
When attempting to provision an AMT-enabled device, provisioning may fail and the AMT Status of the device in the SCCM console may remain Detected instead of Provisioned or Not Provisioned. Additionally, the AMTOPMGR.log may contain this message:

Incoming Connection from 10.1.210.28:16994.
Incoming data is - Configuration version: PKI Configuration.
Count : 20
UUID : 4C4C4544-0053-4D10-8058-C4C04F474A31
Error: Hash list of AMT device 4C4C4544-0053-4D10-8058-C4C04F474A31 doesn't contain our provision server certificate hash.

On the client itself, in the Oobmgmt.log, you may see the following errors when provisioning is attempted:

ON SCHEDULE OOBMgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)
BEGIN oobmgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)
Retrying to activate the device. oobmgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)
Raising event:
[SMS_CodePage(437), SMS_LocaleID(1033)]
instance of SMS_OOBMgmt_StartConfig_Failure
{
ClientID = "GUID:2B148D27-91F1-4B90-A17B-2FA92836A864";
DateTime = "20090415172530.635000+000";
ErrorCode = "1";
FailureCategory = "None certificate is valid between device and server certificate hash.";
MachineName = "5ZTW3J1D";
ProcessID = 1672;
SiteCode = "EGN";
ThreadID = 2584;
};
oobmgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)
Failed to Call CheckCertificate provider method, 80041001 oobmgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)
END oobmgmt 4/15/2009 12:25:30 PM 2584 (0x0A18)

Note that the "ON SCHEDULE OOBMgmt" task refers to the default provisioning attempt that SCCM makes. This default attempt runs every 24 hours; it is defined in the Site Control file and is not configurable in the SCCM Console.

To provision immediately, run sendsched.vbs manually on the client with the following schedule ID:

cscript sendsched.vbs {00000000-0000-0000-0000-000000000120}

Note: The CA ROOT HASH is not visible anywhere on the client, neither in Windows nor in the SCCM/AMT logs on the client. It is stored in the internal AMT configuration of the machine, which is exposed through the MEBEX interface; that interface is reached at system boot by pressing CTRL+P.

So what causes this? This issue can occur if the wrong ROOT CERTIFICATE HASH is stored on the client, if the client is missing the correct ROOT Cert Hash, if the SCCM Site Server has the incorrect provisioning certificate loaded in the console, or if the provisioning certificate listed in the console chains to a ROOT Cert Hash that IS NOT stored in the AMT client's MEBEX console.

To resolve this follow these steps:

1. On the site server, find the Root CA Cert Hash of the Provisioning Certificate by looking in the AMTOPMGR.log after the AMT threads have restarted:

Get certificate data from database.
Found new provision server certificate with hash D99058AB414EE081095B5CFAFB10EACD60D18B92.
Get ROOT HASH of provision server 4A09309FCDD183B1E132C1EB428CEBCAB3F2C02A. <--------This is the CA ROOT HASH that MUST be stored in the clients MEBEX console
Push back new found provision certificate to memory for future use.

2. Ensure that the correct provisioning certificate has been added to SCCM. First identify the correct certificate, open it, go to the Details tab and scroll to the bottom: the Thumbprint field is the value that should appear in the AMTOPMGR.LOG entry "Found new provision server certificate with hash...". This is the certificate that must be selected in the SCCM Console under Component Configuration\Out Of Band Management.

3. Ensure that the correct provisioning certificate chains to the correct Root CA Cert. Open the provisioning certificate and go to the Certification Path tab. The top-most cert in the chain is the Root CA Cert; double-click it, go to Details and scroll down to Thumbprint. This value must match the AMTOPMGR.LOG entry "Get ROOT HASH of provision server...". For clarification, the "correct provisioning cert" is one of two things:

A. A provisioning certificate and corresponding root CA cert that you created using the steps from TechNet, AND that chains to the root CA cert hash that was manually entered into the MEBEX BIOS on the AMT-enabled devices.

or

B. A provisioning certificate and corresponding root CA cert that you purchased from a vendor whose Root CA Cert Hash is PRELOADED onto the AMT-enabled devices' MEBEX BIOS by default.
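The three checks above can be run in one pass from a PowerShell prompt on the site server instead of clicking through the certificate dialogs. The script below is an added example and is not part of the original post or of SCCM itself. It assumes the default log location given in $LogPath, that the provisioning certificate sits in the local machine Personal store, and that you type in the hash(es) you read from the MEBEX console as -MebxRootHashes. It pulls the two hashes out of AMTOPMGR.log (step 1), confirms a certificate with that thumbprint is installed (step 2), builds its chain and compares the root CA thumbprint with the logged root hash (step 3), and finally checks whether that root hash is among the ones stored in MEBEX.

```powershell
# Added example, not from the original post. Cross-checks the provisioning
# certificate chain on the site server against the hashes AMTOPMGR.log reports.
# Assumptions: default ConfigMgr log folder below; certificate is in
# Cert:\LocalMachine\My; MEBEX hashes are copied by hand from the device.
param(
    [string]$LogPath = 'C:\Program Files\Microsoft Configuration Manager\Logs\AMTOPMGR.log',
    [string[]]$MebxRootHashes = @()
)

# Step 1: the two log lines quoted in the post. Both carry a 40-hex-digit SHA-1
# thumbprint; \s+ tolerates the hash wrapping onto the next line.
$log = Get-Content -Path $LogPath -Raw
$provMatch = [regex]::Match($log, 'Found new provision server certificate with hash\s+([0-9A-Fa-f]{40})')
$rootMatch = [regex]::Match($log, 'Get ROOT HASH of provision server\s+([0-9A-Fa-f]{40})')
if (-not $provMatch.Success -or -not $rootMatch.Success) {
    throw "AMTOPMGR.log does not contain the provisioning certificate hashes; restart the AMT threads and retry."
}
$logProvHash = $provMatch.Groups[1].Value.ToUpper()
$logRootHash = $rootMatch.Groups[1].Value.ToUpper()

# Step 2: a certificate with the logged thumbprint must be installed on the site server.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $logProvHash } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint $logProvHash in Cert:\LocalMachine\My; the console points at the wrong provisioning certificate."
}

# Step 3: build the chain; the last element is the top-most (root CA) certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootHash = $root.Thumbprint.ToUpper()

"Provisioning cert : $logProvHash  ($($cert.Subject))"
"Root CA from chain: $rootHash  ($($root.Subject))"
"Root CA from log  : $logRootHash"

if ($rootHash -ne $logRootHash) {
    Write-Warning "The installed certificate does not chain to the root hash the site server logged; re-check the certificate selected under Component Configuration\Out Of Band Management."
}

# Compare against the hash list copied out of the MEBEX console on the AMT device.
# MEBEX may display hashes with spaces or dashes, so strip everything but hex digits.
if ($MebxRootHashes.Count -gt 0) {
    $normalized = $MebxRootHashes | ForEach-Object { ($_ -replace '[^0-9A-Fa-f]', '').ToUpper() }
    if ($normalized -contains $rootHash) {
        "MEBEX hash list contains the root hash $rootHash; the hash check should pass."
    } else {
        Write-Warning "MEBEX hash list does not contain $rootHash; this is the 'Hash list of AMT device ... doesn't contain our provision server certificate hash' condition."
    }
}
```

Run it as `.\Check-AmtProvisioningCert.ps1 -MebxRootHashes '4A09309FCDD183B1E132C1EB428CEBCAB3F2C02A'` (the script name is whatever you save it as). Revocation checking is disabled because the only question here is which root the chain terminates in, not whether the certificate is currently valid.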

Buz Brodin | Senior Support Escalation Engineer