6 Replies Latest reply on Aug 16, 2011 3:52 PM by Redstorm

    SCCM 2007 SP2 R3 vPro provisioning issue

    Redstorm

      Hi, we have SCCM 2007 SP2 R3, which will not provision vPro capable clients inband.

       

      Configuration - following http://www.vproexpert.com/sccm_vpro/

       

      Internal 2008 R2 Enterprise CA with a 2048bit root cert (hash entered into the MEBx on clients)

      SCCM AMT Provisioning cert issued and installed on the SCCM server.

      AMT Web Server Certificate created and published on the CA with rights for the SCCM server to enrol and manage certificates

      SCCM Collection for Unprovisioned vPro clients with "Enable automatic out of band management controller provisioning" selected.

      DNS options 06 and 15 configured on the DHCP server,

      DNS reverse lookup zone created and working as expected.

      provisionserver.domain.com published in DNS

      WSMAN translator 1.1 installed and configured, web server cert issued and installed.

      clients can connect to https://sccm.fqdn/wstrans in IE and version 1.1 Build:00582 is displayed. SSL cert chain is OK

       

      2 Test clients

      HP 8460p with AMT 7.1.3

      Lenovo M58 with AMT 5.0.2

       

      SCCM server can resolve the test clients via hostname and fqdn and clients can resolve the sccm server by hostname and fqdn

       

      oobmgmt.log client log

       

      ON SCHEDULE OOBMgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      BEGIN oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      Retrying to activate the device. oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      Resending last OTP oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = 1CDB2B5E52CD8D1AB7A90ACF8414474083A4FE28, RetryCount = 5 oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      Successfully activated the device. oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = 2AD6B6B9C16146CF4F0703C8DC3955FCC50B58B6, AMT Core Version = 7.1.3 oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)
      END oobmgmt 22/07/2011 11:51:10 a.m. 2964 (0x0B94)

       

      amtopmgr.log

       

       

      AMT Discovery Worker: Reading Discovery Instruction C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{2CCA124F-5D58-4187-B8CD-85887CFF4241}.RDC... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames 'DEV0001D', NULL, 'DEV' SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 268 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromCollection: Found machine WL30581 - 10.160.193.11 from Collection DEV0001D. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 269 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromCollection: Found machine WD20078 - 10.160.193.10 from Collection DEV0001D. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Finish reading discovery instruction C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{2CCA124F-5D58-4187-B8CD-85887CFF4241}.RDC SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: There are 4 tasks in pending list SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Send task  to completion port SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      Auto-worker Thread Pool: Current size of the thread pool is 3 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Send task  to completion port SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      Auto-worker Thread Pool: Work thread 3508 started SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 3508 (0x0DB4)
      Auto-worker Thread Pool: Current size of the thread pool is 4 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: 2 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=HOLLYWOOD-DEV SITE=DEV PID=2128 TID=2652 GMTDATE=Thu Jul 21 21:54:46.942 2011 ISTR0="2" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      Auto-worker Thread Pool: Work thread 5980 started SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 5980 (0x175C)
      AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:46 a.m. 2652 (0x0A5C)
      CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 5844 (0x16D4)
      CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.11:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:52 a.m. 4888 (0x1318)
      CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.10:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:53 a.m. 3508 (0x0DB4)
      CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.160.193.11:16992. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:53 a.m. 5980 (0x175C)
      GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)
      CSMSAMTDiscoveryTask::Execute - DDR written to C:\Program Files\Microsoft Configuration Manager\inboxes\auth\ddm.box SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)
      Auto-worker Thread Pool: Succeed to run the task . Remove it from task list. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:54 a.m. 4888 (0x1318)
      GeneralInfo.GetProvisioningState finished with HResult = 0x0, status = 0x0, clientError = 0. SMS_AMT_OPERATION_MANAGER 22/07/2011 9:54:55 a.m. 5980 (0x175C)

       

       

      1. In the training they mention that you can provision by PSK for clients <3.2.1 and also for clients >=3.2.1, however I have also read that with SP2 you can no longer provision >=3.2.1 clients using PSK and can only provision using PKI for these clients - can someone clarify this?

       

      2. On the SCCM server I can Telnet to 16993 on the client but 16992 is closed and not listening. From the log amtopmgr.log it tries to connect to 16992 and obviously fails. Why is it not trying to connect to 16993 via SSL? So inband provisioning never takes place.

       

      3. I have tried unprovisioning the client in MEBx and pulling the CMOS battery to clear the admin password and re-entered our root hash; it still remains unprovisioned.

       

      4. Deleting the clients in SCCM and rediscovering: still no success in getting a single client to provision.

       

      5. Does the CA need the web enrolment component? From the documentation I have read, it is not listed as a requirement for OOBM and SCCM.

       

      Stuck in vPro hell, please help!

        • 1. Re: SCCM 2007 SP2 R3 vPro provisioning issue
          jjcopela

          Sorry to hear you are having trouble getting your systems provisioned!

           

          Just from a quick review of the logs, here are a few things to check / answers to your questions:

           

          1. When using clients >=3.2.1, SCCM will default to PKI provisioning natively. If it sees a provisioning attempt from a system <3.2.1, it will kick the request over to the WSMAN Translator, which will then attempt the provision. So while it is physically possible to provision a system >3.2.1 using PSK, it is unsupported in SCCM.

           

          2. I believe SCCM is having trouble connecting to the client natively, and therefore cannot query AMT for the version number. After it attempts to connect and fails, it kicks it over to the WSMAN translator where it is attempting a connection to 16992.

           

          3. Make sure you are entering the HASH of the ROOT CA of your internal provisioning certificate chain into the MEBx. Also make sure you are entering the user/password (that you just created) into the provisioning settings tab inside SCCM --->Site settings --->component config--->out of band management--->provisioning accounts.

           

          4. Have you tried re-installing the SCCM client agent on the machine? Sometimes after a machine is moved to/from another domain or renamed, a re-install of the client agent helps the provisioning process.

           

          5. You are correct, the CA Web Enrollment component is not needed.

           

          A few more things to check:

          • Make sure you are using a wired connection.
          • Also, because you have changed the MEBx password, make sure you are entering that new password in the SCCM site Settings--->component config--->OOB settings--->provisioning accounts tab.
          • 2. Re: SCCM 2007 SP2 R3 vPro provisioning issue
            Redstorm

            I have had some success,

             

            The Lenovo M58 provisioned on Friday and I can manage it out of band.

            Which is good news, as it means the SSL cert, AD OU and delegation are all working.

             

            One issue is that SOL is not working; this fails with error 0xc (and may be related to Kerberos ticket size), but I have not got to the bottom of that yet.

             

             

            The HP 8460p still will not provision inband. It has an option "Activate Network" in the MEBx that, when turned on, puts it into Admin mode (AMT status reported Admin) where it should be Enterprise.

             

            Our root CA hash is entered into each test machine's MEBx.

             

            I am trying reinstalling the SCCM agent on the HP machine to see if provisioning starts and succeeds.

            • 3. Re: SCCM 2007 SP2 R3 vPro provisioning issue
              Redstorm

              Update - I installed XP on the second client and it got provisioned straight away, so it appears to be related to Windows 7, so we are opening a Premier case to see what MS have to say about it.

              • 4. Re: SCCM 2007 SP2 R3 vPro provisioning issue
                jjcopela

                Good to hear that you got your other machine provisioned!

                 

                I hope you are able to resolve the Windows 7 issue.

                 

                Josh

                • 5. Re: SCCM 2007 SP2 R3 vPro provisioning issue
                  Redstorm

                  Some progress,

                   

                  I have 3 test clients in the lab. I can get all three to provision, but all require manual intervention to get the magic to happen.

                   

                  HP 2560p AMT 7.1.3

                  HP 2760p AMT 7.1.3

                  Lenovo M58p AMT 5.0.2

                   

                  I've been working with Microsoft using the HP 2760p that was fresh and never provisioned before.

                   

                  Steps taken.

                   

                  Imported the machine into SCCM to our OSD collection for initial deployment of our Windows 7 image (build process via PXE).

                  Before building, enter MEBx and enter our Root CA cert hash into the MEBx.

                  Restart to PXE and let the machine build.

                   

                  After the build has finished it has SCCM Client version 4.00.6487.2157 and AMT Status = 0.

                   

                  Ran a Management Controller detection and waited, ran a System Discovery Cycle and waited; eventually the management controller gets detected and Status is set to 2.

                   

                  Update collections so the vPro Unprovissioned collection picks up the machine; this collection is enabled for Automatic OOBM Controller provisioning.

                   

                  Force AMT policy detection cycle by running

                  SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

                   

                   

                  BEGIN   oobmgmt            4/08/2011 10:09:44 a.m.                4804 (0x12C4)
                  Retrying to activate the device. oobmgmt            4/08/2011 10:09:44 a.m.                4804 (0x12C4)
                  New OTP generated       oobmgmt            4/08/2011 10:09:44 a.m.                4804 (0x12C4)
                  Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = B3778F04A73A170405264F4800EE20F9DD7E460A, RetryCount = 0  oobmgmt            4/08/2011 10:09:44 a.m.                4804 (0x12C4)
                  Raising event:
                  [SMS_CodePage(850), SMS_LocaleID(5129)]
                  instance of SMS_OOBMgmt_StartConfig_Success
                  {
                                  ClientID = "GUID:62D2E79C-DC30-410A-8F5F-924201BA38C8";
                                  ConfigurationStartTime = "2011-08-04 10:09:45";
                                  DateTime = "20110803220945.353000+000";
                                  MachineName = "WL02760";
                                  ProcessID = 2280;
                                  SiteCode = "DEV";
                                  ThreadID = 4804;
                  };
                                  oobmgmt            4/08/2011 10:09:45 a.m.                4804 (0x12C4)
                  Successfully activated the device.            oobmgmt            4/08/2011 10:09:45 a.m.                4804 (0x12C4)
                  Upload manufacturing data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, Root Certificate Hash = DA5FBC2E613BF1C25FE7C7250AC78FBB08C57D80, AMT Core Version = 7.1.3       oobmgmt            4/08/2011 10:09:45 a.m.                4804 (0x12C4)
                  END       oobmgmt            4/08/2011 10:09:45 a.m.                4804 (0x12C4)
                  


                  It appears to generate the new OTP and send it to the SCCM server, this is where it starts to fall apart.

                  I would now expect to see in the amtopmgr.log the incoming ResourceID.OTP file dropped in the "C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov" inbox

                   

                  Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker.

                   

                  This OTP file never gets generated.

                   

                  Eventually, to get the machine to provision, I uninstalled the SCCM client using

                   

                  c:\windows\system32\ccmsetup\ccmsetup /uninstall
                  and
                  c:\windows\system32\ccmsetup\ccmsetup /mp:sccm.fqdn SMSSITECODE=DEV


                  After the SCCM client has been re-installed the version is 4.00.6487.2000 (we deploy the R3 client patch as part of our OSD TS).

                   

                  From this point issue another

                  SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

                   

                  In the oobmgmt.log we can see a new OTP generated, and in amtopmgr.log the incoming ResourceID.OTP file; provisioning starts and completes.

                   

                   

                  Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  Found one 'ZTC Provision' task with type 'Machine Resource' and target ID '289' and IP address '0'. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  Target machine 289 is a AMT capable machine. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  Succeed to add new task to pending list. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  AMT Provision Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  AMT Provision Worker: There are 1 tasks in pending list SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  AMT Provision Worker: Send task WL02760.devtranzrail.co.nz to completion port SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  Auto-worker Thread Pool: Current size of the thread pool is 1 SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
                  Auto-worker Thread Pool: Work thread 5428 started SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 5428 (0x1534)
                  >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 5428 (0x1534)
                  
                  
                  


                  From this point I deployed the newer SCCM Client, 4.00.6487.2157.

                  Unprovisioned the machine by deleting the provisioning data using SCCM.

                  Updated my collection so it moved back into the "vPro Unprovissioned" collection.

                  Forced an AMT Policy Detection: SendSchedule.exe {00000000-0000-0000-0000-000000000120} WL02760

                  And the machine generates a new OTP and provisions.

                   

                  So on the surface it does not look like a client version problem.

                   

                  Questions:

                  1. What is the best way to get the AMT Status in SCCM (Discover Management Controllers, System Discovery)?
                  2. When a new OTP is generated, is this the trigger for the "C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\ResourceID.OTP" to be created?
                  3. If OTP generation is the trigger, why would this file fail to be created on the SCCM server?
                  4. Microsoft have said that version 7.1.3 was not around for testing, but it appears to work as I can get them to provision, just not without intervention.
                  5. As the initial provisioning does not take place until removing and reinstalling the client to the older version, is this a potential client issue?
                  6. I would like to hear from anyone that has SCCM 2007 SP2 R3 and AMT 7.1.3 clients that have reliable automatic provisioning happening.

                   

                  At the moment I'm running a test with the R3 Client patch removed from our OSD TS, so the client after OS deployment will be the older one, to see if provisioning will take place without intervention. (Prepared the client by removing provisioning using SCCM, deleting the SCCM record, resetting MEBx to factory defaults and entering our root CA hash back into the MEBx, then PXE booting to deploy the OS afresh.)

                   

                  Any ideas as to why the automatic bit is failing would be greatly appreciated. We also have a case open with MS to help figure out what's going wrong here.

                  • 6. Re: SCCM 2007 SP2 R3 vPro provisioning issue
                    Redstorm

                    The machine we tested with provisioned after 1 week,

                     

                    Every day it would generate a new OTP and send it off to SCCM, which appears to ignore it. Then spontaneously on the Friday it generated the new OTP for the day, and lo and behold SCCM provisioned it.
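
The symptom described in replies 5 and 6 (the client uploads an OTP but no ResourceID.OTP instruction file reaches the provision worker) can be checked by correlating the two logs. The following is an added example, not part of the original thread and not Microsoft tooling; the sample log lines are constructed in the format pasted above, and the 10-minute window and the assumption that both logs use the same local clock are choices to tune for your site.

```python
import re
from datetime import datetime, timedelta

# Entry layout as pasted in the thread:
#   <message> <component> <d/mm/yyyy h:mm:ss a.m.|p.m.> <thread id> (0xHEX)
ENTRY = re.compile(
    r"^(?P<msg>.*?)\s+\S+\s+"
    r"(?P<ts>\d{1,2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]\.m\.)\s+"
    r"\d+\s+\(0x[0-9A-Fa-f]+\)\s*$"
)
OTP_UPLOAD = re.compile(
    r"Upload provisioning data state message sent successfully.*"
    r"OTPHash = ([0-9A-F]{40})"
)
OTP_FILE = re.compile(
    r"Incoming instruction file .*\\prov\\(\d+)\.OTP to Provision Worker"
)


def parse(log_text):
    """Yield (timestamp, message) for each line that ends in the trailer."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # blank lines and multi-line event bodies
        ts = m["ts"].replace("a.m.", "AM").replace("p.m.", "PM")
        yield datetime.strptime(ts, "%d/%m/%Y %I:%M:%S %p"), m["msg"]


def unmatched_otps(client_log, server_log, resource_id,
                   window=timedelta(minutes=10)):
    """Return [(upload_time, otp_hash)] with no <resource_id>.OTP arrival
    in the server log within `window` after the client upload."""
    arrivals = [
        ts for ts, msg in parse(server_log)
        if (m := OTP_FILE.search(msg)) and int(m[1]) == resource_id
    ]
    missing = []
    for ts, msg in parse(client_log):
        m = OTP_UPLOAD.search(msg)
        if m and not any(timedelta(0) <= a - ts <= window for a in arrivals):
            missing.append((ts, m[1]))
    return missing


# Constructed sample data (placeholder hashes, times chosen for the example).
HASH_A, HASH_B = "A1" * 20, "B2" * 20
CLIENT_LOG = f"""\
New OTP generated  oobmgmt  4/08/2011 10:09:44 a.m.  4804 (0x12C4)
Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = {HASH_A}, RetryCount = 0  oobmgmt  4/08/2011 10:09:44 a.m.  4804 (0x12C4)
Upload provisioning data state message sent successfully. TopicType = STATE_TOPICTYPE_AMT_CLIENT_DATA_SYNCHRONIZE, OTPHash = {HASH_B}, RetryCount = 0  oobmgmt  5/08/2011 8:42:10 a.m.  4804 (0x12C4)
"""
SERVER_LOG = r"""
Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\300.OTP to Provision Worker. SMS_AMT_OPERATION_MANAGER 4/08/2011 10:10:02 a.m. 6048 (0x17A0)
Incoming instruction file C:\Program Files\Microsoft Configuration Manager\inboxes\amtopmgr.box\prov\289.OTP to Provision Worker. SMS_AMT_OPERATION_MANAGER 5/08/2011 8:42:16 a.m. 6048 (0x17A0)
"""

if __name__ == "__main__":
    for when, otp in unmatched_otps(CLIENT_LOG, SERVER_LOG, 289):
        print(f"{when:%Y-%m-%d %H:%M:%S}  OTP {otp} never reached the prov inbox")
```

An upload that stays unmatched means the OTP was lost between the client and the site server's prov inbox, which separates that failure from an AMT-side or certificate problem.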