Note: The Self Signed Certificate issue was corrected with AMT firmware 3.2.2. Please work with your OEM to secure the 3.2.2 firmware update. -- Matt Royer
Summary
An issue has been identified that may cause the remote configuration provisioning process to fail when using Microsoft System Center Configuration Manager (SCCM) on systems that have been upgraded from Intel AMT 3.x firmware to 3.2.1 firmware. The Self-signed certificate used to establish the initial PKI provisioning (Remote Configuration) connection is being read as invalid, which causes this failure.
The recommended resolution is to perform a provision and un-provision of the system to regenerate the Self-signed certificate. This resolves the certificate being read as invalid and prepares the PC to be provisioned successfully by SCCM. This can be accomplished locally at the PC or remotely from the console. Both scenarios are documented in detail below but local provision/un-provision will require entering the Management Engine BIOS Extension (MEBx) screen at the local machine. To perform this action remotely, the community has developed a software-based script to execute a remote provision/un-provision. The script should be run for vPro clients experiencing this issue prior to SCCM provision. Once the script is executed, the vPro clients can then be natively provisioned by SCCM.
Background
vPro Clients that are experiencing the issue will show up as AMT Status "Detected" within the Collection View after a Management Controller discovery and will exhibit with the following error in the amtopmgr.log:
During SCCM Management Controller Discovery
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x6fcb970 returned by ApplyControlToken
*During a SCCM Provisioning attempt*
Error 0x80090308 returned by InitializeSecurityContext during follow up TLS handshaking with server.
Error 0x261b948 returned by ApplyControlToken
Note: An AMT Status of "Detected" can occur for a variety of reasons; in general it means that the SCCM Out of Band Service Point is unable to establish an initial connection with the AMT client. This scenario can also occur when the computer has been previously provisioned for AMT outside Configuration Manager and the password for the AMT Remote Admin Account or the MEBx Account has been changed and is unknown.
When trying to provision a vPro Client that has a firmware version less than 3.2.1 that is impacted with the Self-signed Certificate issue, SCCM will forward the request to the Intel WS-MAN Translator (which is required for provisioning and management of a vPro Client less than 3.2.1.) The Intel WS-MAN Translator will handle provisioning the vPro client despite the invalid Self-signed Certificate. The steps listed below should not be required for firmware versions less than 3.2.1 if you have the Intel WS-MAN Translator installed and properly configured.
As an interim workaround for vPro Clients 3.2.1 experiencing the issue, you can either locally (through the MEBx) or remotely provision and un-provision the AMT client. The un-provisioning process will regenerate a new Self-signed Certificate within the AMT Management Engine, after which, SCCM can natively use this newly generated certificate to establish the initial secure connection during the provisioning process.
Provisioning via Pre-Shared Key (PSK) is not impacted by the Self-signed Certificate issue; however, to leverage PSK provisioning you will need to install / configure the Intel WS-MAN Translator and load the PID/PPS pair into the vPro client. PID/PPS configuration within the vPro client requires either manual configuration via Management Engine BIOS Extension (MEBx) or One Touch Provisioning through USB key import.
Local Provision / Un-provision
To performing a Provision / Un-provision locally on the vPro Client
Log into the MEBx by pressing Ctrl-P during POST
If you have not changed the default admin password already, login in with "admin" as the password. If you have already changed the MEBx password, log in with the password you changed it to
Within the MEBx Menu, select "Change Intel(R) ME Password".
When presented with "Intel (R) New ME Password", Enter in the same password you configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.
When presented with "Verify Password", re-enter the password.
From the MEBx Menu, select "Intel(R) AMT Configuration"
Within the Intel(R) AMT Configuration Menu, select "Provision Model"
When presented with "Change to Intel(R) AMT 1.0 Mode: (Y/N)", enter "N"
When presented with "Change to Small Business : (Y/N), enter "Y"
When returned to the Intel(R) AMT Configuration Menu, select "Unprovision"
When presented with "Reset Intel(R) AMT Provisioning: (Y/N), enter "Y"
When presented, ensure you select "Full Unprovision" and press enter
When returned to the Intel(R) AMT Configuration Menu, select "Return to Previous Menu"
When returned to the MEBx Menu, select "Exit"
When presented with "Are you sure you want to exit: (Y/N)", enter "Y"
Allow vPro Client to reboot fully
After performing the local Provision / Un-provision, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. Although fairly simplistic, one of key disadvantages of locally provisioning and un-provisioning the vPro Client is that you will need to have physical (touch) access.
Remote Provision / Un-provision
To perform a Provision / Un-provision remotely on the vPro Client, the community has created a visual basic script that will perform the function remotely. In an attempt to reduce the complexity, the VBScript leverages the Intel WS-MAN Translator to provide the authentication and remote configuration connection. To leverage this remote Provision/Un-provision capability, you must have the Intel WS-MAN Translator installed and configured prior to executing the VBScript. Please visit the following Blog to learn how to install and configure the Intel WS-MAN Translator.
