Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2827 Discussions

AMT vpro with ConfigMgr 2012

idata
Employee
1,692 Views

Hi all,

We have a problem with the Intel AMT VPRO function. This function has always functioned in SCCM 2007. We initiated a migration to SCCM 2012. We created models correpsondants certificate for SCCM 2012. However, failing to accrue machinery, we have opened an incident with Microsoft. Manipulation by Microsoft to solve the problem was to modify the certificate template to use Web UPN. From this point, we actually managed to provision machines.

The problem is, the template that was modified was the certificate template website used by SCCM 2007 and not the 2012 !

Result : 88 machines is still clinging to the old SCCM 2007 infrastructure. Impossible to de provisioning them from the console 2007 or impossible to provision for these machines from the console in 2012! Errors specified stipulate a connection problem related to web use certificate (TLS error).

Microsoft's explanation is: "The certificate housed in the "chip" AMT rejects us with a 401 (Unauthorized). Certificate is a priori wrong following the sharing of infrastructure between template ConfigMgr 2007/2012. Knows ConfigMgr 2007 not exceeded provisioned machines in this scenario "unexpected" as the template that was used was not consistent. this amounts to putting something in a box, which we do not have the key " The only solution found so far is removing the BIOS battery !!

Tools intel UnprovisionEx.exe does not work! -> Error 401. Even specifying a specific certificate in the command line !

# PSexec -i -s -d CMD.exe /k

# UnprovisionEx.exe -hostname Machine_Name -user admin -pass ******** -full -cert XXXX...

0 Kudos
3 Replies
Joseph_O_Intel
Employee
433 Views

Please verify that the user is able to log into the WebUI, if they can't and you get certificat errors please supply a screen shot showing the results.

SCCM 2012 should be using Server TLS and not Mutual TLS. As such switch your provisioning such that the -cert option is removed and that the option to ignore cert errors is enabled.

Let me know how things go.

Joe

0 Kudos
idata
Employee
433 Views

Hello,

Thank for you help !

But we do not have access to the WebUI portal !

We can no longer fast PCs, both with SCCM, or individually by accessing the AMT website !

Best regards,

Mitch

0 Kudos
Joseph_O_Intel
Employee
433 Views

You will need to unprovision these clients, however the script you were using above was incorrect. You need to use a kerberose user, and not the digest user. Use a -krb switch within the command

Also if you are trying to log into the webUI with admin/ combination this will not work as SCCM randomises the password per machine. You will need to login in using a kerberose user.

0 Kudos
Reply