AMT status is detected not provisioned

  • Question

  • Hi All,

    I've run out-of-band management controller detection. All controllers have been discovered with a status of "detected". I'm not able to have this marked as provisioned:

    Here is an excerpt of the amtopmgr.log for a particular machine:

    AMT Discovery Worker: Reading Discovery Instruction E:\Apps\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{688E4632-32FA-4582-92E9-B5D345ECAF3D}.RDC... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, 'GUID:87C21462-4D15-49CB-96E1-3502E0B91293', 'SI1' SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: CSMSAMTDiscoveryWorker::RetrieveInfoFromResource - Found machine PC080035612 (ComputerName.Domain.com), ID: 97280 - 11.4.7.49 from Resource GUID:87C21462-4D15-49CB-96E1-3502E0B91293. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Execute query exec AMT_GetAMTMachineProperties 97280 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Execute query exec AMT_GetProvAccounts SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Finish reading discovery instruction E:\Apps\Microsoft Configuration Manager\inboxes\amtopmgr.box\disc\{688E4632-32FA-4582-92E9-B5D345ECAF3D}.RDC SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Parsed 1 instruction files SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: There are 3 tasks in pending list SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Send task to completion port SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: 1 task(s) are sent to the task pool successfully. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=SITESERVER SITE=SI1 PID=98724 TID=20400 GMTDATE=do mrt 12 14:19:21.010 2009 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Wakes up to process instruction files SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    AMT Discovery Worker: Wait 20 seconds... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 20400 (0x4FB0)
    CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 11.4.7.49:16992. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error 0x80090325 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    **** Error 0x4ceb300 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error 0x80090325 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    **** Error 0x4ceb300 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error 0x80090325 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    **** Error 0x4ceb300 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(put) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description:The WS-Management service cannot process the request because the encoding of the request exceeds an internal encoding limit. Reconfigure the client to send messages which fit the encoding limits of the service. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to put changes to client. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    session params : http://ComputerName.Domain.com:16992 , 111001 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig". SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(put) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description:The WS-Management service cannot process the request because the encoding of the request exceeds an internal encoding limit. Reconfigure the client to send messages which fit the encoding limits of the service. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to put changes to client. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    session params : http://ComputerName.Domain.com:16992 , 111001 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig". SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(put) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description:The WS-Management service cannot process the request because the encoding of the request exceeds an internal encoding limit. Reconfigure the client to send messages which fit the encoding limits of the service. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to put changes to client. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    session params : http://ComputerName.Domain.com:16992 , 111001 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    ERROR: Invoke(get) failed: 80020009argNum = 0 SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Description: The client cannot connect to the remote host specified in the request. Verify that the service on the remote host is running and is accepting requests. You may use the following command to analyze the state of the WinRM service and to configure the service, if necessary: "winrm quickconfig". SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Error: Failed to get AMT_SetupAndConfigurationService instance. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    CSMSAMTDiscoveryTask::Execute - DDR written to E:\Apps\Microsoft Configuration Manager\inboxes\auth\ddm.box SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)
    Auto-worker Thread Pool: Succeed to run the task . Remove it from task list. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 24676 (0x6064)


    The machine is an HP dc7900 with amt 5.0.5.0008
    If I enter MEBX on the machine, I can see a provisioning record with information like FQDN, provisioning IP but hashdata contains only Null values (0000-0000-0000- ....)

    On the client I've found the following log:

    ON SCHEDULE OOBMgmt 12/03/2009 12:24:22 1220 (0x04C4)
    BEGIN oobmgmt 12/03/2009 12:24:22 1220 (0x04C4)
    CAMTProvisionEndpoint::GetProvisionSettings: GetObject() failed: 80041002 oobmgmt 12/03/2009 12:24:22 1220 (0x04C4)
    !! AutoProvision policy disabled. oobmgmt 12/03/2009 12:24:22 1220 (0x04C4)
    END oobmgmt 12/03/2009 12:24:22 1220 (0x04C4)
    BEGIN oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)
    Retrying to activate the device. oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)
    Raising event:
    [SMS_CodePage(850), SMS_LocaleID(2057)]
    instance of SMS_OOBMgmt_StartConfig_Failure
    {
    ClientID = "GUID:87C21462-4D15-49CB-96E1-3502E0B91293";
    DateTime = "20090312120600.114000+000";
    ErrorCode = "1";
    FailureCategory = "None certificate is valid between device and server certificate hash.";
    MachineName = "ComputerName";
    ProcessID = 336;
    SiteCode = "SI1";
    ThreadID = 3068;
    };
    oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)
    Failed to Call CheckCertificate provider method, 80041001 oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)
    END oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)


    Help welcome !


    Thursday, March 12, 2009 2:37 PM

Answers

  • Yes. The root hash of the provisioning certificate will be included in client policy. Once the client retrieves this policy, the SCCM client agent will detect the AMT provisioning status and attempt to match the root hash in the policy with the root hashes in the AMT BIOS. If that fails, it will report "None certificate is valid between device and server certificate hash." in the log.
    Configuration Manager China R&D Blog:http://blogs.technet.com/msdchina/
    • Marked as answer by LMichel Monday, March 16, 2009 12:02 PM
    Saturday, March 14, 2009 6:18 AM

All replies

  • Hi, from the log, you might be missing a provisioning certificate. You need to set an AMT provisioning certificate in the admin console.
    http://technet.microsoft.com/en-us/library/cc161804.aspx


    Configuration Manager China R&D Blog:http://blogs.technet.com/msdchina/
    Friday, March 13, 2009 5:55 AM
  • I agree with you Jerry. The problem is certificate related. 

    We chose to use our own internal CA to create the certificate. And I think that the certificate thumbprint is not configured in the BIOS extension.

     http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/744180d4-e63d-44fb-9306-576596ca4852/

    I'll try the following procedure :

    Entering a Root Certificate Hash Manually in the AMT Platform’s Firmware

    Normally the certificate hashes are programmed in the AMT platform’s firmware by the OEM. However, there is an option of entering the root certificate’s hash manually via the MEBx.

    To enter the certificate hash via the MEBx:

    1. Open the Root certificate and tab to Details. Keep the Root certificate thumbprint from the thumbprint field for later use in step 7.

    2. Power on the AMT platform and press <ctrl-p> during boot.

    3. When the MEBx menu is displayed, perform a full unprovisioning.

    4. Select Setup and Configuration and choose TLS PKI.

    5. Choose Manage Certificate Hashes.

    6. Press <Insert> and enter a name for the hash.

    7. Enter the Root certificate thumbprint from step 1.

    8. Exit the MEBx and reboot the platform.

    Friday, March 13, 2009 9:57 AM
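
The thumbprint comparison behind steps 1 and 7, as an added example that is not part of the original post or of Configuration Manager: it normalizes a thumbprint pasted from the Windows certificate dialog and checks it against firmware hash entries, ignoring all-zero records like the one described in the question. The entry names, the stand-in certificate bytes and the helper names are assumptions made for illustration; the hyphenated grouping follows the form quoted in the question.

```python
import hashlib
import re

# Spaces, colons, hyphens and the invisible LTR/RTL marks that can ride along
# when a thumbprint is copied out of the certificate dialog.
SEPARATORS = re.compile(r"[\s:\-\u200e\u200f]")

def cert_thumbprint(der_bytes):
    """Windows 'Thumbprint' field: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def normalize_hash(text):
    """Reduce any displayed form of a hash to 40 upper-case hex digits."""
    cleaned = SEPARATORS.sub("", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 160-bit hex hash: {text!r}")
    return cleaned

def to_hyphen_groups(text):
    """Hyphenated groups of four digits, the grouping quoted in the question."""
    h = normalize_hash(text)
    return "-".join(h[i:i + 4] for i in range(0, 40, 4))

def is_null_hash(text):
    """True for an all-zero record, which can never match a real certificate."""
    return set(normalize_hash(text)) == {"0"}

def matching_slots(root_thumbprint, firmware_hashes):
    """Names of firmware entries equal to the root thumbprint; null entries are skipped."""
    want = normalize_hash(root_thumbprint)
    return [name for name, value in firmware_hashes.items()
            if not is_null_hash(value) and normalize_hash(value) == want]

# Constructed sample data: stand-in bytes, not a real DER certificate.
SAMPLE_DER = b"constructed stand-in for the internal root CA certificate (DER)"
ROOT = cert_thumbprint(SAMPLE_DER)
# As pasted from the dialog: lower case, space separated, leading U+200E mark.
PASTED = "\u200e" + " ".join(ROOT[i:i + 2] for i in range(0, 40, 2)).lower()
FIRMWARE = {  # hypothetical entry names
    "empty slot": "-".join(["0000"] * 10),
    "internal root CA": to_hyphen_groups(ROOT),
}

if __name__ == "__main__":
    print("root thumbprint :", ROOT)
    print("hyphen-grouped  :", to_hyphen_groups(PASTED))
    print("matching entries:", matching_slots(PASTED, FIRMWARE))
```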
  • Ok, I'm now a step further !

    SCCM is trying to provision the device. But it seems there is a problem with the connection account.

    >>>>>>>>>>>>>>>Provision task begin<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Provision target is indicated with SMS resource id. (MachineId = 97280 Computer.Mydomain.com) SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 19600 (0x4C90)
    **** Error 0x3e2b480 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 19600 (0x4C90)
    Fail to connect and get core version of machine PC080020464.msnet.railb.be using provisioning account #0. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 19600 (0x4C90)
    Found valid basic machine property for machine id = 97280. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Warning: Currently we don't support mutual auth. Change to TLS server auth mode. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    The provision mode for device Computer.Mydomain.com is 1. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Attempting to establish connection with target device using SOAP. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Found matched certificate hash in current memory of provisioning certificate SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Create provisionHelper with (Hash: <Hash> ) SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Set credential on provisionHelper... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Try to use provisioning account to connect target machine Computer.Mydomain.com... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Fail to connect and get core version of machine Computer.Mydomain.com using provisioning account #0. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Fail to connect and get core version of machine Computer.Mydomain.com using provisioning account #1. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Try to use default factory account to connect target machine Computer.Mydomain.com... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Fail to connect and get core version of machine Computer.Mydomain.com using default factory account. SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Try to use provisioned account (random generated password) to connect target machine Computer.Mydomain.com... SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Fail to connect and get core version of machine Computer.Mydomain.com using provisioned account (random generated password). SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 97280) SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    Error: Can NOT establish connection with target device. (MachineId = 97280) SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)
    >>>>>>>>>>>>>>>Provision task end<<<<<<<<<<<<<<< SMS_AMT_OPERATION_MANAGER 1/01/1601 0:00:00 17216 (0x4340)

    I've entered in the SCCM console the two passwords that have been used as Intel ME account, but I don't know if we are talking about the same accounts.

    Monday, March 16, 2009 12:07 PM
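
A small triage helper for the amtopmgr.log and oobmgmt excerpts posted in this thread, as an added example that is not part of any post or of Configuration Manager: it pulls the HRESULT values out of the log text, skipping GUIDs and thread IDs, and attaches the symbolic names from the Windows SDK headers. The sample lines are copied from the excerpts above with some trailing columns trimmed; the function and table names are assumptions.

```python
import re
from collections import Counter

# Symbolic names and meanings from the Windows SDK headers.
HRESULTS = {
    0x80090325: "SEC_E_UNTRUSTED_ROOT: certificate chain issued by an untrusted authority",
    0x80090304: "SEC_E_INTERNAL_ERROR: the Local Security Authority cannot be contacted",
    0x80020009: "DISP_E_EXCEPTION: exception raised inside an automation call",
    0x80041001: "WBEM_E_FAILED: generic WMI failure",
    0x80041002: "WBEM_E_NOT_FOUND: WMI object not found",
}

# Eight hex digits starting with 8 (failure bit set), with or without "0x".
# The lookbehind rejects GUID segments ("GUID:87C2...") and digits inside longer
# numbers; the lookahead rejects a GUID's first segment. A hex lookahead is not
# used because the log fuses codes with text ("80020009argNum").
HRESULT_RE = re.compile(r"(?<![0-9A-Za-z:{-])(?:0x)?(8[0-9A-Fa-f]{7})(?!-)")

def triage(log_text):
    """Return [(hresult, count, meaning)], most frequent code first."""
    counts = Counter(int(m.group(1), 16) for m in HRESULT_RE.finditer(log_text))
    return [(code, n, HRESULTS.get(code, "unknown"))
            for code, n in counts.most_common()]

# Sample lines taken from the excerpts in this thread (trailing columns trimmed).
SAMPLE = """\
AMT Discovery Worker: Execute query exec AMT_GetThisSitesNetBiosNames NULL, 'GUID:87C21462-4D15-49CB-96E1-3502E0B91293', 'SI1'
Error 0x80090325 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x4ceb300 returned by ApplyControlToken
Error 0x80090325 returned by InitializeSecurityContext during follow up TLS handshaking with server.
ERROR: Invoke(put) failed: 80020009argNum = 0
CAMTProvisionEndpoint::GetProvisionSettings: GetObject() failed: 80041002 oobmgmt 12/03/2009 12:24:22 1220 (0x04C4)
Failed to Call CheckCertificate provider method, 80041001 oobmgmt 12/03/2009 13:06:00 3068 (0x0BFC)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
"""

if __name__ == "__main__":
    for code, n, meaning in triage(SAMPLE):
        print(f"0x{code:08X} x{n}  {meaning}")
```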
  • Did you ever get this issue figured out? I am having the same problem. The only way I can get the clients to provision is to log into the MEBx (makes you change the password from the default), and do a full unprovision of the client. Since it is making me change the default password there should be no reason that SCCM cannot connect using the default account. When I get into the MEBx it does not show as being provisioned. Not sure where to go from here. I know my OOB site server is set up correctly, or I wouldn't be able to provision any of the clients. It is not realistic to do this for over 400 client machines.
    Thursday, September 24, 2009 8:29 PM