14 July 2016

Intel SCS Task Sequences not working with SCCM 2012 R2 | Intel AMT: Discovery

Recently I have been labbing a new setup with SCCM 2012 R2 with Intel SCS.  The idea was to get Out of Band Management working with SCCM for some workstations which had Intel AMT.  I followed this guide, which was very helpful in getting everything setup.  The only difference was that I was using the latest version of Intel SCS 11.0 rather than version 9.0.  When I ran into some issues (and let's face it, you always run into issues when using SCCM), I noticed that there was literally nothing online with regard to the issue I was having...so here it is!

The problem I hit was when I was enabling the various Task Sequences to run discovery and configuration of the workstations for Intel AMT.  The first task sequence works fine, which is Intel SCS Platform Discovery.  The second task sequence however; Intel AMT Discovery fails when I try to run it.  I'm not really able to find out what is going on through the logs, as you know with SCCM, it's almost impossible to find anything as there's like 1,000,000 logs to sift through.

Looking into the Task Sequence, all it does it call up a batch file called Discover.bat.  I ran this script manually, adding a pause command at the end so I could see what was going on.  I noticed the following errors:

So it looks like there's nothing wrong with SCCM, and there's potentially nothing wrong with the batch script.  The issue looks to be certificate related.  Great!

Looking at the batch file, it calls an Executable file to run.  I opened this file up (right-click, Properties), then checked the Digital Signatures of the file:

As you can see, there's a lot of intermediary certificates that are required.  I only had the Root CA certificate installed.  I went through that list and installed each certificate, then ran the Task Sequence again from Software Center (through SCCM).  This time it was successful.  In future, we will need to ensure that these certificates are exported and then deployed to all computers within the network.

Part 2 - Intel AMT: Configuration

1 comment:

  1. Hey mate,

    Modify the SCCM batch and add the /LowSecurity: Disables authentication of digital signatures of files used by the Configurator (for example: ACU.DLL).

    Eg: acuconfig /output console /verbose /lowsecurity ConfigViaRCSOnly

    Add the /lowsecurity after every acuconfig command in the batch.

    Adam C