SCCM SP1 / vPro Common Issues and Potential Resolutions

Version 13

    This is a living wiki to cover some of the more common configuration and setup issues that can cause SCCM SP1 and vPro interoperability issues. This is not a replacement for following steps defined in SCCM SP1 Help File Article: "[Configuring Out of Band Management|]" or referencing the "[Troubleshooting Out of Band Management|]" Article in the SCCM SP1 Help File.


    Symptom: amtproxymgr.log file indicates the following error messages:


    Found instruction file: D:\SMS\inboxes\\{50830F19-8E2D-410A-A75B-EC5F0A32F96E}.apx
    Processing Instruction: RCT 1;1;62151;3.2.1;;SMS_AMT_OPERATION_MANAGER_PROV;
    Request certificate task begin to read Site Control File.
    Changes to the site control file settings detected.
    Request certificate task success to read parameters from Site Control File.
    Request certificate task success to connect to the SQL database.
    ERROR: CertCreateCertificateContext failed: 0x80093102, msg=ASN1 unexpected end of data.~
    Error: CTaskRequestClientCert::RevokeExistedCertificate failed to get serial number from the certificate binary.
    Request certificate task disConnected to the SQL database.
    INFO: Enter process request 1
    INFO: Save Request
    INFO: Add new request
    Certificate for has been retrieved.
    ERROR: CertGetCertificateChain(...) failed: 0x1000040
    ERROR: HandleDisposition failed: the root certificate of the CA is not at the Trust List!
    INFO: Enter process request 3
    INFO: Delete Request
    INFO: Request to delete found
    STATMSG: ID=7601 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_AMT_PROXY_COMPONENT" SYS=PROVSERVER SITE=123 PID=8536 TID=2220 GMTDATE=Thu Jan 08 21:28:22.411 2009 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Failed to run instruction: RCT 1;1;62151;3.2.1;;SMS_AMT_OPERATION_MANAGER_PROV;
    Finished Executing Instruction: RCT 1;1;62151;3.2.1;;SMS_AMT_OPERATION_MANAGER_PROV;


    Potential Root cause(s): Not yet known.



    Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)



    Potential Root cause(s):


    • The current user logged on to the SCCM Console does not have sufficient right to perform the desired operation.

    • SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provision or the Web Server Certificates was issued to a different FQDN then the vPro Client.

      • Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers has the appropriate permission. SCCM SP1 Help File Article: "[Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management|]"; Section: "Preparing the Web Server Certificates for AMT-Based Computers".

      • Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "[How to Configure AMT Provisioning|]"; Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.




    Symptom: SCCM provisions a vPro Client successfully and you are able to invoke Collection based power operation; however, the Out of Band Console does not connect to the vPro Client.



    Potential Root cause(s):


    • The current user logged on to the SCCM Console does not have sufficient right to perform the desired operation.

      • Verify that the user you are logged on with is listed or in a Kerberos group that is listed in the AMT User Account list. SCCM SP1 Help File Article: “[How to Configure AMT Settings and AMT User Accounts|]"; Section: “To configure AMT settings and AMT User Accounts".
        SCCM has not be granted full control permissions on the out of band management OU

      • Verify that the SCCM Primary Site Servers has been granted full control permissions on the out of band management OU. SCCM SP1 Help File Article: "[How to Prepare Active Directory Domain Services for Out of Band Management|]“

    • Active Directory computer object that was created for the AMT device was overwritten or deleted

    • Kerberos User not being successfully added when provisioning 2.x AMT client and the AMTOPMGR.log is giving the following error:
      Add ACLs..
      ERROR: Invoke(invoke) failed: 80020009argnum = 0
      Description: The WinRM client cannot process the request. The destination computer returned an empty response to the request
      Error: failed to Add User Acl
      Error: CSMSAMAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs

      • The Add user ACL fails on 2.x systems if ALL the realms are checked including the PT Admin realm in . Treat the PT Admin Realm as mutually exclusive with all the other realms. Verify that none of your Out of Band Component - AMT Settings - AMT User Accounts have PT Admin Realm selected with any other realm



    Symptom: I can not seem to get my vPro clients with firmware version less than 3.2.1 to provision or managed through SCCM.