The VBScript and guide can be download from the following location (http://communities.intel.com/docs/DOC-1850) and contents can be decompressed to a folder on either your SCCM server or on workstation that you want to run the script from. Please note that you must have WINRM basic authentication switched to "true" on the computer you are planning to run the VBscript from; WINRM Basic Authentication is required for connections to the Intel WS-MAN Translator to work properly. To turn WINRM Basic Authentication to true, run the following command from the command line:
winrm set winrm/config/client/auth @{Basic="true"}
With the archive file decompressed, you will see two VBScripts in the folder: SelfSignedFix.vbs and ExecFromCollection.vbs. SelfSignedFix.vbs is the VBScript that will perform the remote Provision / Un-provision. To use the SelfSignedFix.vbs, there are several parameters you must supply for it to work properly:
Intel WS-MAN Translator URL: This is the secure URL on which the Intel WS-MAN Translator is listening
The Hostname, FQDN, or IP Address of the vPro Client: This is the vPro Client that is having the issue with the Self-signed Certificate and needs to be Provisioned / Un-provisioned
Log File Location: This is the folder or share where the results of the provision / un-provision will be logged for the client. Note that SelfSignedFix.vbs script will automatically create a new log with the filename of the hostname, FQDN, or IP Address you used as the previous parameter.
Screen Output: Whether (Y) or not (N) to display the Provisioning / Un-provisioning output on the console screen.
Critical Note: Prior to executing the SelfSignedFix.vbs, it is imperative that you change the MEBx password in the SelfSignedFix.vbs VBScript to match what is configured in SCCM Component Configuration -> Out Of Band Management -> General Tab -> MEBx Account.
As a general reference, you can only change the MEBx password remotely once and only if the vPro Client is in a factory default state (never been provisioned). Since this VBScript remotely provisions and un-provisions the vPro client, we must set the MEBx password during this provisioning process. To Change the MEBx password, open SelfSignedFix.vbs with any text editor and modify (line 19) with your environment specific information:
Const SCCMMEBxPassword = "P@ssw0rd" to Const SCCMMEBxPassword = "<your SCCM MEBx password>"
Note: If you have already changed the MEBx password, the MEBx password will not changed; however, you should still change the SCCMMEBxPassword in SelfSignedFix.vbs VBScript to match your SCCM Configuration in case you run into a vPro Client where you have not changed the MEBx password yet.
With the MEBx Password modified, here are some examples of how the SelfSignedFix.vbs can be run from the command line:
cscript SelfSignedFix.vbs
vpro-client.vprodemo.com c:\temp N
cscript SelfSignedFix.vbs
vpro-client "
sccmsp1\certfix$\error logs" Y
cscript SelfSignedFix.vbs
192.168.0.101 "" Y
After running SelfSignedFix.vbs, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues.
Provision / Un-provision Log
Similar to what is displayed in the previous screen shots, a successful remote Provision / Un-provision log will look like the following:
**Begin Execution 8/11/2008 8:22:22 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.101/wsman
Setting AMT Clock
Setting HostName
Setting TLS settings
Setting new MEBx Password
CommitChanges
CommitChanges_OUTPUT
ReturnValue = 2057
Unprovision
PartialUnprovision_OUTPUT
ReturnValue = 0
**End Execution 8/11/2008 8:22:30 PM*************************
In an event that vPro Client is inaccessible to be remotely provisioned / un-provisioned, the error log will look like the following:
**Begin Execution 8/11/2008 8:22:12 PM*************************
Connecting to https://sccmsp1.vprodemo.com/wstrans/setup/eoi20/192.168.0.100/wsman
Unable to connect to AMT Device: 192.168.0.100
**End Execution 8/11/2008 8:22:12 PM*************************
This error can occur for a variety of reasons. Some common causes of this error are:
In either case, you will need to root cause why the vPro Client was not remotely accessible to be provisioned / un-provisioned. You can then run SelfSignedFix.vbs at a later time to retry and remotely provision / un-provision.
Automating the execution of SelfSignedFix.vbs within SCCM
To avoid having to run SelfSignedFix.vbs on each impacted system individually, there are a couple of automated procedures you can perform depending on what is right for your environment. To identify and isolate the vPro Clients that are impacted by the invalided Self-signed Certificate, you can create a SCCM Collection using the following criteria "Select * from sms_r_system where AMTStatus=1"; this will automatically bucket all the vPro Clients listed as AMTStatus Detected in a single collection for easy identification.
For step by step instructions on how to create the collection for vPro Clients with the AMT Status of Detected, please reference the guide included with the scripts.
Once you have the impacted vPro Clients in a single collection, you can either use SCCM Advertisements to push and execute SelfSignedFix.vbs from the client or you can use the included ExecFromCollection.vbs to connect directly to collection and execute SelfSignedFix.vbs on an enumerated list of members in that collection.
