3 Replies Latest reply on Dec 12, 2011 5:46 PM by brunodom

    SCCM provisioning not working for some machines

    hamel_sylvain@hotmail.com

      Hi,

       

      I'm starting the provisioning of vPro with SCCM 2007 R3.  My OOB service point is running Windows 2008 R2 and my provisioning certificate comes from GoDaddy.  I have been able to provision a few machines without problems.  Power On/Off and the OOB console work without problems for those.  However, I have machines that completely refuse to install.

       

      I don't really know what's going on.  Sometimes, I have machines with the same BIOS/ME firmware and driver version, and one is provisioned OK and the other one isn't.  This one is a Dell Optiplex 755.  I'm using the factory default password; those machines were never touched.  I confirm there was no password set.

       

      Here is what I have in the log:  (I changed the name and the IP address in the log for obvious reasons)

       

      Provision target is indicated with SMS resource id. (MachineId = 14262 COOL-STBION22.mydomain.com) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 8460 (0x210C)
      AMT Provision Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 8460 (0x210C)
      AMT Provision Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 8460 (0x210C)
      Start to send a basic machine property creation request to FDM. (MachineId = 14262) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='COOL-STBION22' P2='891300006702BF662377800160DC2C8E5A35C1E81485703C0D5873C11F886E8E3C1BD73981F9D4A189B8C7F71400000042000000480000000366000000000000F2A894B595CA50BA99A9C53B6B325BBF2D2177D6622DC56475CE37130C3B1EFA61AA9A24FA1029354CDA02787D369E13C639E86C63952A05EBB80AC93D72FE9CC065990EA4B3734D0000' P3='COOL-STBION22.mydomain.com' P4='admin' P5='2796BAE63F1801E277261BA0D77770028F20EEE4' SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      CStateMsgReporter::DeliverMessages - Created state message file: E:\SMS\MP\OUTBOXES\StateMsg.box\1nxdcewd.SMX SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      The provision mode for device COOL-STBION22.mydomain.com is 1. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Check target machine (version 5.2.50) is a SCCM support version. (TRUE) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      The IP addresses of the host COOL-STBION22.mydomain.com are 192.168.133.36. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Create provisionHelper with (Hash: B446B640F29567EEB9053557B0C547F7597A7FD6) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Try to use provisioning account to connect target machine COOL-STBION22.mydomain.com... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      **** Error 0x7a1b068 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Fail to connect and get core version of machine COOL-STBION22.mydomain.com using provisioning account #0. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      **** Error 0x7a1b068 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Fail to connect and get core version of machine COOL-STBION22.mydomain.com using provisioning account #1. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Try to use default factory account to connect target machine COOL-STBION22.mydomain.com... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      **** Error 0x7a1b068 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Fail to connect and get core version of machine COOL-STBION22.mydomain.com using default factory account. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Try to use provisioned account (random generated password) to connect target machine COOL-STBION22.mydomain.com... SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Server unexpectedly disconnected when TLS handshaking. SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      **** Error 0x7a1b068 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Fail to connect and get core version of machine COOL-STBION22.mydomain.com using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 14262) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      Error: Can NOT establish connection with target device. (MachineId = 14262) SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)
      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)

       

      What could be the solution?
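
A triage sketch for the log format shown in the post above, added here as an example and not part of the original thread or of SCCM: it groups lines by worker thread into provisioning tasks and marks a task `tls_handshake` when every connection attempt ended in a handshake disconnect, which means the failure happened before any account password was evaluated. The function names and stage labels are assumptions; the sample messages are copied from the posted log.

```python
import re
from collections import Counter

# Line shape in the posted log: "<message> SMS_AMT_OPERATION_MANAGER <date> <time> <AM|PM> <thread> (0x..)"
LINE = re.compile(r"^(?P<msg>.*?)\s+SMS_AMT_OPERATION_MANAGER\s+\S+ \S+ [AP]M\s+(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)$")
TARGET = re.compile(r"^Provision target .*\(MachineId = (\d+) (\S+)\)")
VERSION = re.compile(r"^Check target machine \(version ([\d.]+)\)")

def summarize(log_text):
    """Return one dict per provisioning task; lines are attributed by worker thread id."""
    open_tasks, tasks = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped
        msg, tid = m["msg"], m["tid"]
        if t := TARGET.match(msg):
            open_tasks[tid] = {"machine_id": t[1], "host": t[2], "amt_version": None,
                               "attempts": 0, "tls_disconnects": 0, "stage": "unknown"}
            tasks.append(open_tasks[tid])
            continue
        task = open_tasks.get(tid)
        if task is None:
            continue  # e.g. the "AMT Provision Worker" thread, which owns no task
        if v := VERSION.match(msg):
            task["amt_version"] = v[1]
        elif msg.startswith("Fail to connect and get core version"):
            task["attempts"] += 1
        elif msg.startswith("Server unexpectedly disconnected when TLS handshaking"):
            task["tls_disconnects"] += 1
        elif msg.startswith("Error: Can NOT establish connection"):
            # The handshake precedes authentication, so credentials were never tested.
            all_tls = task["tls_disconnects"] >= task["attempts"] > 0
            task["stage"] = "tls_handshake" if all_tls else "connect_or_auth"
    return tasks

def failures_by_version(tasks):
    """Count failed tasks per (AMT version, stage) to spot firmware-specific patterns."""
    return Counter((t["amt_version"], t["stage"]) for t in tasks if t["stage"] != "unknown")

# Sample input: messages copied from the log in the post, with its line trailer re-attached.
TRAILER = " SMS_AMT_OPERATION_MANAGER 16/11/2011 1:28:51 PM 6064 (0x17B0)"
SAMPLE = "\n".join(m + TRAILER for m in [
    "Provision target is indicated with SMS resource id. (MachineId = 14262 COOL-STBION22.mydomain.com)",
    "Check target machine (version 5.2.50) is a SCCM support version. (TRUE)",
    "Server unexpectedly disconnected when TLS handshaking.",
    "Fail to connect and get core version of machine COOL-STBION22.mydomain.com using default factory account.",
    "Error: Can NOT establish connection with target device. (MachineId = 14262)",
])
```

Run `failures_by_version(summarize(text))` over the full log to see whether the handshake failures cluster on particular AMT versions across the fleet.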

        • 1. Re: SCCM provisioning not working for some machines
          brunodom

          Hi,

           

              I have an idea...

           

               - You said that you are using a Dell Optiplex 755, which is ME 3.x; can you confirm the BIOS version or AMT version? I would strongly recommend you upgrade the BIOS to the A20 version. There was a bug in the earlier firmware version with self-signed certificates that produces the same problem. Upgrade and see if the problem happens... Unfortunately, this problem can happen due to ME provision negotiation with the SCCM OOB component; that is the reason that some work and some don't.

           

          My two cents!

          -Bruno Domingues

          • 2. Re: SCCM provisioning not working for some machines

            Hi,

             

            Thanks for answering.  I did upgrade to the latest firmware available (A20).  It did not make any difference.  Same result.  I tried to force a full un-provisioning from it and still have the same problem.

             

            Btw, I looked and I have the same problem on many different types of machines (HP, Dell) and different AMT versions (AMT 3, 5, 7).  It actually seems that all existing machines that had the SCCM client installed and vPro enabled are not working.  Only newly installed machines or existing machines that did not have the HECI driver installed are working.

             

            Existing machines with the HECI driver already installed for months are not working.  So, to me, it looks like SCCM or something has been disabled over time.  I see there is a task in SCCM called "Reset AMT Computer password" that is enabled.  Is it possible that task is locking something on my AMT machines?  Or has the self-signed certificate expired on the local AMT?  Is there a way to force AMT to recreate that self-signed certificate?

             

            From SCCM, all existing machines end up with AMT Status = 1.  We never used any other tool to provision AMT with vPro; they are all using the factory default password for AMT or an existing password that we have set in the AMT Settings tab of SCCM. I saw some threads suggesting removing the CMOS battery to reset AMT.  I did not try that, as I don't want this as an option for provisioning the 2200 existing computers I have!

             

            Any suggestions?

             

            -Sylvain

            • 3. Re: SCCM provisioning not working for some machines
              brunodom

              Sylvain,

               

                   In order to make provisioning work using SCCM, you must have the HECI driver installed.

                   Are you able to connect to these machines using telnet on 16992 or 16993 from the server? If not, try disabling (only for testing) the Windows Firewall or any AV firewall on both sides, i.e. server and client, and see if you can connect and provision.

                   If the machines are not provisioned yet, there isn't any job in SCCM that can change the configuration in ME; it looks like a GPO is enabling something that is blocking the communication.

               

              Best Regards!

              -Bruno Domingues