7 Replies Latest reply on Jul 20, 2009 12:44 AM by smurfphy

    SCCM In-Band Provisioning


      Hi All,


      I am interested in using SCCM In-Band provisioning; all of the clients that I manage have an SCCM client installed.  Do I still need a PKI infrastructure similar to the one required for Out Of Band provisioning?  I can't seem to find a document that describes the specific requirements for In-Band Provisioning.





        • 1. Re: SCCM In-Band Provisioning



          Whether you are doing in-band or out of band provisioning, the PKI requirements are the same.  You will still need a PKI remote configuration certificate (either generated in-house or from a 3rd party CA like VeriSign or GoDaddy) and a PKI infrastructure to issue the certificates to the provisioned AMT client (used for secure communication).

          Here is the link to Microsoft doc: http://technet.microsoft.com/en-us/library/cc161856.aspx; however, there is OOB configuration you need to do first.


          To get you from ground zero to provisioning,  I would recommend taking a look at the SCCM quick start guide.


          --Matt Royer

          • 2. Re: SCCM In-Band Provisioning

            Hi Matt,


            I have been building up my lab environment, and I have come across a problem.  I am able to get as far as provisioning the client, however I cannot access the OOB management console or power control features.


            My SCCM Server is running Server 2008 Ent Ed 32 bit SP2, and SCCM 2007 R2 SP2.  SP2 for SCCM is currently in beta.  The server is still running IE7.  I am unable to install KB908209.  I have added the registry key associated with KB908209, but it has no effect.


            Can you suggest anything I can try?





            • 3. Re: SCCM In-Band Provisioning



              Are you at least getting prompted for credentials in the IE web interface, or is it not coming up at all?


              Also, go ahead and follow the directions here to enable verbose logging in your OOB console:




              Not that it has anything to do with it, but I'd personally recommend upgrading to IE8.


              Trevor Sullivan

              Systems Engineer

              • 4. Re: SCCM In-Band Provisioning

                Have you ensured you installed all of the required hotfixes: http://communities.intel.com/docs/DOC-1897

                • 5. Re: SCCM In-Band Provisioning

                  If you are running the SCCM SP2 beta, there is no need for the SCCM SP1 hotfixes listed here: http://communities.intel.com/docs/DOC-1897


                  As alluded to by Trevor, I think we need to isolate the issue down to either a PKI or Kerberos issue.  Can you perform Collection based power control or is the issue just isolated to the Out of Band Management Console?  From the "SCCM SP1 / vPro Common Issues and Potential Resolutions" wiki (http://communities.intel.com/docs/DOC-1627)... let's see if we can isolate the problem.


                  Symptom: SCCM provisions a vPro Client successfully, but you are not able to invoke Collection power control operations or the Out of Band Console (does not connect)



                  Potential Root cause(s):


                  • The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.

                  • SCCM was unable to request or issue a Web Server Certificate on behalf of the vPro client during provisioning, or the Web Server Certificate was issued to a different FQDN than the vPro Client.

                    • Verify that you have created the Web Server Certificate template on your Certificate Authority and that your SCCM Primary Site Servers have the appropriate permission. SCCM SP1 Help File Article: "Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161804(TechNet.10).aspx); Section: "Preparing the Web Server Certificates for AMT-Based Computers".

                    • Verify that you have configured the certificate template in the Out of Band Management Properties: General Tab. SCCM SP1 Help File Article: "How to Configure AMT Provisioning" (http://technet.microsoft.com/en-us/library/cc161966(TechNet.10).aspx); Section: "To configure the out of band management component for AMT provisioning"; Steps: 7-8.




                  Symptom: SCCM provisions a vPro Client successfully and you are able to invoke Collection based power operation; however, the Out of Band Console does not connect to the vPro Client.



                  Potential Root cause(s):


                  • The current user logged on to the SCCM Console does not have sufficient rights to perform the desired operation.

                    • Verify that the user you are logged on with is listed or in a Kerberos group that is listed in the AMT User Account list. SCCM SP1 Help File Article: "How to Configure AMT Settings and AMT User Accounts" (http://technet.microsoft.com/en-us/library/cc161918(TechNet.10).aspx); Section: "To configure AMT settings and AMT User Accounts".

                  • SCCM has not been granted full control permissions on the out of band management OU.

                    • Verify that the SCCM Primary Site Servers have been granted full control permissions on the out of band management OU. SCCM SP1 Help File Article: "How to Prepare Active Directory Domain Services for Out of Band Management" (http://technet.microsoft.com/en-us/library/cc161814(TechNet.10).aspx)

                  • Active Directory computer object that was created for the AMT device was overwritten or deleted

                  • Kerberos User not being successfully added when provisioning 2.x AMT client and the AMTOPMGR.log is giving the following error:
                    Add ACLs..
                    ERROR: Invoke(invoke) failed: 80020009argnum = 0
                    Description: The WinRM client cannot process the request. The destination computer returned an empty response to the request
                    Error: failed to Add User Acl
                    Error: CSMSAMAMTProvTask::StartProvision Fail to call AMTWSManUtilities::AddACLs

                    • The Add user ACL fails on 2.x systems if ALL the realms are checked including the PT Admin realm in . Treat the PT Admin Realm as mutually exclusive with all the other realms. Verify that none of your Out of Band Component - AMT Settings - AMT User Accounts have PT Admin Realm selected with any other realm

                  --Matt Royer

                  • 6. Re: SCCM In-Band Provisioning

                    Here is an update on this problem...


                    I am still able to get the PC to become provisioned in the SCCM console, however I still can’t control any power settings.


                    I have confirmed I am logging in with an account specified in the AMT settings.


                    I am, however, getting certificate errors when I attempt to browse to the computer via IE on the SCCM Server.  See attached Screenshot.  Also I am getting the following errors in the AMTopmgr.log.


                    Error: Failed to get CIM_AssociatedPowerManagementService instance.~  $$<SMS_AMT_OPERATION_MANAGER><Sun Jul 19 22:40:52.660 2009 E. Australia Standard Time><thread=3424 (0xD60)>

                    AMT Operation Worker: AMT machine SGH85203MZ.demo.lab can't be power off. Error code: 0x80072F8F


                    I may upgrade to IE8 on the SCCM server to see if it has any impact.


                    • 7. Re: SCCM In-Band Provisioning

                      Ok, Got it working.  My problem is that I had the wrong certificate specified on the OOB Management configuration.  I had specified AMT Provisioning Cert instead of the ConfigMgr AMT Web Server Certificate.  No wonder that the client couldn't receive the correct cert.


                      Thanks to those who helped me out.
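
Added example (not part of the thread and not SCCM's or Intel's own tooling): a PowerShell check for the two certificate conditions this thread turned on, the FQDN mismatch listed in reply 5 and the wrong template found in reply 7. The function names and the site server name `sccm01.demo.lab` are hypothetical; port 16993 is the AMT TLS port, the two OIDs are the standard Server Authentication EKU and Intel's AMT provisioning application policy, and the in-memory sample certificate needs .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth
$AmtProvisionOid = '2.16.840.1.113741.1.2.3'  # Intel AMT provisioning application policy

function Get-AmtTlsCertificate {
    # Reads the certificate served on the AMT TLS port without trusting it.
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 16993)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($Fqdn, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Fqdn)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-AmtWebServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $names = 'SimpleName', 'DnsName' | ForEach-Object { $Certificate.GetNameInfo($_, $false) }
    $ekus  = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        FqdnMatches        = ($names -contains $ExpectedFqdn)    # -contains is case-insensitive
        HasServerAuth      = ($ekus -contains $ServerAuthOid)
        HasProvisioningOid = ($ekus -contains $AmtProvisionOid)  # hints the provisioning template was used
    }
}

# Constructed sample (offline): a self-signed stand-in for a certificate issued to the
# wrong name and carrying the provisioning policy. 'sccm01.demo.lab' is hypothetical.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=sccm01.demo.lab', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$oids = [System.Security.Cryptography.OidCollection]::new()
$ServerAuthOid, $AmtProvisionOid | ForEach-Object { [void]$oids.Add([System.Security.Cryptography.Oid]::new($_)) }
$req.CertificateExtensions.Add(
    [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($oids, $false))
$now    = [DateTimeOffset]::Now
$sample = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))
Test-AmtWebServerCertificate -Certificate $sample -ExpectedFqdn 'SGH85203MZ.demo.lab'
# Live: Test-AmtWebServerCertificate -Certificate (Get-AmtTlsCertificate 'SGH85203MZ.demo.lab') -ExpectedFqdn 'SGH85203MZ.demo.lab'
```

A correctly issued web server certificate should report `FqdnMatches` true for the AMT client's own FQDN; the issuer and subject fields show which CA and name the site server actually requested.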