Local Intranet" zone > click in "Custom Level..." > In the "User Authentication" and sub seccion "Logon", select "Automatic logon with current user name and password"

- Make sure that in "Internet Options" > Advanced > the "Enable Integrated Windows Authentication" is marked;

- And what is most important: you must create http://support.microsoft.com/kb/908209 this registry key in order to send a kerberos ticket in a non-80 port, that is our case.

Try again access the machine using IE, ignoring the certificate warning should work... now try again:

UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

and let us know about your progress.

Best Regards!

-Bruno Domingues

0 Kudos
idata
Employee
1,208 Views

Any user submitted code or materials posted on this blog is supplied under license from the submitter, and should be used or downloaded in accordance with any license terms specified. Intel is not responsible for user submitted code nor warrants that it will work correctly. If no license is provided, you should contact the submitter.

Thanks for your input Bruno much appreciated.

Here is the vbs script i created to run the unprovisionex.exe tool against a list of clients within a txt file for people that are new to vbs or like myself have limited vbs skills, it will save you some time

vbs code

Const ForReading = 1

 

Set objFSO = CreateObject("Scripting.FileSystemObject")

If (objFSO.FileExists("enter path to your clients.txt file here")) Then

 

Set SearchList = objFSO.OpenTextFile("enter path to your clients.txt file here", ForReading)

 

Else

 

WScript.echo "Bad input file, exiting"

 

WScript.Quit 1

 

End If

 

Do While Not SearchList.AtEndOfStream

 

strSearch = SearchList.ReadLine

 

if strSearch <> "" then

 

Set objWSHShell = CreateObject("WScript.Shell")

 

Set oExec = objWSHShell.Exec("enter path to your unprovisionex.exe tool here\unprovisionex.exe -hostname " & strSearch & ".fqdn.ca -tls -full")

 

Do While oExec.Status = 0

 

WScript.Sleep 100

 

Loop

 

End If

 

Loop

Thanks

Stéphane

0 Kudos
idata
Employee
1,208 Views

Thanks for your reply, and sorry for the late response, but I still get the same Unauthorized error message.

I had already added the hotfix and the registry tweak. And have also configured IE as you specified.

I am able to connect to the client from IE with the address "https://lab7.fqdn:16993 https://lab7.fqdn:16993", I get an error message regarding the certificate "There is a problem with this website's security certificate" but are able to click on "Continue to this website (not recommended)".

I can now see the "Log On.." button, but are still unable to log on. Have tried with both the Mebex admin user/password and the domain user I specified in SCCM Out of Band Management before provisioning the clients, both login failes.

If I try to unprovision the client i still get the unauthorized message:

UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

 

Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent 

An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

Have tried to manually unprovision a few clients from the BIOS, and that works, and I can confirm that my Mebex password is correct.

Any other tricks that might get me going? Would be nice to not have to do it manually on every client in the company.

0 Kudos
Bruno_Domignues
Employee
1,208 Views

It looks to be a kerberos issue.

did you try these /community/openportit/vproexpert/blog/2009/03/23/kerberos-ticket-size-can-stop-you-from-connecting-to-vpro-systems-and-using-idersol procedure in order to see if is not a problem with kerberos token size? it should be good see if you have these AMT objects in Active Directory. The easiest way to debug kerberos issue is using WebUI.

You mentioned that you faced a certificate error accessing the WebUI, can you see in certificate details if the certificate subject name match with computer name?

Best Regards!

-Bruno Domingues

0 Kudos
idata
Employee
1,208 Views

Hi Bruno,

It's like you say. the cerrtificate is the problem. I by accident provisend the clients with a wrong certificate, so all the clients got a certificate with the name of the SCCM server, and the certificate subject name do not match the computer.

But since I know the username and password for the MEBx account I thought I would be able to unprovison the clients and ignor the certificate mismatch error.

So far the only workaround I have found is to manually unprovision the client from the MEBx BIOS.

0 Kudos
Reply