This topic provides troubleshooting information to help you resolve issues when out of band management in Configuration Manager 2007 SP1 and later fails to provision AMT-based computers.
Note: The information in this topic applies only to Configuration Manager 2007 SP1 and later.
If you need help with deploying the PKI certificates for out of band management, see the following:
- Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2008 Certification Authority
- Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority
For issues related to using the out of band management console after computers are successfully provisioned for AMT, see Out of Band Management Console Issues.
Note: For issues that are specific to AMT, such as behavioral differences between versions, how to install and configure the Intel translator, and how to configure AMT, refer to the Intel vPro Expert Center: Microsoft vPro Manageability Web site (http://go.microsoft.com/fwlink/?LinkId=132001).
For additional troubleshooting information, see The Out of Band Management Support Team blog (http://go.microsoft.com/fwlink/?LinkId=183661).
Configuration Manager Fails to Provision Computers for AMT Because One or More Prerequisites Are Missing
Out of band management has a number of prerequisites that must be met before Configuration Manager can successfully provision computers for AMT. Before investigating specific errors, ensure that all these prerequisites have been met.
Solution
To verify that you have met all the prerequisites, see Prerequisites for Out of Band Management.
Configuration Manager Fails to Provision Computers for AMT Because Files Installed with Hotfix 942841 Are Overwritten
Installing hotfix 942841 is one of the prerequisites for out of band management when the out of band service point role is installed on Windows Server 2003 Service Pack 2.
The files installed with this hotfix might be overwritten by another software installation, which results in AMT provisioning failure.
If the correct files are missing, this could be one of the reasons for the following error in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
- For Configuration Manager 2007 SP1 only:
Error: Device internal error. Check Schannel, provision certificate, network configuration, device.
- For Configuration Manager 2007 SP2 and later:
Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.
Solution
Check that the file version listed for the hotfix matches the file information on the out of band service point site system server. If it does not match or if you are in doubt about the files being overwritten, reinstall the hotfix.
For more information about this hotfix, see http://go.microsoft.com/fwlink/?LinkId=106107.
Configuration Manager Fails to Provision Computers Because Infrastructure Servers (DNS and DHCP) Are Configured Incorrectly
When you are provisioning AMT-based computers, some configuration of infrastructure servers, such as DNS and DHCP, is usually required. This configuration is required so that the AMT-based computers can be configured with their DNS domain suffix and register their host name in DNS. Out of band provisioning might also require an entry in DNS so that AMT-based computers can locate their provisioning server. If these required procedures fail, AMT provisioning will fail.
If infrastructure servers are not configured correctly, the following error in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log could occur:
- For Configuration Manager 2007 SP1 only:
Error: Device internal error. Check Schannel, provision certificate, network configuration, device.
- For Configuration Manager 2007 SP2 and later:
Error: Device internal error. This may be caused by: 1. Schannel hotfix applied that can send our root certificate in provisioning certificate chain. 2. incorrect network configuration(DHCP option 6 and 15 required for AMT firmware). 3. AMT firmware self signed certificate issue(date zero). 4. AMT firmware is not ready for PKI provisioning. Check network interface is opening and AMT is in PKI mode. 5. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection.
Solution
Unless you are using a customized firmware image for your AMT-based computers, you might need to register an alias in DNS for the out of band service point and configure an active DHCP scope with options for DNS servers (006) and Domain name (015). The DHCP server must also dynamically update DNS with the computer resource record.
For more information about whether you need to register an alias in DNS, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS.
For more information about using a customized firmware image, see Decide Whether You Need a Customized Firmware Image From Your Computer Manufacturer.
Configuration Manager Fails to Provision Computers Because the Active Directory OU or Container Does Not Exist
If you specify an Active Directory OU or container in the out of band management component properties that does not exist in the AMT-based computer’s domain, provisioning will fail with the following logged in the file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:
CActiveDirectoryUtils::CreateObject - failed to get container.
AD Task - CreateObject failed.
Immediately after the CreateObject failed message, you will see the FQDN of the AMT-based computer and the OU or container name that was tried during the provisioning attempt.
Failure to create the AMT-based computer object might occur in one of the following scenarios:
- The originally specified OU or container has been renamed in Active Directory Domain Services.
- The originally specified OU or container has been deleted in Active Directory Domain Services.
- The out of band service point is attempting to provision AMT-based computers from different domains, and not all the domains have been configured with the specified OU or container.
Solution
If the value specified as the OU or container in the out of band management component does not match the OU or container in Active Directory Domain Services, correct this misconfiguration so that the values match.
For a procedure showing how to configure the OU or container in Active Directory Domain Services, see How to Prepare Active Directory Domain Services for Out of Band Management.
For a procedure showing how to configure the OU or container in the out of band management component properties, see How to Configure AMT Provisioning.
Configuration Manager Fails to Provision Computers with a Disjointed Namespace
Out of band management does not support AMT provisioning of computers that have a disjointed namespace. An example of a disjointed namespace is when an AMT-based computer has a DNS name of computer1.corp.fabrikam.com and resides in an Active Directory domain named na.corp.fabrikam.com instead of in an Active Directory domain named corp.fabrikam.com.
Solution
There is no workaround to this requirement other than to align the DNS namespace with the Active Directory namespace.
In-Band Provisioning Fails When Computers Are Not Approved with Configuration Manager 2007 SP2
Configuration Manager clients must be approved before they can be provisioned in-band in a mixed mode Configuration Manager 2007 SP2 site. When in-band provisioning fails because a client is not approved, the following error is displayed in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
Error: Cannot provision computer in-band because the Configuration Manager client is not approved.
Solution
Approve the client. For more information, see How to Approve Configuration Manager Clients. For more information about approval, see About Client Approval in Configuration Manager.
Cannot Configure the AMT Provisioning Certificate Because the Option Is Disabled in the Out of Band Management Component Configuration Properties: General Tab
If you run the Configuration Manager console from a primary site and connect to a child primary site, the option to configure the AMT provisioning certificate for the child site is disabled.
Configuration Manager prevents you from configuring the AMT provisioning certificate for a child primary site from a parent primary site because this would result in overwriting the AMT provisioning certificate in the parent site.
Solution
Configure the AMT provisioning certificate directly from the child site.
Configuration Manager Fails to Provision Computers Because They Are Not Running a Version of AMT That Is Natively Supported by Configuration Manager
Configuration Manager cannot natively provision AMT-based computers that have a version of AMT that is not supported by Configuration Manager. For information about supported versions, see Configuration Manager 2007 SP1 Supported Configurations and Configuration Manager 2007 SP2 Supported Configurations.
It might be possible to provision these computers if you install and configure the Intel WS-MAN translator and then configure Configuration Manager to enable support for the translator. These computers must then be provisioned using the out of band provisioning method.
Solution
For more information about the Intel translator, see http://go.microsoft.com/fwlink/?LinkId=108363.
You can confirm the AMT version information in a number of ways, including viewing the value in the AMT Version column in the Configuration Manager console and by running the report Status of out of band management provisioning.
To enable the option to support the Intel translator, use the following procedure.
To enable support for the Intel WS-MAN translator
- Navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.
- Right-click Out of band management component, and then click Properties.
- Click the AMT Settings tab, select Enable support for Intel WS-MAN translator, and then click OK.
Configuration Manager Fails to Provision Computers Because Permissions Are Not Configured Correctly for the AMT Certificate Template
The site server computer requires the Windows security permissions of Read and Enroll on the certificate template that you are using for the AMT Web server certificate. If these permissions are not set correctly, the following error is logged in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
Error: Missed device certificate. To provision device with TLS server or Mutual authentication mode, device certificate is required.
The issuing certification authority will list the rejected certificate requests in the Failed Requests node in the Certification Authority console.
Note: If you are using the default Web Server certificate template without modification, the site server computer will be unable to use it for provisioning AMT-based computers.
Solution
Either configure the certificate template you are using so that the site server has Read and Enroll permissions or use another certificate template for this nondefault configuration.
If you need procedural steps for configuring the AMT certificate template correctly, see Step-by-Step Example Deployment of the PKI Certificates Required for AMT and Out of Band Management: Windows Server 2003 Certification Authority.
Configuration Manager Fails to Provision Computers in a Child Domain Because of Missing DCOM Access Permissions
If the primary site server does not have the appropriate DCOM permissions to request certificates from the issuing CA, provisioning will fail. In this scenario, the log file Amtproxymgr.log will display multiple retries to provision the AMT-based computer, eventually failing with the following access denied error:
ERROR: ICertRequest2->Submit failed: 0x80070005
Solution
Ensure that the site server computer is a member of the security group CERTSRV_DCOM_ACCESS (Windows Server 2003) or Certificate Service DCOM Access (Windows Server 2008) in the domain where the issuing CA resides. For more information about these groups and how they are used with certification authorities, see the Windows Server Certificate Services documentation.
Configuration Manager Fails to Provision Computers Because the AMT-Based Computers Do Not Have the Correct Certificate Thumbprint
Configuration Manager cannot provision AMT-based computers unless they have configured in their BIOS extensions the certificate thumbprint (also referred to as the certificate hash) of the root certification authority (CA) that issued the AMT provisioning certificate.
If the certificate thumbprint does not match during out of band provisioning, you will see the following error logged in the file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log on the site system server running the out of band service point role:
Error: Hash list of AMT device <UUID> doesn’t contain our provision server certificate hash.
If the certificate thumbprint does not match during in-band provisioning, the following error is logged in the file Oobmgmt.log, which is located in the folder %Windir%\System32\CCM\Logs on 32-bit workstation computers and in the folder %Windir%\SysWOW64\CCM\Logs on 64-bit workstation computers that are running the Configuration Manager 2007 SP1 (or later) client:
None certificate is valid between device and server certificate hash.
For more information about this requirement, see the section "The AMT Provisioning Certificate" in About Certificates for Out of Band Management.
Solution
Ensure that the certificate thumbprint of the root CA that issued the AMT provisioning certificate is specified correctly in the BIOS extensions of the AMT-based computers.
If you are using your own internal CA to issue the AMT provisioning certificate and you want to confirm the certificate thumbprint, see How to Locate the Certificate Thumbprint of Your Internal Root Certificate for AMT Provisioning.
Refer to your manufacturer instructions if you need procedural information for locating or entering the certificate thumbprint in the BIOS extensions.
Computers Fail to Provision In-Band Because They Are Not Configured for Automatic AMT Provisioning
When the Configuration Manager 2007 SP1 (or later) client is installed, you can use in-band provisioning to automatically provision these computers for AMT. Computers will fail to provision if either of the following configurations apply:
- The computers are not in a collection that is configured for automatic AMT provisioning.
- The computers are in a collection that is configured for automatic AMT provisioning, but they are configured with the option to disable automatic AMT provisioning. This can occur if you have removed provisioning information from the AMT-based computer or if you imported the computer from another AMT management solution by using an export tool.
You can check whether an AMT-based computer is eligible for automatic in-band provisioning by using the Configuration Manager column Automatic AMT Provisioning, which will display either Enabled or Disabled.
Solution
Use the following procedure to configure a collection for automatic in-band provisioning and to change the disabled status for an individual computer so that it is enabled for automatic in-band provisioning.
To configure a collection for automatic in-band AMT provisioning
- Right-click a collection that contains computers to be provisioned in-band, click Modify Collection Settings, and then click the Out of Band tab.
- Select Enable automatic out of band management controller provisioning, and then click OK.
To change the disabled status for an individual computer so that it is enabled for automatic in-band provisioning
- Right-click the computer in a collection, click Out of band management, and then click Enable automatic provisioning.
Computers Fail to Provision Out of Band Because the Computer Has Been Discovered by Configuration Manager
If out of band provisioning is used and the AMT-based computer has already been discovered by Configuration Manager before the provisioning process starts, provisioning fails with Configuration Manager 2007 SP1 and later. In this scenario, after running the Import Computer for Out of Band Management Wizard, the site code is incorrectly missing from the client record, which causes provisioning to fail.
Solution
This issue is addressed with Configuration Manager 2007 SP2. If you cannot upgrade to Configuration Manager 2007 SP2, a workaround to complete out of band provisioning in this scenario is to delete the client record in the Configuration Manager console before running the Import Computer for Out of Band Management Wizard. Alternatively, use in-band provisioning.
Computers Fail to Provision Out of Band Because the Alias for the Out of Band Service Point Did Not Register in DNS
If you are automatically registering an alias of ProvisionServer in DNS so that AMT-based computers can provision for AMT out of band, you must enable the option Register ProvisionServer as an alias in DNS after the out of band service point is installed. Otherwise, the site server will not register the alias. As a result, computers that attempt to provision out of band will be unable to find their provisioning server.
If out of band provisioning fails because the site server could not register the alias of ProvisionServer in DNS, it could generate the following error in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log, after the instruction Send request to AMT proxy component to add the alias ProvisionServer.<domain_suffix> in the DNS. The machine’s FQDN is <out_of_band_service_point_FQDN>.<domain_suffix>:
Unable to create instruction file for AMT Proxy task: <ConfigMgrInstallationPath>\MP\OUTBOXES\Amtproxy.box
Solution
Ensure that the out of band service point is installed. Disable the option Register ProvisionServer as an alias in DNS, and then re-enable it.
For more information about registering an alias of ProvisionServer, see Decide Whether You Should Register an Alias for the Out of Band Service Point in DNS and How to Register an Alias in DNS for the Out of Band Service Point.
For more information about installing the out of band service point, see How to Install the Out of Band Service Point.
Configuration Manager Fails to Provision Computers for AMT Because They Are Provisioned for Another AMT Management Solution
Configuration Manager cannot automatically manage AMT-based computers that have been provisioned by another AMT management solution.
Solution
Decide on a migration strategy to provision these computers with Configuration Manager. You have the following choices:
- Use in-band provisioning with Configuration Manager.
- Use out of band provisioning with Configuration Manager, with an export utility.
- Use out of band provisioning with Configuration Manager, without using an export utility.
For more information, see Decide How to Migrate from an AMT-Based Management Solution to Out of Band Management in Configuration Manager.
The Site Server Cannot Revoke Certificates for AMT-Based Computers
If the primary site server does not have the Issue and Manage Certificates permission on the issuing certification authority, certificate revocation will fail for certificates that have been issued to AMT-based computers. An entry will be added to the Failed Requests node of the certification authority.
To identify this condition, on the site server computer, look for either of the following entries in the log file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:
Error: CCAUtils::RevokeCertificate revoke certificate <certificate_ID> failed with 0x80070005 SMS_AMT_PROXY_COMPONENT <date> <time> 2632 (0x0A48)
Error: CCAUtils::RevokeExistedCertificate revoke certificate <certificate_ID> failed. SMS_AMT_PROXY_COMPONENT <date> <time> 2632 (0x0A48)
Solution
On the issuing certification authority, grant the primary site server the permission Issue and Manage Certificates.
For more information about certificate revocation in out of band management, see About Certificates for Out of Band Management.
Configuration Manager Fails to Provision Computers for AMT Because the Root Certification Authority Certificate Has a Key Length of Greater Than 2048 Bits
AMT-based computers cannot support a root certification authority certificate that has a key length of greater than 2048 bits. In this scenario, provisioning will fail with the following errors in the log file <ConfigMgrInstallationPath>\Logs\Amtproxymgr.log:
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.
**** Error 0x193b95c returned by ApplyControlToken
Fail to connect and get core version of machine <IP address of computer to provision>
Solution
Use a certification authority that has a root certificate with a key length of 2048 bits or less.
For more information, see Prerequisites for Out of Band Management and Certificate Requirements for Out of Band Management.
AMT Management Controllers Fail to Update or Remove Provisioning Information Because CRL Checking Failed
If the computer running the out of band service point is using a version of Windows Remote Management (WinRM) that supports checking the certificate revocation list (CRL) for the AMT-based computer certificate and the CRL cannot be accessed (for example, it is offline), updating the AMT management controller and removing provisioning information from the AMT management controller fails. In these scenarios, the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log displays the following for the associated AMT-based computer:
Description: A security error occurred and Error code: 0x80072F8F
Note: Computers running Windows Server 2008 R2 natively install a version of WinRM that supports CRL checking.
All other out of band management actions are also impacted when CRL checking fails, such as power actions, enabling or disabling auditing, and connecting to the AMT-based computer by using the out of band management console. For more information about CRL checking in out of band management, see “CRL Checking and Certificate Revocation for Out of Band Management Certificates” in About Certificates for Out of Band Management.
Solution
Configuration Manager cannot disable CRL checking for this scenario. Ensure that the CRL is accessible and that the AMT-based computer has a valid certificate. As an alternative to removing provisioning information by using Configuration Manager, you can also achieve this by configuring the BIOS extensions in the AMT-based computer.
If you want to remove provisioning information because the AMT-based computer is no longer trusted and the CRL remains inaccessible, you must take one of the following additional actions to help protect your network:
- If the AMT-based computer is running the Configuration Manager 2007 SP2 client, block the client. This results in the site server revoking all out of band management certificates that are issued to that computer and deletes the corresponding AMT account in Active Directory Domain Services. For more information about blocking clients on AMT-based computers, see About Blocking Clients and Out of Band Management.
- If the AMT-based computer is not running the Configuration Manager 2007 SP2 client, manually revoke all out of band management certificates that are issued to that computer and manually delete the corresponding AMT account in Active Directory Domain Services.
Note: To identify the AMT certificate, on the issuing CA, locate the certificate that was issued to the site server with the FQDN of the AMT-based computer in the certificate Subject. To identify the AMT account, in the computer’s domain, locate the organizational unit (OU) or container specified in the Out of Band Management component properties General tab. The account will have the following format: <computername>$iME.
Configuration Manager 2007 SP2 Fails to Provision or Update Wireless AMT-Based Computers
While AMT-based computers can be managed out of band on a wireless network by Configuration Manager 2007 SP2, Configuration Manager does not support provisioning or updating the AMT management controller over a wireless connection. In this scenario, the IP address of the wireless connection might be incorrectly tried as a result of name resolution, and the connection will fail. If this operation fails on a wireless network, the following errors are displayed in the log file <ConfigMgrInstallationPath>\Logs\Amtopmgr.log:
Error: Can not finish WSMAN call with target device. 1. Check if there is a winhttp proxy to block connection. 2. Service point is trying to establish connection with wireless IP address of AMT firmware but wireless management has NOT enabled yet. AMT firmware doesn't support provision through wireless connection. 3. For greater than 3.x AMT, there is a known issue in AMT firmware that WSMAN will fail with FQDN longer than 44 bytes.
Solution
Repeat the provisioning or update attempt when the AMT-based computer is on a wired connection.
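The log messages quoted throughout this topic can be matched mechanically when triaging a failed provisioning run. The following Python script is an added example, not Microsoft code or a Configuration Manager tool: it accepts lines in the layout the topic quotes them (message, optionally followed by component, date, time and thread id), maps each to the cause documented above, and decodes any HRESULT into its facility and code. The sample log lines, the UUID and the timestamps are constructed for illustration.

```python
"""Triage helper for the Amtopmgr.log, Amtproxymgr.log and Oobmgmt.log messages quoted
in this topic (added example, not Microsoft code). Lines are accepted in the form the
topic quotes them: message, optionally followed by component, date, time and thread id."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Optional trailer as the topic shows it: "SMS_AMT_PROXY_COMPONENT <date> <time> 2632 (0x0A48)"
TRAILER = re.compile(
    r"^(?P<msg>.*?)(?:\s+(?P<component>SMS_[A-Z_]+)\s+(?P<date>\S+)\s+"
    r"(?P<time>\S+(?: [AP]M)?)\s+(?P<thread>\d+) \(0x[0-9A-Fa-f]+\))?\s*$")
HRESULT = re.compile(r"\b0x[0-9A-Fa-f]{8}\b")
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 12175: "ERROR_WINHTTP_SECURE_FAILURE"}

# (message pattern, log file the topic documents it in, documented cause or remedy)
RULES = [
    (r"Hash list of AMT device (?P<uuid>\S+) doesn.?t contain our provision server certificate hash",
     "Amtopmgr.log", "root CA thumbprint missing or wrong in the AMT BIOS extensions"),
    (r"None certificate is valid between device and server certificate hash",
     "Oobmgmt.log", "root CA thumbprint mismatch during in-band provisioning"),
    (r"ICertRequest2->Submit failed", "Amtproxymgr.log",
     "site server is not in CERTSRV_DCOM_ACCESS / Certificate Service DCOM Access in the CA's domain"),
    (r"CCAUtils::Revoke\w*Certificate revoke certificate (?P<certificate_id>\S+) failed",
     "Amtproxymgr.log", "site server lacks 'Issue and Manage Certificates' on the issuing CA"),
    (r"Missed device certificate", "Amtopmgr.log",
     "site server lacks Read and Enroll on the AMT Web server certificate template"),
    (r"A security error occurred", "Amtopmgr.log",
     "CRL check failed: CRL unreachable or AMT certificate invalid; the check cannot be disabled"),
    (r"returned by InitializeSecurityContext during follow up TLS handshaking", "Amtproxymgr.log",
     "root CA key length greater than 2048 bits is not supported by AMT"),
    (r"Can not finish WSMAN call with target device", "Amtopmgr.log",
     "wireless IP address tried or FQDN longer than 44 bytes; retry on a wired connection"),
    (r"Device internal error", "Amtopmgr.log",
     "hotfix 942841 files, DHCP options 006/015, DNS alias, or AMT not in PKI mode (check all)"),
]

@dataclass
class Finding:
    message: str
    log_file: str
    cause: str
    component: Optional[str]
    thread: Optional[int]
    details: dict = field(default_factory=dict)  # uuid, certificate_id, hresult

def describe_hresult(value: int) -> str:
    """Split an HRESULT into facility and code; the two Win32 codes the topic shows are named."""
    facility = (value >> 16) & 0x1FFF
    code = value & 0xFFFF
    if facility == 7:   # FACILITY_WIN32: the low 16 bits are a plain Win32 error code
        return f"Win32 error {code} ({WIN32_NAMES.get(code, 'unnamed')})"
    if facility == 9:   # FACILITY_SSPI: raised by the Schannel/SSPI layer during the TLS handshake
        return f"SSPI/Schannel error 0x{code:04X}"
    return f"facility {facility} code 0x{code:04X}"

def triage_line(line: str) -> Optional[Finding]:
    """Return the documented finding for one log line, or None for lines this topic does not cover."""
    m = TRAILER.match(line.strip())
    msg = m.group("msg")
    for pattern, log_file, cause in RULES:
        hit = re.search(pattern, msg)
        if hit:
            details = {k: v for k, v in hit.groupdict().items() if v}
            hres = HRESULT.search(msg)
            if hres:
                details["hresult"] = describe_hresult(int(hres.group(0), 16))
            return Finding(msg, log_file, cause, m.group("component"),
                           int(m.group("thread")) if m.group("thread") else None, details)
    return None

def triage(lines) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]

# Constructed sample lines in the layout the topic quotes; the UUID and timestamps are invented.
SAMPLE_LOG = [
    "Error: Hash list of AMT device 4C4C4544-0000-2010-8000-C0C04F000001 doesn't contain our provision server certificate hash",
    "ERROR: ICertRequest2->Submit failed: 0x80070005 SMS_AMT_PROXY_COMPONENT 1/15/2010 10:43:01 AM 2632 (0x0A48)",
    "Description: A security error occurred and Error code: 0x80072F8F",
    "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.",
    "Send request to AMT proxy component to add the alias ProvisionServer.corp.fabrikam.com in the DNS.",
]
```

Run `triage(SAMPLE_LOG)` against a real log export to get one finding per recognised line; informational lines such as the last sample return no finding.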