Skip navigation

A while back I ran into an issue configuring an AMT system in TLS mode. I wanted to walk you through the issue and one potential solution in the event you are seeing similar issues with TLS.

 

I did a quick overview of my environment and everything appeared to be set up correctly. I was able to provision using a non-TLS profile in SCS, but when I switched to a TLS profile I kept getting this error on the vPro client while running ACUConfig.exe:

 

“Exit with code 75.

Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed to get the certificate from the CA. (Certificate ID: 3310051103).  (0xc0002825). The certificate chain could not be built. Please make sure that the root certificate is installed properly. (0xc0003e93). Intel(R) AMT Operation failed. (Request Certificate). (0xc00007d5). The RCS failed to process the request.”


I checked out the SCS server and made sure the root Cert was installed correctly and everything looked normal. Then accessing the MMC cert snap-in on the SCS server, I created a test request to the CA for the AMT TLS cert and it issued it to me:

 

1.png

 

2.png

3.png

 

4.png

 

5.png

 

And as you can see, the OS had no issues with the certificate, but I was still seeing the errors on the vPro client while running ACUConfig.exe.

 

Taking a closer look at the acuconfig error message, it seemed like the SCS was having trouble building the certificate chain. So I decided to take a look at the CRL. After some digging around a bit, I decided to copy the CRL from the Cert Authority. To do this I just ran this command from a PowerShell prompt on the Certificate Authority:

 

6.png

 

Then I copied the crl.crl file over to the SCS server and installed it:

 

7.png

 

After I finally got the CRL installed on the SCS server, I restarted the SCS service and attempted the provision again. Sure enough, I was able to complete the process and the Cert Authority issued the TLS certificate for the AMT device.

 

Capture3.PNG

 

There are quite a few different methods of publishing / referencing the CRL in your environment, for more information see this technet page: http://technet.microsoft.com/en-us/library/cc737760(v=ws.10).aspx

 

Instead of relying on the SCS error messages, you could also use a utility like certutil to check the validity of the CRL. Here is a blog post on TechNet on Basic CRL Checking with certutil: http://blogs.technet.com/b/pki/archive/2006/11/30/basic-crl-checking-with-certutil.aspx

 

Bill York also has some information related to expired CRLs and SCCM: http://communities.intel.com/thread/20138

 

If you suspect you are having issues with the CRL in your environment, this manual workaround will get you back up and running, but for a long term fix you should bring it up with your PKI team.

Intel® IT Center Talk to an Expert Webinar:
PC Refresh in the Consumerized IT Environment
Tuesday, February 12, 2013
9:00 - 10:00 a.m. Pacific Standard Time

Talk Live with Intel Experts:
David Buchholz, Director of Consumerization, Intel IT
John Mahvi, Business Client Product Line Manager, Intel IT

Moderator: Chris Peters, Global Business Marketing Strategist, Intel

In this live video webinar, Intel experts will share the insights their teams have gained through firsthand experience with PC refresh in a complex, fast-changing consumerized IT environment.

David and John will cover the positive impact of PC refresh on:

  • Security and manageability
  • Decisions regarding services and devices to be supported
  • User productivity and satisfaction
  • TCO plus support, repair, and energy costs

 
With an efficient, strategic PC refresh program that includes PCs featuring Intel® vPro™ technology, you can dramatically enhance the user experience on company-issued PCs and laptops. And, by doing so, you can resolve many of the issues that arise due to BYO in particular, and consumerization in general.

So, bring your most pressing questions, and take advantage of this opportunity to ask the experts.

Register now >

Intel vPro Platform Solution Manager:

A plug-in designed to target  Intel vPro Technology usages

 

  • Receive the latest and greatest Intel vPro functionality as soon as its launched!
  • Improve time to market for platform feature availability for end customers
  • Provides a solution for the Help Desk to utilize Intel vPro Technology
  • Increase your ROI by providing more use cases to your IT Department and Help Desk
  • No cost

 

Allow your IT Department to focus on innovation and not the traditional every day tasks!

Download NOW! http://www.intel.com/vprosolutions

Download Now

 

First American.jpgFirst American Financial Corporation is one of the largest title insurance companies in the U.S., with desktop and laptop computers that support employees who facilitate title and escrow closing for real estate sales. To improve remote PC management, the company’s desktop management group worked with Allied Digital Services to activate the Intel® vPro™ platform in HP computers equipped with Intel® Core™ i5 vPro™ processors. First American anticipates improving employee productivity by reducing the time to resolve computer problems, streamlining software provisioning, and using remote power management to drive down energy consumption.

 

“With the Intel vPro platform, we can diagnose and solve complex issues, like OS failures and boot problems, all remotely," explained Dale Hiser, manager of desktop management at First American. "As a result, we can save the shipping costs of replacing systems, avoid expensive deskside visits, and significantly reduce the productivity loss and frustration that downtime can cause employees.”

 

Learn all about it in our new First American business success story. Find more like this one on the Intel.com Business Success Stories for IT Managers page or the Business Success Stories for IT Managers channel on iTunes.  And to keep up to date on the latest business success stories, follow ReferenceRoom on Twitter.

Filter Blog

By date: By tag: