Sebastian Belz 1 posts since
Apr 10, 2008
 

Apr 10, 2008 8:32 AM

SCCM SP1 Out of Band Mgmt AMT Client Settings

 

We are deploying a lot of new clients. Dell hasn't put out an AMT 3.2 version yet on their clients, which is required for SCCM Out of Band Mgmt. So we can't test the integration with SCCM SP1 Beta.

We must order the clients now and don't know the required AMT Client Settings. We want to have all the settings set by our OEM (Dell) before the hardware delivery.

We have an internal Microsoft Enterprise Root CA. We want to use Remote Configuration. When not required, we want to use internal certificates and not official certificates.

What settings are required in the AMT BIOS so that we can automatically integrate our clients into SCCM SP1 Out of Band Mgmt?

Do we need to import the Root CA from our internal MS Enterprise Root CA on the AMT Clients, or can we do this over Remote Configuration? Are any other settings required? (Passwords, Ent. Mode, Provision Server)

Thanks and best regards

 

 





Matt Royer   162 posts since
Aug 31, 2007
1. Apr 10, 2008 9:02 AM in response to: Sebastian Belz
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Microsoft and Intel have included support for AMT firmware versions less than 3.2 with the inclusion of the WS-MAN Translator that will be released and integrated with SCCM SP1 with the release RC1. The SCCM SP1 beta today does support 3.x clients for testing validation purposes; however, there will be a hard requirement to use the WS-Translator with any client less than 3.2 once RC1 releases.

To avoid having to manually configure your internal CA root hash, you can work with your OEM to have the cert hash of your provisioning cert issuing CA pre-loaded into firmware. Other than the root cert hash of your internal CA, that should be all you need to do. Although the default admin password will be changed as SCCM goes through the provisioning process, you can request the OEM to pre-configure the MEBx password for you. This will need to match what you configured your SCCM environment with.

 

 

 

 

Matt Royer

 

 

David Randall   26 posts since
May 2, 2008
2. May 3, 2008 9:18 AM in response to: Sebastian Belz
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

I realize your question was about the Beta build, and we've now shipped the RC (release candidate) build, but I'll answer your questions specifically about Beta first, then about the Release candidate.

 

 

FOR BETA: The only setting required in BIOS (MEBx really) to enable remote provisioning initiated by the SCCM client agent is the root certificate hash of your internal CA must be entered in the cert hash list. Now, if you've entered in the root cert hash through the MEBx (or the USBFILE utility), you've also likely had to change the MEBx password, so you'll need to add that into the list of provisioning accounts/passwords (admin is the account name, and enter the MEBx account's password as your provisioning password). We only support Enterprise mode, so AMT will need to be set to run in that mode (which is the default mode).

 

 

The beta actually supports the Dell 3.0 firmware version. There were some changes between Beta and RC that required 3.2 - so if you're testing the RC, you'll need the 3.2, but if you're still testing the Beta version, you can use your Dell 755's with the 3.0 firmware. And, Matt's comment about the translator applies to 3.0 firmware for the final release of SP1 - you'll need that if you have systems that aren't updated to 3.2, or you have 2.1, 2.2, 2.5 or 2.6 AMT in your environment.

 

 

FOR RC: The only setting required in BIOS (MEBx really) to enable remote provisioning initiated by the SCCM client agent is the root certificate hash of your internal CA must be entered in the cert hash list. Again, if you've added the cert hash manually, then enter the MEBx password into the "Provisioning/Discovery" account list.

 

 

SCCM can automatically register an alias in DNS for the out of band service point (checkbox option in the Out of Band Management properties in Component Configuration), so you won't need to update the firmware with the IP address or name of your provisioning server (unless you want to).

 

 

Lastly, if you have downloaded the release candidate from the connect.microsoft.com web site, you should take a look through the help file. Click the search tab, and type in "out of band" to find all the AMT related content. There are step by step walkthroughs of setting up your certificates, cert templates, and lots of information on the prerequisites and specific requirements.

 

 

Hope that helps, and please ask more questions if you have them.

 

 

Dave Randall

 

 

kobile   16 posts since
Jun 2, 2008
3. Jun 2, 2008 12:20 PM in response to: David Randall
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Hi,

 

 

I just finished setting up all the requirements including the hash, and SCCM is still having problems provisioning my Dell 755 machine. In \SCCMInstall\Logs\amtopmgr.log I'm getting:

 

 

incoming connection from (client ip address) x.x.x.x:16994

incoming data is: Configuration version: PKI Configuration

Count: 5

UUID: The client UUID

Found matched hash from hello ......

Warning: AMT device UUID is SMS Client: Reject hello message to provision

waiting to incoming hello....

 

 

I can't get any luck with this, any idea?

Thanks in advance,

 

 

Kobi

 

 

David Randall   26 posts since
May 2, 2008
4. Jun 2, 2008 12:59 PM in response to: kobile
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

The log file indicates that your computer currently has the SCCM agent installed. When the OOBSP receives a hello packet from a computer that is already a SCCM client, it will reject the packet.

 

 

To initiate provisioning for that computer, make a collection with that one computer in it (a direct member collection is fine). Then, right click the collection, choose "Modify collection settings" and select the Out of Band tab. Enable the checkbox on that page and save the settings. Then, right click the collection and choose "update collection membership" to get the policy generated right away.

 

 

Now, your client will get the policy and initiate provisioning. Normally, the policy polling interval is 60 minutes. You could go to the ctrl panel applet on that client system and do the "initiate machine policy retrieval and evaluation" to kick start it.

 

 

Let us know how it goes.

 

 

Dave

 

 

kobile   16 posts since
Jun 2, 2008
5. Jun 2, 2008 4:00 PM in response to: David Randall
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

Hi,

 

Thanks for the fast response,

 

Now I can open the out of band console, but there is no data for the selected computer, and I noticed that after 30 seconds or so, in the bottom left status bar, the SYSTEM appears as disconnected.

 

Kobi

kobile   16 posts since
Jun 2, 2008
6. Jun 2, 2008 4:00 PM in response to: David Randall
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Hi Davidra,

 

 

I followed the instructions from this link http://communities.intel.com/openport/message/3711 but it is still the same.

 

 

 

 

Kobi

 

 

David Randall   26 posts since
May 2, 2008
7. Jun 2, 2008 4:46 PM in response to: kobile
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

I'm assuming you're still using 3.0 firmware (not 3.2.1). In order to use the Out of Band Console with any AMT systems, you need to be using AMT firmware version 3.2.1 - it contains updates that allow your out of band console to connect and authenticate with Kerberos. Without AMT 3.2.1, you cannot complete a Kerberos authentication, and therefore, the system does not connect.

 

 

Sorry. Hopefully, we'll see the update from Dell soon. I personally do not have an ETA from them however.

 

 

Dave

 

 

Matt Royer   162 posts since
Aug 31, 2007
8. Jun 2, 2008 5:01 PM in response to: kobile
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

Kobile,

 

This is traditionally related to Kerberos authentication issues. Can you double check that an object was created in the OU you specified in the AMT settings? Also, are you able to do collection based power control? What firmware version is your AMT client? http://communities.intel.com/openport/docs/DOC-1627

 

 

 

 

 

Matt Royer

Guest
9. Jun 2, 2008 11:13 PM in response to: Matt Royer
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

Rumor has it that the AMT v3.2.1 firmware from Dell will be webposted in days... So if you've already installed SCCM SP1 RC or the RTM, my advice is to wait.

kobile   16 posts since
Jun 2, 2008
10. Jun 3, 2008 8:03 AM in response to: David Randall
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Hi Dave,

 

 

You are right, the AMT version is 3.0.9, and the power control is working.

I will try to contact Dell to see if the firmware is available.

Thanks a lot guys, and keep doing excellent work.

 

 

 

 


 

 

 

 

Matt Royer   162 posts since
Aug 31, 2007
12. Jun 3, 2008 10:29 AM in response to: kobile
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Although it is recommended that you upgrade your vPro 3.x firmware to 3.2.1 to take advantage of the native support within SCCM SP1, Intel has developed the WS-MAN Translator that allows for SCCM to communicate with legacy firmware versions (firmware less than 3.2.1). Please reference the following blogs...

 

 

 

 

SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported

Intel WS-MAN Translator Beta released and available for download

 

 

Matt Royer

 

 

kobile   16 posts since
Jun 2, 2008
13. Jun 3, 2008 12:14 PM in response to: Matt Royer
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Hi,

 

 

After installing the beta of WS-MAN, I got an error and the service didn't start. I configured it as described in the PDF attached.

For some reason my default web server on the SCCM server is using port 443. After changing the port on the WS-MAN the service started, but nothing happened.

I decided to uninstall the WS-MAN, and since then I'm having trouble provisioning clients, even the one that was already provisioned.

 

 

The error I'm getting from AMTOPMGR.LOG is:

 

 

Error: Translator regestry key has not been found. Please ensure it being installed. (HKEY_LOCAL_MACHINE\SOFTWARE\Intel\WsMan Translator) ,

 

 

How can I resolve this error? I tried to re-configure the out of band properties in SCCM, but with no luck.

 

 

Kobi

 

 

kobile   16 posts since
Jun 2, 2008
14. Jun 3, 2008 12:19 PM in response to: Matt Royer
Re: SCCM SP1 Out of Band Mgmt AMT Client Settings

 

Hi,

 

 

I noticed that SCCM finds the machine, but there is an error that I can't figure out:

 

 

Incoming Connection from 192.168.10.54:16994.

Incoming data is - Configuration version: PKI Configuration.

Count : 10

UUID : 4C4C4544-0044-4D10-8037-CAC04F48334A

Found matched hash from hello message with current provision certificate. (Hash: 3C198CF5E36F586B8A7B7630D36ED988B95FF21C)

Warning: AMT device 4C4C4544-0044-4D10-8037-CAC04F48334A is a SMS client. Reject hello message to provision.

Waiting for incoming hello message from AMT devices...

AMT Discovery Worker: Wakes up to process instruction files

AMT Discovery Worker: Reading Discovery Instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{81616515-5DCF-40BE-AEFE-874E7BB8CA27}.RDC...

AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, 'GUID:F52EB94E-FD4D-467E-AAC2-8B91852540E5', 'EST'

AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine XPVPRO755 (XPVpro755.c-dom.est), ID: 73 - 192.168.10.54 from Resource GUID:F52EB94E-FD4D-467E-AAC2-8B91852540E5.

AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 73

AMT Discovery Worker: Execute query exec AMT_GetProvAccounts

AMT Discovery Worker: Finish reading discovery instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{81616515-5DCF-40BE-AEFE-874E7BB8CA27}.RDC

AMT Discovery Worker: Parsed 1 instruction files

AMT Discovery Worker: There are 1 tasks in pending list

AMT Discovery Worker: Send task to completion port

Auto-worker Thread Pool: Current size of the thread pool is 1

AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.

STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=C-SCCM SITE=EST PID=256 TID=2928 GMTDATE=Tue Jun 03 19:08:06.310 2008 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0

AMT Discovery Worker: Wait 20 seconds...

AMT Discovery Worker: Wakes up to process instruction files

AMT Discovery Worker: Wait 20 seconds...

AMT Discovery Worker: Wakes up to process instruction files

AMT Discovery Worker: Wait 20 seconds...

Auto-worker Thread Pool: Work thread 2348 started

CAMTDiscoveryWSMan::DoDetectAMTVersion: recv failed: 10054

HTTP digest authentication failed with status = 401.

HTTP digest authentication failed with status = 401.

SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0.

AMT Discovery Worker: Wakes up to process instruction files

AMT Discovery Worker: Wait 20 seconds...

GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0.

CSMSAMTDiscoveryTask::Execute - DDR written to C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\auth\ddm.box

Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.

AMT Discovery Worker: Wakes up to process instruction files

AMT Discovery Worker: Wait 3600 seconds...
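
A triage pass over amtopmgr.log for the messages discussed in this thread, as an added example that is not part of any post and not SCCM or Intel code: it groups hello messages per device, compares the matched hash with the root CA hash you expect to be in firmware, and flags rejected hellos and digest 401 failures. The sample log is constructed from the line formats quoted above; `expected_root_hash` and the function names are assumptions.

```python
import re

# Constructed sample, modelled on the amtopmgr.log line formats quoted in this thread.
SAMPLE_LOG = """\
Incoming Connection from 192.0.2.54:16994.
UUID : 00000000-0000-0000-0000-000000000001
Found matched hash from hello message with current provision certificate. (Hash: 0123456789ABCDEF0123456789ABCDEF01234567)
Warning: AMT device 00000000-0000-0000-0000-000000000001 is a SMS client. Reject hello message to provision.
Waiting for incoming hello message from AMT devices...
Incoming Connection from 192.0.2.77:16994.
UUID : 00000000-0000-0000-0000-000000000002
Waiting for incoming hello message from AMT devices...
HTTP digest authentication failed with status = 401.
"""
START = re.compile(r"Incoming Connection from (\d+\.\d+\.\d+\.\d+):\d+", re.I)
UUID = re.compile(r"^\s*UUID\s*:\s*([0-9A-Fa-f-]{36})")
HASH = re.compile(r"Found matched hash .*\(Hash: ([0-9A-Fa-f]{40})\)")
REJECT = re.compile(r"is a SMS client\. Reject hello message", re.I)
END = re.compile(r"Waiting for incoming hello", re.I)
DIGEST_401 = re.compile(r"HTTP digest authentication failed with status = 401")

def parse_hellos(text):
    # One record per hello: from "Incoming Connection" up to the next "Waiting for incoming hello".
    hellos, cur = [], None
    for line in text.splitlines():
        if (m := START.search(line)):
            cur = {"source": m.group(1), "uuid": None, "hash": None, "rejected": False}
            hellos.append(cur)
        elif cur is None:
            continue
        elif (m := UUID.search(line)):
            cur["uuid"] = m.group(1)
        elif (m := HASH.search(line)):
            cur["hash"] = m.group(1).upper()
        elif REJECT.search(line):
            cur["rejected"] = True
        elif END.search(line):
            cur = None
    return hellos

def triage(text, expected_root_hash):
    # expected_root_hash (assumed input): the hash of your internal root CA as loaded into MEBx.
    out = []
    for h in parse_hellos(text):
        if h["hash"] != expected_root_hash.upper():
            out.append((h["source"], "no matched hash equal to the expected root CA hash"))
        if h["rejected"]:
            out.append((h["source"], "hello rejected: already an SCCM client, enable Out of Band provisioning on its collection"))
    if (n := len(DIGEST_401.findall(text))):
        out.append(("site", f"{n} HTTP digest authentication 401 failure(s)"))
    return out
```
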

 

 