    Potential Root cause(s):


    • SCCM SP1 only natively supports vPro clients that are firmware version 3.2.1 or higher; to support vPro clients that have firmware versions less then 3.2.1 you are required to install and configure the Intel WS-MAN Translator.

      • Verify that you have installed and configured WS-MAN Translator properly. Please reference the following blog on how to configure and install the Intel WS-MAN Translator.



    Symptom: When I do a "Discovery of Management Controller" within SCCM on a vPro client, on an entire collection, or as part of a Network Discovery, it does not appear to provision the vPro client.



    Potential Root cause(s):


    • Performing a Discovery of Management Controller only determines if the vPro client is able to be provisioned. You still need to provision the vPro client either through the Out of Band Import Wizard or through the Client Agent.




    Symptom: I recieve the following the message when I try to provision a vPro Client; "Warning: AMT device is a SMS client. Reject hello message to provision".



    Potential Root cause(s):




    Symptom: The AMT status states that it is "Detected" instead of "Not Provisioned" and I can not provision it.



    Potential Root cause(s):


    • The Out of Band Service Point is able to determine that the client is AMT/vPro capable; however, it does not does know the AMT Remote Admin or the MEBx account password.

      • Verify that your AMT Remote Admin or the MEBx account are either "admin" (factory default) or what you have configured as the MEBx password in the Component Configuration -> Out of Band Management. The vPro MEBx password can be reset by logging into the MEBx local on the vPro client (via the ctrl-p during post) while the remote admin password can be reset by performing a full unprovision within MEBx. Please reference SCCM SP1 Help File Article: "[About the AMT Status and Out of Band Management|]"

    • Another similar cause of this behavior is that the vPro device has already been provisioned using another ISV console. ConfigMgr was able to detect that the vPro hardware exists, but is unable to communicate with it. In this scenario, reset the MEBx to the factory defaults by performing a local Full Unprovision, resetting the BIOS, or using the unprovisionex.exe Intel executable to automate it from a remote system.



    Symptom: Not able to provision a vPro client through SCCM SP1 Client Agent based provision.



    Potential Root cause(s):


    • The oobmgmt.log on the vPro Client states "AutoProvision policy disabled".

    • The oobmgmt.log on the vPro Client states "No compatible device detected".

      • Verify that the client you are trying to provision is vPro Client and that the AMT HECI driver is installed. HECI driver should be available from your OEM driver support website.



    Symptom: Not able to perform an IDER or SOL session on and AMT client from the SCCM Out Of Band Management Console.



    Potential Root cause(s):


    • The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.

      • Full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.

    • oobconsole.log has the following error when initiating a SOL connection: Launch terminal with " XXXXX -t ansi" fail

      • Ensure that you have telnet.exe installed on the computer that you are trying to run the SCCM out of Band Management Console from.

      • On Windows Server 2008 machines, enable the telnet client by selecting Administrative Tools --> Server Manager --> Features --> Add Features, and selecting the Telnet Client checkbox.



    Symptom: Not able to accessing the Intel vPro / AMT Web console on a vPro client



    Potential Root cause(s):


    • Required hot from IE6 and Registry Entry for IE 6 and IE 7 has not been added

      • Verify you have KB908209 installed for IE 6 and that the required FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry entry is added for both IE 6 and IE 7 to address Kerberos authentication protocol that uses a non-standard port:

    • Verify you are connecting to the vPro Client with the following URL https://FQDN:16993 where the FQDN is the full qualified domain name of the vPro client (ie.

    • Enable Web Interface has not been configured in Out of Band Management Properties

      • Verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab

    • The Kerberos user does not have sufficient access

      • Verify that the Kerberos user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab

    • Please reference Supplement Blog



    Symptom: When performing a SOL or IDER function within the SCCM Out of Band Management Console it fails and i recieve the following error in the OOBConsole.log: IMR_SOLOpenTCPSession2 with user = domain\user fail with result:?x??



