
AMT Provisioning Issues for Out of Band Management

Updated: July 1, 2011

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

This topic provides troubleshooting information to help you resolve issues when out of band management in Configuration Manager 2007 SP1 and later fails to provision AMT-based computers.

Note
The information in this topic applies only to Configuration Manager 2007 SP1 and later.

If you need help with deploying the PKI certificates for out of band management, see the following:

For issues related to using the out of band management console after computers are successfully provisioned for AMT, see Out of Band Management Console Issues.

Note
For issues that are specific to AMT, such as behavioral differences between versions, how to install and configure the Intel translator, and how to configure AMT, refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).

For additional troubleshooting information, see The Out of Band Management Support Team blog (http://go.microsoft.com/fwlink/?LinkId=183661).

Out of band management has a number of prerequisites that must be met before Configuration Manager can successfully provision computers for AMT. Before investigating specific errors, ensure that all these prerequisites have been met.

Solution

To verify that you have met all the prerequisites, see Prerequisites for Out of Band Management.

When you provision AMT-based computers, some configuration of infrastructure servers, such as DNS and DHCP, is usually required. This configuration is required so that the AMT-based computers can be configured with their DNS domain suffix and register their host name in DNS. Out of band provisioning might also require an entry in DNS so that AMT-based computers can locate their provisioning server. If these actions fail, AMT provisioning will fail.

When infrastructure servers are not configured correctly, the following error in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log could occur:

  • For Configuration Manager 2007 SP1 only: Error: Device internal error. Check Schannel, provision certificate, network configuration, device.

  • For Configuration Manager 2007 SP2 and later: Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.

Solution

For in-band provisioning and out of band provisioning, make sure that you have an active DHCP scope with options for DNS servers (006) and Domain name (015). The DHCP server must also be configured to dynamically update DNS with the computer resource record.

In addition, for out of band provisioning only, you might have to register an alias in DNS for the out of band service point. For more information about whether you must register an alias in DNS, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
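The two checks above (DHCP options 006 and 015 delivered, DNS records registered and the ProvisionServer alias resolvable) can be confirmed from any Windows computer that sits in the same DHCP scope as the AMT-based computers, for example the host operating system of one of them. The following script is an added example and is not part of the original article or of Configuration Manager; it assumes PowerShell 2.0 or later, uses WMI and System.Net.Dns so that it runs on Windows Server 2003 and 2008, and treats the alias name ProvisionServer as the one the article describes.

```powershell
# Added example (not from the original article). Reports what DHCP option 006 (DNS servers)
# and option 015 (domain name) delivered to each DHCP-configured adapter, confirms that this
# computer's own A record is registered (dynamic DNS update), and checks that the
# ProvisionServer alias resolves in the delivered suffix.

function Get-DhcpDeliveredSettings {
    # One entry per IP-enabled adapter that obtained its configuration from DHCP.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True" |
        Where-Object { $_.DHCPEnabled } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                DhcpServer = $_.DHCPServer
                DnsServers = $_.DNSServerSearchOrder   # supplied by DHCP option 006
                DnsDomain  = $_.DNSDomain              # supplied by DHCP option 015
            }
        }
}

function Test-NameInSuffix {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$DnsSuffix
    )
    $fqdn = "$Name.$DnsSuffix"
    try {
        # GetHostEntry follows a CNAME, so HostName is the canonical name the alias points to.
        $entry = [System.Net.Dns]::GetHostEntry($fqdn)
        New-Object PSObject -Property @{
            Queried   = $fqdn
            Resolves  = $true
            Canonical = $entry.HostName
            Addresses = ($entry.AddressList | ForEach-Object { $_.IPAddressToString })
        }
    } catch [System.Net.Sockets.SocketException] {
        New-Object PSObject -Property @{ Queried = $fqdn; Resolves = $false; Canonical = $null; Addresses = @() }
    }
}

foreach ($a in Get-DhcpDeliveredSettings) {
    $problems = @()
    if (-not $a.DnsServers) { $problems += 'no DNS servers delivered (DHCP option 006 missing)' }
    if (-not $a.DnsDomain)  { $problems += 'no DNS domain suffix delivered (DHCP option 015 missing)' }

    if ($problems.Count -eq 0) {
        # Our own record: proves the DHCP server (or client) is dynamically updating DNS.
        $self = Test-NameInSuffix -Name $env:COMPUTERNAME -DnsSuffix $a.DnsDomain
        if (-not $self.Resolves) { $problems += "$($self.Queried) is not registered in DNS" }

        # The alias AMT-based computers use to find the out of band service point.
        $alias = Test-NameInSuffix -Name 'ProvisionServer' -DnsSuffix $a.DnsDomain
        if ($alias.Resolves) {
            Write-Host ("{0}: {1} -> {2} ({3})" -f $a.Adapter, $alias.Queried, $alias.Canonical, ($alias.Addresses -join ', '))
        } else {
            $problems += "$($alias.Queried) does not resolve (only required for out of band provisioning)"
        }
    }

    if ($problems.Count -gt 0) { Write-Warning ("{0}: {1}" -f $a.Adapter, ($problems -join '; ')) }
    else { Write-Host ("{0}: DHCP-delivered DNS settings look complete" -f $a.Adapter) }
}
```

The alias warning is only meaningful if you decided to register ProvisionServer in DNS; sites that use in-band provisioning alone can ignore it. The script confirms what the DHCP server handed out, not the scope definition itself, so a clean result on one computer does not cover scopes on other subnets.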

Installing hotfix 942841 is one of the prerequisites for out of band management when the out of band service point role is installed on Windows Server 2003 Service Pack 2.

The files installed with this hotfix might be overwritten by another software installation, which results in AMT provisioning failure.

If the correct files are missing, this could be one of the reasons for the following error in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:

  • For Configuration Manager 2007 SP1 only: Error: Device internal error. Check Schannel, provision certificate, network configuration, device.

  • For Configuration Manager 2007 SP2 and later: Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.

Solution

Check that the file version listed for the hotfix matches the file information on the out of band service point site system server. If it does not match or if you are in doubt about the files being overwritten, reinstall the hotfix.

For more information about this hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.
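Comparing the versions of the hotfix files on the out of band service point against the file information table in the hotfix article is easy to script. The following is an added example, not code from the original article or from the hotfix; the two file paths and versions in $expected are placeholders that you replace with the entries from the hotfix article, and the script assumes PowerShell 2.0 or later on the service point.

```powershell
# Added example (not from the original article). Checks that hotfix 942841 is still listed as
# installed and that each file it ships is at least the version the hotfix article lists.

function Test-HotfixFiles {
    param(
        [string]$HotfixId = 'KB942841',                               # hotfix named in the article
        [Parameter(Mandatory = $true)][hashtable]$ExpectedFiles       # file path -> expected version
    )
    $installed = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    if (-not $installed) { Write-Warning "$HotfixId is not listed as an installed update" }

    foreach ($path in $ExpectedFiles.Keys) {
        $expected = [Version]$ExpectedFiles[$path]
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ File = $path; Expected = $expected; Actual = $null; Status = 'MISSING' }
            continue
        }
        # Assemble the version from its numeric parts; the FileVersion string may carry extra text.
        $vi = (Get-Item $path).VersionInfo
        $actual = [Version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $status = if ($actual -lt $expected) { 'OLDER - reinstall the hotfix' }
                  elseif ($actual -eq $expected) { 'OK' }
                  else { 'NEWER - check whether a later update superseded the hotfix' }
        New-Object PSObject -Property @{ File = $path; Expected = $expected; Actual = $actual; Status = $status }
    }
}

# Placeholder entries: replace with the file names and versions from the hotfix article.
$expected = @{
    "$env:windir\System32\PLACEHOLDER_FILE1.dll" = '0.0.0.0'
    "$env:windir\System32\PLACEHOLDER_FILE2.dll" = '0.0.0.0'
}
Test-HotfixFiles -ExpectedFiles $expected | Format-Table File, Expected, Actual, Status -AutoSize
```

An OLDER result on any file is the overwritten-files condition the article describes; a MISSING result usually means the wrong path was entered rather than a removed file, so confirm the path before reinstalling.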

If you specify an Active Directory OU or container in the out of band management component properties that does not exist in the AMT-based computer’s domain, provisioning will fail with the following logged in the file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:

CActiveDirectoryUtils::CreateObject - failed to get container.

AD Task - CreateObject failed.

Immediately after the CreateObject failed message, you will see the FQDN of the AMT-based computer and the OU or container name that was tried during the provisioning attempt.

Failure to create the AMT-based computer object might occur in one of the following scenarios:

  • The originally specified OU or container has been renamed in Active Directory Domain Services.

  • The originally specified OU or container has been deleted in Active Directory Domain Services.

  • The out of band service point is attempting to provision AMT-based computers from different domains, and not all the domains have been configured with the specified OU or container.

Solution

If the value specified as the OU or container in the out of band management component does not match the OU or container in Active Directory Domain Services, correct this misconfiguration so that the values match.

For a procedure showing how to configure the OU or container in Active Directory Domain Services, see How to Prepare Active Directory Domain Services for Out of Band Management.

For a procedure showing how to configure the OU or container in the out of band management component properties, see How to Configure AMT Provisioning.

Out of band management does not support AMT provisioning of computers that have a disjointed namespace. An example of a disjointed namespace is when an AMT-based computer has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com instead of in an Active Directory domain named corp.fabrikam.com.

Solution

There is no workaround to this requirement other than to align the DNS namespace with the Active Directory namespace.

Configuration Manager clients must be approved before they can be provisioned in-band in a mixed mode Configuration Manager 2007 SP2 site. When in-band provisioning fails because a client is not approved, the following error is displayed in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:

Error: Cannot provision computer in-band because the Configuration Manager client is not approved.

Solution

Approve the client. For more information, see How to Approve Configuration Manager Clients. For more information about approval, see About Client Approval in Configuration Manager.

If you run the Configuration Manager console from a primary site and connect to a child primary site, the option to configure the AMT provisioning certificate for the child site is disabled.

Configuration Manager prevents you from configuring the AMT provisioning certificate for a child primary site from a parent primary site because this would result in overwriting the AMT provisioning certificate in the parent site.

Solution

Configure the AMT provisioning certificate directly from the child site.

Configuration Manager cannot natively provision AMT-based computers that have a version of AMT that is not supported by Configuration Manager. For information about supported versions, see Configuration Manager 2007 SP1 Supported Configurations and Configuration Manager 2007 SP2 Supported Configurations.

It might be possible to provision these computers if you install and configure the Intel WS-MAN translator and then configure Configuration Manager to enable support for the translator. These computers must then be provisioned using the out of band provisioning method.

Solution

For more information about the Intel translator, see http://go.microsoft.com/fwlink/?LinkId=108363.

You can confirm the AMT version information in a number of ways, including viewing the value in the AMT Version column in the Configuration Manager console and by running the report Status of out of band management provisioning.

To enable the option to support the Intel translator, use the following procedure.

To enable support for the Intel WS-MAN translator

  1. Navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.

  2. Right-click Out of band management component, and then click Properties.

  3. Click the AMT Settings tab, select Enable support for Intel WS-MAN translator, and then click OK.

The site server computer requires the Windows security permissions of Read and Enroll on the certificate template that you are using for the AMT Web server certificate. If these permissions are not set correctly, the following error is logged in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:

Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certificate is required.

The issuing certification authority will list the rejected certificate requests in the Failed Requests node in the Certification Authority console.

Note
If you are using the default Web Server certificate template without modification, the site server computer will be unable to use it for provisioning AMT-based computers.

Solution

Either configure the certificate template you are using so that the site server has Read and Enroll permissions or use another certificate template for this nondefault configuration.

If you need procedural steps for configuring the AMT certificate template correctly, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.

If the primary site server does not have the appropriate DCOM permissions to request certificates from the issuing CA, provisioning will fail. In this scenario, the log file Amtproxymgr.log will display multiple retries to provision the AMT-based computer, eventually failing with the following access denied error:

ERROR: ICertRequest2->Submit failed: 0x80070005

Solution

Ensure that the site server computer is a member of the security group CERTSRV_DCOM_ACCESS (Windows Server 2003) or Certificate Service DCOM Access (Windows Server 2008) in the domain where the issuing CA resides. For more information about these groups and how they are used with certification authorities, see the Windows Server Certificate Services documentation.

Configuration Manager cannot provision AMT-based computers unless the certificate thumbprint (also referred to as the certificate hash) of the root certification authority (CA) that issued the AMT provisioning certificate is configured in their BIOS extensions.

If the certificate thumbprint does not match during out of band provisioning, you will see the following error logged in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log on the site system server running the out of band service point role:

Error: Hash list of AMT device <UUID> doesn’t contain our provision server certificate hash.

If the certificate thumbprint does not match during in-band provisioning, the following error is logged in the file Oobmgmt.log, which is located in the folder %Windir%\System32\CCM\Logs on 32-bit workstation computers and in the folder %Windir%\SysWOW64\CCM\Logs on 64-bit workstation computers that are running the Configuration Manager 2007 SP1 (or later) client:

None certificate is valid between device and server certificate hash.

For more information about this requirement, see the section "The AMT Provisioning Certificate" in About Certificates for Out of Band Management.

Solution

Ensure that the certificate thumbprint of the root CA that issued the AMT provisioning certificate is specified correctly in the BIOS extensions of the AMT-based computers.

If you are using your own internal CA to issue the AMT provisioning certificate and you want to confirm the certificate thumbprint, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.

Refer to your manufacturer instructions if you need procedural information for locating or entering the certificate thumbprint in the BIOS extensions.

When the Configuration Manager 2007 SP1 (or later) client is installed, you can use in-band provisioning to automatically provision these computers for AMT. Computers will fail to provision if either of the following configurations apply:

  • The computers are not in a collection that is configured for automatic AMT provisioning.

  • The computers are in a collection that is configured for automatic AMT provisioning, but they are configured with the option to disable automatic AMT provisioning. This can occur if you have removed provisioning information from the AMT-based computer or if you imported the computer from another AMT management solution by using an export tool.

You can check whether an AMT-based computer is eligible for automatic in-band provisioning by using the Configuration Manager column Automatic AMT Provisioning, which will display either Enabled or Disabled.

Solution

Use the following procedure to configure a collection for automatic in-band provisioning and to change the disabled status for an individual computer so that it is enabled for automatic in-band provisioning.

To configure a collection for automatic in-band AMT provisioning

  1. Right-click a collection that contains computers to be provisioned in-band, click Modify Collection Settings, and then click the Out of Band tab.

  2. Select Enable automatic out of band management controller provisioning, and then click OK.

To change the disabled status for an individual computer so that it is enabled for automatic in-band provisioning

  • Right-click the computer in a collection, click Out of band management, and then click Enable automatic provisioning.

If out of band provisioning is used and the AMT-based computer has already been discovered by Configuration Manager before the provisioning process starts, provisioning fails with Configuration Manager 2007 SP1 and later. In this scenario, after running the Import Computer for Out of Band Management Wizard, the site code is incorrectly missing from the client record, which causes provisioning to fail.

Solution

This issue is addressed with Configuration Manager 2007 SP2. If you cannot upgrade to Configuration Manager 2007 SP2, a workaround to complete out of band provisioning in this scenario is to delete the client record in the Configuration Manager console before running the Import Computer for Out of Band Management Wizard. Alternatively, use in-band provisioning.

If you are automatically registering an alias of ProvisionServer in DNS so that AMT-based computers can provision for AMT out of band, you must enable the option Register ProvisionServer as an alias in DNS after the out of band service point is installed. Otherwise, the site server will not register the alias. As a result, computers that attempt to provision out of band will be unable to find their provisioning server.

If out of band provisioning fails because the site server could not register the alias of ProvisionServer in DNS, it could generate the following error in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log, after the instruction Send request to AMT proxy component to add the alias ProvisionServer.<domain_suffix> in the DNS. The machine’s FQDN is <out_of_band_service_point_FQDN>.<domain_suffix>:

Unable to create instruction file for AMT Proxy task: <ConfigMgrInstallationPath>\MP\OUTBOXES\Amtproxy.box

Solution

Ensure that the out of band service point is installed. Disable the option Register ProvisionServer as an alias in DNS, and then re-enable it.

For more information about registering an alias of ProvisionServer, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS and How to Register an Alias in DNS for the Out of Band Service Point.

For more information about installing the out of band service point, see How to Install the Out of Band Service Point.

Configuration Manager cannot automatically manage AMT-based computers that have been provisioned by another AMT management solution.

Solution

Decide on a migration strategy to provision these computers with Configuration Manager. You have the following choices:

  • Use in-band provisioning with Configuration Manager.

  • Use out of band provisioning with Configuration Manager, with an export utility.

  • Use out of band provisioning with Configuration Manager, without using an export utility.

For more information, see Decide How to Migrate from an AMT-Based Management Solution to Out of Band Management in Configuration Manager.

If the primary site server does not have the Issue and Manage Certificates permission on the issuing certification authority, certificate revocation will fail for certificates that have been issued to AMT-based computers. An entry will be added to the Failed Requests node of the certification authority.

To identify this condition, on the site server computer, look for either of the following entries in the log file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:

Error: CCAUtils::RevokeCertificate revoke certificate <certificate_ID> failed with 0x80070005 SMS_AMT_PROXY_COMPONENT <date> <time> 2632 (0x0A48)

Error: CCAUtils::RevokeExistedCertificate revoke certificate <certificate_ID> failed. SMS_AMT_PROXY_COMPONENT <date> <time> 2632 (0x0A48)

Solution

On the issuing certification authority, grant the primary site server the permission Issue and Manage Certificates.

For more information about certificate revocation in out of band management, see About Certificates for Out of Band Management.

AMT-based computers cannot support a root certification authority certificate that has a key length of greater than 2048 bits. In this scenario, provisioning will fail with the following errors in the log file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:

Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.

**** Error 0x193b95c returned by ApplyControlToken

Fail to connect and get core version of machine <IP address of computer to provision>

Solution

Use a certification authority that has a root certificate with a key length of 2048 bits or less.

For more information, see Prerequisites for Out of Band Management and Certificate Requirements for Out of Band Management.
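Two of the certificate requirements above, the root CA thumbprint that must be entered in the BIOS extensions and the root key length that must not exceed 2048 bits, can both be read off the chain of the AMT provisioning certificate on the site server. The script below is an added example and not code from the original article or from Configuration Manager; it assumes the provisioning certificate is in the computer's Personal store on the site server and that you substitute its thumbprint for the placeholder.

```powershell
# Added example (not from the original article). Walks the chain of the AMT provisioning
# certificate to its root and reports the root thumbprint (the value the BIOS extensions need)
# and the root public key length (AMT cannot use a root key longer than 2048 bits).

function Get-AmtProvisioningChainInfo {
    param([Parameter(Mandatory = $true)][string]$ProvisioningCertThumbprint)

    $wanted = ($ProvisioningCertThumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in Cert:\LocalMachine\My" }

    # Build the chain the way Windows does, so we reach the real root rather than only the issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainValid = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $keyBits = $root.PublicKey.Key.KeySize

    New-Object PSObject -Property @{
        ProvisioningSubject  = $cert.Subject
        ChainBuiltToRoot     = $chainValid
        RootSubject          = $root.Subject
        RootThumbprintSha1   = $root.Thumbprint                                # 40 hex digits, no separators
        RootThumbprintSpaced = ($root.Thumbprint -replace '(..)(?!$)', '$1 ')   # byte-pair form many BIOS screens show
        RootKeyBits          = $keyBits
        RootKeyLengthOk      = ($keyBits -le 2048)
    }
}

$ProvisioningCertThumbprint = 'REPLACE_WITH_THUMBPRINT'   # placeholder, fill in before use
if ($ProvisioningCertThumbprint -eq 'REPLACE_WITH_THUMBPRINT') {
    # Placeholder not yet replaced: list the Personal store so the provisioning certificate can be picked.
    Get-ChildItem Cert:\LocalMachine\My | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    Get-AmtProvisioningChainInfo -ProvisioningCertThumbprint $ProvisioningCertThumbprint | Format-List
}
```

Compare RootThumbprintSha1 (or the spaced form) with the hash entered in the BIOS extensions of a computer that logs the "Hash list ... doesn't contain our provision server certificate hash" error; a ChainBuiltToRoot value of False means the site server itself does not trust the chain, which is a separate problem to fix first.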

If the computer running the out of band service point uses a version of Windows Remote Management (WinRM) that checks the certificate revocation list (CRL) for the AMT-based computer certificate, and that CRL cannot be accessed (for example, because it is offline), then updating the AMT management controller and removing provisioning information from the AMT management controller both fail. In these scenarios, the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log displays the following for the associated AMT-based computer:

Description: A security error occurred and Error code: 0x80072F8F

Note
Computers running Windows Server 2008 R2 natively install a version of WinRM that supports CRL checking.

All other out of band management actions are also impacted when CRL checking fails, such as power actions, enabling or disabling auditing, and connecting to the AMT-based computer by using the out of band management console. For more information about CRL checking in out of band management, see “CRL Checking and Certificate Revocation for Out of Band Management Certificates” in About Certificates for Out of Band Management.

Solution

Configuration Manager cannot disable CRL checking for this scenario. Ensure that the CRL is accessible and that the AMT-based computer has a valid certificate. As an alternative to removing provisioning information by using Configuration Manager, you can remove it by configuring the BIOS extensions in the AMT-based computer.

If you want to remove provisioning information because the AMT-based computer is no longer trusted and the CRL remains inaccessible, you must take one of the following additional actions to help protect your network:

  • If the AMT-based computer is running the Configuration Manager 2007 SP2 client, block the client. This results in the site server revoking all out of band management certificates that are issued to that computer and deletes the corresponding AMT account in Active Directory Domain Services. For more information about blocking clients on AMT-based computers, see About Blocking Clients and Out of Band Management.

  • If the AMT-based computer is not running the Configuration Manager 2007 SP2 client, manually revoke all out of band management certificates that are issued to that computer and manually delete the corresponding AMT account in Active Directory Domain Services.

    Note
    To identify the AMT certificate, on the issuing CA, locate the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject. To identify the AMT account, in the computer’s domain, locate the organizational unit (OU) or container specified in the Out of Band Management component properties General tab. The account will have the following format: <computername>$iME.
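The manual cleanup in the note means locating two objects: the AMT account in the configured OU or container, and the certificates the issuing CA holds for that computer. The script below is an added example and not code from the original article or from Configuration Manager; it assumes the account can be matched on cn or sAMAccountName (the article gives only the name format), that the CA database row for the AMT certificate carries the computer FQDN as its CommonName (the article says the FQDN is in the Subject), and that the computer name, container DN and CA configuration string in the usage lines are placeholders for your environment.

```powershell
# Added example (not from the original article). Finds the AMT account <computername>$iME in
# the OU or container configured for out of band management, and lists the certificates the
# issuing CA still holds for the computer so they can be revoked manually.

function Find-AmtAccount {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$ContainerDN   # OU/container from the component properties General tab
    )
    $accountName = "$ComputerName`$iME"   # name format from the article; backtick keeps the literal $
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ContainerDN")
    # Assumption: the account is found by cn or sAMAccountName; the article states only the name format.
    $searcher.Filter = "(|(cn=$accountName)(sAMAccountName=$accountName))"
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

function Find-AmtCertificates {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerFqdn,
        [Parameter(Mandatory = $true)][string]$CaConfig   # "CAHostName\CA Common Name"
    )
    # Assumption: CommonName in the CA database holds the computer FQDN. Disposition 20 = issued
    # (not yet revoked), so only certificates that still need revoking are listed.
    & certutil -config $CaConfig -view -restrict "CommonName=$ComputerFqdn,Disposition=20" `
        -out "RequestID,RequesterName,CommonName,SerialNumber,NotAfter"
}

# Usage with placeholder values (constructed names; replace with your own):
# Find-AmtAccount -ComputerName 'COMPUTER1' -ContainerDN 'OU=AMT,DC=corp,DC=fabrikam,DC=com'
# Find-AmtCertificates -ComputerFqdn 'computer1.corp.fabrikam.com' -CaConfig 'CA01\Corp Issuing CA'
```

The certutil query only lists rows; revocation is still a deliberate separate step on the CA for each serial number returned, after which the AMT account returned by Find-AmtAccount can be deleted. Confirm the RequesterName column shows the site server, since that distinguishes AMT certificates from any other certificate that happens to carry the same FQDN.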

While AMT-based computers can be managed out of band on a wireless network by Configuration Manager 2007 SP2, Configuration Manager does not support provisioning or updating the AMT management controller over a wireless connection. In this scenario, the IP address of the wireless connection might be incorrectly tried as a result of name resolution, and the connection will fail. If this operation fails on a wireless network, the following errors are displayed in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:

Error: Can not finish WSMAN call with target device. 1. Check if there is a winhttp proxy to block connection. 2. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. 3. For greater than 3.x AMT, there is a known issue in AMT firmware that WSMAN will fail with FQDN longer than 44 bytes.

Solution

Repeat the provisioning or update attempt when the AMT-based computer is on a wired connection.
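Because each failure described in this topic is identified by a fixed string in Amtopmgr.log, Amtproxymgr.log or Oobmgmt.log, a first pass over the logs can be scripted. The following triage script is an added example and not code from the original article or from Configuration Manager; its signature table is taken from the errors quoted in this topic, the sample log lines are constructed (including the UUID), and the installation path is a placeholder.

```powershell
# Added example (not from the original article). Scans out of band management log lines for the
# error strings this topic associates with each provisioning failure and labels the likely cause.

# Literal substrings as quoted in the topic -> the condition the topic attributes them to.
$Signatures = @(
    @{ Text = 'Device internal error';                                  Cause = 'DHCP options 006/015 or DNS misconfigured, hotfix 942841 files overwritten, or AMT firmware not ready' }
    @{ Text = 'CActiveDirectoryUtils::CreateObject - failed to get container'; Cause = 'Configured OU or container does not exist in the computer domain' }
    @{ Text = 'because the Configuration Manager client is not approved'; Cause = 'Client not approved (mixed mode site)' }
    @{ Text = 'Missed device certificate';                               Cause = 'Site server lacks Read and Enroll on the AMT Web server certificate template' }
    @{ Text = 'ICertRequest2->Submit failed: 0x80070005';                Cause = 'Site server not in the CA DCOM access group' }
    @{ Text = 'contain our provision server certificate hash';           Cause = 'Root CA thumbprint missing or wrong in the BIOS extensions (out of band)' }
    @{ Text = 'None certificate is valid between device and server';     Cause = 'Root CA thumbprint missing or wrong in the BIOS extensions (in-band, Oobmgmt.log)' }
    @{ Text = 'Unable to create instruction file for AMT Proxy task';     Cause = 'ProvisionServer alias enabled before the out of band service point was installed' }
    @{ Text = 'revoke certificate';                                      Cause = 'Site server lacks Issue and Manage Certificates on the CA' }
    @{ Text = 'returned by InitializeSecurityContext';                   Cause = 'Root CA key length greater than 2048 bits' }
    @{ Text = '0x80072F8F';                                              Cause = 'CRL for the AMT certificate not reachable' }
    @{ Text = 'Can not finish WSMAN call with target device';            Cause = 'Attempt over wireless, winhttp proxy, or FQDN longer than 44 bytes' }
)

function Find-AmtProvisioningErrors {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [string]$Source = '<inline sample>'
    )
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($sig in $Signatures) {
            # Plain substring match; ConfigMgr wraps each entry in <![LOG[...]LOG]!> markup, which
            # does not affect the match.
            if ($Lines[$i].IndexOf($sig.Text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                New-Object PSObject -Property @{
                    Source = $Source; Line = $i + 1; Cause = $sig.Cause; Text = $Lines[$i].Trim()
                }
            }
        }
    }
}

# Constructed sample lines (not real log output) in the wording the topic quotes.
$sample = @'
Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain.
Error: Hash list of AMT device 4C4C4544-0000-1111-2222-333344445555 doesn't contain our provision server certificate hash.
Description: A security error occurred and Error code: 0x80072F8F
'@ -split "`r?`n"

Find-AmtProvisioningErrors -Lines $sample | Format-Table Line, Cause, Text -AutoSize

# Against the real files on the out of band service point (placeholder installation path).
$ConfigMgrInstallationPath = 'C:\PLACEHOLDER_CONFIGMGR_PATH'
foreach ($log in 'Amtopmgr.log', 'Amtproxymgr.log') {
    $path = Join-Path $ConfigMgrInstallationPath "Logs\$log"
    if (Test-Path $path) {
        Find-AmtProvisioningErrors -Lines (Get-Content $path) -Source $log | Format-Table Source, Line, Cause -AutoSize
    }
}
```

A hit only points at the section of this topic to read next; the same string (for example "Device internal error") covers several distinct causes, so the prerequisites and infrastructure checks earlier in the topic still have to be worked through in order.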

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
© 2014 Microsoft