2 Replies Latest reply on Dec 15, 2017 10:36 PM by zachshaver_csit

    Cannot provision Intel AMT 11.x devices?

    zachshaver_csit

      I'm having a problem provisioning Intel AMT 11.x devices.

       

      It's a relatively new setup with SCS. I've been able to provision AMT 7.x and 9.x devices without many problems. I'm using host-based configuration, running "ACUConfig.exe ConfigAMT profile.xml /DecryptionPassword xxxxxxx" to do it.

      For the 7.x and 9.x machines I saw the "Wire support 1 **************" messages in the ACUConfig logs, and the provisioning completed successfully.

       

      With the 11.x machines we just got (ASUS Q270M-C motherboards), when I try to provision them I get an error in the log about the certificate.

       

      2017-12-15 10:51:27:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2017-12-15 10:51:27

      2017-12-15 10:51:27:(INFO) : ACU Configurator, Category: : ACUConfig 11.2.0.35

      2017-12-15 10:51:27:(INFO) : ACU Configurator, Category: -Unknown Operation-: HOSTNAME.FQDN: Starting to configure AMT...

      2017-12-15 10:52:34:(INFO) : ACU Configurator , Category: Information message: Active certificate hashes have the following names: (0xc000005a)

      2017-12-15 10:52:35:(INFO) : ACU Configurator , Category: Information message: Active certificate hashes have the following names: (0xc000005a)

      2017-12-15 10:52:42:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (retry set to = 0)

      2017-12-15 10:52:43:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (RCS not busy.)

      2017-12-15 10:52:43:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (RCS is currently handling = 0 threads)

      2017-12-15 10:52:44:(ERROR) : ACU Configurator , Category: ConfigAMT failed: A call to this function has failed - (0xc000278b) (Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.  (0xc000521f). )

      2017-12-15 10:52:44:(ERROR) : ACU Configurator, Category: Exit: ***********Exit with code 74. Details: Failed to complete the Setup operation on this Intel(R) AMT device.  The status of Intel(R) AMT on the system might have changed. Use the "Status" command to see the current system configuration.  Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

       

      The cert has been added to the PKI configuration in MEBx setup, remote configuration is enabled, etc. I can't figure out what the error is. I've tried enabling verbose logging but that wasn't helpful either. Any ideas would be greatly appreciated.

        • 1. Re: Cannot provision Intel AMT 11.x devices?
          zachshaver_csit

          Just to expand on this some more, the Subject's CN is the FQDN of the server. I used the OU method to identify the cert as AMT; I did not add the extended key usage OID. The cert is sha256, 2048 bit.

          The server cert also has a subject alternative name with a DNS entry (FQDN) and IP address.

           

          The OS on the AMT machines is Windows 10 64-bit; they have the latest management engine installed from ASUS's site with the LMS enabled.

           

          The AMT devices are bound to a domain. The SCS/RCS server is Windows Server 2016, not bound to the domain, using a standalone CA.

           

          Verbose output of the command says:

           

          A call to this function has failed -

          (0xc000278b) (Failed while calling

          WS-Management call

          GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

          0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.

          (0xc000521f). )

           

           

          This worked for 7.x and 9.x systems, so it seems strange that it doesn't work for these other systems.

          • 2. Re: Cannot provision Intel AMT 11.x devices?
            zachshaver_csit

            I figured out the problem and will post my findings so others may benefit.

             

            In this case it was because in the SCS profile creation, it asks to specify a user to use for "contacting the ca and active directory" but it appears the RCS server uses the same credentials to contact the AMT device to perform this wsman query. Because my server and CA are not bound to the domain, the CA credentials don't work to authenticate against the PC. It's strange that this doesn't happen for 7.x or 9.x devices but I'm somewhat of a late entrant so lacking on the history of host-based configurations.

             

            The solution was to create a local admin account temporarily during the provisioning, with matching credentials specified as a local limited user account on the RCS server, and to give it permission to the RCS namespace with RCSUtils.

            Now that user has access to the CA and to the RCS and admin privileges on the AMT device and this error is gone.

            This temporary account was created for provisioning and immediately deleted afterwards on the AMT device. The user account on the server is limited and can be disabled when not in use, or be scripted to be created/deleted with a randomized password as part of a provisioning process initiated by the server.
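
The temporary-account workflow described in the last reply, sketched as a client-side PowerShell script. This is an added example, not code from the thread or from Intel SCS. The account name `amtprov-tmp`, the folder `C:\ACUConfig` and the one-hour expiry are assumptions, and the password is expected to be the same randomized value set on the limited account on the RCS server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): create a short-lived local admin,
# run the ACUConfig command quoted in the first post, and always remove the account.
param(
    [Parameter(Mandatory)] [securestring] $Password,           # must match the limited account on the RCS server
    [Parameter(Mandatory)] [string]       $DecryptionPassword, # profile decryption password, as in the thread
    [string] $UserName = 'amtprov-tmp',                        # hypothetical account name
    [string] $AcuDir   = 'C:\ACUConfig'                        # hypothetical folder with ACUConfig.exe and profile.xml
)
$ErrorActionPreference = 'Stop'

# Refuse to touch an account this script did not create; the cleanup below deletes by name.
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    throw "Local account '$UserName' already exists; choose another name."
}

# Resolve Administrators by its well-known SID so this also works on localized Windows.
$admins   = Get-LocalGroup -SID 'S-1-5-32-544'
$exitCode = 1
try {
    # The expiry is a safety net in case the machine loses power before cleanup runs.
    New-LocalUser -Name $UserName -Password $Password `
        -AccountExpires (Get-Date).AddHours(1) `
        -Description 'Temporary AMT provisioning account' | Out-Null
    Add-LocalGroupMember -Group $admins -Member $UserName

    # Same command line as in the first post.
    & (Join-Path $AcuDir 'ACUConfig.exe') ConfigAMT (Join-Path $AcuDir 'profile.xml') `
        /DecryptionPassword $DecryptionPassword
    $exitCode = $LASTEXITCODE   # the failing run in the thread exited with code 74
}
finally {
    # Runs on success, failure or Ctrl+C, so the admin account never outlives provisioning.
    if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $UserName
    }
}
exit $exitCode
```

Account creation and deletion are recorded in the Windows Security log as events 4720 and 4726 when account-management auditing is enabled, which gives a way to confirm that every provisioning run cleaned up after itself.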