14 Replies Latest reply on Nov 25, 2014 12:56 PM by brunodom

    Configuration Failed during provisioning

    adovb

      Hi,

      We started deployment of Intel vPro technology via GPO:

      client computers were never provisioned before, some of them in secured networks.

      The following command is used:

      ACUConfig.exe /verbose /lowsecurity ConfigViaRCSOnly 192.168.253.35 ProfileMain  /WMIuser domain\rcsuser /WMIuserpassword password

       

      As a result, 60 of 490 clients have the status "Configuration Failed":

      Problem AMT versions:

       

      AMT 5

      5.0.2 anyone of successfully configured client.(~30)

      Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

       

      AMT6/7

      6.0.3/6.1.1/7.1.13: the rest of the computers have the status "Configuration Failed":

      Initial connection to the Intel(R) AMT device failed. Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

       

       

      Questions:

      about AMT5

      What should I do with clients with AMT version 5.0.2? I suppose the issue is with the AMT version.

      about 6/7

      What are the network requirements for client and server (protocols/ports) for this kind of deployment? It might be some core firewall misconfiguration (routes, rules...). I didn't find the network requirements in the deployment guide.

        • 1. Re: Configuration Failed during provisioning
          Alan Alderson

          adovb,

           

          To help with diagnosing these issues please do the following.

           

          • On one of the AMT 5 systems update the BIOS and ME firmware to the latest available.

           

          • For the AMT 6 and 7 systems, can you confirm you're using DHCP?

           

          • 2. Re: Configuration Failed during provisioning
            ErhanArda

            Hi all,

             

            I have the same problem.

             

            Is there any solution?

            • 3. Re: Configuration Failed during provisioning
              brunodom

              There may be several reasons for this issue. The first thing to start with is to define: which AMT versions are failing, what error message are you seeing, are you using a 3rd party certificate? Which one? Can you share a little more about your environment?

              BTW: GPO is not recommended for vPro provisioning.

               

              Best Regards!

              -Bruno Domingues

              • 4. Re: Configuration Failed during provisioning
                ErhanArda

                Hi Bruno,

                Thank you for your interest. I have 5 different PC models, and I get different types of errors. All my computers have static IP addresses.


                C:\Configuration\AMT\Remote Configuration Files>ACUConfig.exe /lowsecurity /verbose /output console ConfigViaRCSOnly amtsrv01.cb.testbank.com.tr rconfig-basic /WMIUser cb\amtadmin /WMIUserPassword P@ssw0rd
                Starting log 2014-11-21 10:15:06
                Set compatibility mode to 9.0.
                Connected to the Intel(R) Management Engine Interface driver, version
                9.5.15.1730
                Intel(R) AMT  in PROVISIONING_MODE_ENTERPRISE
                Calling function Discovery...
                Calling function GetLocalSystemAccount over MEI...
                Connected to the Intel(R) Management Engine Interface driver, version
                9.5.15.1730
                Function GetLocalSystemAccount over MEI ended successfully
                Host Based Setup is supported
                Current Control Mode: 0 (Not provisioned)
                Allowed Control Modes: 2 (Admin) and  1 (Client)
                Function Discovery ended successfully
                GetHostAndMEInfo output data:
                        IsAMT:True,
                        isAmtCapable:False,
                        isEnterpriseMode:True,
                        configurationMode:0,
                        isRemoteConfigEnabled:True,
                        AMTversion:9.0.20,
                        isMobile:False,
                        provisioningTlsMode:2,
                        uuid:1258C380-B86D-11E3-A91C-F0921CF686AC,
                        isClientConfigEnabled:True,
                        hostBasedSupport:True,
                        configurationState:0,
                        FQDN:,
                        embeddedConfigurationAllowed:False.
                        isLANLessPlatform:False.
                        PKIDNSSuffix: Empty.
                :Starting Remote configuration...
                ***** Start RemoteConfiguration ******

                ***** Start StartConfigurationInt ******

                Connected to the Intel(R) Management Engine Interface driver, version
                9.5.15.1730
                Active certificate hashes have the following names:
                (0xc000005a)
                15
                VeriSign Class 3 Primary CA-G1
                VeriSign Class 3 Primary CA-G3
                Go Daddy Class 2 CA
                Comodo AAA CA
                Starfield Class 2 CA
                VeriSign Class 3 Primary CA-G2
                VeriSign Class 3 Primary CA-G1.5
                VeriSign Class 3 Primary CA-G5
                GTE CyberTrust Global Root
                Baltimore CyberTrust Root
                Cybertrust Global Root
                Verizon Global Root
                Entrust.net CA (2048)
                Entrust Root CA
                VeriSign Universal Root CA
                Activate Intel(R) AMT configuration:
                (0xc0000050) (Success.
                )
                Waiting for FW to move to In-Provision state(0)...
                The Start configuration operation completed successfully.

                ***** END StartConfigurationInt ******

                RCSaddress=amtsrv01.cb.testbank.com.tr, RCSWMIUser=cb\amtadmin, RCSProfileName=rconfig-basic
                SGW-34-182-222.cb.testbank.com.tr
                RCSaddress=amtsrv01.cb.testbank.com.tr, RCSWMIUser=cb\amtadmin, UUID=1258C380-B86D-11E3-A91C-F0921CF686AC, ConfigMode=2, PID=, RCSProfileName=rconfig-basic, AMTVersion=9.0.20, OldADOU=, Configure AMT Name= True. Configure AMT IPv4= True. Source For AMT Name= Host Name- SGW-34-182-222 Domain Name- cb.testbank.com.tr . Default OS Name= Host Name- SGW-34-182-222 Domain Name- cb.testbank.com.tr . Host Static IPv4= IPv4 Address- 10.100.182.222 IPv4 SubNet- 255.255.255.0 IPv4 Gateway- 10.100.182.1 IPv4 Primary DNS- 10.12.12.60 IPv4 Secondary DNS- 10.12.12.70 . Host IPv4= IPv4 Address- 10.100.182.222 IPv4 SubNet- 255.255.255.0 IPv4 Gateway- 10.100.182.1 IPv4 Primary DNS- 10.12.12.60 IPv4 Secondary DNS- 10.12.12.70 . Configure AMT IPv4 to DHCP mode= False.
                ***** END RemoteConfiguration ******

                ***********

                Exit with code
                75.
                Details: Failed to complete remote configuration of this Intel(R) AMT device.
                Initial connection to the Intel(R) AMT device failed.
                Failed while calling
                WS-Management call
                GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
                0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

                • 5. Re: Configuration Failed during provisioning
                  Igor_Terlevic

                  Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

                  I had the same problem.

                  We're using our custom certificate, so there is no valid root certificate hash in the Intel MEBx on the system you want to provision.

                  After I added our root cert hash (thumbprint) via Ctrl+P while booting, it started provisioning successfully.

                  I'm still looking for a way to insert the root cert hash remotely.

                   

                  Regards,

                  Igor

                  • 6. Re: Configuration Failed during provisioning
                    brunodom

                    I noted that you are using the "ConfigViaRCSOnly" parameter; it means that you are provisioning using the PKI provisioning method, right? In this case, you should use DHCP instead of static IP; at least the ME must receive the DNS suffix (i.e. option 15) through DHCP in order to validate the certificate.

                    Also, another point that often happens during provisioning: Windows Firewall usually drops connections from Intel SCS to AMT on ports 16992/16993. Can you check whether you are able to telnet from Intel SCS to these ports? If not, you must create an exception rule to allow it.

                     

                    Best Regards!

                    -Bruno Domingues

                    • 7. Re: Configuration Failed during provisioning
                      ErhanArda

                      Hi Igor,

                       

                      I have bought a certificate from Comodo. I think there is no way to add the hash remotely.

                       

                      Best Regards,

                      • 8. Re: Configuration Failed during provisioning
                        brunodom

                        Igor,

                         

                        Unfortunately, for security reasons you can't inject a root certificate into the ME trusted list remotely, but you can do it using a USB key; see further details in this usage case: https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=20979&lang=eng&OSVersion=&DownloadType=

                         

                        Best Regards!

                        -Bruno Domingues

                        • 9. Re: Configuration Failed during provisioning
                          ErhanArda

                          Hi Bruno,

                          There is no firewall between SCS and the client computer. I tried to configure the client with the ACU Wizard. After client mode configuration I tried again with Configurator.exe and the configuration was successful. But this time I have to start the ACU Wizard manually.

                          • 10. Re: Configuration Failed during provisioning
                            brunodom

                            From the log that you sent, I understand that you are trying PKI provisioning, i.e. you have a 3rd party certificate, right? So, in order to make it work and based on your scenario, DHCP is a requirement for certificate validation and to allow PKI provisioning. Also, by doing the telnet test you can make sure that there is no issue on either side, not only in between.

                             

                            If you are not using PKI provisioning, you can export your profile from RCS and use this command line to provision:

                            ACUConfig.exe /output console /verbose ConfigAMT <path and name of profile> /DecryptionPassword <password> /AbortOnFailure

                             

                            Best Regards!

                            -Bruno Domingues

                            • 11. Re: Configuration Failed during provisioning
                              ErhanArda

                              Yes, I have a certificate from Comodo.

                              What exactly do I have to do to provision static IP AMT clients?

                              Best Regards,

                              • 12. Re: Configuration Failed during provisioning
                                brunodom

                                OK, you can't configure vPro using a certificate (i.e. PKI mode) without DHCP; you must have a DHCP server working in your network that delivers your DNS suffix (i.e. option 15), and it must match the certificate that you acquired from Comodo. If you have it, you can use static IP. If you don't have DHCP with this option, or your DNS suffix doesn't match your certificate, you have to use Host Based Configuration.

                                 

                                The biggest difference between HBC and PKI is that with PKI you can control the vPro machines without user consent, while with HBC the user must consent to allow control over the vPro machine.

                                 

                                Best Regards!

                                -Bruno Domingues

                                • 13. Re: Configuration Failed during provisioning
                                  ErhanArda

                                  Hi Bruno,

                                   

                                  I managed to configure some remote machines with the HBC method. But user consent is not undesirable for me. What are the minimal settings on DHCP and the SCS profile? We want to use static IPs on host operating systems.

                                   

                                  Best Regards,

                                  • 14. Re: Configuration Failed during provisioning
                                    brunodom

                                    Basically, what you need in DHCP is to define the DNS suffix - DNS option 15 - that matches your domain, and in the profile select this option:

                                    Screenshot 2014-09-09 14.23.15.png

                                    It should work; I already tested this scenario and it worked pretty well.

                                     

                                    Best Regards!

                                    -Bruno Domingues
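
The checks suggested across the replies (TCP reachability of ports 16992/16993 instead of a manual telnet test, and DHCP option 15 for PKI provisioning of a static-IP host) can be scripted. The following Python is an added example, not part of the thread or of Intel SCS; the sample output is constructed from the messages quoted above, the host name and address are placeholders, and the suffix-matching rule is a simplifying assumption.

```python
import re
import socket

AMT_PORTS = (16992, 16993)  # ports named in reply 6

def parse_acu_output(text):
    """Pull the fields this thread's diagnosis relies on out of ACUConfig output."""
    err = re.search(r"connection error\s+(0x[0-9a-fA-F]{8})", text)
    return {
        "error": err.group(1).lower() if err else None,
        "pki_method": "ConfigViaRCSOnly" in text,
        "amt_static_ip": "DHCP mode= False" in text,
    }

def triage(info):
    """Map parsed fields to the checks suggested in the replies."""
    checks = []
    if info["error"] == "0xc000521c":
        checks.append("tcp: test ports 16992/16993 from the SCS server; check host firewall")
    if info["error"] == "0xc000521f":
        checks.append("ssl: confirm the root cert hash is trusted by the ME; check credentials")
    if info["pki_method"] and info["amt_static_ip"]:
        checks.append("dhcp: ME needs the DNS suffix (option 15) from DHCP for PKI")
    return checks

def suffix_matches(cert_cn, dhcp_suffix):
    """Assumed rule: cert CN equals the option 15 suffix or is a host inside it."""
    cn, suffix = cert_cn.lower().rstrip("."), dhcp_suffix.lower().strip(".")
    return bool(suffix) and (cn == suffix or cn.endswith("." + suffix))

def port_open(host, port, timeout=3.0):
    """TCP connect test, the scripted equivalent of the telnet check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample, shortened from the output quoted in reply 4
SAMPLE = """ACUConfig.exe /lowsecurity /verbose ConfigViaRCSOnly rcs.example.test profile
Configure AMT IPv4 to DHCP mode= False.
GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error
0xc000521c: A TCP error occurred."""

if __name__ == "__main__":
    for check in triage(parse_acu_output(SAMPLE)):
        print(check)
    for port in AMT_PORTS:
        print(port, port_open("192.0.2.10", port, timeout=1.0))  # placeholder address
```

Run the port test from the SCS server toward a failing client, since that is the direction of the connection that reports 0xc000521c.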