Critical Note: Before proceeding to use one of these large execution methods, it is recommended that you test your configuration (both SelfSignedFix.vbs and Intel WS-MAN Translator) by testing on a few impacted system individually first. Once you run SelfSignedFix.vbs steps above on these select impacted vPro Clients, you need to ensure you are able to natively provision the client within SCCM before you move onto a more automated implementation.
Using ExecFromCollection.vbs
ExecFromCollection.vbs is a VBscript that will connect to a desired collection, enumerate the list of members in the collection, and execute SelfSignedFix.vbs VBScript against each member in the collection. Prior to using ExecFromCollection.vbs, you must first change the SMSSiteCode, SMSServer, SMSCOLLECTION, and WSTransURL constants. To modify the required constants, open up ExecFromCollection.vbs with any text editor and change the following values with entries specific to your environment (Make sure you save your changes).
SMSSITECODE : This is your SMS Site Code
SMSSERVER : This is the FQDN of you SMS Site Server
SMSCollection : This is the SMS Collection ID that you want to enumerate the list of vPro Clients from. You can find the Collection ID of a particular collection by right clicking on the collection and select "Properties"; the Collection ID will be at the bottom of the General Tab
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1774/9.JPG!
WSTransURL : This is the secure URL in which the Intel WS-MAN Translator is listening on
Once the constants have been modified within ExecFromCollection.vbs, you can execute the VBscript by running the following Command Line:
cscript ExecFromCollection.vbs
ExecFromCollection.vbs will cycle through each enumerate member in the collection and execute SelfSignedFix.vbs VBScript against it. Prior to running ExecFromCollection.vbs, you need to ensure that the SelfSignedFix.vbs VBscript and ExecFromCollection.vbs VBscript are located in the same folder.
After running ExecFromCollection.vbs VBscript, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log files to help isolate the root of their issue. For step- by-step instructions on using ExecFromCollection.vbs, please reference the Guide included in the download package.
Using SCCM Advertisement to Execution SelfSignedFix.vbs
In terms of leveraging SCCM Advertisements to push the SelfSignedFix.vbs down to the client and execute it, there are several different ways this could be done. This example simply pulls the SelfSignedFix.vbs off a remote share which is then executed by a SCCM Task Sequence. When the advertisement is picked up by the SCCM Client Agent, the task sequence is executed and SelfSignedFix.vbs is run on the vPro Client machine. Depending on your environment, you may want to leverage alternative methods of deploying and executing this with a SCCM Advertisement. Please note, that the SelfSignedFix.vbs is not performing any provision / un-provision commands locally on the client; although it is running on the local client, the provision / un-provision commands are being routed to the Intel WS-MAN Translator and then the commands are sent back down to the vPro client from the Intel WS-MAN Translator.
In preparation of creating a task sequence, create a remote share on a server where the SelfSignedFix.vbs will be run from and the log files generated from SelfSignedFix.vbs will be stored. Ensure sufficient permissions are granted to the account running the advertisement.
Create a New Task Sequence and give it a name that is easily recognizable. Make sure you create the Task Sequence with the option of "Create a new custom task sequence".
When you edit your task sequence, add a new "General"-> "Run Command Line" task.
Give the task an appropriate name and in the Command Line field enter in:
cscript
server\share\SelfSignedFix.vbs %COMPUTERNAME% "
server\share" N
... where
server\share is the remote share that you created and https://wsmantransurl/ is the secure URL of your Intel WS-MAN Translator. %COMPUTERNAME% is an OS environment variable that will give you the hostname of the client.
!http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/38-11443-1766/12.JPG!
Once the task sequence is created, you can advertise the task sequence on a Collection you created for just the AMT Detected vPro Clients.
Depending on your advertisement mandate, the next time the client's SCCM agent pulls down an updated policy it will execute the task sequence.
After running SelfSignedFix.vbs VBscript via the advertisement, you should be able to do a rediscovery of the Management Controller within SCCM and see that the AMT Status is now reflected as "Not Provision". With the vPro Client in a "Not Provision" state, SCCM will be able to natively provision the client without issues. For any vPro Clients that remain in a Detected state, review the log file and isolate the root of their issue.
Note: Depending on your Client OS configuration, it may be necessary to set WINRM basic authentication to "true" prior to execution SelfSignedFix.vbs; this can be accomplished by add winrm set winrm/config/client/auth @{Basic="true"} command line task prior to the execution of SelfSignedFix.vbs.
This blog was intended to give you a general understanding of the issue and the work arounds that are in place. For a comprehensive step-by-step guide, please refer to the documentation included with Remote Provision / Un-provision Script archive file. To download the Scripts and the Guide, please visit the following URL: http://communities.intel.com/docs/DOC-1850
--Matt Royer
