SCCM SP1 Out of Band Mgmt AMT Client Settings

Apr 10, 2008 8:32 AM

sbelz

We are deploying a lot of new clients. Dell hasn't put out an AMT 3.2 version yet for their clients, which is required for SCCM Out of Band Mgmt. So we can't test the integration with SCCM SP1 Beta.

We must order the clients now and don't know the required AMT client settings. We want to have all the settings set by our OEM (Dell) before the hardware delivery.

We have an internal Microsoft Enterprise Root CA. We want to use Remote Configuration. When not required, we want to use internal certificates and not official certificates.

What settings are required in the AMT BIOS so that we can automatically integrate our clients into SCCM SP1 Out of Band Mgmt?

Do we need to import the root CA from our internal MS Enterprise Root CA on the AMT clients, or can we do this over Remote Configuration? Are any other settings required? (Passwords, Ent. Mode, Provision Server)

Thanks and best regards

miroyer
Reply 1. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Apr 10, 2008 9:02 AM

Microsoft and Intel have included support for AMT firmware versions less than 3.2 with the inclusion of the WS-MAN Translator that will be released and integrated with SCCM SP1 with the release RC1. The SCCM SP1 beta today does support 3.x clients for testing validation purposes; however, there will be a hard requirement to use the WS-Translator with any client less than 3.2 once RC1 releases.
To avoid having to manually configure your internal CA root hash, you can work with your OEM to have the cert hash of your provisioning cert issuing CA pre-loaded into firmware. Other than the root cert hash of your internal CA, that should be all you need to do. Although the default admin password will be changed as SCCM goes through the provisioning process, you can request the OEM to pre-configure the MEBx password for you. This will need to match what you configured your SCCM environment with.


Matt Royer

davidra
Reply 2. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings May 3, 2008 9:18 AM

I realize your question was about the Beta build, and we've now shipped the RC (release candidate) build, but I'll answer your questions specifically about Beta first, then about the Release candidate.

FOR BETA: The only setting required in BIOS (MEBx really) to enable remote provisioning initiated by the SCCM client agent is the root certificate hash of your internal CA must be entered in the cert hash list. Now, if you've entered in the root cert hash through the MEBx (or the USBFILE utility), you've also likely had to change the MEBx password, so you'll need to add that into the list of provisioning accounts/passwords (admin is the account name, and enter the MEBx account's password as your provisioning password). We only support Enterprise mode, so AMT will need to be set to run in that mode (which is the default mode).

The beta actually supports the Dell 3.0 firmware version. There were some changes between Beta and RC that required 3.2 - so if you're testing the RC, you'll need the 3.2, but if you're still testing the Beta version, you can use your Dell 755's with the 3.0 firmware. And, Matt's comment about the translator applies to 3.0 firmware for the final release of SP1 - you'll need that if you have systems that aren't updated to 3.2, or you have 2.1, 2.2, 2.5 or 2.6 AMT in your environment.

FOR RC: The only setting required in BIOS (MEBx really) to enable remote provisioning initiated by the SCCM client agent is the root certificate hash of your internal CA must be entered in the cert hash list. Again, if you've added the cert hash manually, then enter the MEBx password into the "Provisioning/Discovery" account list.

SCCM can automatically register an alias in DNS for the out of band service point (checkbox option in the Out of Band Management properties in Component Configuration), so you won't need to update the firmware with the IP address or name of your provisioning server (unless you want to).

Lastly, if you have downloaded the release candidate from the connect.microsoft.com web site, you should take a look through the help file. Click the search tab, and type in "out of band" to find all the AMT related content. There are step by step walkthroughs of setting up your certificates, cert templates, and lots of information on the prerequisites and specific requirements.

Hope that helps, and please ask more questions if you have them.

Dave Randall

kobile
Reply 3. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 12:20 PM
in response to: davidra

Hi,

I just finished setting up all the requirements including the hash, and SCCM is still having problems provisioning my Dell 755 machine. In \SCCMInstall\Logs\amtopmgr.log I'm getting:

incoming connection from (client ip address) x.x.x.x:16994
incoming data is: Configuration version: PKI Configuration
Count: 5
UUID: The client UUID
Found matched hash from hello ......
Warrnig: AMT device UUID is SMS Client: Reject hello message to provision
waiting to incoming hello....

I can't get any luck with this, any idea?

Thanks in advance,

Kobi

davidra
Reply 4. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 12:59 PM
in response to: kobile

The log file indicates that your computer currently has the SCCM agent installed. When the OOBSP receives a hello packet from a computer that is already a SCCM client, it will reject the packet.

To initiate provisioning for that computer, make a collection with that one computer in it (a direct member collection is fine). Then, right click the collection, choose "Modify collection settings" and select the Out of Band tab. Enable the checkbox on that page and save the settings. Then, right click the collection and choose "update collection membership" to get the policy generated right away.

Now, your client will get the policy and initiate provisioning. Normally, the policy polling interval is 60 minutes. You could go to the ctrl panel applet on that client system and do the "initiate machine policy retrieval and evaluation" to kick start it.

Let us know how it goes.

Dave

kobile
Reply 5. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 4:00 PM
in response to: davidra
Hi,

Thanks for the fast response.

Now I can open the out of band console, but there is no data for the selected computer, and I noticed that after 30 seconds or so the SYSTEM appears as disconnected in the bottom left status bar.

Kobi
kobile
Reply 6. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 4:00 PM
in response to: davidra

Hi Davidra,

I followed the instructions from this link http://communities.intel.com/openport/message/3711
but it is still the same,


Kobi

davidra
Reply 7. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 4:46 PM
in response to: kobile

I'm assuming you're still using 3.0 firmware (not 3.2.1). In order to use the Out of Band Console with any AMT systems, you need to be using AMT firmware version 3.2.1 - it contains updates that allow your out of band console to connect and authenticate with Kerberos. Without AMT 3.2.1, you cannot complete a Kerberos authentication, and therefore, the system does not connect.

Sorry. Hopefully, we'll see the update from Dell soon. I personally do not have an ETA from them however.

Dave

miroyer
Reply 8. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 5:01 PM
in response to: kobile
Kobile,

This traditionally is related to Kerberos authentication issues. Can you double check that an object was created in the OU you specified in the AMT settings? Also, are you able to do collection based power control? What firmware version is your AMT client? http://communities.intel.com/openport/docs/DOC-1627

Matt Royer

Guest
Reply 9. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 2, 2008 11:13 PM
in response to: miroyer
Rumor has it that the AMT v3.2.1 firmware from DELL will be webposted in days........ So if you've already installed SCCM SP1 RC or the RTM, my advice is to wait.
kobile
Reply 10. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 3, 2008 8:03 AM
in response to: davidra

Hi Dave,

You are right, the AMT version is 3.0.9, and the power control is working.

I will try to contact DELL to see if the firmware is available.

Thanks a lot guys, and keep doing excellent work.

miroyer
Reply 12. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 3, 2008 10:29 AM
in response to: kobile

Although it is recommended that you upgrade your vPro 3.x firmware to 3.2.1 to take advantage of the native support within SCCM SP1, Intel has developed the WS-MAN Translator that allows for SCCM to communicate with legacy firmware versions (firmware less than 3.2.1). Please reference the following blogs...


SCCM SP1 & WS-MAN Translator: How vPro firmware versions less than 3.2.1 are supported
Intel WS-MAN Translator Beta released and available for download

Matt Royer

kobile
Reply 13. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 3, 2008 12:14 PM
in response to: miroyer

Hi,

After installing the beta of WS-MAN, I got an error and the service didn't start; I configured it as described in the attached PDF.
For some reason my default web server on the SCCM server is using port 443; after changing the port on the WS-MAN the service started but nothing happened.

I decided to uninstall the WS-MAN, and since then I'm having trouble provisioning clients, even the one that was already provisioned.

The error I'm getting from AMTOPMGR.LOG is:

Error: Translator regestry key has not been found. Please ensure it being installed. (HKEY_LOCAL_MACHINE\SOFTWARE\Intel\WsMan Translator) ,

How can I resolve this error? I tried to reconfigure the out of band properties in SCCM but with no luck.

Kobi

kobile
Reply 14. Re: SCCM SP1 Out of Band Mgmt AMT Client Settings Jun 3, 2008 12:19 PM
in response to: miroyer

Hi,

I noticed that SCCM finds the machine, but there is an error that I can't figure out:

Incoming Connection from 192.168.10.54:16994.
Incoming data is - Configuration version: PKI Configuration.
Count : 10
UUID : 4C4C4544-0044-4D10-8037-CAC04F48334A
Found matched hash from hello message with current provision certificate. (Hash: 3C198CF5E36F586B8A7B7630D36ED988B95FF21C)
Warning: AMT device 4C4C4544-0044-4D10-8037-CAC04F48334A is a SMS client. Reject hello message to provision.
Waiting for incoming hello message from AMT devices...
AMT Discovery Worker: Wakes up to process instruction files
AMT Discovery Worker: Reading Discovery Instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc{81616515-5DCF-40BE-AEFE-874E7BB8CA27}.RDC...
AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, 'GUID:F52EB94E-FD4D-467E-AAC2-8B91852540E5', 'EST'
AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine XPVPRO755 (XPVpro755.c-dom.est), ID: 73 - 192.168.10.54 from Resource GUID:F52EB94E-FD4D-467E-AAC2-8B91852540E5.
AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 73
AMT Discovery Worker: Execute query exec AMT_GetProvAccounts
AMT Discovery Worker: Finish reading discovery instruction C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc{81616515-5DCF-40BE-AEFE-874E7BB8CA27}.RDC
AMT Discovery Worker: Parsed 1 instruction files
AMT Discovery Worker: There are 1 tasks in pending list
AMT Discovery Worker: Send task to completion port
Auto-worker Thread Pool: Current size of the thread pool is 1
AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.
STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=C-SCCM SITE=EST PID=256 TID=2928 GMTDATE=Tue Jun 03 19:08:06.310 2008 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
AMT Discovery Worker: Wait 20 seconds...
AMT Discovery Worker: Wakes up to process instruction files
AMT Discovery Worker: Wait 20 seconds...
AMT Discovery Worker: Wakes up to process instruction files
AMT Discovery Worker: Wait 20 seconds...
Auto-worker Thread Pool: Work thread 2348 started
CAMTDiscoveryWSMan::DoDetectAMTVersion: recv failed: 10054
HTTP digest authentication failed with status = 401.
HTTP digest authentication failed with status = 401.
SecurityAdministration.GetDigestRealm finished with HResult = 0x0, status = 0x0, clientError = 0.
AMT Discovery Worker: Wakes up to process instruction files
AMT Discovery Worker: Wait 20 seconds...
GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0.
CSMSAMTDiscoveryTask::Execute - DDR written to C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\auth\ddm.box
Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.
AMT Discovery Worker: Wakes up to process instruction files
AMT Discovery Worker: Wait 3600 seconds...
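
Added example (not part of the thread, and not Microsoft or Intel code): a small parser that groups the hello-listener lines of amtopmgr.log, in the format quoted in the posts above, into one record per incoming hello and flags the "is a SMS client" rejection that davidra explains in Reply 4. The sample log is constructed, and the names `parse_hellos` and `triage` are hypothetical.

```python
import re

# Constructed sample in the amtopmgr.log line format quoted in this thread;
# the addresses, UUIDs and hash are made-up placeholders.
SAMPLE_LOG = """\
Incoming Connection from 10.0.0.21:16994.
UUID : 00000000-1111-2222-3333-444444444444
Found matched hash from hello message with current provision certificate. (Hash: 0123456789ABCDEF0123456789ABCDEF01234567)
Warning: AMT device 00000000-1111-2222-3333-444444444444 is a SMS client. Reject hello message to provision.
Waiting for incoming hello message from AMT devices...
Incoming Connection from 10.0.0.22:16994.
UUID : 55555555-6666-7777-8888-999999999999
"""

CONN = re.compile(r"Incoming Connection from ([\d.]+):\d+")
FIELDS = {  # key -> pattern capturing that value inside a hello block
    "uuid": re.compile(r"^UUID\s*:\s*([0-9A-Fa-f-]{36})"),
    "matched_hash": re.compile(r"Found matched hash .*\(Hash: ([0-9A-Fa-f]{40})\)"),
}
REJECT = "is a SMS client. Reject hello message"

def parse_hellos(text):
    """Group log lines into one dict per 'Incoming Connection' hello block."""
    hellos, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if (m := CONN.search(line)):
            cur = {"ip": m.group(1), "uuid": None, "matched_hash": None, "rejected": False}
            hellos.append(cur)
        elif cur is None:
            continue  # line from another worker thread, outside any hello block
        elif line.startswith("Waiting for incoming hello"):
            cur = None  # listener went back to waiting: block is complete
        elif REJECT in line:
            cur["rejected"] = True
        else:
            for key, pat in FIELDS.items():
                if (m := pat.search(line)):
                    cur[key] = m.group(1)
    return hellos

def triage(hello):
    # Assumption: a hello without a "Found matched hash" line had no hash match.
    if hello["rejected"]:
        return "rejected: device is already an SCCM client"
    if hello["matched_hash"] is None:
        return "no provisioning certificate hash match logged"
    return "hash matched, hello not rejected"

if __name__ == "__main__":
    for h in parse_hellos(SAMPLE_LOG):
        print(h["ip"], h["uuid"], "->", triage(h))
```

For a hello flagged as rejected, the remedy given in Reply 4 is to enable out of band provisioning on a collection that contains that computer.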