You are browsing the archive for 2011 August.

Installing Intel HD Graphics Driver for WinXP with SCCM 2007 SP2 fails with error code 14

11:26 am in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Intel, Operating System Deployment, OSD, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2 by Kenny Buntinx [MVP]

If you need to install the latest release of the Intel HD Graphics Driver via a SD package or OSD task sequence with SCCM 2007 SP2.

I downloaded the driver from the Intel website and built a package for a silent install (just adding -s to setup.exe) .

If I run it manually, it works fine. If I have it run by a SCCM SD program or OSD task Sequence , it runs fine, but the SCCM program log reports error 14.

The IntelGFX log shows no error, the drivers installs fine… why does SCCM say it didn’t ? SCCM reports that error code (14) is related to the product.

 

Workaround :

Make a .cmd that installs it, and add echo finish at the end so that the .cmd file is sending return code 0(Zero) to SCCM.

 

Hope it Helps ,

Kenny Buntnx

Download the Latest Evaluation software to build your Private Cloud with System Center

7:10 pm in Cloud, Private Cloud, System Center by Kenny Buntinx [MVP]

Did you ever wanted to build and test out a  “Private Cloud” ? The core is the System Center suite.

In order to build and test out a “Private Cloud” with  the System Center and Hyper-V stack , you can find the following evaluation versions of the software below :

 

Datacenter or Enterprise editions to look at Hyper-V

Free Server just Hyper-V No Windows Server (Free)

VMware , Hyper-V or Xen can both be managed by this current product

The 2012 version of SCVMM . A better way to manage any virtualization and can work with different fabric.

Known as SCOM helps you monitor what’s going on real time with your operations

Known as SCCM, The product that helps you roll out clients or servers and properly configure them and baseline them.

The next version of SCCM which is really a brand new product.

 

Hope it Helps ,

 

Kenny Buntinx

·

SCCM Out of Band Management Troubleshooting (Part2)

2:11 pm in Uncategorized by Kenny Buntinx [MVP]

In my previous blog posts “SCCM out of band management troubleshooting Part 1” I explained already that the Kerberos Tokensize with Intel vPro KVM stuff for System Center Configuration Manager is very important. You can read the article here at “http://scug.be/blogs/sccm/archive/2011/08/10/sccm-out-of-band-management-troubleshooting-part1.aspx

In this blog post I will talk about the following issue , which is not an easy part to explain , called certificates.

 

Topic 2. Telnet Client

You will get this  error  in Configmgr when ussing the oob console and  try to connect to clients via SOL interface : “There is no active serial-over-lan connection, make sure installing telnet client"

You will find the OOBConsole.log under C:\Program Files\Microsoft Configuration Manger\AdminUI\AdminUILog directory and in order to get more information, I would recommend you change the "Error" to "Verbose" mode into C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config file (i.e. you can use the notepad to do it).

When opening up the log :

[18/07/2011 2:51:39 PM] :Error occured when Launch terminal, make sure installing telnet client
[18/07/2011 2:51:39 PM] :Closing SOL terminal…
[18/07/2011 2:51:39 PM] :SOL terminal closed

Based on the problem description, looks that your system do not have the telnet client installed. For Windows 2008/7 you must do it manually in "Turn Windows Features On/Off" and install the Telnet client feature.

 

Topic 3. Internal PKI Certificates troubles

You still aren’t able to connect to the BIOS with a SOL / IDE connection , but you can open the OOBconsole and make a initial connection. Check the OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog .

You will see success to at least connect to the AMT/vPro device :

[9/08/2011 9:39:43] :GetAMTPowerState success with 2.
[9/08/2011 9:39:53] :GetAMTPowerState success with 2.
[9/08/2011 9:39:58] :Open SOL connection…
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :status message Type:Audit, ID:0x00000000C000766A, User:VVM\sccmamt, Machine: xxxx, Target: xxxxx add to queue, waiting for report.
[9/08/2011 9:40:01] :Closing SOL terminal…
[9/08/2011 9:40:01] :SOL terminal closed
[9/08/2011 9:40:02] :GetAMTPowerState success with 2.
[9/08/2011 9:40:12] :GetAMTPowerState success with 2.
[9/08/2011 9:40:21] :GetAMTPowerState success with 2.
[9/08/2011 9:40:31] :GetAMTPowerState success with 2.
[9/08/2011 9:40:40] :GetAMTPowerState success with 2.
[9/08/2011 9:40:50] :GetAMTPowerState success with 2.
[9/08/2011 9:40:59] :GetAMTPowerState success with 2.
[9/08/2011 9:41:08] :GetAMTPowerState success with 2.

