3 Replies Latest reply on Oct 15, 2009 9:16 PM by Trevor.Sullivan

    AMT Status stuck at "Detected"

    DoAsFan

      SCCM SP1 (6221)

      HP 2530p / ME firmware 4.1.1

       

      We are currently setup with an internal certificate, and the hash has been inserted into the MEBx. ME password set a to P@ssw0rd and added as an AMT Provisioning and Discovery Account. The SCCM client is installed on the laptop and the AMT version is being reported. AMT Status is stuck at Detected, no matter how many times I do a partial or full unprovision, or even a AMT reset from the BIOS.

       

      Everytime I attempt to discover OOB management controllers on this machine, the AMTOPMGR.LOG reports:

       

      Auto-worker Thread Pool: Work thread 2592 started
      CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.1.25.233:16992.
      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
      **** Error 0x2afb8a8 returned by ApplyControlToken
      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
      **** Error 0x2afb8a8 returned by ApplyControlToken
      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
      **** Error 0x2afb8a8 returned by ApplyControlToken
      session params : http://CND910154G.eweisel.com:16992   ,  111001
      ERROR: Invoke(get) failed: 80020009argNum = 0
      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
      Error: Failed to get AMT_SetupAndConfigurationService instance.
      session params : http://CND910154G.eweisel.com:16992   ,  111001
      ERROR: Invoke(get) failed: 80020009argNum = 0
      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
      Error: Failed to get AMT_SetupAndConfigurationService instance.
      session params : http://CND910154G.eweisel.com:16992   ,  111001
      ERROR: Invoke(get) failed: 80020009argNum = 0
      Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig".
      Error: Failed to get AMT_SetupAndConfigurationService instance.
      CSMSAMTDiscoveryTask::Execute - DDR written to D:\Microsoft Configuration Manager\inboxes\auth\ddm.box
      Auto-worker Thread Pool: Succeed to run the task . Remove it from task list.

      Any suggestions appreciated. Thanks.

        • 1. Re: AMT Status stuck at "Detected"
          Trevor.Sullivan

          Hello,


          I'm guessing it's going go to be one of two things, if we're dealing with the 4.x platform:


          1. Can you please validate the forward/reverse DNS records for the client (using nslookup from the site server)? Please be sure to query the FQDN of the client (eg. amtclient.mydomain.com)

          2. Have you configured option 15 on your DHCP scope to match your Active Directory domain name (eg. mydomain.com)?


          If both of these are looking ok, can you run the MEinfowin tool on your machine and provide the output?


          MEinfowin Download Link: http://www-307.ibm.com/pc/support/site.wss/MIGR-67953.html


          Hope this helps!


          -Trevor Sullivan

          • 2. Re: AMT Status stuck at "Detected"
            DoAsFan

            Thanks for the suggestions.

             

            1. Have confirmed nslookup successful from both directions, from client and from SCCM.

            2. Confirmed that option 15 configured for our test domain.

             

            After a full unprovision, re-entering the internal cert hash, deleting the machine from SCCM, rediscovering, the machine now shows up in SCCM as Not Provisioned. The collection is set to perform an automatic Out of Band provisioning, but no progress.

             

            I've initiated machine policy retrieval, and the logs now say:

            Warning: AMT device 5DC865B1-F3D1-11DC-819D-7BAF9D3B0883 is a SMS client. Reject hello message to provision

             

            meinfowin says:

            Copyright(C) 2005-08 Intel Corporation. All Rights Reserved.

            AMT SKU Found.
            Intel(R) MEInfo Win Version:  4.1.0.1023

            BIOS Version:                68PSU Ver. F.0D

            Intel(R) AMT code versions:
                    Flash:                       4.1.1
                    Netstack:                    4.1.1
                    Apps:                        4.1.1
                    Intel(R) AMT:                4.1.1
                    SKU:                         IAMT Tdt
                    VendorID:                    8086
                    Build Number:                1028

            Intel(R) AMT Mode:
            Link status:                 Link up
            Cryptography fuse:           Enabled
            Flash protection:            Enabled
            Last ME reset reason:        Global system reset
            Configuration state:         In process
            BIOS boot State:             Post Boot
            Host Mac Address:            00-23-5a-31-2a-92
            Wireless MAC address:       00-00-00-00-00-00
            FWU Override Counter:        Always
            FWU Override Qualifier:      Always
            Wireless Driver Version:     Not Available
            Wireless Hardware Version:   Not Available
            UNS Version:                 4.0.5.1103
            LMS Version:                 4.0.6.1103
            MEI Driver version:          4.0.1.1074
            MEBx Version:                4.0.4.6
            FT Version:                  4.1
            FT Build Number:             1028
            Manageability Mode:          AMT
            Local FWUpdate:              Enabled
            Secure FWUpdate:             Enabled
            TPM fuses (MCH/ICH/soft strap MCH/ soft strap ICH):      Disabled
            FW behavior on Flash Descriptor Override Pin-Strap:      Halt

            TPM is disabled or The SKU does not support TPM..Hence TPM Values cannot be retrieved

            • 3. Re: AMT Status stuck at "Detected"
              Trevor.Sullivan

              Hello,


              Glad to hear you got the "Detected" part sorted out


              Try running the below PowerShell code against the AMT system. This should force the auto-provision policy to be enabled, and should trigger an immediate provisioning attempt. Let me know how it works! Just change the text in blue to the name of the target system, or just a period if you're running it locally.

               

              -------------------------------------------------------------------------

               

              Function Trigger-Provision ([string] $TargetSystem = ".")
              {
                  if ($TargetSystem -gt "")
                  {
                      $ScheduleId = "{00000000-0000-0000-0000-000000000120}"
                      $SmsClient = [wmiclass]"\\$($TargetSystem)\root\ccm:SMS_Client"
                      Write-Host "Triggering provision attempt on $TargetSystem"
                      $SmsClient.TriggerSchedule($ScheduleId)
                  }
              }

               

              Function Set-AutoProvisionPolicy ([string] $TargetSystem = ".", [bool] $AutoProvision = $True)
              {
                  if ($TargetSystem -le "") { return $null }

               

                  #$TargetSystem = "."
                  $WmiNs = "root\ccm\policy\machine\requestedconfig"
                  $WmiClass = "CCM_OutOfBandManagementSettings"
                  $WmiPath = "\\$TargetSystem\$WmiNs`:$WmiClass"
                  $WmiPath = "\\$TargetSystem\root\ccm\policy\machine\actualconfig:CCM_OutOfBandManagementSettings"
                  Write-Host "WMI Path is: $WmiPath"
                  $Global:OobSettings = [wmiclass]($WmiPath)
                  $Global:OobSettingsInstance = $OobSettings.CreateInstance()
                  $OobSettingsInstance.AutoProvision = $AutoProvision
                  $OobSettingsInstance.SiteSettingsKey = 1
                  if ($OobSettingsInstance) { $OobSettingsInstance.Put() }
                 
                  trap
                  {
                      Write-Host "Error occurred setting auto-provision policy"
                      if ($OobSettingsInstance) { $OobSettingsInstance.Put() }
                  }
              }

               

              Set-AutoProvisionPolicy "targetsystem"
              Trigger-Provision "targetsystem"

               

              -------------------------------------------------------------------------


              Cheers!

              Trevor Sullivan