5 Replies Latest reply on Jun 29, 2009 5:16 AM by kin.dim@gmail.com

    Intel AMT Provisioning Error


      Hello All,

      we are trying to test Intel AMT technology with SCCM 2007 R2. The current version on the Lenovo machine M58, which we are using for testing is the following:


      Intel(R) MEInfo Win Version:


      BIOS Version:                5CKT48AUS


      Intel(R) AMT code versions:
              Flash:                       5.1.0
              Netstack:                    5.1.0
              Apps:                        5.1.0
              Intel(R) AMT:                5.1.0
              Sku:                         18462
              VendorID:                    8086
              Build Number:                1167
              Recovery Version:            5.1.0
              Recovery Build Num:          1167
              Legacy Mode:                 False


      Link status:                 Link up
      Cryptography fuse:           Enabled
      Flash protection:            Enabled
      Last reset reason:           Power up
      Setup and Configuration:     Not started
      BIOS Mode:                   Post Boot


      Error: The operation failed due to an internal error.
      FWU Override Counter:        Always
      FWU Override Qualifier:      Always
      FW on Flash Desc Override:   Disable
      Kedron Driver Version:       Not Available
      Kedron HW Version:           Not Available
      UNS Version:       
      LMS Version:       
      HECI Version:      


      We are using internal CA and have entered manually the thumbprint of our Root Test CA. We have tried with different passwords and we are sure that they are the same on both place SCCM and MEBx, but when we are trying to provision the machine we receive the following message:


      >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<<
      Provision target is indicated with SMS resource id. (MachineId = 9 <machine FQDN>)
      Found valid basic machine property for machine id = 9.
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode. 
      The provision mode for device
      <machine FQDN> is 1.   
      Attempting to establish connection with target device using SOAP.  
      Found matched certificate hash in current memory of provisioning certificate   
      Create provisionHelper with (Hash: 7FE17D626D37ACF378A39A93194C4842F80DDE4E)   
      Set credential on provisionHelper...
      Try to use provisioning account to connect target machine
      <machine FQDN>...  
      Fail to connect and get core version of machine
      <machine FQDN> using provisioning account #0.
      Try to use default factory account to connect target machine
      <machine FQDN>...
      Fail to connect and get core version of machine
      <machine FQDN> using default factory account.
      Try to use provisioned account (random generated password) to connect target machine
      <machine FQDN>...
      Fail to connect and get core version of machine
      <machine FQDN> using provisioned account (random generated password).
      Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 9)
      Error: Can NOT establish connection with target device. (MachineId = 9) 
      >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<<


      We have posted this error and on the following MS forum:


      According to discussions there we have prepared a DHCP server with options 6 and 15 and have checked the DNS server for the forward (A) and reverse (PTR) DNS records for the client and ConfigMgr site server. The certificate templates we have prepared according to the following MS guide: http://technet.microsoft.com/en-us/library/cc161804.aspx


      So what we are doing wrong. Can anyone help us in order to solve this problem.


      Thanks in advance.

        • 1. Re: Intel AMT Provisioning Error

          Welcome to the forums and the road to vPro.


          From the logs it looks like your One Time Password is not set properly in the OOB Management Component Config. Since

          you are using a self singed cert, you need to enter the hash for it in the MEBx which you are doing correctly. By default, when

          you first log into the MEBx, the password is admin. You then must change that password after you connect.


          What you need to do is make note of that password and then set it up in the Out Of Band Management.

          To do this, navigate to Site Database>Site Management>%Site Name%>Site Settings>Component Configuration.

          When you go to that node, right click on Out of Band Management, click Properties.

          You will then see Provisioning Settings section in that dialog box. I am going to assume that everything else is set up properly.

          Where you see MEBx Account: it should read "admin" in the box.

          You need to click "Set..." and enter the password that you changed the MEBx PW when you entered your cert hash.


          Let me know if this helps.

          • 2. Re: Intel AMT Provisioning Error

            Hello Johny,


            thank you for you quick response. I have already set up this account, as you already mention i should change the default password in order to input the thumbprint of the certificate. I tried with different passwords, also to reinstall the patch KB94284, but that didn't help me in order to have successfull provisioning. I am wondering if the username for the MEBx is not the default one "admin", how can i see it ? Is there any possibilities for that.


            Thanks in advance for you reply

            • 3. Re: Intel AMT Provisioning Error

              Under "Site Database" -> "Site Management" -> <Site Code> -> "Site Settings" -> "Component Configuration" -> "Out of Band Management" -> "Provisioning Account" Tab, try adding a provisioning account of "admin" with a password of what ever you made the MEBx password.


              --Matt Royer

              • 4. Re: Intel AMT Provisioning Error

                Hello Matt,


                thanks for your answer.

                I already did this but without success.




                • 5. Re: Intel AMT Provisioning Error

                  Hello All,

                  we have found the problem. It appears that the problems came's from nested groups. As soon as we allow permissions for the computer account of the configuration manager server instead of the group we had no problems to make the provisioning.
                  The other problem with the client, which we saw in BIOS was the following:

                  Machine Type: Invalid
                  System Serial Number: Invalid

                  We had to update the BIOS with the boot CD image, downloaded from the manufacturer.

                  After that everything worked as expected.

                  With best Regards