We are in the process of in-band provisioning ~50 vPro clients (HP dc7900 Ultra Slim Desktop) using SCCM SP1, but we are having problems.
The AmtOpMgr.log shows the following failure on every client:
SecurityAdministration.SetTlsEnabled finished with HResult = 0x80004005, status = 0x0, clientError = 10.~ ...
Error: Failed to finish critical setup and configuration step. (pProvisionHelper->SetTlsEnabled) ...
Error: Can't finish provision on AMT device WS106.maklerzentrum.ch with configuration code (30)! ...
(The complete log for this machine is attached)
What we have done so far:
- Requested a Provisioning-Certificate from Verisign (this is the content of the subject-field):
CN = srv-hq-1.mydomain.ch
OU = Intel(R) Client Setup Certificate
O = MyCompany
L = Basel
S = Basel-Stadt
C = CH
- The Verisign-Certificate was requested and installed using IIS 7. On export, the option "Include all certificates in the certification path..." was selected. The intermediate and root certificate of VeriSign are valid and installed in the local certificate store.
- We set up a Windows Server 2008 Enterprise CA and configured it according to the TechNet Documentation and Intel Quickstart Install Guide 1.9.
- The CA lists issued certificates for all clients that tried provisioning (this is the content of the subject field):
CN = WS106.mydomain.ch
CN = WS106
CN = WS106$iME
CN = Device (UUID: 3E061647-F28E-11DD-BBDA-7D1DFF970023)
- The internal CA-Certificate is listed under "Trusted Root Certification Authorities".
- The Computer objects in the AD are created in the OU assigned in SCCM (so the permissions for the Site-Server are set correctly on the OU)
- DHCP Options 6 and 15 are set correctly (6 to the AD DNS Server, 15 to mydomain.ch)
- The HECI Driver is installed, SCCM reports the AMT Version as "5.0.1" and AMT Status as "Not supported"
- The WS-MAN Translator is NOT installed (and has never been)
- No one ever accessed the MEBx locally
- The Ports 9971 and 16992-15995 are opened on the clients' firewall (OS is Vista Enterprise SP1)
- The SCCM is a single site system, all roles (except some branch distribution points and the site database) are on the same server.
- The iAMT-Scan-Tool lists the AMT Setup Status as "In process" (see the attachment)
Does anyone have an idea what is wrong here?
Best Regards and thanks in advance