7 Replies Latest reply on Apr 22, 2010 4:29 PM by mveerama

    Yet Another AMT Thread

      Looking for help now; I've been fighting with this for some time. I believe everything is set up correctly because a handful of our AMT-enabled machines are actually provisioned (18 of them). I've got another 43 machines that are simply stuck at detected. These are AMT versions ranging from 3.3.2 to 5.2.10. I am also running WS-MAN Translator for machines that I know we have for AMT firmware versions older than 3.0. We are using a cert from GoDaddy. Like I said, I assume stuff is set up correctly as I had some clients provision correctly, and I have gone over all the SCCM + vPro setup over and over. Below is an example of a client machine failing the provision, from the AMTOPMGR.log:

      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Provision target is indicated with SMS resource id. (MachineId = 992 RDWS14.lonkar.com) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Found valid basic machine property for machine id = 992. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      The provision mode for device RDWS14.lonkar.com is 1. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Check target machine (version 5.2.0) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      The IP addresses of the host RDWS14.lonkar.com are 192.168.26.59. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Create provisionHelper with (Hash: 5DE565FE440C4067BEFAD938A1682BB405242D90) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Try to use default factory account to connect target machine RDWS14.lonkar.com... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      **** Error 0x46babe4 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Fail to connect and get core version of machine RDWS14.lonkar.com using default factory account. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Try to use provisioned account (random generated password) to connect target machine RDWS14.lonkar.com... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      **** Error 0x46babe4 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Fail to connect and get core version of machine RDWS14.lonkar.com using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 992) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      Error: Can NOT establish connection with target device. (MachineId = 992) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)
      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:42:01 AM 1868 (0x074C)

      Another example from a different machine...similar message but different error after the TLS handshake

      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Provision target is indicated with SMS resource id. (MachineId = 1027 LKR108.lonkar.com) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Found valid basic machine property for machine id = 1027. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      The provision mode for device LKR108.lonkar.com is 1. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Check target machine (version 5.0.1) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      The IP addresses of the host LKR108.lonkar.com are 192.168.102.15. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Create provisionHelper with (Hash: 5DE565FE440C4067BEFAD938A1682BB405242D90) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      Try to use default factory account to connect target machine LKR108.lonkar.com... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
      AMT Provision Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 4224 (0x1080)
      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 4224 (0x1080)
      Auto-worker Thread Pool: Current size of the thread pool is 1 SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:05 AM 9344 (0x2480)
      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:05 AM 4224 (0x1080)
      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:05 AM 4224 (0x1080)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
      **** Error 0x3d0b050 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
      Fail to connect and get core version of machine LKR108.lonkar.com using default factory account. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
      Try to use provisioned account (random generated password) to connect target machine LKR108.lonkar.com... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:25 AM 4224 (0x1080)
      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:25 AM 4224 (0x1080)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
      **** Error 0x3d0b050 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
      Fail to connect and get core version of machine LKR108.lonkar.com using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
      Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 1027) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
      Error: Can NOT establish connection with target device. (MachineId = 1027) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)

      single site server, Windows 2008, SCCM 2007R2

      HELP please!!!!
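A triage sketch for the log layout quoted above, added here and not part of the original post or of SCCM: it groups AMTOPMGR.log lines by thread id, because provision-worker lines from other threads interleave with a task, and emits one summary row per provision task. The function name `Get-AmtProvisionSummary` and the sample host are hypothetical; the sample lines are constructed in the same layout.

```powershell
# Constructed sample in the AMTOPMGR.log layout shown above (host name is a placeholder).
$sample = @'
>>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
Provision target is indicated with SMS resource id. (MachineId = 1 PC01.example.test) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
Check target machine (version 5.0.1) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 9288 (0x2448)
AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 21/04/2010 8:49:45 AM 4224 (0x1080)
Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
**** Error 0x3d0b050 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:06 AM 9288 (0x2448)
Error: Can NOT establish connection with target device. (MachineId = 1) SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
>>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 21/04/2010 8:50:27 AM 9288 (0x2448)
'@ -split "`r?`n"

function Get-AmtProvisionSummary {
    param([string[]]$Lines)
    $rx = '^(?<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+\S+\s+\S+\s+[AP]M\s+(?<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$'
    $open = @{}   # thread id -> provision task currently in progress on that thread
    foreach ($line in $Lines) {
        if (-not ($line -match $rx)) { continue }
        $msg = $Matches['msg']; $tid = $Matches['tid']
        if ($msg -match 'Provision task begin') {
            $open[$tid] = [ordered]@{ Thread = $tid; MachineId = $null; Host = $null; Firmware = $null
                                      TlsDisconnects = 0; ErrorCode = $null; Failed = $false }
            continue
        }
        $t = $open[$tid]
        if ($null -eq $t) { continue }   # line from a thread with no open task (worker pool, etc.)
        switch -Regex ($msg) {
            'MachineId = (\d+) (\S+)\)'                        { $t.MachineId = $Matches[1]; $t.Host = $Matches[2] }
            'target machine \(version ([\d.]+)\)'              { $t.Firmware = $Matches[1] }
            'disconnected when TLS handshaking'                { $t.TlsDisconnects += 1 }
            'Error (0x[0-9a-f]+) returned by ApplyControlToken' { $t.ErrorCode = $Matches[1] }
            'Can NOT establish connection'                     { $t.Failed = $true }
            'Provision task end'                               { [pscustomobject]$t; $open.Remove($tid) }
        }
    }
}

Get-AmtProvisionSummary -Lines $sample | Format-Table -AutoSize
```

Against a real log, pass `Get-Content` output for the file as `-Lines`; sorting the rows by `Firmware` makes it easy to compare the stuck machines with the ones that provisioned.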

        • 1. Re: Yet Another AMT Thread
          mveerama

          I am not sure if you are running a non-Microsoft DHCP server.  If you are running a Linux DHCP server, there are several versions of AMT that are impacted by a FW bug.  The FW fix is in the latter versions listed here and the corresponding prior versions are impacted.  Ex: 2.2.x is impacted until 2.2.10.1037, where the fix is provided.

          • 2.2 prior to 2.2.10.1037
          • 2.6 prior to 2.6.20.1044
          • 3.x prior to 3.2.2.1033
          • 4.1 prior to 4.1.3.1031
          • 5.x prior to 5.1

          To work around this problem, please run Activator on these clients and reboot the client.  Make sure you reboot the client after running the Activator utility.  For details on Activator and the syntax, refer to this similar thread:

          http://communities.intel.com/message/68926#68926

          Thanks, Mohan.

          • 2. Re: Yet Another AMT Thread

            I actually got one of the troublesome clients to provision. I had to reset the BIOS and do an unprovision in the AMT firmware. Strange, because these are new machines out of the box. It's unfortunate this has to be done because there are a lot to do. However, I can't log into the web interface on the AMT client https://hostname.domain.com:16993. I get the page and it all looks good, I just can't log into it using any of the accounts I've set up in the OOB component in SCCM. Everything else works; I can connect to the machine using the OOB tools in SCCM. A machine account is created in the OOB Active Directory container...so it seems like everything is working great. This particular client machine is a Windows 7 box. I see that other posts say to confirm the forward and reverse PTR records and that there are no duplicates. However, we have records for IPv4 and IPv6 for this client.....is this the issue?

            • 3. Re: Yet Another AMT Thread
              mveerama

              If OOB Console works and WebUI does not work, you might need a browser fix for this.  First try to connect to WebUI from a Vista/Win7 based machine with IE 7 or above.  You may still need the registry fix listed in KB908209 for your browser.  WebUI is really the simplest, except you need this browser fix and registry change sometimes, depending on the version of the IE browser you are using.

              On a different subject, Activator would have achieved the same result as your local full unprovision in your case.  Are you running a Linux DHCP server?

              • 4. Re: Yet Another AMT Thread

                No, this is a full Microsoft environment. Can I still investigate this "activator" as a workaround to physically visiting each machine? I did see the KB article with regards to IE 6, but assumed it didn't apply since I've tried with IE 8 and Firefox.

                • 5. Re: Yet Another AMT Thread
                  mveerama

                  Yes, Activator can be used remotely as a script instead of local touch.  Try this, but I can't guarantee it will work in your scenario.  Activator has nothing to do with the Linux DHCP bug.  It is just a tool to open a closed AMT port.  Local unprovision also sets AMT to its initial state, so the port is opened for 24 hours again.

                  Although you are using IE 8, you may need the registry fix for WebUI to work.  Try the fix.

                  For 32-bit computers
                  Click Start, click Run, type regedit, and then click OK.
                  In the left pane, locate and then click the following registry subkey:
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl
                  On the Edit menu, point to New, and then click Key.
                  Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
                  On the Edit menu, point to New, and then click DWORD Value.
                  Type iexplore.exe, and then press ENTER.
                  On the Edit menu, click Modify.
                  Type 1 in the Value data box, and then click OK.
                  Exit Registry Editor.

                  For 64-bit computers
                  Click Start, click Run, type regedit, and then click OK.
                  In the left pane, locate and then click the following registry subkey:
                  HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl
                  On the Edit menu, point to New, and then click Key.
                  Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.
                  On the Edit menu, point to New, and then click DWORD Value.
                  Type iexplore.exe, and then press ENTER.
                  On the Edit menu, click Modify.
                  Type 1 in the Value data box, and then click OK.
                  Exit Registry Editor.
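The registry steps above as a script that can be pushed to many consoles instead of clicking through regedit; this is an added example, not part of the original reply or of KB908209. The function name `Set-IeSpnPortFeature` is hypothetical, and the script assumes an elevated PowerShell session whose bitness matches the operating system.

```powershell
# Creates FEATURE_INCLUDE_PORT_IN_SPN_KB908209 and sets iexplore.exe = 1 (DWORD),
# under the 32-bit or 64-bit (WOW6432Node) path exactly as listed in the steps above.
# The value makes Internet Explorer include the port in the service principal name.
function Set-IeSpnPortFeature {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Process = 'iexplore.exe')

    $base = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
    } else {
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
    }
    $key = Join-Path $base 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'

    # Create the feature key only if it is missing, so existing values are not disturbed.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Read the current value (null when absent) so the change is auditable.
    $before = (Get-ItemProperty -Path $key -Name $Process -ErrorAction SilentlyContinue).$Process
    if ($before -ne 1) {
        if ($PSCmdlet.ShouldProcess("$key\$Process", 'Set DWORD value to 1')) {
            New-ItemProperty -Path $key -Name $Process -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }

    $after = (Get-ItemProperty -Path $key -Name $Process -ErrorAction SilentlyContinue).$Process
    [pscustomobject]@{ Key = $key; Name = $Process; Before = $before; After = $after }
}

# Preview first, then apply.
Set-IeSpnPortFeature -WhatIf
Set-IeSpnPortFeature
```

Restart Internet Explorer after applying it; the `Before` column shows whether a machine already had the value.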

                  • 6. Re: Yet Another AMT Thread

                    Believe it or not, the registry fix was the key. Although the web interface is a little underwhelming. lol. I appreciate all your help on this. If you have a quick and dirty on running the Activator to unprovision and set AMT back to default, I'd love to hear it. I'm just going over the Activator user guide now.

                    • 7. Re: Yet Another AMT Thread
                      mveerama

                      Follow the usage scenario given in this link towards the end.  I gave an example here.

                      http://communities.intel.com/message/68926#68926

                      Activator will not unprovision, but it will reopen the port.  Most of the time that's all you would need to do for initiating the provision process.