You will see that you will connect to the AMT/Vpro chipset , but you still aren’t able to connect to the BIOS with a SOL / IDE connection with the following message “IMR_SOLOpenTCPSession fail with result:0x00000020”.

Potential Root cause(s):

  • Issue 1 : Your AMT Web Certificates are being issued from a Subordinate Certificate Authority and the Full certificate chain is not being pass correctly during a SOL/IDER session within SCCM. Place a copy of the Subordinate Certificate Authority certificate in the Local Computer – "Trusted Root Certificate Authorities" of the server or workstation that the Out Of Band Management Console is run from.
  • Issue 2: There is an issue with having multiple Root Certificates in the "Trusted Root Certificate Authorities" and the OOB is getting confused . I will explain this a little more into detail later .

If you look at the KVM plugin , you will see clearly the error if your certificate chain is not correct ! :

image

 

To solve issue 1:

1. On to the client where the OOB console has run , please open a internet explorer and go to your root or subordinate certificate authority .

image

2. Select “Download a CA certificate Chain or CRL”

image

3. Select “Install this CA Certificate Chain”

image

4. Select “Yes” to continue

image

5. Select “Yes” to continue

clip_image002

6. You will see that it was successful.

clip_image002[6]

7. Go to internet explorer > Internet options and go to certifications. See under “Trusted root certification authorities” if your root and subordinate certificate is installed .

 

To solve issue 2:

There is an issue when having multiple Root Certificates (I don’t know how this happened yet)  in the "Trusted Root Certificate Authorities" ,  then the  OOB console or KVM plugin is getting confused for some reason .

In the screenshot below you will clearly see 3 “ROOTCERT” certificates . If this is the case , please delete them ALL and follow the above solution from Issue 1 .

image

 

Solution :

After solving either issue 1 or 2 , you will see that it can connect flawless . See screenshot below .

clip_image002[9]

See more in the upcoming SCCM Out of Band Management Troubleshooting (Part3) , that is under construction.

Hope it Helps ,

 

Kenny Buntinx

SCCM Out of Band Management Troubleshooting (Part1)

1:47 pm in AMT, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, System Center Service Manager, Tokensize, Vpro by Kenny Buntinx [MVP]

It’s no secret for most people that KVM Remote Control is one of my favorite vPro features within System Center Configuration Manager  (System Center Configuration Manager 2007 R3 / System Center Configuration Manager 2012 Beta 2) or System Center Service Manager (System Center Service Manager 2010).

Why go to an end user to fix his PC when you can use KVM Remote Control to do it from your own desk? With a feature this awesome, it’s challenging to make improvements. With the next generation Intel Core vPro Processors, KVM Remote Control now supports resolutions up to 1920×1200 at 16 bits per pixel color depth.

In my previous blog posts I explained already where to download the Intel vPro KVM stuff for System Center Configuration Manager . You can read the article here at “SCCM 2007 : Intel AMT–VPRO KVM add-on for SCCM 2007

If you want to go and download the tools directly from the Intel site , please go to the following links  :

However to use any of the above plugins , your systems should be made ready to use Vpro. There are a lot of requirements to make it happen , that I am not going to explain here in detail . Here are all my System Center Configuration Manager 2007: Out Of Band Management blog posts. I am just going to list them up  :

After you have performed the installation by the book , it will probably not work directly out of the box and this could have multiple reasons. I will explain below  the necessary steps to debug your potential issues in different blog posts:

1. Kerberos Ticket Size issue !

If you have problem that the Out Of Band Management console won´t connect to client computer, then it might be that Kerberos Ticket size is too big. It means that your user account belongs to too many groups.

You can find more information here:

 

If you have problems to connecting client computer with OOB console then check OOBConsole.log  at <ConfigMgrInstallationPath>\AdminUI\AdminUILog .

I found this error message when I tried to connect with OOB console with user account which has too big Kerberos Ticket size after I modified the OOBConsole.exe.config file and set error logging value in the file to verbose.

[22.07.2011 13:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 13:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80338126
[22.07.2011 14:00:26] :GetAMTPowerState fail with result:0x800703E3

or

[22.07.2011 14:54:32] :System.Management.ManagementException\r\nInvalid parameter \r\n at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
[22.07.2011 14:56:25] :RefreshAmtThirdPartyStorage fail with result:0x80070005
[22.07.2011 15:00:26] :GetAMTPowerState fail with result:0x80070005

To see the value of the tokensize  , you need the following background information . Each AMT version has a different maximum tokensize as shown below in the table :

 

 

Below I have 2 accounts :

  • My account
  • SCCMAMT – An account especially created to be only in the AMT SCCM group and the rights to execute AMT stuff within SCCM

In the screenshot below , you will clearly see that my accounts tokenize is way to big (9418) :

image

While the SCCMAMT accounts Token Size is (2577) :

image

 

After Logging in with the SCCMAMT account , check OOBConsole.log at <ConfigMgrInstallationPath>\AdminUI\AdminUILog . You will see success to at least connect to the AMT/vPro device :

[9/08/2011 9:39:43] :GetAMTPowerState success with 2.
[9/08/2011 9:39:53] :GetAMTPowerState success with 2.
[9/08/2011 9:39:58] :Open SOL connection…
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession2 with user = VVM\sccmamt fail with result:0x20, description:Failed to Establish TLS Connection
[9/08/2011 9:39:59] :IMR_SOLOpenTCPSession fail with result:0x00000020.
[9/08/2011 9:39:59] :status message Type:Audit, ID:0x00000000C000766A, User:VVM\sccmamt, Machine: xxxx, Target: xxxxx add to queue, waiting for report.
[9/08/2011 9:40:01] :Closing SOL terminal…
[9/08/2011 9:40:01] :SOL terminal closed
[9/08/2011 9:40:02] :GetAMTPowerState success with 2.
[9/08/2011 9:40:12] :GetAMTPowerState success with 2.
[9/08/2011 9:40:21] :GetAMTPowerState success with 2.
[9/08/2011 9:40:31] :GetAMTPowerState success with 2.
[9/08/2011 9:40:40] :GetAMTPowerState success with 2.
[9/08/2011 9:40:50] :GetAMTPowerState success with 2.
[9/08/2011 9:40:59] :GetAMTPowerState success with 2.
[9/08/2011 9:41:08] :GetAMTPowerState success with 2.

You will see that you will connect to the AMT/Vpro chipset , but you still aren’t able to connect to the BIOS with a SOL / IDE connection with the following message “IMR_SOLOpenTCPSession fail with result:0x00000020”.

I will explain the fix for this error in SCCM Out of Band Management Troubleshooting (Part2) , that is under construction.

Hope it Helps ,

Kenny Buntinx

Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2 Part 4

1:05 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Installation, Intel, OOB, out of band management, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 R3, SCCM 2007 SP2, sccm2007, Vpro by Kenny Buntinx [MVP]

This is my last post about the step by step series about Step by Step guide for provisioning Intel VPro clients in SCCM 2007 SP2.

In my previous post I have talked about importing the 3rd Party Remote Configuration Certificate on the OOB Service Point (In this example we will use a certificate from GoDaddy ) to provision Intel vPro technology based systems in SCCM at http://scug.be/blogs/sccm/archive/2010/05/06/step-by-step-guide-for-provisioning-intel-vpro-clients-in-sccm-2007-sp2-part-3.aspx

In my previous posts I talked about what is OOB, OOB requirements and little bit about the necessary certificates. In this post I will talk about internal PKI infrastructure and how to configure OOB management point within SCCM. ConfigMgr 2007 SP2 uses four types of certificates for Out Of Band Management. These four different certificates are:

  • AMT Self Signed certificate – IntelAMT will generate a self-signed certificate during the PKI provisioning process to secure the connection with the ConfigMgr 2007 Server.
  • AMT provisioning certificate – This certificate is used by ConfigMgr 2007 to provision Intel AMT devices. The most simple and automated method for provisioning is the process of purchasing this certificate from a third-party provider (VeriSign, GoDaddy, Comodo, or Starfield). This certificate will need to be installed on each OOB Service Point in the environment.
  • Web server certificate -This certificate is generated by an internal Enterprise Certificate Authority during the provisioning process and installed on each AMT device within the firmware. This will allow for a TLS management session between the ConfigMgr 2007 OOB Management console and the AMT firmware.
  • 802.1x RADIUS Certificate – Optional certificate that allows the Intel AMT client to securely authenticate to an 802.1x network without the operating system being present.

