15 Replies Latest reply on Apr 1, 2015 3:47 PM by brunodom

    Valid certificate for PKI configuration not found - Intel SCS 9.1

    Amd64

      Hello,

       

      I am using Intel SCS 9.1. Machines are listed in SCS console but with status "Configuration Failed" and connection status "Not Discovered". I tried manual discovery by selecting the machine and "Discover data", I am getting below error.

       

      Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

       

      What I did so far:

      1. Certificates are created in Subordinate CA. I went through the certificate and validated the settings. Looks like the verifications are good. I used two documents as a reference to create the certificates.

           a) SCCMGuru - Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority | SCCM GURU

           b) Intel SCS user guide - Section "9.2.5 Defining Enterprise CA Templates"

       

      2. Did some research on this forum and followed the suggestion of creating a basic low security profile

      acuconfig.exe /lowsecurity /output console /verbose ConfigureViaRCSOnly <$SCSServerName> <ProfileName> /wmiuser domain\AMTAdmin /wmiuserpassword P@ssw0rd

      (Valid certificate for PKI configuration not found during vPro Provisioning)

           This test failed as well. I get below error

       

      Exit with code 75.

      Details: Failed to complete remote configuration of this Intel(R) AMT device. Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.


      My final intention is to get it working from SCCM 2012. Since I am unable to do it from SCCM, I started with the SCS console to get at least a few machines going and then think of getting it to work from SCCM.

       

      Any suggestion in the right direction is appreciated.

       

      Thank you

        • 1. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
          brunodom

          Hi,

          What is going on in your case is that these machines are not yet provisioned. The guidelines that you mentioned are related to certificate issuance to *each* vPro machine in order to allow integration with SCCM; however, for provisioning, you have two courses of action: use a 3rd party certificate for provisioning, e.g. GoDaddy (that is the reason you are getting this error), *or* adopt Host Based Configuration, which is available since AMT 6.2. In both cases, I would suggest you use the Intel SCS Add-on for System Center Configuration Manager; inside this .zip file you will find documentation on how to provision in order to allow integration with SCCM.

           

          Best Regards!

          -Bruno Domingues

          • 2. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
            Amd64

            Thank you. I have already installed the SCS Add-on for SCCM. I am using a domain CA for certificates. I will go through the documentation and update my findings.

            • 3. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
              Amd64

              Hi Brunodom,

               

              Thanks again for your suggestion. I went through the document that you suggested. It's pretty detailed.

               

              Here is what I did.

              1. I have downloaded "intelscs_9.1.2.74", "IntelSCS_SCCMAddon_2.1.6.3"

              2. I have my Microsoft Enterprise CA. Certificates are prepared in Subordinate CA following the instructions specified in Section 2.0 prerequisites in "Intel(R)_SCS_Addon_SCCM_2012.pdf". This includes disabling "Disabling OOB Management Controller Provisioning" in all SCCM collections

              3. User groups are prepared as specified in the document section 2.6.6. In my case "Kerberos Admin User Group" and "Redirection User Group" have the same user. Created two groups so I can allocate appropriate permissions when creating the profile - hope this is okay.

              4. Our requirement is to use "Remote Configuration" in "Admin Control mode" with SCS integration

              5. SCS is installed in Database mode

              6. I have created a profile within the SCS console following the instructions in "3.2 Creating a Profile for Remote Configuration"

              7. Installed SCCM Addon and pointed it to use the profile within SCS

              8. I have enabled "Intel AMT: Discover and Report" and "Intel AMT: Remote Configuration". This populated a few machines and I am targeting only a few test machines now.

              9. When "Intel AMT: Remote Configuration" is run, it fails again with same error given above

               

              Failed while calling WS-Management call GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error 0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

               

              You have mentioned the requirement of a 3rd party cert in a previous post. This is the only thing that I did not do, as the guide "Intel(R)_SCS_Addon_SCCM_2012.pdf" did not specify that. However, a certificate issued by the Microsoft enterprise CA is used in the AMT profile created within the SCS console.

               

              Is a 3rd party cert required? Is there a doc that I can refer to for the information that I would need to provide to the 3rd party to get a certificate? Guess I can follow the instructions in this link to get the certificate imported.

               

              Thanks for your assistance.

              • 4. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                Amd64

                Update:

                 

                Found a post that will guide the cert creation process. Intel® Download Center

                But this doc was written in 2012 and might be out of date. The cert request file was created and, when uploaded to GoDaddy, I got a warning that the cert for an internal domain name will expire in September. My SCCM server that runs SCS is sccm.domain.pri but the external name is domain.com

                • 5. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                  brunodom

                  The 3rd party certification is required for Remote Configuration, i.e. to allow admin control mode. In this case, you can follow these instructions (GoDaddy) to issue the certificate: https://support.godaddy.com/help/article/5260/setting-up-a-ssl-for-intel-vpro You must pay attention to generate the certificate request for your Intel SCS and using your internal domain. Actually, Certificate Authorities can't issue certificates for private domains; they must be ones that can be publicly verified.

                   

                  Best Regards!

                  -Bruno Domingues

                  • 6. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                    Amd64

                    Thank you! Does this mean we cannot implement the Remote based configuration method, as our internal domain name is different from the one registered in public? Our DHCP option 15 returns the internal domain name and public CAs cannot issue a certificate for an internal domain name. Is there a way around this? Thank you

                    • 7. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                      brunodom

                      Yes, if you aren't a public owner of your internal domain, you won't be allowed to issue a certificate for this purpose - unfortunately. However, there are other methods that you can follow, but all these methods require that you 'touch' your machines. Here are two high level strategies to overcome this limitation:

                      1. Inject a PID/PSS (aka. PSK method) pair into each vPro machine (manually or using a USB key);

                      2. Issuing an internal provisioning certificate to Intel SCS and injecting the hash of root CA into each vPro machine (manually or using a USB key)

                       

                      In addition to these strategies, there are several OEMs that offer the service to customize BIOS/ME and they can deliver from factory vPro machine with PSK or PKI using your internal certificate.

                       

                      If you believe that these methods are viable and would like further details, let me know.

                       

                      Best Regards!

                      -Bruno Domingues

                      • 8. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                        Amd64

                        Thanks again. We are yet to decide if we should go with manually touching each machine. I was wondering what other organizations will end up doing. Say a company has 50,000 machines with OOBM and an internal domain name. When their cert expires 1st Nov 2015, they can no longer manage unless they touch each machine?

                         

                        Please share details on implementing with a USB; I will go through the doc and a decision will be made today or tomorrow. Thanks again for your assistance.

                         

                        Regards,

                        Jegadesh

                        • 9. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                          brunodom

                          Jagadesh,

                           

                               Actually, most companies are relying for their activation on the Host Based Configuration method, which is much simpler, and I'm also assuming that the majority of companies that activated using PKI (using an internal domain) will shift to HBC. For security reasons, there are several companies that, even when activating using Admin Control Mode, decided to enable User Consent. Even those that required Admin Control Mode using an internal domain are in conversation with OEMs to inject their own root certificate into ME to keep this capability.

                              

                               In order to use a USB key, you will need the USBFile.exe utility, which can be found in the Intel AMT SDK. Here is an example of the syntax to create the USB key using a CA root certificate:

                           

                               USBFile.exe -create setup.bin admin <new-password> -consume 0 -amt  -kvm 1 -oHash 1 -oHash 0 -hash cca-ca.pem CCA-CA -prov 1

                           

                               The setup.bin file is generated and must be placed on a USB key formatted with FAT16 - basically, with the USB key created, you need only boot the machine with the USB key connected and you will be asked if you allow injecting the hash of the root CA into ME. Some OEMs require you to enable this capability in the BIOS.

                           

                          Best Regards!

                          -Bruno Domingues

                          • 10. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                            Amd64

                            One step closer to a solution. We have decided to go with host based configuration. Profile and plugins are configured for this. Enabled discovery and configuration TS. Configured 2 machines without error using configure.bat. These machines are now showing up in the "Intel AMT: Configured" collection. Right clicked on machine --> Manage Out of Band --> Discover AMT Status, looks like this runs successfully. On my OOB server, amtopmgr.log looks good (the content is below). However, the "AMT Provisioning" column in SCCM is still empty. All Out of band management options except "Discover AMT Status" are grayed out. Updated machine policies and hardware inventory on test machines and still no go. Any idea? Thank you

                             

                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 3600 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Reading Discovery Instruction C:\SMS\inboxes\amtopmgr.box\disc\{D58DF5A3-A2AC-44BE-85BB-86DB1D167E79}.RDC...SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, '16777710', 'XYZ'SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine TestMachine (TestMachine.Domain.local), ID: 16777710 IP: 192.168.1.3 from Resource 16777710.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 16777710SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            Discovery will use ip resolved from netbios:SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            192.168.1.3SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetProvAccountsSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Finish reading discovery instruction C:\SMS\inboxes\amtopmgr.box\disc\{D58DF5A3-A2AC-44BE-85BB-86DB1D167E79}.RDCSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Parsed 1 instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Send task TestMachine.Domain.local to completion portSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            General Worker Thread Pool: Current size of the thread pool is 1SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SCCMOOBM.domain.local SITE=XYZ PID=3364 TID=2388 GMTDATE=Mon Feb 16 20:39:43.465 2015 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            General Worker Thread Pool: Work thread 3092 startedSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM3092 (0x0C14)
                            Discover TestMachine using IP address 192.168.1.3SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM3092 (0x0C14)
                            DoPingDiscoveryForAMTDevice succeeded.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM3092 (0x0C14)
                            Flag iWSManFlagSkipRevocationCheck is set.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM3092 (0x0C14)
                            session params : https://TestMachine.Domain.local:16993   ,  2011001SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM3092 (0x0C14)
                            AMT Discovery Worker: There are 1 tasks in pending listSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 20 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: There are 1 tasks in pending listSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 20 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:43 PM2388 (0x0954)
                            DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            Start Kerberos DiscoverySMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            Flag iWSManFlagSkipRevocationCheck is set.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            session params : https://TestMachine.Domain.local:16993   ,  2484001SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            DoKerberosWSManDiscovery succeeded. AMTStatus = 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            Discovery to IP address 192.168.1.3 succeed. AMT status is 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CSMSAMTDiscoveryTask::Execute, discovery to TestMachine succeed. AMT status is 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CSMSAMTDiscoveryTask::Execute - DDR written to C:\SMS\MP\OUTBOXES\ddr.boxSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='TestMachine' P2='' P3='TestMachine.Domain.local' P4='' P5=''SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CStateMsgReporter::DeliverMessages - Created state message file: C:\SMS\MP\OUTBOXES\StateMsg.box\i024cvkw.SMXSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=10 MUF=0 PCNT=1, P1='TestMachine.Domain.local' P2='' P3='' P4='' P5=''SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            CStateMsgReporter::DeliverMessages - Created state message file: C:\SMS\MP\OUTBOXES\StateMsg.box\k186fis2.SMXSMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            General Worker Thread Pool: Succeed to run the task TestMachine.Domain.local. Remove it from task list.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            General Worker Thread Pool: Work thread 3092 has been requested to shut down.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            General Worker Thread Pool: Work thread 3092 exiting.SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3092 (0x0C14)
                            General Worker Thread Pool: Current size of the thread pool is 0SMS_AMT_OPERATION_MANAGER2/16/2015 2:39:44 PM3528 (0x0DC8)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:03 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 3600 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:03 PM2388 (0x0954)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 3600 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Reading Discovery Instruction C:\SMS\inboxes\amtopmgr.box\disc\{65FF8643-1A68-4035-9334-A86352EB14B1}.RDC...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Error, CSMSAMTDiscoveryWorker::ParseInstructionFile failed - open fileSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Reading Discovery Instruction C:\SMS\inboxes\amtopmgr.box\disc\{65FF8643-1A68-4035-9334-A86352EB14B1}.RDC...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, '16777289', 'XYZ'SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine TestMachine2 (TestMachine2.OMG.PRI), ID: 16777289 IP: 192.168.2.160 from Resource 16777289.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 16777289SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            Discovery will use ip resolved from netbios:SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            192.168.2.160SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Execute query exec AMT_GetProvAccountsSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Finish reading discovery instruction C:\SMS\inboxes\amtopmgr.box\disc\{65FF8643-1A68-4035-9334-A86352EB14B1}.RDCSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Parsed 1 instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Send task TestMachine2.OMG.PRI to completion portSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            General Worker Thread Pool: Current size of the thread pool is 1SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: 1 task(s) are sent to the task pool successfully.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SCCMOOBM.domain.local SITE=XYZ PID=3364 TID=2388 GMTDATE=Mon Feb 16 20:40:38.946 2015 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            General Worker Thread Pool: Work thread 2920 startedSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2920 (0x0B68)
                            Discover TestMachine2 using IP address 192.168.2.160SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2920 (0x0B68)
                            AMT Discovery Worker: There are 1 tasks in pending listSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:38 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 20 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2388 (0x0954)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2388 (0x0954)
                            AMT Discovery Worker: There are 1 tasks in pending listSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 20 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2388 (0x0954)
                            DoPingDiscoveryForAMTDevice succeeded.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            Flag iWSManFlagSkipRevocationCheck is set.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            session params : https://TestMachine.Domain.local:16993   ,  2011001SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            DoWSManDiscovery succeeded with user name: admin. AMTStatus = 1.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            Start Kerberos DiscoverySMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            Flag iWSManFlagSkipRevocationCheck is set.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            session params : https://TestMachine.Domain.local:16993   ,  2484001SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:39 PM2920 (0x0B68)
                            DoKerberosWSManDiscovery succeeded. AMTStatus = 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            Discovery to IP address 192.168.2.160 succeed. AMT status is 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CSMSAMTDiscoveryTask::Execute, discovery to TestMachine2 succeed. AMT status is 4.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CSMSAMTDiscoveryTask::Execute - DDR written to C:\SMS\MP\OUTBOXES\ddr.boxSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Fill Machine Property' SID=1 MUF=0 PCNT=5, P1='TestMachine2' P2='' P3='TestMachine2.OMG.PRI' P4='' P5=''SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CStateMsgReporter::DeliverMessages - Created state message file: C:\SMS\MP\OUTBOXES\StateMsg.box\f15gy7y7.SMXSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=10 MUF=0 PCNT=1, P1='TestMachine2.OMG.PRI' P2='' P3='' P4='' P5=''SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            CStateMsgReporter::DeliverMessages - Created state message file: C:\SMS\MP\OUTBOXES\StateMsg.box\71676ife.SMXSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            General Worker Thread Pool: Succeed to run the task TestMachine2.OMG.PRI. Remove it from task list.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            General Worker Thread Pool: Work thread 2920 has been requested to shut down.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            General Worker Thread Pool: Work thread 2920 exiting.SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM2920 (0x0B68)
                            General Worker Thread Pool: Current size of the thread pool is 0SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:40 PM3528 (0x0DC8)
                            AMT Discovery Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:40:59 PM2388 (0x0954)
                            AMT Discovery Worker: Wait 3600 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:59 PM2388 (0x0954)
                            Succeed to add new health check task to pending list.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:03 PM3780 (0x0EC4)
                            AMT Provision Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:03 PM3780 (0x0EC4)
                            AMT Provision Worker: Send task  to completion portSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:03 PM3780 (0x0EC4)
                            General Worker Thread Pool: Current size of the thread pool is 1SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:03 PM3780 (0x0EC4)
                            AMT Provision Worker: 1 task(s) are sent to the task pool successfully.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3780 (0x0EC4)
                            STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SCCMOOBM.domain.local SITE=XYZ PID=3364 TID=3780 GMTDATE=Mon Feb 16 20:41:04.004 2015 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3780 (0x0EC4)
                            General Worker Thread Pool: Work thread 3152 startedSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            Test https://SCCMOOBM.domain.local:443/EnrollmentService/AmtEnrollmentService.svcSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: SCCMCertCredentials - finding self signed sms cert by thumbprintSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - finding in LocalMachine, store Sms, find type FindByThumbprint, validOnly = FalseSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - there are 5 certs in the specified storeSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - Found certs via FindByThumbprint, count = 1SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - cert[0].FriendlyName = Site System Identification CertificateSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - cert[0].Subject = CN=Site System IdentificationSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            [EnrollmentWrapper]: FindCertificate - cert[0].Issuer = CN=Site System IdentificationSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3152 (0x0C50)
                            AMT Provision Worker: There are 1 tasks in pending listSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3780 (0x0EC4)
                            AMT Provision Worker: Wait 20 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:04 PM3780 (0x0EC4)
                            TestEnrollmentService succeed.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3152 (0x0C50)
                            STATMSG: ID=7220 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SCCMOOBM.domain.local SITE=XYZ PID=3364 TID=3152 GMTDATE=Mon Feb 16 20:41:05.082 2015 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3152 (0x0C50)
                            General Worker Thread Pool: Succeed to run the task . Remove it from task list.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3152 (0x0C50)
                            General Worker Thread Pool: Work thread 3152 has been requested to shut down.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3152 (0x0C50)
                            General Worker Thread Pool: Work thread 3152 exiting.SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3152 (0x0C50)
                            General Worker Thread Pool: Current size of the thread pool is 0SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:05 PM3528 (0x0DC8)
                            AMT Provision Worker: Wakes up to process instruction filesSMS_AMT_OPERATION_MANAGER2/16/2015 2:41:24 PM3780 (0x0EC4)
                            AMT Provision Worker: Wait 3600 seconds...SMS_AMT_OPERATION_MANAGER2/16/2015 2:41:24 PM3780 (0x0EC4)
                            • 11. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                              brunodom

                              Jagadesh,

                               

                              Based on the logs that you shared, it looks like SCCM is correctly discovering these machines:

                               

                              Discovery to IP address 192.168.1.3 succeed. AMT status is 4.

                               

                              *and*

                               

                              Discovery to IP address 192.168.2.160 succeed. AMT status is 4

                               

                              AMT status 4 means that it is Externally Provisioned, i.e. using Intel SCS in your case. What happens is that SCCM takes some time to refresh the status, and in order to speed up this process, you can force an "Update Collection Membership" followed by an F5 (refresh).

                               

                              For this discovery (i.e. the SCCM native one that shows in the column), SCCM doesn't use the agent to update the status; it's done directly from the OOB Service Point, connecting remotely to the vPro machine. That is the reason that the Inventory policy didn't make any change in this status.

                               

                              Please let me know if it worked.

                               

                              Best Regards!

                              -Bruno Domingues
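The discovery check described in the reply above, as an added example that is not part of the original thread: it splits log lines whose columns (message, component, time, thread) have run together the way they do in the pasted excerpt, and reports the latest AMT status per IP address. The sample lines are constructed; only status 4 is labelled because it is the only code the thread explains.

```python
import re
from datetime import datetime

# CMTrace columns (message, component, time, thread) fused by copy/paste.
LINE_RE = re.compile(
    r"^(?P<msg>.*?)(?P<comp>SMS_[A-Z_]+)"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?P<tid>\d+) \((?P<hex>0x[0-9A-Fa-f]+)\)$"
)
DISCOVERY_RE = re.compile(
    r"Discovery to IP address (?P<ip>[\d.]+) succeed\. AMT status is (?P<status>\d+)"
)
# Only status 4 is explained in the thread; other codes stay unlabelled.
STATUS_LABELS = {4: "Externally Provisioned"}
TAIL = "SMS_AMT_OPERATION_MANAGER2/16/2015 2:40:{:02d} PM3152 (0x0C50)"
# Constructed sample: messages in the thread's wording, trailing columns invented.
SAMPLE = [
    "Discovery to IP address 192.168.1.3 succeed. AMT status is 4." + TAIL.format(41),
    "Discovery to IP address 192.168.2.160 succeed. AMT status is 4" + TAIL.format(52),
    "Discovery to IP address 192.168.2.161 succeed. AMT status is 3." + TAIL.format(58),
    "AMT Provision Worker: Wait 20 seconds..." + TAIL.format(59),
]


def parse_line(line):
    """Split one fused line; None if it does not parse or the thread ids disagree."""
    m = LINE_RE.match(line.strip())
    if not m or int(m["tid"]) != int(m["hex"], 16):
        return None
    return {"message": m["msg"].strip(), "component": m["comp"],
            "thread": int(m["tid"]),
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")}


def discovery_summary(lines):
    """Return {ip: (status, label, time)}, keeping the latest result per address."""
    latest = {}
    for rec in filter(None, map(parse_line, lines)):
        hit = DISCOVERY_RE.search(rec["message"])
        if hit and (hit["ip"] not in latest or rec["time"] >= latest[hit["ip"]][2]):
            status = int(hit["status"])
            label = STATUS_LABELS.get(status, "not described in this thread")
            latest[hit["ip"]] = (status, label, rec["time"])
    return latest


if __name__ == "__main__":
    for ip, (status, label, when) in discovery_summary(SAMPLE).items():
        print(f"{when:%H:%M:%S}  {ip:<15} AMT status {status}: {label}")
```

A line is rejected when its decimal thread id and the hex value in parentheses disagree, which catches a wrong split of the fused columns.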

                              • 12. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                                excelsi

                                Hi,

                                 

                                Same problem on my side.

                                Discovery says succeed with Status 4, but no AMT Status and Version appear in the SCCM Console for that device. No possibility to start the Out of Band Management Console (greyed out).

                                AMT Configuration itself looks correct.

                                I use:

                                Intel SCS 10.0.11.35

                                Intel SCS SCCM Addon 2.1.6.3

                                AMT Firmware Version (seen through the web interface): 6.2.50 build 1062

                                SCCM 2012 R2

                                 

                                Any help would be great. Thanks!

                                • 13. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                                  excelsi

                                  I found the solution to my Problem here on TechNet:

                                  Problem with Out of Band Discovery resulting with Out of Band features not available in SCCM console for computers with …

                                  Add the Computer Account which has the Out of Band Management Role to the Local Group SMS_SiteSystemToSiteServerConnection_MP_XXX on the SCCM 2012 R2 Primary Site Server and restart the SMS_Executive on the Out of Band Management Server.

                                  • 14. Re: Valid certificate for PKI configuration not found - Intel SCS 9.1
                                    brunodom

                                    Hi,

                                    Usually, this problem happens with Kerberos authentication issues - that, unfortunately, doesn't work without proper configuration.

                                    1st. In SCCM you have to make sure that Kerberos is working, so you have to open IE and point to a vPro machine provisioned using FQDN:16993 (e.g. https://vPromachine.prodemolab.com:16993) - at this point you will probably see the Intel ME log in page. Click on the log in button and see what happens. If you get in, we have another problem, but from experience you will probably be prompted to fill in your credentials - that means that Kerberos is not working. So, to fix it:

                                    1. Create these two registry keys on the SCCM server (32-bit and 64-bit). By default, IE doesn't allow sending a Kerberos token over a non-80 port, and we need to send it over 16993;

                                    2. Configure your IE Intranet zones to recognize your local domain, i.e. Internet Options -> Security -> Sites -> Advanced -> put here your domain, e.g. https://*.suffix

                                    3. While in Intranet zone -> Custom Level... -> User Authentication -> Logon -> select "Automatic Logon with current user name and password"

                                     

                                    Test the authentication again using IE... now it should work.

                                     

                                    Best Regards!

                                    -Bruno Domingues