10 Replies Latest reply: Feb 21, 2012 10:30 AM by Meum

unprovisionex.exe problem

stepland Community Member

Hi, I am getting an error while trying to remotely unprovision clients (see attachment).

Can someone advise on what could be the cause/fix?

And also, is there a way I can use this tool to mass unprovision a list of clients automatically and not just one at a time?

Currently my clients are autoprovisioning through SCCM with a 3rd-party cert. I am at about 2350 clients provisioned, but now for some reason about 150 or so out of these 2350 clients (including mine) are showing up in SCCM as detected even though the local client log shows the machine as still being provisioned. Also, all certificates the clients have received through the provisioning process still remain, and so does the associated AMT AD object.

Because of this detected status in SCCM I cannot use the delete provisioning data from the management controller's memory and try a re-provision.

Please advise.

Thanks

  • 1. Re: unprovisionex.exe problem

    Your screenshot shows that you are specifying the admin account credentials. This is not required if the chipset has been configured for TLS comms. Alternatively, remove the -tls option.

    So this should do the trick for SCCM-provisioned clients:

    Unprovisionex.exe -hostname hostname.domain.com -tls -full

    Just make sure you are logged in with a user that was configured with PT admin rights on the chipset.

    Or you can run the command specifying the MEBx account details:

    Unprovisionex.exe -hostname hostname.domain.com -user admin -pass password -full

    To run against a list of computer names in a file called clients.txt, create a batch file that runs:

    for /f %%i in (clients.txt) do unprovisionex.exe -hostname %%i.domain.com -user admin -pass password -full

  • 2. Re: unprovisionex.exe problem
    brunodom Community Member

    Stéphane,

     

         As these machines were provisioned using SCCM, the actual admin password is stored in the SCCM database. In this case, you must use Kerberos authentication (i.e. your logon account) instead of digest authentication (i.e. admin).

         There is a way to do it in mass: try using the ACUConfig.exe that you can find in the SCS 7.1 package and create an SCCM package to execute it locally on each vPro machine that you want to unprovision. I don't know how you defined the ACLs on these vPro machines; it can be a little tricky.

     

    Best Regards!

    -Bruno Domingues

  • 3. Re: unprovisionex.exe problem
    stepland Community Member

    OK thanks, I got this working logged in as myself on a desktop and passing this line to a remote MEBx.

    unprovisionex.exe -hostname hostname.fqdn -tls -full

    But I noticed that it does not remove the AD AMT object and it does not revoke the certificate issued from my CA server.

    This seems normal to me as it seems to just target the MEBx, but is there any way I can automate the AD object and certificate revocation along with this task, like the SCCM task that is available, "Delete Provisioning Data from Management Controller Memory"?

    For the problem I am having with 150 provisioned clients or so, the Delete Provisioning Data from Management Controller Memory option is not there any longer, as they show up with detected status in SCCM even though all the provisioning info is still there.

    So by using unprovisionex it will unprovision the client and it will then get re-provisioned again, and in turn the status in SCCM becomes provisioned again (in this case I don't have to delete the AMT object or revoke the cert).

    But if our service desk needs to rename a PC that has an AMT status of detected and was previously provisioned, they will need to delete the AD account and revoke the cert automatically, like SCCM does for cleanup purposes.

    Please advise if someone has an easy way of doing this in conjunction with the unprovisionex tool.

    Thanks

  • 4. Re: unprovisionex.exe problem
    Meum Community Member

    Hi,

     

    I also got problems with unprovisioning clients. I accidentally provisioned all my clients with the wrong certificate through SCCM, and now I can't connect to them or unprovision them unless I do it manually from the MEBx BIOS.

    I have tried to use the unprovisionex.exe utility, both remotely and locally from the client, but keep getting error messages.

    I have tried the following command parameters:

     

     

    Executed from remote computer:

    UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

     

    ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

    The Intel(R) AMT device, lab7.astrupfearnley.net, is invalid.

     

    and

     

    UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

     

    Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent

    An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

     

    I also tried to specify user and password, both the local admin/pw and the domain user that was granted access during provisioning, but still get the same error message.

    Executed from local computer:

     

    UnprovisionEx.exe -hostname lab7.fqfn -ignoreCert -full

     

    ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16992

    The Intel(R) AMT device, lab7.fqdn, is invalid.

     

    and

     

    UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

     

    ERROR: Unable to connect with the AMT device. No connection could be made because the target machine actively refused it 192.168.205.5:16993

    The Intel(R) AMT device, lab7.fqdn, is invalid.

     

     

    Anyone got a solution for this? Or do I actually have to put on a pair of sneakers and do it the hard way?

     

  • 5. Re: unprovisionex.exe problem
    brunodom Community Member

    Stéphane,

     

         Usually, not removing the AD object and not revoking the certificate is not an operational problem.

         Before I joined Intel, I worked 8 years at Microsoft, mainly with AD deployments, and it is very common to create some kind of procedure to periodically clean up old computer and user accounts not used for a period of time, and you can use anything from VB scripts to utilities like this.

         Certificate revocation is another subject: if the private key is destroyed when you make a full unprovision there is no real reason to revoke it, because revoking will not free space; it will increase the size of the CRL.

         I know that each one has his own administrative policies, but if you want, a script for unprovisioning can be tailored to orchestrate these activities.

     

    My two cents!

    -Bruno Domingues

  • 6. Re: unprovisionex.exe problem
    brunodom Community Member

    Hi,

     

         If you provisioned your machines using SCCM, this is the debug flow:

         The correct procedure is to use a domain account with PT administrator rights in the ME ACL, using this syntax:

         UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

         Based on the response that you got, it can be a Kerberos authentication issue. Are you able to connect to this machine with IE, ignoring the certificate warning? If so, and you get the pop-up to enter username & password, try these settings in your IE:

         - Configure IE to recognize the intranet vPro machines as the "Local Intranet" zone;

         - In the "Local Intranet" zone > click "Custom Level..." > in "User Authentication", subsection "Logon", select "Automatic logon with current user name and password";

         - Make sure that in "Internet Options" > Advanced > "Enable Integrated Windows Authentication" is marked;

         - And what is most important: you must create this registry key in order to send a Kerberos ticket on a non-80 port, which is our case.

         Try again to access the machine using IE; ignoring the certificate warning should work... now try again:

     

         UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full

     

         and let us know about your progress.

     

    Best Regards!

    -Bruno Domingues

  • 7. Re: unprovisionex.exe problem
    stepland Community Member

     

    Thanks for your input, Bruno, much appreciated.

    Here is the VBS script I created to run the unprovisionex.exe tool against a list of clients within a txt file. For people that are new to VBS or, like myself, have limited VBS skills, it will save you some time.

     

     

    vbs code

     

     

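    ' Run unprovisionex.exe against every host name listed in clients.txt (one per line).
    Option Explicit
    Const ForReading = 1
    Dim objFSO, objWSHShell, SearchList, strSearch, oExec

    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWSHShell = CreateObject("WScript.Shell")

    ' Open the client list, or stop if it is missing.
    If objFSO.FileExists("enter path to your clients.txt file here") Then
        Set SearchList = objFSO.OpenTextFile("enter path to your clients.txt file here", ForReading)
    Else
        WScript.Echo "Bad input file, exiting"
        WScript.Quit 1
    End If

    Do While Not SearchList.AtEndOfStream
        strSearch = Trim(SearchList.ReadLine)
        If strSearch <> "" Then
            ' -tls with no -user/-pass: the tool authenticates as the logged-on user.
            Set oExec = objWSHShell.Exec("enter path to your unprovisionex.exe tool here\unprovisionex.exe -hostname " & strSearch & ".fqdn.ca -tls -full")
            ' Wait for this client to finish before starting the next one.
            Do While oExec.Status = 0
                WScript.Sleep 100
            Loop
        End If
    Loop
    SearchList.Close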

     

     

    Thanks

     

    Stéphane
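
A PowerShell variant of the list-driven run above, added here as an example and not part of the original posts or of Intel's tooling. It checks each name before it reaches the command line, relies on the logged-on account (no -user/-pass), and records which of the error texts quoted in this thread each client returned. The tool path, DNS suffix and result file name are assumptions; only flags that appear in the thread are used.

```powershell
# Added example. Assumed values: tool path, DNS suffix, result file name.
$Tool   = 'C:\Tools\UnprovisionEx.exe'   # assumption: where the tool was unpacked
$Suffix = 'domain.com'                   # assumption: DNS suffix of the clients
$List   = '.\clients.txt'                # one short computer name per line

# A single DNS label only, so a stray line cannot smuggle in extra arguments.
$ValidLabel = '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'

function Get-UnprovisionStatus {
    param([string]$Output)
    # Only the error texts quoted in this thread are recognised.
    if ($Output -match 'HTTP status 401')           { return 'Unauthorized' }
    if ($Output -match 'actively refused')          { return 'ConnectionRefused' }
    if ($Output -match 'ERROR:|exception occurred') { return 'OtherError' }
    return 'NoErrorText'
}

$results = foreach ($line in Get-Content -Path $List) {
    $name = $line.Trim()
    if ($name -eq '') { continue }
    if ($name -notmatch $ValidLabel) {
        [pscustomobject]@{ Client = $name; Status = 'SkippedInvalidName' }
        continue
    }
    $fqdn = "$name.$Suffix"
    # No -user/-pass: the tool authenticates as the logged-on account, so no
    # digest password ends up in a script file or a process command line.
    $output = & $Tool -hostname $fqdn -tls -full 2>&1 | Out-String
    [pscustomobject]@{ Client = $fqdn; Status = Get-UnprovisionStatus $output }
}

if ($results) {
    $results | Export-Csv -Path '.\unprovision-results.csv' -NoTypeInformation
    $results | Group-Object Status | Select-Object Name, Count
}
```

NoErrorText only means none of the quoted error strings appeared; confirm the client state in SCCM before treating it as unprovisioned.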

  • 8. Re: unprovisionex.exe problem
    Meum Community Member

    Thanks for your reply, and sorry for the late response, but I still get the same Unauthorized error message.

    I had already added the hotfix and the registry tweak, and have also configured IE as you specified.

    I am able to connect to the client from IE with the address "https://lab7.fqdn:16993". I get an error message regarding the certificate, "There is a problem with this website's security certificate", but am able to click on "Continue to this website (not recommended)".

    I can now see the "Log On.." button, but am still unable to log on. I have tried with both the MEBx admin user/password and the domain user I specified in SCCM Out of Band Management before provisioning the clients; both logins fail.

    If I try to unprovision the client I still get the unauthorized message:

     

    UnprovisionEx.exe -hostname lab7.fqdn -tls -ignoreCert -full


    Unprovisioning (FULL) the system. New provisioning mode: ProvisioningModeCurrent
    An exception occurred while attempting to unprovision (FULL) the system. The request failed with HTTP status 401: Unauthorized.

     

     

    I have tried to manually unprovision a few clients from the BIOS, and that works, and I can confirm that my MEBx password is correct.

     

    Any other tricks that might get me going? Would be nice to not have to do it manually on every client in the company.

  • 9. Re: unprovisionex.exe problem
    brunodom Community Member

    It looks to be a Kerberos issue.

    Did you try this procedure in order to see if it is not a problem with Kerberos token size? It would be good to see if you have these AMT objects in Active Directory. The easiest way to debug a Kerberos issue is using the WebUI.

    You mentioned that you faced a certificate error accessing the WebUI. Can you see in the certificate details if the certificate subject name matches the computer name?

     

    Best Regards!

    -Bruno Domingues

  • 10. Re: unprovisionex.exe problem
    Meum Community Member

    Hi Bruno,

     

    It's like you say: the certificate is the problem. I accidentally provisioned the clients with the wrong certificate, so all the clients got a certificate with the name of the SCCM server, and the certificate subject name does not match the computer.

    But since I know the username and password for the MEBx account I thought I would be able to unprovision the clients and ignore the certificate mismatch error.

    So far the only workaround I have found is to manually unprovision the client from the MEBx BIOS.
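
The subject-name mismatch discussed in replies 9 and 10 can be checked across a client list without opening each WebUI in a browser. The PowerShell below is an added example, not from the original posts: it reads the certificate each client presents on port 16993 and compares its subject common name with the host name. The host names are constructed placeholders.

```powershell
# Added example: list AMT clients whose TLS certificate subject does not match their name.
# Host names below are constructed placeholders; replace them with your own FQDNs.
$Clients = 'lab7.example.test', 'lab8.example.test'

function Get-AmtCertSubject {
    param([string]$HostName, [int]$Port = 16993, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $null }
        $client.EndConnect($pending)
        # Accept any certificate here: the goal is to read it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.GetNameInfo('SimpleName', $false)   # subject common name
    } catch {
        return $null    # refused, unresolved, or TLS handshake failed
    } finally {
        $client.Close()
    }
}

function Test-AmtCertName {
    param([string]$HostName, [string]$Subject)
    if (-not $Subject) { return 'NoCertificateRead' }
    if ($Subject -eq $HostName) { return 'Match' }   # -eq ignores case for strings
    return 'Mismatch'
}

foreach ($fqdn in $Clients) {
    $subject = Get-AmtCertSubject -HostName $fqdn
    [pscustomobject]@{
        Client  = $fqdn
        Subject = $subject
        Result  = Test-AmtCertName -HostName $fqdn -Subject $subject
    }
}
```

NoCertificateRead also covers a failed handshake, for example when the client only offers a TLS version the local machine has disabled.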
