1 Reply Latest reply on Oct 17, 2014 3:00 AM by TKremer

    vPro Provisioning issues in SCCM 2012 R2

    Fraeco

      Hi!

       

      I work as a sysadmin for my company. Some time ago we decided to switch to Intel NUC systems for our workstations. They're small, affordable and fast. What's there not to like.

       

      We also have an SCCM 2012  R2 in place and for the past few days I've been trying to get vPro/AMT/Out of Band management to work. To no great success I might add.

       

      I followed Microsoft's howto on OoB that can be found here: http://technet.microsoft.com/en-us/library/gg712319.aspx

      I was able to setup and configure the the OoB managment point but the provisioning isn't happening.

      This is an excerpt from my atmopmgr.log on the SCCM machine.

       

      >>>>>>>>>>>>>>>Provision task (In Band Provision) begin<<<<<<<<<<<<<<<6684 (0x1A1C)
      Provision target is indicated with SMS resource id. (MachineId = 16777232 W0009.my.company.com)6684 (0x1A1C)
      Found valid basic machine property for machine id = 16777232.6684 (0x1A1C)
      Warning: Currently we don't support mutual auth. Change to TLS server auth mode.6684 (0x1A1C)
      The provision mode for device W0009.my.company.com is 1.6684 (0x1A1C)
      AMT Provision Worker: 1 task(s) are in the pending list.7360 (0x1CC0)
      The IP addresses of the host W0009.my.company.com are 10.1.1.21.6684 (0x1A1C)
      Root hash of provisioning certificate is MYROOTPROVHASH.6684 (0x1A1C)
      Attempting to establish connection with target device using SOAP.6684 (0x1A1C)
      Create provisionHelper with (Hash: MYROOTPROVHELPERHASH)6684 (0x1A1C)
      Set credential on provisionHelper...6684 (0x1A1C)
      Try to use provisioning account to connect target machine 10.1.1.21...6684 (0x1A1C)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine 10.1.1.21 using provisioning account #0.6684 (0x1A1C)
      Try to use default factory account to connect target machine 10.1.1.21...6684 (0x1A1C)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine 10.1.1.21 using default factory account.6684 (0x1A1C)
      Try to use provisioned account (random generated password) to connect target machine 10.1.1.21...6684 (0x1A1C)
      AMT Provision Worker: There are 2 tasks in pending list7360 (0x1CC0)
      AMT Provision Worker: Wait 15 seconds...7360 (0x1CC0)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine 10.1.1.21 using provisioned account (random generated password).6684 (0x1A1C)
      Error: Device internal error. This may be caused by: 1. Incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 2. Provisioning certificate's root hash is not in AMT firmware's root certificate trust list. 3. Provisioning certificate is not configured with SHA1RSA as signature algorithm or 1024 or 2048 bits as public key length. It might not be able to provision some versions of AMT machine. 4. AMT firmware self signed certificate issue(date zero). 5. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 6. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16777232)6684 (0x1A1C)
      Error: Can NOT establish connection with target device. (MachineId = 16777232)6684 (0x1A1C)
      Use FQDN to try again6684 (0x1A1C)
      Root hash of provisioning certificate is MYROOTPROVHASH.6684 (0x1A1C)
      Attempting to establish connection with target device using SOAP.6684 (0x1A1C)
      Create provisionHelper with (Hash: MYROOTPROVHELPERHASH)6684 (0x1A1C)
      Set credential on provisionHelper...6684 (0x1A1C)
      Try to use provisioning account to connect target machine W0009.my.company.com...6684 (0x1A1C)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine W0009.my.company.com using provisioning account #0.6684 (0x1A1C)
      Try to use default factory account to connect target machine W0009.my.company.com...6684 (0x1A1C)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine W0009.my.company.com using default factory account.6684 (0x1A1C)
      Try to use provisioned account (random generated password) to connect target machine W0009.my.company.com...6684 (0x1A1C)
      Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.6684 (0x1A1C)
      Fail to connect and get core version of machine W0009.my.company.com using provisioned account (random generated password).6684 (0x1A1C)
      Error: Device internal error. This may be caused by: 1. Incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 2. Provisioning certificate's root hash is not in AMT firmware's root certificate trust list. 3. Provisioning certificate is not configured with SHA1RSA as signature algorithm or 1024 or 2048 bits as public key length. It might not be able to provision some versions of AMT machine. 4. AMT firmware self signed certificate issue(date zero). 5. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 6. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. (MachineId = 16777232)6684 (0x1A1C)
      Error: Can NOT establish connection with target device. (MachineId = 16777232)6684 (0x1A1C)
      CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=13 MUF=0 PCNT=1, P1='W0009.my.company.com' P2='' P3='' P4='' P5=''6684 (0x1A1C)
      CStateMsgReporter::DeliverMessages - Created state message file: D:\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\f4jqjxf1.SMX6684 (0x1A1C)
      >>>>>>>>>>>>>>>Provision task (In Band Provision) end<<<<<<<<<<<<<<<6684 (0x1A1C)

       

      The created AD OU is being filled with <COMPUTERNAME>$iME objects.

      The clients are in my normal DHCP scopes and these have options 6 and 15 configured.

      I'm using a certificate issued by DigiCert as AMT Provisioning certificate. According to DigiCert their root CA's are in the store. How can I verify this?

      The AMT Provisioning certificate was signed using these parameters: Intel(R) AMT SDK Implementation and Reference Guide

      This is the first time the machines will be provisioned. I haven't the MEBx before.

       

      I'm fresh out of ideas right now. What can I do to make work?

      Any help would be greatly appreciated!

        • 1. Re: vPro Provisioning issues in SCCM 2012 R2
          TKremer

          Hello Fraeco,

           

           

          You can verify that the DigiCert certificate is in the root certificate store by looking in the MEBx on one of the machines.

          You will find a Option to list the certificate store there.

           

          Are you trying to Provision the Clients via SCCM 2012 R2?

           

          If that is the case and the AMT Version of your Clients is greater Version 8 SCCM can't provision them.

          You Need to get the Intel SCS Tool (Version 9 or greater, download via the Intel Download Center) and the SCCM2012 Add-On(Version 2.1.5 atm, i think ).

           

          With these in combination you can Provision the clients with Tasksequenzes. The Clients will be shown as 'Externally Provisioned' but you

          can use Wake-Up and other Features afterwards.

          The cause for this is, that Intel stopped using the SOAP and uses WS-Managment instead. SCCM 2012 seems to have some problems with that.

           

          You will find a great Installation Guide in the package, that helped me a lot. A little tipp, read the Manual first before trying to install the SCS.

          There are some things you have to think about, before choosing if Database-Mode or not.