5 Replies. Latest reply: Jul 17, 2012 9:31 PM by teaseler

Can't auto-provision computers via SCCM

teaseler Community Member

Hello Experts - I'm really hoping that someone can help me with this!

Our company is using OOB provisioning via SCCM to enable remote power management at our remote and local sites. SCCM has been configured to provision new computers and has been working fine until recently. We are using Lenovo machines, and I have found that the most recent computers we have been receiving have, for some reason, not been auto-provisioning as required. We have been running with the same model of computer (5205), so nothing has changed there, latest drivers, have tested un-configuring one of the older computers and that auto-reconfigured OK. I have tested configuring other model computers and they work fine. So I don't think it's an issue with the SCCM infrastructure. We are using Go Daddy certificates.

I am getting errors in the amtopmgr.log file like:

>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Provision target is indicated with SMS resource id. (MachineId = 16814 5205S6044VW.domain.com.au) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Found valid basic machine property for machine id = 16814. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

The provision mode for device 5205S6044VW.domain.com.au is 1. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Check target machine (version 6.2.20) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

The IP addresses of the host 5205S6044VW.domain.com.au are 10.64.5.48. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Create provisionHelper with (Hash: C12DE4692395AE1C89701006AD537138AB0BA28F) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Try to use provisioning account to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioning account #0. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:57 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioning account #1. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:58 PM 345124 (0x54424)

Try to use default factory account to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:58 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using default factory account. SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:59 PM 345124 (0x54424)

Try to use provisioned account (random generated password) to connect target machine 5205S6044VW.domain.com.au... SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:59 PM 345124 (0x54424)

Fail to connect and get core version of machine 5205S6044VW.domain.com.au using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16814) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

Error: Can NOT establish connection with target device. (MachineId = 16814) SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/06/2012 12:44:00 PM 345124 (0x54424)

 

 

When the ME BIOS is unconfigured I cannot telnet to the host name via either port 16992 or 16993. If I go into the BIOS and manually configure it, I can then telnet to port 16992 and I can web browse remotely to the AMT device. I have tried disabling and re-enabling AMT several times, and resetting AMT, all with no luck.

I have tried ZTClocalagent -activate and get these errors at the bottom of the log, which I think is a good clue, but I don't know how or what to do from here? I'm hoping someone here can help? I have over 200 computers that need configuring at over 200 sites, and obviously would need to rely on remote configuration.

 

Provisioning TLS Mode:
NOT READY

Failed performing Start Configuration command:
PT_STATUS_INVALID_PT_MODE: Command is not permitted in current operating mode.

Activate Intel AMT configuration:
Failure

  • 1. Re: Can't auto-provision computers via SCCM
    gfuestonx Community Member

    It looks like the MEBx password has been changed and not reflected in SCCM.

    Can you check and see if the password has been changed to one that is not used in SCCM?

  • 2. Re: Can't auto-provision computers via SCCM
    teaseler Community Member

    Hi gfuestonx - I have tried various different things in an attempt to get it working on a test computer. Using the default password, setting a password that is configured in SCCM, resetting everything back to default, none of it works. Other model computers don't have an issue with provisioning straight after imaging has taken place... The previous batch of computers from Lenovo with the same model didn't have an issue with this either. I'm wondering if it could be hardware related..

  • 3. Re: Can't auto-provision computers via SCCM
    gfuestonx Community Member

    Have you tried updating the BIOS and ME firmware?

  • 4. Re: Can't auto-provision computers via SCCM
    teaseler Community Member

    Hi - I have tried updating the ME firmware from 6.0.31 to 6.2.0 but still had no joy. I will try to update the BIOS tomorrow..

  • 5. Re: Can't auto-provision computers via SCCM

    Based on the output of ztclocalagent, it appears this may be a FW problem. To help isolate:

    1. Please download SCS8 here: http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20921

    2. Access the configurator directory and run the following on the client: ACUConfig /output console systemdiscovery.

    3. Paste resulting XML file.

  • 6. Re: Can't auto-provision computers via SCCM
    teaseler Community Member

    Hi Kyle - Thanks for the help. Here is the resulting information in the XML file.

    - -   8.0.0   2012-07-01 23:23:54   8.0.13.27   9BKT41AUS   Corporate; Desktop;   645B4A46-8340-DC5B-409E-5C68315A5CA8   LENOVO   ThinkCentre M90z     Desktop   S6044VW   -   Intel(R) Full AMT Manageability   6.2.20   6.2.20.1035   True -   True   True   True   True   False   False   True   False   True   True   True   True   True   True   -   Enterprise Mode   Pre Provisioning   False   Not Ready   False   VeriSign Class 3 Primary CA-G1, 742c3192e607e424eb4549542be1bbc53e6174e2, Enabled, Default; VeriSign Class 3 Primary CA-G3, 132d0d45534b6997cdb2d5c339e25576609b5cc6, Enabled, Default; Go Daddy Class 2 CA, 2796bae63f1801e277261ba0d77770028f20eee4, Enabled, Default; Comodo AAA CA, d1eb23a46d17d68fd92564c2f1f1601764d8e349, Enabled, Default; Starfield Class 2 CA, ad7e1c28b064ef8f6003402014c3d0e3370eb58a, Enabled, Default; VeriSign Class 3 Primary CA-G2, 85371ca6e550143dce2803471bde3a09e8f8770f, Enabled, Default; VeriSign Class 3 Primary CA-G1.5, a1db6393916f17e4185509400415c70240b0ae6b, Enabled, Default; VeriSign Class 3 Primary CA-G5, 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5, Enabled, Default; GTE CyberTrust Global Root, 97817950d81c9670cc34d809cf794431367ef474, Enabled, Default; Baltimore CyberTrust Root, d4de20d05e66fc53fe1a50882c78db2852cae474, Enabled, Default; Cybertrust Global Root, 5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6, Enabled, Default; Verizon Global Root, 912198eef23dcac40939312fee97dd560bae49b1, Enabled, Default; VeriSign Universal Root CA, 3679ca35668772304d30a5fb873b0fa77bb70d54, Enabled, Default;   True   None   False   True   True   True   False     -   6.0.0.1179   True   domain.com.au   5205S6044VW   Microsoft Windows 7 Enterprise   6.0.30.1202   6.0.0.1202   - -   5205S6044VW   domain.com.au -   10.64.5.48, fe80::91b2:c19c:b10b:68e2   255.255.255.0, 64   True   10.64.65.4   10.64.65.2, 10.64.65.3, 10.14.4.31   10.64.5.1   domain.com.au   5205s6044vw.domain.com.au       - -   True   False   5205S6044VW.domain.com.au   True -   True   True   
04:7D:7B:62:E7:E4   On S0 in AC; On SX in AC; -   0.0.0.0   255.255.255.0   10.64.5.1   10.64.65.2   10.64.65.3       -   True   True   False   -   False   -       

  • 7. Re: Can't auto-provision computers via SCCM
    teaseler Community Member

    Has anyone got any ideas for this?

  • 8. Re: Can't auto-provision computers via SCCM
    teaseler Community Member

    Found an answer to this.

    Basically ran ZTCLocalAgent.exe -activate and found that Zero Touch Configuration was set to disabled by default for these computers and setup and configuration was set to not completed. After much more research through the Intel SDK, found that a setting in the ME BIOS was incorrect. Changed the TLS PKI Remote Configuration to Enabled. Then logged back into the computer and ran ZTCLocalAgent.exe -activate, which had changed the Zero Touch Configuration to enabled, and changed provisioning TLS mode to PKI. SCCM then configured OOB for this computer instantly!!

    I'm glad that it's fixed; however, this is hardly Zero Touch Configuration, and now I have to work out how to deploy this BIOS change remotely to over 200 sites. Can't believe that this setting would be set to disabled in the BIOS, but it's caused a massive headache for me.
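
The triage this thread went through, as an added example that is not from any poster and not part of SCCM or Intel tooling: it summarises each provision task in amtopmgr.log and reads the Provisioning TLS Mode from ZTCLocalAgent output. The sample inputs are shortened from the first post, and the `check_me_state` flag is a heuristic assumed from this thread's outcome.

```python
import re

# Constructed samples: lines shortened from the amtopmgr.log and ZTCLocalAgent
# output quoted in the first post of this thread.
TRAILER = " SMS_AMT_OPERATION_MANAGER 21/06/2012 12:43:56 PM 345124 (0x54424)"
HOST = "5205S6044VW.domain.com.au"
SAMPLE_LOG = "\n".join(l + TRAILER for l in [
    ">>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<",
    f"Provision target is indicated with SMS resource id. (MachineId = 16814 {HOST})",
    "Check target machine (version 6.2.20) is a SCCM support version. (TRUE)",
    f"Fail to connect and get core version of machine {HOST} using provisioning account #0.",
    f"Fail to connect and get core version of machine {HOST} using default factory account.",
    f"Fail to connect and get core version of machine {HOST} using provisioned account (random generated password).",
    "Error: Device internal error. (MachineId = 16814)",
    ">>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<",
])
SAMPLE_ZTC = "Provisioning TLS Mode:\nNOT READY\n\nActivate Intel AMT configuration:\nFailure\n"

TARGET = re.compile(r"\(MachineId = (\d+) (\S+)\)")
VERSION = re.compile(r"Check target machine \(version ([\d.]+)\)")
FAILED = re.compile(r"Fail to connect and get core version of machine \S+ using (.+?)\.(?:\s|$)")

def parse_tasks(log_text):
    tasks, cur = [], None
    for line in log_text.splitlines():
        if "Provision task begin" in line:
            cur = {"machine_id": None, "host": None, "amt_version": None,
                   "failed_accounts": [], "device_internal_error": False}
        elif cur is None:
            continue  # ignore lines outside a begin/end block
        elif "Provision task end" in line:
            # Heuristic from this thread, not an SCCM rule: all credentials failing
            # plus "Device internal error" points at ME state, not a password.
            cur["check_me_state"] = cur["device_internal_error"] and len(cur["failed_accounts"]) >= 3
            tasks.append(cur)
            cur = None
        else:
            if m := TARGET.search(line):
                cur["machine_id"], cur["host"] = int(m.group(1)), m.group(2)
            if m := VERSION.search(line):
                cur["amt_version"] = m.group(1)
            if m := FAILED.search(line):
                cur["failed_accounts"].append(m.group(1))
            cur["device_internal_error"] |= "Error: Device internal error" in line
    return tasks

def ztc_tls_mode(ztc_text):
    # Value printed on the line after "Provisioning TLS Mode:", or None if absent.
    m = re.search(r"Provisioning TLS Mode:\s*\n\s*(.+)", ztc_text)
    return m.group(1).strip() if m else None
```

Hosts flagged `check_me_state` are the ones worth running ZTCLocalAgent on; per the last post, a machine that is ready for SCCM reports the mode as PKI.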