    Potential Root cause(s):





    Hex CodeCodeValue or Description
    result: 0x00IMR_RES_OKThe requested operation was successfully executed.
    result: 0x01IMR_RES_ERRORSome unspecified error has occurred while executing the operation.
    result: 0x02IMR_RES_INVALID_PARAMETERAn invalid parameter was specified to the function.
    result: 0x03IMR_RES_NOT_INITIALIZEDThe Redirection Library was not yet initialized.
    result: 0x04IMR_RES_ALREADY_INITIALIZEDThe Redirection Library has already been initialized.
    result: 0x05IMR_RES_MEMALLOC_FAILEDMemory allocation has failed; not enough memory.
    result: 0x06IMR_RES_UNSUPPORTEDThe requested operation is unsupported by the library.
    result: 0x07IMR_RES_CLIENT_NOT_FOUNDThe specified client ID does not exist in the library’s list.
    result: 0x08IMR_RES_DUPLICATE_CLIENTA client with the specified properties (e.g. IP address)already exists in the library’s list.)
    result: 0x09IMR_RES_CLIENT_NOT_ACTIVEThe specified client has not been initialized by the library, although it exists in its list. This indicates an internal error in the library.
    result: 0x0AIMR_RES_CLIENT_ACTIVEThe specified client has already been initialized by the library. This indicates an internal error in the library.
    result: 0x0BIMR_RES_SESSION_ALREADY_OPENA session of the requested type (either SOL or IDER) is already opened with the specified client.
    result: 0x0CIMR_RES_SESSION_CLOSEDThere is no open session of the requested type (either SOL or IDER) with the specified client.
    result: 0x0DIMR_RES_SOCKET_ERRORA socket error has occurred.
    result: 0x0EIMR_RES_UNKNOWN_PROTOCOLAn internal error has occurred in the protocol handlers in the library.
    result: 0x0FIMR_RES_PROTOCOL_ALREADY_REGISTEREDAn internal error has occurred in the protocol handlers in the library.
    result: 0x10IMR_RES_PENDINGAn internal error has occurred while trying to send a packet.
    result: 0x11IMR_RES_UNEXPECTED_PACKETAn unexpected protocol packet has been received.
    result: 0x12IMR_RES_TIMEOUTA timeout has occurred while trying to execute the operation.
    result: 0x13IMR_RES_CORRUPT_PACKETA corrupted or malformed protocol packet has been received.
    result: 0x14IMR_RES_OS_ERRORAn operating system error has occurred.
    result: 0x15IMR_RES_IDER_VERSION_NOT_SUPPORTEDThe client uses an IDER protocol of a version incompatible with the library’s version.
    result: 0x16IMR_RES_IDER_COMMAND_RUNNINGAn IDER command is in progress.
    result: 0x17IMR_RES_STORAGE_FAILUREAn error occurred while trying to store client information.
    result: 0x18IMR_RES_UNKNOWNAn unknown library result code was specified.
    result: 0x19IMR_RES_AUTH_FAILEDAuthentication with the client has failed.
    result: 0x1AIMR_RES_CLIENT_TYPE_UNKNOWNUnknown Client Type
    result: 0x1BIMR_RES_CLIENT_BUSYThe client already has an open session of the relevant function (either SOL or IDER) with some other application.
    result: 0x1CIMR_RES_CLIENT_UNSUPPORTEDThe library attempted to connect to a host capability that does not support IDER.
    result: 0x1DIMR_RES_CLIENT_ERRORGeneral error return when trying to establish an IDER session.
    result: 0x1EIMR_RES_NOT_ENOUGH_SPACEThe function was provided with a buffer with insufficient space to successfully complete the operation.
    result: 0x1FIMR_RES_SESSION_LOOPBACKThe requested operation cannot be executed because the SOL session is in loopback mode.
    result: 0x20IMR_RES_TLS_CONNECTION_FAILEDThe library has failed to establish a TLS connection with the client. There might be a problem verifying the client’s certificate.
    result: 0x21IMR_RES_SOCKS_ERRORSOCKv5 proxy returned an error.
    result: 0x22IMR_RES_SOCKS_AUTH_FAILLibrary failed to connect due to authentication error.