3 Replies Latest reply on Oct 23, 2015 5:25 AM by aschemmelmann

    Intel AMT vPro Provisioning problems - Cannot get machines to provision

    meltdowner Apprentice

      For the past 6 months I've been trying to figure out the cause of this.  I'm going to list out some details of my current environment and answer any questions you may have if you decide to help me with this.

       

      Zero Touch Provisioning.

      An Intel AMT vPro certificate was purchased through godaddy for our LANDESK Server.

      The Certificate was added to the LANDesk server properly, LANDesk verified.

      Our DNS system does keep the hostname matched up with the DNS record.

      DHCP option 15 is enabled.  DNS option 15 is enabled but NOT at the router level.  They are enabled on the Windows 2008 R2 box that hosts those services.

      No machines successfully provision to ADMIN CONTROL MODE.  Nor do they Provision to Client Control Mode.

      Under LDMS 9.6 R2 CONFIGURE -> Intel vPro Options -> *

                All settings are configured.  The password is 8 char with uppercase, number and a special character.

      All clients have AMT version 6.2 or higher.

      All clients are in AMT Configuration State of PKI

      All Client FQDN are matching up with the Device Name/Hostname

      All clients have AMT enabled in BIOS

      All clients are able to syncronize the password from LDMS

      All clients are in a "Provisioned" mode of 2

       

       

      I don't know what the provisioned mode of 2 means.  I'm wondering how the password is syncronized but it doesnt finish provisioning.  Here is a snippet of my log of AMTConfigDll.log:

      7/8/2015 10:31:22 AM : Main Thread AMTConfig.WinUI.CheckAndWarnForLotsOfMachines() - MachineCount: 1

      7/8/2015 10:31:23 AM :

      7/8/2015 10:31:23 AM :  **************************MassManage*****************************

      7/8/2015 10:31:23 AM :  AMTConfig.MassManage() - Cmd, ImportFile: masscheckforconfigchanges, C:\Program Files (x86)\LANDesk\ManagementSuite\AMTConfig.MassUpdate.txt

      7/8/2015 10:31:23 AM : 0 AMTConfig.ParseComputerData() - AMTGUID : 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:31:23 AM : 0 AMTConfig.ParseComputerData() - ComputerName : *,,

      7/8/2015 10:31:23 AM : 0 AMTConfig.Business.MassCheckConfiguration() - Need to (re)provision

      7/8/2015 10:31:23 AM : 0 AMTConfig.Business.ShouldClientBeHostBasedProvisioned() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55,  AMTMajorVersion: 9,  AMTMinorVersion: 5,  PID: 00000000

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.ZeroTouchCertificateExists() pfx cert: True  pem cert: True  fullCertChain: True

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.ProvisionAMT() - AMTGuid: 8181D5FD-7853-CB11-BA63-FCEA4F432D55   HostName: CHI-ASCHULTE-K8   PID: 0

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:31:23 AM : 0 AMTConfig.Data.ProvisionDirectlyToAdminControlMode() - Read cert

      7/8/2015 10:31:24 AM : 0 AMTConfig.Data.ProvisionDirectlyToAdminControlMode() - Call wsman.Provision   HostName: CHI-ASCHULTE-K8

      7/8/2015 10:31:24 AM : 0 AMTConfig.Data.Provision() - Starting provisioning session

      7/8/2015 10:32:06 AM : 0 AMTConfig.Data.Provision() Exception: Unable to connect

      7/8/2015 10:32:06 AM : 0 AMTConfig.Data.ProvisionDirectlyToAdminControlMode() - Call wsman.Provision   IPaddress: 10.44.5.128

      7/8/2015 10:32:06 AM : 0 AMTConfig.Data.Provision() - Starting provisioning session

      7/8/2015 10:32:49 AM : 0 AMTConfig.Data.Provision() Exception: Unable to connect

      7/8/2015 10:32:49 AM : 0 AMTConfig.Data.GeneralAMTCalls.ProvisionAMT() - Failed to get the Credentials for: CHI-ASCHULTE-K8  GUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:50 AM : 0 AMTConfig.Business.RunAMTConfigOnClient() rc: 0

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.GeneralAMTCalls.GetAMTCodeVersions() - Failed to get the Credentials for: CHI-ASCHULTE-K8  GUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Business.GetAMTVersionsFromAMT() - Unable to retrieve AMT versions from the client.