 

In our case , you will need an internal certificate Authority and create two certificates :

AMT provisioning certificate – In this case the Godaddy cert and Request, install and prepare the AMT remote configuration certificate ( Already done in the previous blog post)

Web server certificate – this certificate is requested by the primary site server on behalf of AMT-based computers and then installed in the AMT firmware in the computers

 

To Prepare Web server certificate – see the steps below :

 

1. Open your Certificate Authority issuing PKI Server –> Click Start> All Programs > Administrator Tools > Certification Authority

2. Right Click on Certificate Templates > Manage

3. In the Certificate Templates Console Window, right click on Web Server and select Duplicate Template

4. In the Duplicate Template Window, select the radio button for Windows 2003 Server, Enterprise Edition and Click OK

DDT.d96awjjfrximbk2m2qsliu5ye

DDT.a3k4l9_t2azme_c6ef0l46s

 

5. In the Properties of New Template Window and enter ConfigMgr AMT Web Server Certificate

6. Check the Box to Publish certificate in Active Directory

7. Proceed to next step to set the security rights on this template.

DDT.1267ggmdv9kybtbns5en0x9kb

DDT.prcs5_hsztigngwakhvneme6f

8. Select the Security Tab and click Add

9. Select the ConfigMgr site server 2007 primary site server computer group and Click OK

10. With the ConfigMgr Primary Site Servers group highlighted, check Read and Enroll , Click OK

11. Close the Certificate Templates Console

DDT.ys6tg1xa66xrq0bybc63m1l2f

DDT.xifb6o_8tyh4zjfsw3k2achah

 

12. In the Certification Authority Window, right-click on Certificate Templates > New > Certificate Template to Issue

13. In the Enable Certificate Templates Window, select ConfigMgr AMT Web Server Certificate (this template was created in the previous step)

14. Click OK

DDT.sfg1r_sf0gnzq2opcslrkw5y

DDT.ardw0uy_44ezggibpo1dmc4lb

 

15. In the Certification Authority Window, you will now see ConfigMgr AMT Web Server Certificate listed in the right hand Window and ready for use by the Out of Band Service Point

Note: This Web Server Template will be used by ConfigMgr 2007 SP2 to generate a unique certificate for each Intel AMT system during the provisioning process,and used for TLS session during management of the Intel AMT client .

 

How to Configure OOB service in SCCM

 

After you have your exported *.pfx certificate we will import this into the SCCM out of band management properties box. Now you have configured all certificates, permissions and have a certificate private key we are going to configure the OOB management point.

1. Open SCCM console -> Site Settings -> Component Configuration -> Out Of Band Service Point

 

 

2. Create extra OU in Active Directory where SCCM creates AMT computer objects. Make sure the Configmgr Primary Site Server has permissions on that container to create those objects!

2. Configure MEBx password that SCCM uses to connect AMT-based computers. By default this password is admin but you can change this later on.

3. You could select “Allow out of band provisioning” and “Register ProvisionServer as an alias in DNS” but it wouldn’t be necessary if you only are going to in-band provision ( Thru the SCCM Client)

4. Configure Provisioning certificate. From here you now have to import that *.PFX file and enter your previous  configured password.

5. Configure your web certificate template. From here you have to select your internal PKI CA and select your ConfigMgr AMT Web Server Certificate.

You can configure all the other tabs at your own flavor .

You will find a good document from Intel with all the steps at www.intel.com/en_US/Assets/PDF/…/cg_MicrosoftConfigMgr_vPro.pdf

Hope it Helps ,

 

Kenny Buntinx

Intel AMT Vpro KVM Configmgr plugin doesn’t work out of the box

12:49 pm in AMT, ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, ConfigMgr2007 R3, Intel, out of band management, sccm, sccm2007, Vpro by Kenny Buntinx [MVP]

In my previous blog post “SCCM 2007 : Intel AMT–VPRO KVM add-on for SCCM 2007” , I have written that Intel had release a KVM (version 6 or higher) plugin for Configmgr 2007 .

I was experiencing issues with the Intel Vpro KVM Configmgr plugin. It seems that the extensions are not installed correctly by Intel. After installing the plugin , I opened up the console and it didn’t show me any Intel Vpro options as shown in the picture below .

image

 

If you launch the KVM tool manually , it works perfectly. However in the console I don’t see any right click action as shown in the above screenshot.

When I looked a little closer , I saw that the default SCCM admin console is installed in the following default path “C:\Program files\Microsoft Configuration Manager Console\” while Intel’s setup seems to create the following path “C:\Program files\Microsoft Configuration Manager\”(missing the console part)  that contains the extensions XML file called “IntelVproExt.XML”.

 

clip_image001

Also if you didn’t stick to the default install paths , you will have the same issues .

 

Solution:

Copy the folder structure from “C:\Program files\Microsoft Configuration Manager\” to “C:\Program files\Microsoft Configuration Manager Console\” . Now you will have the option in the console .

 

Hope it helps

Kenny Buntinx