Bob, what provisioning certificate did you load into SCCM? Is it your self-generated SCCM cert that was produced from your internal CA? And did you load that internal Root CA hash into the MEBx before the provisioning process started? If you want to use your own internally developed cert, I would make sure all references to the VeriSign cert are removed from the CA (personal store and any other store possibly located) and remove it from SCCM (both in the OOB service point and the certificate stores on this site server). Then make sure your self-generated cert is loaded on your SCCM service point (in the OOB config and personal store on SCCM with appropriate private keys). And make sure you load your internal Root CA hash (top level CA that produced your provisioning cert) into the MEBx. And see what happens when provisioning. From your thread below, it seems as if you have multiple certs getting confused and this is hard to diagnose. I hope this might clean it up a bit...
Actually, in addition to what Bill York just mentioned, it might be worth going to the extent of removing and re-installing the OOB service point role on your site server, just to make sure things are "cleaned out."
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
OK, I've done a full un-provision, from the BIOS and removed the object from AD. Then the M10 client could provision again fine (other clients still fail). I have removed the third party certificate from the certificate store on the OOB management point server and deleted, then re-added the OOB service point role. I'm not sure how much 'cleaning' this does, as it still retained the settings I had. I did re-enter all the information anyway, just in case. No change.
The certificate is an internally provisioned one, and the correct certificate hash is in the BIOS of the client PCs. There is no difference in the BIOS settings between the client that does provision, and the ones that don't.
Yes, still seeing that error. I have completely rebuilt the CA and performed a full unprovision on the clients. Still no change, the M10 client provisions fine, but the other ones do not. I have checked DNS and the records are correct,
Well, assuming you've checked all your network configuration (DHCP, DNS), done a factory reset on the problem unit(s), applied Microsoft hotfix KB960804, and triple-checked your root CA's certificate hash, I'm probably going to have to defer to Microsoft Premier Support on this one.
By the way, have you opened the AMT Provisioning certificate from your site server, and validated the certificate chain up to your root CA? An invalid certificate chain caused a problem for me a while back. See this blog post for more details:
Edit: Fixed URL
Trevor Sullivan
Systems Engineer
OfficeMax Corporation
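The chain validation and root hash comparison suggested in the posts above, as an added PowerShell example (not code from this thread, Microsoft or Intel). It assumes the provisioning certificate sits in the LocalMachine\My store of the site server and that the hash entered in the MEBx is the SHA-1 hash of the root CA certificate; both input values are placeholders to fill in.

```powershell
# Added example. Placeholders below are assumptions, not values from the thread.
param(
    [string]$ProvisioningThumbprint = '<PROVISIONING-CERT-THUMBPRINT>',
    [string]$MebxRootHash           = '<ROOT-CA-HASH-AS-ENTERED-IN-MEBX>'
)

# Strip spaces, dashes and colons so hashes typed in different styles compare equal.
function ConvertTo-NormalizedHash([string]$Hash) {
    ($Hash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$wanted = ConvertTo-NormalizedHash $ProvisioningThumbprint
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
if (-not $cert) { throw "Provisioning certificate not found in LocalMachine\My." }

# The site server needs the private key to use the certificate during provisioning.
"Private key present: $($cert.HasPrivateKey)"
"Valid from $($cert.NotBefore) to $($cert.NotAfter)"

# Build the chain the same way Windows does. Revocation checking is disabled here
# so that an unreachable CRL does not mask a structural problem in the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($cert)

# Print every element, leaf first, with any per-element error status.
foreach ($element in $chain.ChainElements) {
    '{0}  {1}' -f $element.Certificate.Thumbprint, $element.Certificate.Subject
    foreach ($status in $element.ChainElementStatus) {
        "    status: $($status.Status) $($status.StatusInformation.Trim())"
    }
}

# The last element is the top of the chain; a real root is self-issued.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootIsSelfIssued = ($root.Subject -eq $root.Issuer)
# X509Certificate2.Thumbprint is the SHA-1 hash of the DER-encoded certificate.
$hashMatches = ($root.Thumbprint -eq (ConvertTo-NormalizedHash $MebxRootHash))

"Chain builds to a trusted root : $chainOk"
"Top of chain is self-issued    : $rootIsSelfIssued"
"Root hash matches MEBx entry   : $hashMatches"
if (-not ($chainOk -and $rootIsSelfIssued -and $hashMatches)) {
    Write-Warning "Chain or root hash mismatch: the client would not trust this provisioning certificate."
}
```

If a stale certificate from an earlier CA is still in the store, it shows up here as a chain that ends at a different root thumbprint than the one entered in the MEBx.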
OK, thanks for your help, I'll post the solution once I find it.
Bob