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.GeneralAMTCalls.GetDomainFromME() - Failed to get the Credentials for: CHI-ASCHULTE-K8  GUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.GeneralAMTCalls.GetHostName() - Failed to get the Credentials for: CHI-ASCHULTE-K8  GUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Business.CheckDBAndConfigureHostNameOnClient() - rc: 1

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunication.CertificatesMatch() - Exception: Object reference not set to an instance of an object.

      7/8/2015 10:32:51 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - AMTGUID: 8181D5FD-7853-CB11-BA63-FCEA4F432D55

      7/8/2015 10:32:52 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - Failed

      7/8/2015 10:32:52 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - fnGetOOBCredentials() - Current Credentials GUID: 00000000-0000-0000-0000-000000000001

      7/8/2015 10:32:52 AM : 0 AMTConfig.Data.AMTCommunications.ReadOOBCredentialsRecord() - success.  CommunicationType: TLS  HostName: AMTCredentials  IPAddress: 1.0.0.1

      7/8/2015 10:32:52 AM : 0 AMTConfig.Data.AMTCommunications.GetAMTCredentialsByGUID() - rc: 0

       

       

      (none of the machines referenced in this log completed the provisioning process.)

       

      It looks like that the computers that will NOT provision do not have an AMT FQDN set.  This could be the problem but I do not know what to do to resolve this.

       

      Well, it looks like it may be my certificate.  It does not contain the AMT unique OID (2.16.840.1.113741.1.2.3).  I will report back with results after I talk to GoDaddy

        • 1. Re: Intel AMT vPro Provisioning problems - Cannot get machines to provision
          meltdowner Apprentice

          Recreated the cert.  Followed LANDesks documentation perfectly and the machines still won't provision.

           

          The provisioning process seems to contain less errors, however it still does not successfully provision.

           

          I'm going to open a call but will update this thread with the solution in hopes it helps someone else in the future.

          • 2. Re: Intel AMT vPro Provisioning problems - Cannot get machines to provision
            meltdowner Apprentice

            A little more information to anyone wanting to go through this.

             

            We finally got machines to provision after LANDesk created a secondary intermediate .pem file that we placed in the cert_1 folder.  I did not see this anywhere in the documentation for the record.  I also don't think it is in the documentation.  After that was done, we were able to provision machines.  Also, the GoDaddy core cert needed to be loaded into the Operating Systems "trusted root certificate authorities".   It is possible that my server did not have updated root certificates for godaddy causing a failure.  However, that seems strange considering the logs saying the certificate chain was good.

             

            Read the documentation thoroughly and I also suggest reading the intel documentation.

             

            1)  It is very important to create a DNS entry pointing "ProvisionServer" to your Core Server.

            2)  Option 15 must be enabled on your DHCP server.

            3)  The certificate must have a lot of very specific information to the intel vPro software.  Do not breeze through this.  One mistake and you'll be re-keying that cert and wasting hours of your day.

            4)  The supported systems on the client end must support KVM control in the BIOS and be version 6.2-9.x.  10 is not currently supported by LANDesk.

            5)  If your core server is virtualized, then the KVM control may not work directly from the core server.  This has to do with the network setup of the host machine.

            6)  Read all the documenation LANDesk is listing on this forum and go through it step by step.

            7)  Know that KVM control isn't perfect but is certainly nice when it works.

            8) KVM control is not supported under windows 8.1 or later at the time of writing this.  That means you need to be using Windows 7 or Server 2008 R2 to KVM into machines.  It does not meat the machine itself doesnt work, just the host controller machine.

            • 3. Re: Intel AMT vPro Provisioning problems - Cannot get machines to provision
              aschemmelmann Rookie

              It seems, that i have the same problem with my Comodo cert. how is the Filename of the second intermediate .pem?