Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 7 : Deploying Intel AMT

Posted: January 30, 2014 in Configuration Manager, System Center Configuration Manager 2012

We are now ready to deploy our first system for Out of Band Management using the Intel SCS integration, which gives us support for newer versions of Intel AMT.

In my lab I have 2 HP laptops for demoing this (EliteBook 2560p and EliteBook 8440p), and before we start we need to make sure that our clients have all the prerequisites installed:

  • BIOS – it’s always recommended to run the latest version of the BIOS available
  • AMT Firmware – check your vendor’s site for the latest AMT firmware for your model; it is also recommended to always run the latest version available
  • Intel Management Engine Components – all major vendors have this available on their pages for the system you’re running (you’ll need the full installation, not only the driver)

In my lab I’ve installed these prerequisites manually, but in a production environment you’ll package these and make sure the systems you want to include in OOB have these installed automatically. At my customer we upgrade/install these prerequisites during the OSD process fully automated.

So with all the prerequisites installed, we are now ready to provision both our clients for Out of Band Management:

  1. Enable the Intel SCS Platform Discovery Task Sequence and verify that it completes on your computers. (Remember that if you enable the Task Sequence with the default deployment, it will target all your systems, as mentioned in Part 6 of this series.)
  2. If you now refresh your AMT Collections, you will see that the member count of the different collections has increased based on what was discovered by the previous task sequence. (If there is no change, initiate a Hardware Inventory on your clients and refresh the collections again.)
  3. Now enable the Intel AMT Discovery Task Sequence and verify that it completes on all the computers.
  4. If you now refresh your AMT Collections, you will see that the Intel AMT Systems: Not Configured collection now includes the machines where the Intel AMT Discovery Task Sequence was run. (If it’s empty, initiate a Hardware Inventory on your clients and refresh the collections again.)
  5. Finally, enable the Intel AMT Configuration Task Sequence and verify that it completes on all the computers.

Once this is done we need Configuration Manager to discover the provisioned systems so we can use the built-in Out of Band Management Console.

  1. Expand the Intel AMT Systems: Configured collection so you can see all the members. Right-click one of the computers, select Manage Out of Band and select Discover AMT Status. (You can monitor this process in the amtopmgr.log file on your server.)
  2. Right-click one of the column headers and select AMT Status and AMT Version.
  3. Two columns are then added: AMT Status, which shows Externally Provisioned, and AMT Version, which shows the version of AMT on the computer system. (If these are blank right after you’ve finished step 2, refresh the computer in the console.)
  4. You have now successfully provisioned and discovered a computer for Out of Band Management. If you right-click the computer and select Manage Out of Band, you will now see that you have the option to start the Out of Band Management Console and do Power Control.

Now that we have successfully provisioned and discovered a computer for Out of Band Management, we can use the Out of Band Management Console. In the next part of this series we will go through all the options we have and see how they work. This includes Web Interface, KVM, Serial Over LAN (SOL), IDE Redirection (IDER), Power Commands and Integration with Wake-On-LAN. I’ll also show you the functionality of some other 3rd party tools you can use to control computers that are provisioned with AMT.

Previous Postings in this series:

Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 1 : Introduction
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 2 : Active Directory
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 3 : Certification Authority
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 4 : Configuration Profiles for Intel AMT
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 5 : Configuring SCCM 2012 R2
Integrating Configuration Manager 2012 R2 with Intel SCS 9.0 – Part 6 : Installing Intel SCS Add-on

Comments
  1. aerobaticrug says:

    Love this series, I’ve been battling with SCS integration for a few months, but got stuck with the CA part – we tried an external CA and couldn’t make it work, so thanks for this.

    One question, I keep getting machines unconfiguring and then reconfiguring in a loop – have you experienced this at all?

    Steve

  3. Evan Erwee says:

    Thank you for great work

  4. Evan Erwee says:

    We have now spent close to 60 hours trying to get technology to work. Sadly, no luck. We have acquired brand new machines, Core i5 Gen 3, AMT 9. I have followed the blog in an LAB environment, step by step twice. Intel AMT Configuration Failed. PKI is working 100%, SCCM 2012 R2 working 100%.

    Some of the errors: Configure Profile Failed: TLS cannot be configured because cryptography is disabled on this system. (0xc00027b3).

    I have 18 years experience with SMS/SCCM.

    Any ideas where we can start looking will be helpful.

    • Hi Evan,

      have you checked that the Cryptographic Services is running on the computers you’re trying to configure?

      If it’s running and it’s still not working, the problem could be that the Hardware Crypto is disabled on the system. Some countries’ import restrictions limit this feature. This firmware feature is set by the OEM during the manufacturing process and may not be changeable. Please discuss with your OEM.

      The statement from Intel is; “You cannot use a configuration profile containing TLS settings to configure Intel AMT systems that have Cryptography disabled.”

      Have you tried to provision one computer without TLS in the configuration profile, to see if it successfully completes then?

      What make/model are the computers you are testing on?

  5. Evan Erwee says:

    The problem indeed appears to be Cryptography disabled. This is on USA based machines, Acer, etc. I have asked the client for an HP. It appears that even USA machines won’t work in the USA. This standard was not followed by all hardware vendors. I’m learning.

  6. Evan Erwee says:

    Lesson learned here: Just because a machine was bought in the USA, has vPro on the motherboard, has the correct CPU, does not mean it will work. Intel didn’t really think through this technology it seems.

  7. Evan Erwee says:

    Lastly “Have you tried to provision one computer without TLS in the configuration profile, to see if it successfully completes then?”

    No it doesn’t. Fail on: C:\_SMSTaskSequence\Packages\Z000001D>.\RedirectionConfig.exe -setsolinterfacestate true -host WKSTA003-PC.PRIV.RWHOME.INFO -krb -tls

    Error Occurred in Wsman Connection!

    • Try and copy the IntelSCS\ACU_Wizard\ folder over to the client from the Intel SCS source folder and run the ACUWizard.exe (must run elevated) and select Configure via Windows and configure your profile without the use of TLS to verify if you can provision it this way.

      I also see others that are struggling to provision Acer machines with TLS because the Cryptography is disabled, not finding any issues with other make/models. I’ve tested HP, Lenovo and Dell and have not run into anything.

  8. Nick says:

    Hi,
    When I follow the steps to step 3, enable the Intel AMT Discovery Task Sequence and then check the Software Center on the client, the Intel AMT Discovery install fails (Error code:0x4005).
    Do you know what the problem is?
    Thanks.

    • Hi Nick,

      is the Run-as account you specified in the Task Sequence in Part 6 a member of the local Administrators group on the client where you try to run this Task Sequence? Quote: “Also note that this account must be member of the local administrator group on each client where you want to run this package”

      Regards,
      Odd-Magne

  9. Nick says:

    Hi Odd-Magne,

    Thanks for your reply.
    The account on all clients is domain\Administrator. Is it OK for your comment?
    And I tried to run all the bat files (SCS Platform Discovery, AMT Discovery and AMT Configuration) manually on the client; all executed successfully and provisioned, but the AMT status shows “Detected” on SCCM and the Out of Band options are all grayed out except Discover AMT Status.
    So I cannot use the AMT functions through SCCM.

  10. Roger Bommelin says:

    Hi Odd-Magne,

    Thanks for this excellent instruction. I have been battling with this for a while. I think everything is working as it should on the server side. But I have one problem with the client I’m trying to provision.

    In the AMT Status column it says ‘Not Supported’ and I can’t figure out what’s wrong. The client is a Dell Latitude E5440 with the latest BIOS (A05). The Intel ME components have the following versions:
    MEBx Version 9.0.0.0025
    FW Version 9.5.14.1724
    LMS Version 9.5.10.1628
    MEI Driver Version 9.5.15.1730
    SOL Driver Version 9.5.10.1586

    Have you ever encountered this problem before?

    BR/Roger

  11. Jeremy says:

    I get error code:0x4005 for the Intel AMT Configuration task sequence. The Run-as account is a member of local admins and I have followed the rest of the guide with success. Both the Discovery task sequences are able to run successfully. Can you please give me some guidance on how I can troubleshoot the issue? cheers

    • Manuel says:

      Hello,
      I have exactly the same Problem – did you find a solution?

      BR

    • Per says:

      I had the same issue; in my case it was solved by pushing out an update of the root certificate. Then I could deploy the task sequence (KB931125).

      • Moez says:

        Hi, can you please explain more about how I can push out an update of the root certificate? Because I have the same error in the configuration step. Thanks

  12. Andrew says:

    My problem is simple. Running the AMT Discovery TS fails. From the client, I mapped a network drive to the location where discover.bat was located, then ran it. Turned out I was getting an Access is Denied error. I opened an elevated command prompt, remapped the network drive, and ran discover.bat again, and it worked this time.

    This is despite running the TS as a user which is a member of the local Administrators group on the client.

    How the heck do you make the TS run the batch file in an elevated command prompt?

  13. louwie says:

    Hi, great guide. Working fine in our test environment for AMT version 7 & 9. But no luck with version 5 and 6 on older hardware.

    exit with code 68. Details: invalid parameter was found. (RCSAAddress) is found in the Windows event viewer.

    And in the SCCM console the AMT Status is Not Supported (version 6) and Detected (version 5).
    Versions 7 and 9 have the status Provisioned and the Out of Band Management Console is working.

  14. Zachary says:

    Hi I followed your steps but am stuck on getting the Intel AMT Discovery Task Sequence to run. It fails with this in the logs.

    Error getting system isolation info. Code 8027000C TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Remediation failed. Code 8027000C TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Remediation failed with error code 8027000C TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Parsing task sequence . . . TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Task sequence schema version is 3.10 TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Current supported schema version is 3.10 and 3.00 TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Starting Task Sequence Engine . . . TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    **************************************************************************** TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSNextInstructionPointer=0 TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSInstructionTableSize=1 TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable SMSTSRebootRequested= TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable SMSTSRebootDelay= TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable SMSTSRebootMessage= TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable SMSTSRebootReason= TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set a global environment variable SMSTSRetryRequested= TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    The task execution engine started execution TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Set authenticator in transport TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Default CSP is Microsoft Enhanced RSA and AES Cryptographic Provider TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Default CSP Type is 24 TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
    Start executing an instruction. Instruction name: Intel AMT: Configuration. Instruction pointer: 0 TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSCurrentActionName=Intel AMT: Configuration TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSNextInstructionPointer=0 TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a local default variable SMSTSDisableWow64Redirection TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a local default variable _SMSTSRunCommandLineAsUser TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a local default variable SMSTSRunCommandLineUserName TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a local default variable SMSTSRunCommandLineUserPassword TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSLogPath=C:\WINDOWS\CCM\Logs\SMSTSLog TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Expand a string: smsswd.exe /run:SLU00030 Configure.bat “.\SLUAMT001.xml” “SCCM2012” %_SMSTSMachineName% “%_SMSTSMP%” %_SMSTSSiteCode% TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Expand a string: TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Start executing the command line: smsswd.exe /run:SLU00030 Configure.bat “.\SLUAMT001.xml” “SCCM2012” %_SMSTSMachineName% “%_SMSTSMP%” %_SMSTSSiteCode% TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    !——————————————————————————————–! TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Expand a string: WinPEandFullOS TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    Executing command line: smsswd.exe /run:SLU00030 Configure.bat “.\SLUAMT001.xml” “SCCM2012” %_SMSTSMachineName% “%_SMSTSMP%” %_SMSTSSiteCode% TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
    [ smsswd.exe ] InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    PackageID = ‘SLU00030’ InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    BaseVar = ”, ContinueOnError=” InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    ProgramName = ‘Configure.bat “.\SLUAMT001.xml” “SCCM2012” MININT-FKG5BE9 “sccmtest-mp-01.adtest.stlawu.local” SLU’ InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    SwdAction = ‘0001’ InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    Getting linked token InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    failed to get the linked token information. It may not be available. Error 1312 InstallSoftware 1/26/2015 1:03:22 PM 2644 (0x0A54)
    ResolveSource flags: 0x00000000 InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    SMSTSPersistContent: . The content for package SLU00030 will be persisted InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    Locations: Multicast = 0, HTTP = 0, SMB = 1. InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    Multicast is not enabled for the package. InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    Trying C:\WINDOWS\ccmcache\2. InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    Local path: C:\WINDOWS\ccmcache\2 InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    Copying from C:\WINDOWS\ccmcache\2 to C:\_SMSTaskSequence\Packages\SLU00030. InstallSoftware 1/26/2015 1:03:25 PM 2644 (0x0A54)
    VerifyContentHash: Hash algorithm is 32780 InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
    Hash could not be matched for the downloded content. Original ContentHash = BF2AA15C4A0D2762A41BE912D86F4E02A73F839A57A56757E7ED2DF3C34D791F, Downloaded ContentHash = FD852B98EF7FDF6A7EA06F3F59AF4C6C0B3DAE6D83745C0A288BA50CC7BDF5FF InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
    DownloadContentAndVerifyHash() failed. 80091007. InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
    Failed to resolve the source for SMS PKGID=SLU00030, hr=0x80091007 InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
    Install Software failed to run command line, hr=0x80091007 InstallSoftware 1/26/2015 1:03:28 PM 2644 (0x0A54)
    Process completed with exit code 2148077575 TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    !——————————————————————————————–! TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Failed to run the action: Intel AMT: Configuration.
    The hash value is not correct. (Error: 80091007; Source: Windows) TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Set authenticator in transport TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSLastActionRetCode=-2146889721 TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Set a global environment variable _SMSTSLastActionSucceeded=false TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Clear local default environment TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Failed to run the action: Intel AMT: Configuration. Execution has been aborted TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Set authenticator in transport TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Failed to run the last action: Intel AMT: Configuration. Execution of task sequence failed.
    The hash value is not correct. (Error: 80091007; Source: Windows) TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Set authenticator in transport TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
    Task Sequence Engine failed! Code: enExecutionFail TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    **************************************************************************** TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Task sequence execution failed with error code 80004005 TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Cleaning Up. TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Removing Authenticator TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Cleaning up task sequence folder TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    File “C:\_SMSTaskSequence\TSEnv.dat” does not exist. (Code 0x80070002) TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Deleting volume ID file C:\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca … TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
    Successfully unregistered Task Sequencing Environment COM Interface. TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
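
The log in the comment above carries one failure under several spellings (`80091007`, `hr=0x80091007`, exit code `2148077575`, `_SMSTSLastActionRetCode=-2146889721`) before the engine ends with the generic `80004005`. The following Python sketch is an added example, not part of the original post or the comment and not Microsoft or Intel tooling; it normalises those spellings and reports which action and component produced the underlying code. The function names and the line regex are assumptions based on the flattened log layout shown here.

```python
import re

# Flattened CMTrace layout used in the comment above:
#   <message> <component> <M/D/YYYY h:mm:ss AM|PM> <thread> (0x<thread hex>)
LINE = re.compile(r"^(?P<msg>.*?)\s+(?P<comp>\w+)\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} "
                  r"\d{1,2}:\d{2}:\d{2} [AP]M)\s+\d+\s+\(0x[0-9A-Fa-f]+\)\s*$")
# One result, several spellings: hr=0x..., bare 8-digit hex, unsigned or signed decimal.
CODE = re.compile(r"(?:hr=|[Cc]ode:?\s*|Error:\s*|RetCode=|failed\.\s+)"
                  r"(0x[0-9A-Fa-f]+|[0-9A-Fa-f]{8}\b|-?\d+)")
E_FAIL = 0x80004005  # generic code the engine reports when the sequence aborts

# Selection of lines copied from the log posted in the comment above.
SAMPLE = """\
Remediation failed with error code 8027000C TSManager 1/26/2015 1:03:21 PM 5368 (0x14F8)
Set a global environment variable _SMSTSCurrentActionName=Intel AMT: Configuration TSManager 1/26/2015 1:03:22 PM 5368 (0x14F8)
VerifyContentHash: Hash algorithm is 32780 InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
DownloadContentAndVerifyHash() failed. 80091007. InstallSoftware 1/26/2015 1:03:27 PM 2644 (0x0A54)
Install Software failed to run command line, hr=0x80091007 InstallSoftware 1/26/2015 1:03:28 PM 2644 (0x0A54)
Process completed with exit code 2148077575 TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
Failed to run the action: Intel AMT: Configuration.
The hash value is not correct. (Error: 80091007; Source: Windows) TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
Set a global environment variable _SMSTSLastActionRetCode=-2146889721 TSManager 1/26/2015 1:03:28 PM 5368 (0x14F8)
Task sequence execution failed with error code 80004005 TSManager 1/26/2015 1:03:30 PM 5368 (0x14F8)
"""

def to_hresult(token):
    """Normalise any of the spellings to an unsigned 32-bit HRESULT."""
    # Assumption: a bare 8-character token is hex, as in this log. Failing
    # HRESULTs written in decimal are 10 digits or negative, so no collision.
    if token.lower().startswith("0x") or re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return int(token, 16) & 0xFFFFFFFF
    return int(token) & 0xFFFFFFFF

def parse(text):
    """Split the log into entries, joining messages that wrap onto a second line."""
    entries, pending = [], []
    for raw in (line.strip() for line in text.splitlines()):
        m = LINE.match(raw)
        if not m:
            if raw:
                pending.append(raw)  # no trailing metadata: first half of a wrapped message
            continue
        msg, pending = " ".join(pending + [m["msg"]]), []
        entries.append({"msg": msg, "component": m["comp"], "time": m["ts"],
                        "codes": [to_hresult(t) for t in CODE.findall(msg)]})
    return entries

def triage(text):
    """Return the first failing action, its HRESULT and where that code first appeared."""
    entries = parse(text)
    action = failed_action = code = reported = None
    for e in entries:
        msg = e["msg"]
        if "_SMSTSCurrentActionName=" in msg:
            action = msg.split("=", 1)[1]
        elif "_SMSTSLastActionRetCode=" in msg and code is None:
            if e["codes"] and e["codes"][0] & 0x80000000:  # high bit set = failure
                failed_action, code = action, e["codes"][0]
        elif "Task sequence execution failed" in msg and e["codes"]:
            reported = e["codes"][0]
    origin = next((e for e in entries if code in e["codes"]), None)
    show = lambda c: None if c is None else f"0x{c:08X}"
    return {"action": failed_action, "hresult": show(code), "reported": show(reported),
            "origin_component": origin and origin["component"],
            "origin_message": origin and origin["msg"],
            # True when the final generic code hides a more specific one
            "masked": reported == E_FAIL and code not in (None, E_FAIL)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In this log the underlying result comes from the content hash check on the package in the InstallSoftware component, which fails before Configure.bat is run.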

  15. Jegadesh says:

    I have installed SCS Add-On for SCCM. Enabled Task sequence for discovery and configuration. I have 2 machines configured and showing up in “Intel AMT: Configured” collection. Right clicked on machine –> Manage Out of Band –> Discover AMT Status, I get below error.

    Any troubleshooting direction?

    AMT Discovery Worker: Error, CSMSAMTDiscoveryWorker::ParseInstructionFile failed – open file

  16. Michael says:

    At the Discover AMT Status I see a connection problem in amtopmgr.log:
    CAMTDiscoveryWSMan::DoConnectToAMTDevice: Failed to establish tcp session to 10.10.10.100:16993.
    I checked Windows Firewall and the ports are open.
    Intel AMT is also successfully configured.
    Can you help me? Thanks

    • Michael says:

      I solved this problem by myself: I used static IP addresses on the client and this IP address was not configured in the MEBx.
      Now the Discovery succeeds with AMT Status 4 but I don’t get any information about the AMT Status and Version…

      • Michael says:

        I have AMT Version 6.2.50… I don’t know if this version is supported with the SCS Integration because SCCM 2012 R2 should support this out of the box. Where are the differences in the configuration actions, where can I search further…? Thanks.

  17. Michael says:

    I found the solution to my Problem here on TechNet:

    Problem with Out of Band Discovery resulting with Out of Band features not available in SCCM console for computers with …

    Add the Computer Account which has the Out of Band Management Role to the Local Group SMS_SiteSystemToSiteServerConnection_MP_XXX on the SCCM 2012 R2 Primary Site Server and restart the SMS_Executive on the Out of Band Management Server.

  18. IDRRA says:

    Hi!

    Awesome information, really got me going with AMT. I am stuck with my AMT system Configured and in Client mode. SCCM shows device status as Detected. At first it was showing Not Supported. Do I need a GoDaddy certificate or something like to get this working? It looks like kerberos is not working but I am completely out of ideas. I have also tried the RCS method and still same results. Can’t even login to the Web UI with AD credentials. Any suggestions?

  19. Divya says:

    I have AMT machines in my lab environment which have static IP address. Please let me know what all configuration do I need to do in following. Current AMT Status is “Detected” though ideally it should be “Externally Provisioned”.
    AMT Profile
    BIOS
    MEBX

  20. Divya says:

    What configuration needs to be done in BIOS, ME and MEBX on client side?

  21. James says:

    Hi! You have a great blog!

    But I’m having difficulties – all of three task sequences have completed successfully but in the SCCM console my test computer’s AMT status is showing “Not Supported.”
    AMT version is 7.1.

    How should I start to troubleshoot this?

    Thanks!
