Troubleshooting OOBConsole connectivity after an Intel vPro enabled device has been successfully provisioned in ConfigMgr 2007


Just in case you somehow happened to miss the announcement, we made Windows 7 Service Pack 1 and Windows Server 2008 R2 SP1 available to MSDN and TechNet Subscribers as well as Volume License customers yesterday.  I've been running it for a few days now here and so far I'm pretty impressed, although admittedly I'm probably a little biased.  In addition to the standard hotfixes and whatnot, we added some cool virtualization specific features like Dynamic Memory and RemoteFX in Windows Server 2008 R2 SP1 so if you work with any kind of virtualization you'll definitely want to check that out.

But to get back to the real topic of this post, our own Buz Brodin  wrote up some great troubleshooting steps you can use if you're experiencing OOBConsole connectivity issues after an Intel vPro enabled device has been provisioned in ConfigMgr 2007.  Buz is one of our top AMT/OOB/vPro experts based out of our Charlotte, North Carolina office so if you ever had the chance to call in you very well may have spoken to him.  Thanks Buz!

====== 

The following lists the steps needed and troubleshooting methods available for OOBConsole Connectivity AFTER an Intel vPro enabled device has been successfully provisioned in SCCM 2007.

For OOBConsole and HTTPS connectivity to work the following is required:

1. The IE registry change from article KB908209 must be set on the machine initiating the connection.  For Windows XP and Windows Server 2003, the related hotfix needs to be installed first, then the registry key implemented. For newer versions of Windows or Windows XP and 2003 versions that have superseded the patch in KB908209, the registry key change STILL needs to be implemented.

For 32-bit computers

1. Click Start, click Run, type regedit, and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New, and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

5. On the Edit menu, point to New, and then click DWORD Value.

6. Type iexplore.exe, and then press ENTER.

7. On the Edit menu, click Modify.

8. Type 1 in the Value data box, and then click OK.

9. Exit Registry Editor.

For 64-bit computers

1. Click Start, click Run, type regedit, and then click OK.

2. In the left pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl

3. On the Edit menu, point to New, and then click Key.

4. Type FEATURE_INCLUDE_PORT_IN_SPN_KB908209, and then press ENTER.

5. On the Edit menu, point to New, and then click DWORD Value.

6. Type iexplore.exe, and then press ENTER.

7. On the Edit menu, click Modify.

8. Type 1 in the Value data box, and then click OK.

9. Exit Registry Editor.

Note: A reboot is not required.

2. Telnet must be installed on the machine initiating the OOBConsole connectivity. Telnet is installed by default in Windows XP and Windows Server 2003; in newer versions of Windows (2008, Win7), however, Telnet must be manually installed.

3. The USER account initiating the OOBConsole connection must be listed with the required rights in the SCCM Admin Console under Component Configuration\Out of Band Management Properties\Amt Settings\Amt user accounts. More information on this can be found here:

https://technet.microsoft.com/en-us/library/cc431399.aspx

Note that after making changes here, the clients' provisioning data will also need to be updated. Right-click the client (or Ctrl/Shift-click to select multiple clients), select Out Of Band Management, and then select Update Provisioning Data in Management Controller Memory. The Amtopmgr.log will log this process and it should be fairly quick.

4. (Possibly Optional): Ensure the Internal Subordinate and Root CA certs are in both the Trusted Root and Intermediate CA stores on the client you are connecting to and on the provisioning/OOBConsole machine.
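
Requirements 1 and 2 above can be checked from PowerShell on the machine that launches OOBConsole. This is an added example, not part of the original post: the function name Test-OobConsolePrereq and its -Fix switch are hypothetical, and it assumes an elevated session whose bitness matches the OS (64-bit PowerShell on 64-bit Windows).

```powershell
# Added example (not from the original post). Test-OobConsolePrereq and -Fix are
# hypothetical names. Run elevated on the machine that launches OOBConsole.
function Test-OobConsolePrereq {
    param([switch]$Fix)   # -Fix writes the KB908209 value when it is missing or not 1

    # Requirement 1: use the FeatureControl path the post gives for this OS.
    $root = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl'
    if (Test-Path 'HKLM:\SOFTWARE\WOW6432Node') {
        $root = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
    }
    $key  = Join-Path $root 'FEATURE_INCLUDE_PORT_IN_SPN_KB908209'
    $name = 'iexplore.exe'

    # Returns the DWORD, or $null when the key or the value does not exist.
    $read = { (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name }

    $value = & $read
    if ($Fix -and $value -ne 1) {
        # Create the key only if absent so any existing values are left alone.
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $value = & $read
    }

    # Requirement 2: the Telnet client must be present on this machine.
    $telnet = Get-Command telnet.exe -ErrorAction SilentlyContinue
    $telnetPath = $null
    if ($telnet) { $telnetPath = $telnet.Path }

    New-Object PSObject -Property @{
        RegistryKey  = $key
        SpnPortValue = $value
        SpnPortOk    = ($value -eq 1)
        TelnetPath   = $telnetPath
        TelnetOk     = ($null -ne $telnet)
    }
}

# Report only; add -Fix to set the registry value as in steps 1-9 above.
Test-OobConsolePrereq | Format-List
```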

Troubleshooting:

The OOBConsole.log file logs information regarding connection attempts to AMT provisioned computers using the Out Of Band Management Console accessible through the collection view.  This log is located in the AdminUI logs folder on the site server and can be used to troubleshoot connectivity errors. You can enable verbose logging using the following procedure:

1. Close the Configuration Manager Console and any open Configuration Manager windows.
2. In Windows Explorer, navigate to the bin folder for Admin UI, usually in c:\Program Files\Microsoft Configuration Manager\AdminUI\bin
3. Locate the file oobconsole.exe.config and open it in Notepad.
4. Locate the tag "<source name="OOBConsole" switchValue="Error">"
5. Change the Value "Error" to "Verbose"
6. Save the changes
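
The same edit can be scripted so that it is repeatable and easy to revert. This is an added example, not part of the original post: Set-OobConsoleLogLevel is a hypothetical name, the default path is the "usual" location given in step 2, and the file is assumed to be a standard .NET config file with no XML namespace on its elements.

```powershell
# Added example (not from the original post). Set-OobConsoleLogLevel is a
# hypothetical name. Close the Configuration Manager console before running.
function Set-OobConsoleLogLevel {
    param(
        [ValidateSet('Error', 'Verbose')]
        [string]$Level = 'Verbose',
        # Default is the usual location from step 2; override if installed elsewhere.
        [string]$ConfigPath = 'C:\Program Files\Microsoft Configuration Manager\AdminUI\bin\oobconsole.exe.config'
    )
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Not found: $ConfigPath" }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true      # keep the file's layout intact on save
    $xml.Load($ConfigPath)

    # The element from step 4: <source name="OOBConsole" switchValue="...">
    $source = $xml.SelectSingleNode("//source[@name='OOBConsole']")
    if ($null -eq $source) { throw "No <source name='OOBConsole'> element in $ConfigPath" }

    $old = $source.GetAttribute('switchValue')
    if ($old -ne $Level) {
        # Keep a copy of the file as it was before the change.
        Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
        $source.SetAttribute('switchValue', $Level)
        $xml.Save($ConfigPath)
    }
    "switchValue: $old -> $Level"
}

Set-OobConsoleLogLevel -Level Verbose
# When troubleshooting is finished: Set-OobConsoleLogLevel -Level Error
```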

Future attempts to use the Out Of Band Management Console will now log in verbose mode. The procedure can be reversed to set logging back to the default mode (set "Verbose" to "Error").

Some OOBConsole tasks will not function if the user account that is connecting via OOBConsole has a Kerberos token that is too large. This is an AMT/vPro limitation and is dependent on the version of AMT firmware the customer has in place. There is further information and a chart from Intel here:

https://communities.intel.com/community/openportit/vproexpert/blog/2009/03/23/kerberos-ticket-size-can-stop-you-from-connecting-to-vpro-systems-and-using-idersol?wapkw=(tokensz)

To view Token Size grab the Tokensz utility from here: https://www.microsoft.com/downloads/en/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en

Run with the current user logged on with the following parameters:

tokensz.exe /compute_tokensize

Output at the bottom will show MaxToken = ####

To reduce Token Size, remove the user from some groups or use a fresh account that is not a member of so many groups.  After doing this you may need to use KerbTray (from Microsoft resource kits) to flush the local Kerberos ticket cache.

Something important to note is that while Right Click/Power Control functions may work, you may find that OOBConsole functions do not. This is because Power Control uses TLS authentication, while OOBConsole and the HTTPS web page use Kerberos.

Intel has a Configuration Manager 2007 vPro Troubleshooting guide here as well: https://communities.intel.com/message/10377

Hope this helps,

Buz Brodin | Senior Support Escalation Engineer
