3 Replies Latest reply on Dec 12, 2012 11:22 AM by Joseph Oster

    AMT vpro with ConfigMgr 2012

    Mitch

      Hi all,

       

      We have a problem with the Intel AMT VPRO function. This function has always functioned in SCCM 2007. We initiated a migration to SCCM 2012. We created the corresponding certificate models for SCCM 2012. However, failing to accrue machinery, we have opened an incident with Microsoft. Manipulation by Microsoft to solve the problem was to modify the certificate template to use Web UPN. From this point, we actually managed to provision machines.

       

      The problem is, the template that was modified was the website certificate template used by SCCM 2007 and not the 2012 one!

      Result: 88 machines are still clinging to the old SCCM 2007 infrastructure. It is impossible to deprovision them from the 2007 console, and impossible to provision these machines from the 2012 console! The errors specified indicate a connection problem related to web use certificate (TLS error).

       

      Microsoft's explanation is: "The certificate housed in the "chip" AMT rejects us with a 401 (Unauthorized). Certificate is a priori wrong following the sharing of infrastructure between template ConfigMgr 2007/2012. Knows ConfigMgr 2007 not exceeded provisioned machines in this scenario "unexpected" as the template that was used was not consistent. This amounts to putting something in a box, which we do not have the key." The only solution found so far is removing the BIOS battery!!

       

      The Intel tool UnprovisionEx.exe does not work! -> Error 401. Even when specifying a specific certificate in the command line!

      # PSexec -i -s -d CMD.exe /k

      # UnprovisionEx.exe -hostname Machine_Name -user admin -pass ********  -full -cert XXXXXXX (Failed 401)

       

      Scenario: To simulate what SCCM tries to ...

      When we try to log on to the web portal of the problematic AMT machines using the correct login and password, we are rejected. If you check the certificate used by the AMT portal, we do see that it is still linked to the old 2007 server. As the web template for SCCM 2007 was amended and SCCM 2012 cannot access this machine, it is unmanageable!!!

       

      If we trigger the provisioning for the SCCM 2012 HASH used is actually not the one expected by the target customer ... (See the screenshot attached to this message) ; Idem from the SCCM console, 2007 model web certificate has been altered by the action of Microsoft (following the opening of the incident)

       

      My question is: Do you have a method (tools, script, etc.) to clear the AMT information from the VPRO chip and/or a method to inject the correct certificate? A method that lets us avoid removing the BIOS battery, knowing that we are dealing with laptops, scattered in nature?

       

      Thank you for your help,

       

      Sincerely,

       

      Mitchawkes

        • 1. Re: AMT vpro with ConfigMgr 2012
          Joseph Oster

          Please verify that the user is able to log into the WebUI. If they can't and you get certificate errors, please supply a screenshot showing the results.

           

          SCCM 2012 should be using Server TLS and not Mutual TLS. As such switch your provisioning such that the -cert option is removed and that the option to ignore cert errors is enabled.

          Let me know how things go.

          Joe

          • 2. Re: AMT vpro with ConfigMgr 2012
            Mitch

            Hello,

             

            Thank you for your help!

             

            But we do not have access to the WebUI portal!

            We can no longer fast PCs, both with SCCM, or individually by accessing the AMT website !

             

            Best regards,

             

            Mitch

            • 3. Re: AMT vpro with ConfigMgr 2012
              Joseph Oster

              You will need to unprovision these clients; however, the script you were using above was incorrect. You need to use a Kerberos user, and not the digest user. Use a -krb switch within the command.

               

              Also, if you are trying to log into the WebUI with the admin/<password> combination, this will not work, as SCCM randomises the password per machine. You will need to log in using a Kerberos user.