SCCM SP2 / vPro Common Issues and Potential Resolutions

Version 2

    This is a living wiki covering some of the more common configuration and setup issues that can cause SCCM SP1 and vPro interoperability problems. It is not a replacement for following the steps defined in the SCCM SP2 Help File article "[Configuring Out of Band Management|http://technet.microsoft.com/en-us/library/cc161822(TechNet.10).aspx]" or for referencing the "[Troubleshooting Out of Band Management|http://technet.microsoft.com/en-us/library/cc161834(TechNet.10).aspx]" article in the SCCM SP2 Help File.

     

    System Center Configuration Manager Configuration

    Symptom: AMT provisioning and management can take a very long time when Windows Server 2008 R2 is configured for both IPv4 & IPv6.

    Work Around: On the SCCM Primary Site Server, run the following commands:

    netsh interface ipv6 delete prefix ::ffff:0/96

    netsh interface ipv6 add prefix prefix=::ffff:0/96 precedence=45 label=4

     

     

    Symptom: If you are performing an IDER or SOL session with the OOB Console on Windows Server 2008 R2 with a user that does not have Administrator permission, the SOL or IDER session will fail.

    Work Around: Ensure that the locally logged-in user is an Administrator of the Windows Server 2008 OS from which you are running the Out of Band Management Console.

     

     

    Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)

    Potential Root cause(s):

    The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.

    ·         Verify that the user you are logged on with is listed, or is in a Kerberos group that is listed, in the AMT User Account list. SCCM SP1 Help File Article: "[How to Configure AMT Settings and AMT User Accounts|http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx]"; Section: "To configure AMT settings and AMT User Accounts".

     

    SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provisioning, or the Web Server Certificate was issued to a different FQDN than that of the vPro client.

    o   Verify that you have created the Web Server Certificates template on your Certificate Authority and that your SCCM Primary Site Servers have the appropriate permissions. SCCM SP1 Help File Article: "[Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management|http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx]"; Section: "Preparing the Web Server Certificates for AMT-Based Computers".

    o   Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "[How to Configure AMT Provisioning|http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx]"; Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.

     

     

    Symptom: SCCM provisions a vPro Client successfully and you are able to invoke Collection-based power operations; however, the Out of Band Console does not connect to the vPro Client.

    Potential Root cause(s):

    The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.

    ·         Verify that the user you are logged on with is listed, or is in a Kerberos group that is listed, in the AMT User Account list. SCCM SP1 Help File Article: "[How to Configure AMT Settings and AMT User Accounts|http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx]"; Section: "To configure AMT settings and AMT User Accounts".

    SCCM has not been granted full control permissions on the out of band management OU.

    ·         Verify that the SCCM Primary Site Servers have been granted full control permissions on the out of band management OU. SCCM SP1 Help File Article: "[How to Prepare Active Directory Domain Services for Out of Band Management|http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx]"

    ·         The Active Directory computer object that was created for the AMT device was overwritten or deleted.

    ·         The Kerberos user is not successfully added when provisioning a 2.x AMT client, and the AMTOPMGR.log gives the following error:

    Add ACLs..
    ERROR: Invoke(invoke) failed: 80020009argnum = 0
    Description: The WinRM client cannot process the request. The destination computer returned an empty response to the request
    Error: failed to Add User Acl
    Error: CSMSAMAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs

    The Add User ACL step fails on 2.x systems if ALL the realms are checked, including the PT Admin realm in . Treat the PT Admin Realm as mutually exclusive with all the other realms. Verify that none of your Out of Band Component - AMT Settings - AMT User Accounts have PT Admin Realm selected with any other realm.

     

     

    Symptom: I cannot seem to get my vPro clients with firmware version less than 3.2.1 to provision or be managed through SCCM.

    Potential Root cause(s):  SCCM SP1 & SP2 natively support only vPro clients with firmware version 3.2.1 or higher; to support vPro clients with firmware versions less than 3.2.1, you are required to install and configure the Intel WS-MAN Translator.

     

     

    Symptom: When I do a "Discovery of Management Controller" within SCCM on a vPro client, on an entire collection, or as part of a Network Discovery, it does not appear to provision the vPro client.

    Potential Root cause(s):  Performing a Discovery of Management Controller only determines if the vPro client is able to be provisioned. You still need to provision the vPro client either through the Out of Band Import Wizard or through the Client Agent.

     

     

    Symptom: I receive the following message when I try to provision a vPro Client: "Warning: AMT device is a SMS client. Reject hello message to provision".

    Potential Root cause(s):  SCCM has detected that the SCCM Client agent is installed on the vPro Client. If the Client Agent is present, you are required to provision the vPro client through the in-band agent.

     

     

    Symptom: The AMT status states that it is "Detected" instead of "Not Provisioned" and I cannot provision it.

    Potential Root cause(s):

    ·         The Out of Band Service Point is able to determine that the client is AMT/vPro capable; however, it does not know the AMT Remote Admin or the MEBx account password.  Verify that your AMT Remote Admin or MEBx account password is either "admin" (factory default) or what you have configured as the MEBx password in the Component Configuration -> Out of Band Management. The vPro MEBx password can be reset by logging into the MEBx locally on the vPro client (via Ctrl-P during POST), while the remote admin password can be reset by performing a full unprovision within MEBx. Please reference SCCM SP1 Help File Article: "[About the AMT Status and Out of Band Management|http://technet.microsoft.com/en-us/library/cc431387(TechNet.10).aspx]"

    ·         Another similar cause of this behavior is that the vPro device has already been provisioned using another ISV console. ConfigMgr was able to detect that the vPro hardware exists, but is unable to communicate with it. In this scenario, reset the MEBx to the factory defaults by performing a local Full Unprovision, resetting the BIOS, or using the unprovisionex.exe Intel executable to automate it from a remote system.

     

     

    Symptom: Not able to provision a vPro client through SCCM SP1 Client Agent based provisioning.

    Potential Root cause(s):

    ·         The oobmgmt.log on the vPro Client states "AutoProvision policy disabled".  Verify that your vPro Client is in a collection that is configured for "Enable automatic out of band management controller provisioning". Please reference "[Collection Name Settings: Out of Band Tab|http://technet.microsoft.com/en-us/library/cc161955(TechNet.10).aspx]" in the SCCM SP1 Help.

    ·         The oobmgmt.log on the vPro Client states "No compatible device detected". Verify that the client you are trying to provision is a vPro client and that the AMT HECI driver is installed. The HECI driver should be available from your OEM driver support website.

    ·         The client is not identified as Approved within the SCCM Site Server.

     

     

    Symptom: Not able to perform an IDER or SOL session on an AMT client from the SCCM Out Of Band Management Console.

    Potential Root cause(s):

    ·         The OOBConsole.log states the following error "IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection" and your AMT Web Certificates are being issued from a Subordinate Certificate Authority.

    o   The full certificate chain is not being passed correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer - "Trusted Root Certification Authorities" store of the server or workstation that the Out Of Band Management Console is run from. This makes the subordinate CA a trust anchor on that machine.

    ·         oobconsole.log has the following error when initiating a SOL connection: Launch terminal with "127.0.0.1 XXXXX -t ansi" fail.

    o   Ensure that you have telnet.exe installed on the computer that you are trying to run the SCCM out of Band Management Console from.

    o   On Windows Server 2008 machines, enable the telnet client by selecting Administrative Tools --> Server Manager --> Features --> Add Features, and selecting the Telnet Client checkbox.

     

     

    Symptom: Not able to access the Intel vPro / AMT Web console on a vPro client

    Potential Root cause(s):

    ·         The required hotfix for IE 6 and the registry entry for IE 6 and IE 7 have not been added

    o   Verify you have KB908209 installed for IE 6 and that the required FEATURE_INCLUDE_PORT_IN_SPN_KB908209 registry entry is added for both IE 6 and IE 7 to address Kerberos authentication over a non-standard port: http://support.microsoft.com/default.aspx/kb/908209

    ·         Verify you are connecting to the vPro Client with the following URL: https://FQDN:16993, where the FQDN is the fully qualified domain name of the vPro client (e.g. https://vpro-client.vprodemo.com:16993/).

    ·         Enable Web Interface has not been configured in Out of Band Management Properties

    o   Verify that "Enable Web Interface" is checked within the SCCM "Out of Band Management Properties" - "AMT Settings" Tab

    ·         The Kerberos user does not have sufficient access

    o   Verify that the Kerberos user you are trying to authenticate with is listed in the AMT User Accounts in the "Out of Band Management Properties" - "AMT Settings" tab
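
    Several of the root causes above are identified by a specific message in AMTOPMGR.log, oobmgmt.log or OOBConsole.log. The following added example (not part of the original wiki and not Microsoft or Intel code) scans log lines for those messages and returns the check this page recommends; the function name and the sample lines are constructed for illustration.

```powershell
# Added example (PowerShell 3.0+). Each Pattern is a message fragment quoted on this
# page; each Check paraphrases the resolution this page gives for that message.
$AmtLogSignatures = @(
    [pscustomobject]@{ Log = 'AMTOPMGR.log'; Pattern = 'failed to Add User Acl'
        Check = 'AMT 2.x: PT Admin Realm must not be combined with other realms in AMT User Accounts.' }
    [pscustomobject]@{ Log = '(not stated on page)'; Pattern = 'AMT device is a SMS client'
        Check = 'Client agent is installed: provision through the in-band agent.' }
    [pscustomobject]@{ Log = 'oobmgmt.log'; Pattern = 'AutoProvision policy disabled'
        Check = 'Put the client in a collection with automatic OOB controller provisioning enabled.' }
    [pscustomobject]@{ Log = 'oobmgmt.log'; Pattern = 'No compatible device detected'
        Check = 'Confirm the machine is a vPro client and the AMT HECI driver is installed.' }
    [pscustomobject]@{ Log = 'OOBConsole.log'; Pattern = 'Failed to Establish TLS Connection'
        Check = 'Subordinate CA in use: the console host does not trust the full certificate chain.' }
    [pscustomobject]@{ Log = 'OOBConsole.log'; Pattern = '-t ansi" fail'
        Check = 'telnet.exe is missing on the console host: add the Telnet Client feature.' }
)

function Get-AmtLogFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin { $lineNumber = 0 }
    process {
        $lineNumber++
        foreach ($sig in $AmtLogSignatures) {
            # Literal, case-insensitive substring match: log text is never used as a regex.
            if ($Line.IndexOf($sig.Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    LineNumber = $lineNumber
                    Log        = $sig.Log
                    Matched    = $sig.Pattern
                    Check      = $sig.Check
                }
            }
        }
    }
}

# Constructed sample lines that reuse the messages quoted on this page.
$sample = @(
    'Add ACLs..'
    'ERROR: Invoke(invoke) failed: 80020009argnum = 0'
    'Error: failed to Add User Acl'
    'AutoProvision policy disabled'
    'IMR_SOLOpenTCPSession2 with user = <user> fail with result:0x20, description:Failed to Establish TLS Connection'
    'Launch terminal with "127.0.0.1 XXXXX -t ansi" fail.'
)
$sample | Get-AmtLogFinding | Format-Table -AutoSize -Wrap
```

    To triage a real log, pipe it in with `Get-Content <path to log> | Get-AmtLogFinding`; the log file locations are not given on this page.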

     

    AMT / vPro Client Use Cases

    Symptom: Serial Over LAN session cannot be established when you power on or restart the AMT client to boot to PXE

    Behavior Expected: Not being able to establish a Serial Over LAN connection when you perform a reboot to PXE is expected behavior for AMT firmware versions 2.x through 5.x.

     

     

    Symptom: When you connect a Serial Over LAN session when the AMT client is connected over the wireless connection, the Operating System will lose its wireless network connection.  When you disconnect the Serial Over LAN session, the OS wireless connection will return.

    Behavior Expected: This is expected behavior for AMT firmware 2.x and 4.x.  There is no workaround to change the behavior.

     

     

    Symptom: When the Out of Band Console is open, you are unable to perform an AMT Power Off operation from the collection.

    Behavior Expected: This result is expected for AMT firmware 2.x - 5.x when an active connection is already open (i.e. Out of Band Management Console).

     

     

    Symptom: The System ID does not display in the Out of Band Management Console and AMT power control operations do not work after a Partial unprovision and reprovisioning for AMT firmware 4.x.

    Resolution: Issue addressed in AMT firmware version 4.2.  Work with your OEM to obtain the latest firmware version with the fix.

     

     

    Symptom: The AMT client machine continuously sends an access request every 2 minutes when 802.1x authentication fails.

    Behavior Expected:  This is an expected behavior since AMT is trying to reestablish 802.1x authentication.

     

     

    Symptom: Unable to unprovision AMT client 4.x or 5.x from the MEBx when AMT Audit Log is enabled

    Behavior Expected: This behavior is expected. 

    Work Around: Prior to performing an unprovision, you should disable the AMT audit log by right-clicking on the AMT client and selecting “Out of Band Management” -> “Disable Audit Log”.  Once it is disabled, you should be able to unprovision the AMT client.  If you are unable to disable the AMT Audit Log, you will be required to perform a CMOS reset to unprovision the AMT client.

     

     

    Symptom: On AMT 4.x / 5.x, the error code returned when you perform an AMT operation while the AMT Audit Log is full is not consistent.

    Work Around: If you are unable to perform an AMT action, you may want to confirm that the AMT Audit Log is not full.  To clear the AMT Audit Log with SCCM SP2, right-click on the AMT client and select “Out of Band Management” -> “Clear Audit Log”.  Once cleared, AMT operations should be allowed.

     

     

    Symptom: You are unable to perform an IDER session when the AMT client is in S3 sleep state

    Behavior Expected: This behavior is expected. 

    Work Around: Power on the AMT client first and then perform an AMT Power Restart with IDE Redirection enabled.

     

     

    Symptom: You are unable to power off the AMT client when the AMT client is in S3 sleep state

    Behavior Expected: This behavior is expected. 

    Work Around: Power on the AMT client first and then perform an AMT Power Off.

     

     

    Symptom: When you reboot into BIOS and connect to the Serial Over LAN, you are unable to interact with the BIOS over the Serial Over LAN interface.

    Work Around: Establish the Serial Over LAN connection prior to initiating the reboot into BIOS command.

     

     

    Symptom: Initiating a Force Boot option (Local Hard-drive, Local CD ROM, PXE) does not work on AMT version 5.1.

    Resolution: Issue addressed in AMT firmware version 5.2.  Work with your OEM to obtain the latest firmware version with the fix.

     

     

    Symptom: Out of Band Management functions do not work on a client that is running RRAS services

    Behavior Expected: Out of Band Management is not supported if the client is running RRAS Services. 

     

     

     

    AMT / vPro Client Configuration

    Symptom: An FQDN longer than 51 bytes will prevent wireless profiles from being set during AMT client provisioning & configuration (Second Stage Provisioning / Update Management Control)

    Resolution: Issue addressed in AMT firmware version 4.2 and 5.2.  Work with your OEM to obtain the latest firmware version with the fix.

     

     

    Symptom: AMT HECI and SOL drivers are not available for Windows 2000

    Not Supported: AMT drivers are not supported on Windows 2000

     

     

    Symptom: An FQDN longer than 44 bytes will prevent Second Stage provisioning from finishing properly, making the AMT client unmanageable

    Resolution: Issue addressed in AMT firmware version 4.2 and 5.2.  Work with your OEM to obtain the latest firmware version with the fix.

     

     

    Symptom: AMT client provisioning fails when the AMT certificate is issued by a Certificate Authority whose hash algorithm is set to SHA256

    Behavior Expected: AMT TLS certificates signed with SHA256 are not supported.  Use the supported signed certificate types as defined in the SCCM SP2 documentation.

     

     

    Symptom: Provisioning of 2.x & <=3.2.1 clients within SCCM SP2 does not complete successfully.

    Resolution: Ensure you are running Intel WS-MAN Translator Build 568.

     

     

     

    External Infrastructure

    Symptom: AMT wireless may not authenticate properly when using a Cisco ACS RADIUS server

    Potential Root cause(s):  There are known issues with Cisco ACS versions less than 4.2.  It is recommended that you upgrade your Cisco ACS environment to at least version 4.2 with all critical hotfixes installed.

     

     

    Symptom: The AMT machine can't be authenticated by Cisco ACS if the SCCM RADIUS security group is in the parent domain & the client is in a child domain

    Work Around: Because of a limitation in ACS, AD security groups for the AMT AD object must be in the same domain.  SCCM supports placing the AMT AD objects in any AD group (root, child, etc.); however, it can only be configured to support one domain, and it does not evaluate the domain to determine which subdomain group to place the object in.  To work around the limitation, create the security group in the child domain. Then add the security group from the root domain as a member of this child security group. The key is to use universal instead of global security groups. The child security group should contain only one member: the security group from the root domain.  Configure SCCM to place the AD objects in the parent domain security group.

     

     

    Symptom: You are unable to perform AMT OOB management of an AMT client if your SSID key is not set to Mandatory

    Behavior Expected: The wireless SSID key needs to be set to Mandatory to ensure proper AMT wireless out of band management.

     

     

    Symptom: You are unable to provision an AMT client whose computer name has DBCS or Unicode characters

    Behavior Expected: DBCS or Unicode computer names are not supported on AMT.

     

     

    Symptom: If the Organizational Unit configured for AMT within SCCM contains a Unicode string, the OOB Service Point fails to set the wired profile with an error indicating that the enumeration of certificates failed.

    Behavior Expected: DBCS or Unicode OU names are not supported.
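
    The naming and firmware limits listed above (FQDN longer than 44 or 51 bytes, DBCS or Unicode computer and OU names, firmware below 3.2.1) can be checked before a client is submitted for provisioning. The following is an added example, not part of the original wiki and not SCCM or Intel code; the function name, host names, OU and firmware versions are constructed, and it assumes "bytes" means the UTF-8 length of the FQDN.

```powershell
# Added example (PowerShell 3.0+): pre-provisioning checks built from limits stated on this page.
function Test-AmtProvisioningReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [Parameter(Mandatory = $true)][version]$FirmwareVersion,
        [string]$OrganizationalUnit = ''
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Assumption: the page's "bytes" is taken as the UTF-8 encoded length of the FQDN.
    $fqdnBytes = [System.Text.Encoding]::UTF8.GetByteCount($Fqdn)

    # Page: the FQDN limits are addressed in firmware 4.2 and 5.2. Assumption: only
    # 4.x >= 4.2 and 5.x >= 5.2 count as fixed; every other version is still checked.
    $fqdnFixed = ($FirmwareVersion.Major -eq 4 -and $FirmwareVersion -ge [version]'4.2') -or
                 ($FirmwareVersion.Major -eq 5 -and $FirmwareVersion -ge [version]'5.2')
    if (-not $fqdnFixed) {
        if ($fqdnBytes -gt 44) { $findings.Add("FQDN is $fqdnBytes bytes (> 44): second stage provisioning may not finish.") }
        if ($fqdnBytes -gt 51) { $findings.Add("FQDN is $fqdnBytes bytes (> 51): wireless profiles may not be set.") }
    }

    # Page: DBCS or Unicode computer names and OUs are not supported.
    # -cmatch keeps the character class exact (no case folding of non-ASCII letters).
    $nonAscii = '[^\x00-\x7F]'
    if ($Fqdn -cmatch $nonAscii) { $findings.Add('Computer name contains non-ASCII characters.') }
    if ($OrganizationalUnit -cmatch $nonAscii) { $findings.Add('OU contains non-ASCII characters.') }

    # Page: firmware below 3.2.1 needs the Intel WS-MAN Translator.
    if ($FirmwareVersion -lt [version]'3.2.1') {
        $findings.Add('Firmware below 3.2.1: Intel WS-MAN Translator required.')
    }

    [pscustomobject]@{
        Fqdn      = $Fqdn
        Firmware  = $FirmwareVersion
        FqdnBytes = $fqdnBytes
        Ready     = ($findings.Count -eq 0)
        Findings  = ($findings -join ' | ')
    }
}

# Constructed inventory: host names, OU and firmware versions are made up for illustration.
$inventory = @(
    @{ Fqdn = 'pc01.corp.example.com'; FirmwareVersion = '5.2.0' }
    @{ Fqdn = 'engineering-workstation-0001.emea.corp.example.com'; FirmwareVersion = '4.1.3' }
    @{ Fqdn = 'legacy07.corp.example.com'; FirmwareVersion = '2.6.0' }
    @{ Fqdn = 'pc02.corp.example.com'; FirmwareVersion = '5.2.0'
       OrganizationalUnit = "OU=B$([char]0x00FC)ro,DC=corp,DC=example,DC=com" }
)
$report = foreach ($entry in $inventory) { Test-AmtProvisioningReadiness @entry }
$report | Format-List
```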

     

     

     

    OEM Specific

    Symptom: When you power on a Dell E6400 using an AMT power on command within SCCM SP2, the keyboard remains locked.

    Work Around: The issue can be worked around by manually rebooting the client.

    Resolution: Dell has addressed this with the A14 Dell E6400 BIOS.

    Symptom: On a Dell Optiplex 960DT, the remote keyboard is always locked in BIOS/IDER mode and NOT locked in the OS, regardless of whether the "lock remote keyboard" checkbox is checked.

    Resolution: Contact Dell for a status on resolution.

    Symptom: SCCM Discovery will wake a Dell E6400 client out of sleep state.

    Resolution: Dell has addressed this with the A17 Dell E6400 BIOS.

     

     

    Symptom: If you perform an AMT CD/DVD boot on an HP client, it will not continue to boot if media is not in the bay

    Expected Behavior: This is by design; contact HP for questions about this implementation.

     

     

    Symptom: Depending on the OEM, pressing ESC to exit the BIOS when connected via the Serial Over LAN does not exit you out of the BIOS.

    Work Around: Press the ESC key twice instead of just once.

     

     

    Symptom: On some OEM platforms, the Page Up and Page Down keys do not work over the Serial Over LAN interface when booted into BIOS

    Work Around: Use the + / - keys in place of the Page Up or Page Down key.