10 Replies. Latest reply: Feb 21, 2012 10:30 AM by Meum

    unprovisionex.exe problem

    stepland

      Hi, I am getting an error while trying to remotely unprovision clients (see attachment).

      Can someone advise on what could be the cause/fix?

      And also, is there a way I can use this tool to mass unprovision a list of clients automatically and not just one at a time?

      Currently my clients are autoprovisioning through SCCM with a 3rd party cert. I am at about 2350 clients provisioned, but now for some reason about 150 or so out of these 2350 clients (including mine) are showing up in SCCM as detected even though the local client log shows the machine as still being provisioned; also, all certificates the clients have received through the provisioning process still remain, and so does the associated AMT AD object.

      Because of this detected status in SCCM I cannot use the delete provisioning data from the management controller's memory and try a re-provision.

      Please advise.

      Thanks

        • 1. Re: unprovisionex.exe problem

          Your screenshot shows that you are specifying the admin account credentials. This is not required if the chipset has been configured for TLS comms. Alternatively, remove the -tls option.

           

          So this should do the trick for SCCM provisioned clients:

           

          Unprovisionex.exe -hostname hostname.domain.com -tls -full

           

          Just make sure you are logged in with a user that was configured with PT admin rights on the chipset,

           

          or you can run the command specifying the MEBx account details:

           

          Unprovisionex.exe -hostname hostname.domain.com -user admin -pass password -full

           

          To run against a list of computer names in a file called clients.txt, create a batch file that runs:

           

          for /f %%i in (clients.txt) do unprovisionex.exe -hostname %%i.domain.com -user admin -pass password -full

          • 2. Re: unprovisionex.exe problem
            brunodom

            Stéphane,

             

                 As these machines were provisioned using SCCM, the actual admin password is stored in the SCCM database. In this case, you must use Kerberos authentication (i.e. your logon account) instead of digest authentication (i.e. admin).

                 There is a way to do it in mass: try using ACUConfig.exe, which you can find in the SCS 7.1 package, and create an SCCM package to execute it locally on each vPro machine that you want to unprovision. I don't know how you defined the ACLs on these vPro machines; it can be a little tricky.

             

            Best Regards!

            -Bruno Domingues

            • 3. Re: unprovisionex.exe problem
              stepland

              OK thanks, I got this working logged in as myself on a desktop and passing this line to a remote MEBx.

               

              unprovisionex.exe -hostname hostname.fqdn -tls -full

               

              But I noticed that it does not remove the AD AMT object and it does not revoke the certificate issued from my CA server.

              This seems normal to me as it seems to just target the MEBx, but is there any way I can automate the AD object and certificate revocation along with this task, like the SCCM task that is available, "Delete Provisioning Data from Management Controller Memory"?

              For the problem I am having with 150 provisioned clients or so, the Delete Provisioning Data from Management Controller Memory option is not there any longer, as they show up with detected status in SCCM even though all the provisioning info is still there.

              So by using unprovisionex it will un-provision the client and it will then get re-provisioned again, and in turn the status in SCCM becomes provisioned again (in this case I don't have to delete the AMT object or revoke the cert).

              But if our service desk needs to rename a PC that has an AMT status of detected and was previously provisioned, they will need to delete the AD account and revoke the cert automatically, like SCCM does, for clean-up purposes.

              Please advise if someone has an easy way of doing this in conjunction with the unprovisionex tool.

               

              thanks

              • 4. Re: unprovisionex.exe problem
                Meum

                Hi,

                 

                I also got problems with unprovisioning clients. I accidentally provisioned all my clients with the wrong certificate through SCCM, and now I can't connect to them or unprovision them unless I do it manually from the MEBx BIOS.

                 

                I have tried to use the unprovisionex.exe utility, both remotely and locally from the client, but keep getting error messages.

                 

                I have tried the following command parameter:

                 

                 

                Executed from remote computer:

                UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

                 

                ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

                The Intel(R) AMT device, lab7.astrupfearnley.net, is invalid.

                 

                and

                 

                UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

                 

                Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent

                An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

                 

                Also tried to specify user and password, both the local admin/pw and the domain user that was granted access during provisioning, but still get the same error message.

                 

                Executed from local computer:

                 

                UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

                 

                ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

                The Intel(R) AMT device, lab7.fqdn, is invalid.

                 

                and

                 

                UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

                 

                ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16993

                The Intel(R) AMT device, lab7.fqdn, is invalid.

                 

                 

                Anyone got a solution for this? Or do I actually have to put on a pair of sneakers and do it the hard way?

                 

                • 5. Re: unprovisionex.exe problem
                  brunodom

                  Stéphane,

                   

                       Usually, not removing the AD object and revoking the certificate is not an operational problem.

                       Before I joined Intel, I worked 8 years at Microsoft, mainly with AD deployments, and it is very common to create some kind of procedure to periodically clean up old computer and user accounts not used for a period of time, and you can use anything from VB scripts to utilities like this.

                       Certificate revocation is another subject: if the private key is destroyed when you do a full unprovision, there is no real reason to revoke it, because revoking will not free space; it will increase the size of the CRL.

                       I know that everyone has their own administrative policies, but if you want, a script for unprovisioning can be tailored to orchestrate these activities.

                   

                  My two cents!

                  -Bruno Domingues

                  • 6. Re: unprovisionex.exe problem
                    brunodom

                    Hi,

                     

                         If you provisioned your machines using SCCM, this is the debug flow:

                     

                         The correct procedure is using a domain account with PT administrator rights in the ME ACL, using this syntax:

                     

                         UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

                     

                         Based on the response that you got, it can be a Kerberos authentication issue. Are you able to connect to this machine with IE, ignoring the certificate warning? If so, and you get the pop-up to enter username & password, try these settings in your IE:

                         - Configure IE to recognize the intranet vPro machines as being in the "Local Intranet" zone;

                         - In the "Local Intranet" zone > click "Custom Level..." > in "User Authentication", sub-section "Logon", select "Automatic logon with current user name and password";

                         - Make sure that in "Internet Options" > Advanced > "Enable Integrated Windows Authentication" is checked;

                         - And what is most important: you must create this registry key in order to send a Kerberos ticket on a non-80 port, which is our case.

                         Try again to access the machine using IE; ignoring the certificate warning should work... now try again:

                     

                         UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

                     

                         and let us know about your progress.

                     

                    Best Regards!

                    -Bruno Domingues

                    • 7. Re: unprovisionex.exe problem
                      stepland


                       

                      Thanks for your input Bruno, much appreciated.

                      Here is the VBS script I created to run the unprovisionex.exe tool against a list of clients within a txt file. For people that are new to VBS or, like myself, have limited VBS skills, it will save you some time.

                       

                       

                      vbs code

                       

                       

                      Const ForReading = 1

                      ' Replace the two path placeholders below before running
                      Set objFSO = CreateObject("Scripting.FileSystemObject")
                      Set objWSHShell = CreateObject("WScript.Shell")

                      If objFSO.FileExists("enter path to your clients.txt file here") Then
                          Set SearchList = objFSO.OpenTextFile("enter path to your clients.txt file here", ForReading)
                      Else
                          WScript.Echo "Bad input file, exiting"
                          WScript.Quit 1
                      End If

                      ' One short host name per line; blank lines are skipped
                      Do While Not SearchList.AtEndOfStream
                          strSearch = Trim(SearchList.ReadLine)
                          If strSearch <> "" Then
                              ' Full unprovision over TLS as the logged-on user (no -user/-pass)
                              Set oExec = objWSHShell.Exec("enter path to your unprovisionex.exe tool here\unprovisionex.exe -hostname " & strSearch & ".fqdn.ca -tls -full")
                              ' Wait for the tool to exit before moving to the next client
                              Do While oExec.Status = 0
                                  WScript.Sleep 100
                              Loop
                          End If
                      Loop
                      SearchList.Close

                       

                       

                      Thanks

                       

                      Stéphane

                      • 8. Re: unprovisionex.exe problem
                        Meum

                        Thanks for your reply, and sorry for the late response, but I still get the same Unauthorized error message.

                         

                        I had already added the hotfix and the registry tweak, and have also configured IE as you specified.

                        I am able to connect to the client from IE with the address "https://lab7.fqdn:16993". I get an error message regarding the certificate, "There is a problem with this website's security certificate", but am able to click on "Continue to this website (not recommended)".

                        I can now see the "Log On.." button, but am still unable to log on. I have tried with both the MEBx admin user/password and the domain user I specified in SCCM Out of Band Management before provisioning the clients; both logins fail.

                        If I try to unprovision the client I still get the unauthorized message:

                         

                        UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full


                        Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent
                        An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

                         

                         

                        I have tried to manually unprovision a few clients from the BIOS, and that works, and I can confirm that my MEBx password is correct.

                         

                        Any other tricks that might get me going? Would be nice to not have to do it manually on every client in the company.

                        • 9. Re: unprovisionex.exe problem
                          brunodom

                          It looks to be a kerberos issue.

                          Did you try this procedure in order to see if it is not a problem with Kerberos token size? It would be good to see if you have these AMT objects in Active Directory. The easiest way to debug a Kerberos issue is using the WebUI.

                          You mentioned that you faced a certificate error accessing the WebUI; can you see in the certificate details whether the certificate subject name matches the computer name?

                           

                          Best Regards!

                          -Bruno Domingues

                          • 10. Re: unprovisionex.exe problem
                            Meum

                            Hi Bruno,

                             

                            It's like you say, the certificate is the problem. I accidentally provisioned the clients with a wrong certificate, so all the clients got a certificate with the name of the SCCM server, and the certificate subject name does not match the computer.

                            But since I know the username and password for the MEBx account, I thought I would be able to unprovision the clients and ignore the certificate mismatch error.

                            So far the only workaround I have found is to manually unprovision the client from the MEBx BIOS.
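
The certificate subject check discussed in replies 9 and 10, run across a whole client list, as an added example that is not part of the original thread or of any Intel or SCCM tooling. It assumes clients.txt holds one short host name per line and that domain.com is a placeholder DNS suffix; the helper name Get-AmtCertSubject, the parameter names and the report file name are hypothetical.

```powershell
# Added example (not from the thread): list AMT clients whose TLS certificate
# subject does not match their own host name.
param(
    [string]$ClientList = '.\clients.txt',        # assumed: one short host name per line
    [string]$DnsSuffix  = 'domain.com',           # placeholder suffix
    [int]$Port          = 16993,                  # AMT TLS port shown in the thread's output
    [string]$Report     = '.\amt-cert-check.csv'  # hypothetical output file
)

function Get-AmtCertSubject {                     # hypothetical helper name
    param([string]$Fqdn, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Fqdn, $Port)
        # Accept whatever certificate is presented: it is inspected here, not trusted.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($Fqdn)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            # SimpleName resolves to the subject's common name when one is present.
            return $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

Get-Content $ClientList | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
    $name = $_
    $fqdn = "$name.$DnsSuffix"
    $row  = [ordered]@{ Client = $fqdn; CertSubject = $null; Match = $false; Error = $null }
    try {
        $row.CertSubject = Get-AmtCertSubject -Fqdn $fqdn -Port $Port
        # -eq on strings is case-insensitive; accept the FQDN or the short name.
        $row.Match = ($row.CertSubject -eq $fqdn) -or ($row.CertSubject -eq $name)
    } catch {
        # Refused connection, failed handshake or DNS failure: keep the reason.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
} | Export-Csv -NoTypeInformation -Path $Report
```

Rows with Match = False and a CertSubject naming another machine are clients in the state reply 10 describes; rows with an Error value never completed the TLS connection on that port.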