Failed to test the connection to the Intel(R) AMT device after configuration completed.

This solution has been verified by our customers to fix the issue with these environment variables

Knowledge

Error Messages

000038773

08/09/2019

What are you seeing?

After partial success with provisioning, the following issue occurs: Dell computers with Intel ME firmware 12.0.x are remotely configured on the chipset, but the following error persists in the RCS server database log: “Failed to test the connection to the Intel(R) AMT device after configuration completed. The SSL handshake failed because of an unsupported, unverified, or corrupt certificate.” (However, all existing Intel ME firmware 11.x computers are configured successfully on the RCS server, and their connection status is Connected without errors in the logs.)


Environment:

Intel(r) Active Management Technology

Intel(r) Setup and Configuration Software 12.0


How to fix it:

Test connection to Intel® AMT fails after configuration completes
Once Intel® AMT configuration is complete, you may see the following error displayed when Intel® SCS attempts a test connection to the Intel AMT device:
Details: Failed to test the connection to the Intel(R) AMT device after configuration completed.  The SSL handshake failed because of an unsupported, unverified, or corrupt certificate
This error is caused by modification of the system registry settings.
Microsoft Windows Server 2012 and Windows Server 2016
Microsoft Windows Server 2012 and Windows Server 2016 automatically support the level of TLS required to connect to Intel AMT 6 and above. However, if you modify registry keys under either the Schannel Protocol or WinHTTP registry locations then the TLS versions available to the operating system will be limited, which can result in this error.
To correct this problem, ensure your registry settings match the tables in the sections below (Schannel Protocol and WinHTTP) for the version of Intel AMT you are attempting to connect with.
Microsoft Windows Server 2008 R2 SP1
For systems running Microsoft Windows Server 2008 R2 SP1, an update is required which properly sets the registry for Schannel Protocol and WinHTTP. This update is available at the following Microsoft support article (upon which this KB article is based).
https://support.microsoft.com/en-ae/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
Go to the link above, then scroll to the Easy Fix section and click the Download button. Once the update is installed, verify that your registry settings for Schannel Protocol and WinHTTP match the tables in the sections below for the version of Intel AMT you are attempting to connect with.
Note: The Easy Fix update only enables TLS 1.1 and TLS 1.2, so if you are attempting to connect to Intel AMT v6 devices, you will need to manually update the DefaultSecureProtocols value in WinHTTP to 0xA80 (see the WinHTTP section below).
Note: Microsoft Windows Server 2008 SP2 only supports TLS 1.0, and cannot connect to Intel AMT version 11.8.60.3561 and later.
 
Schannel Protocol
Under Schannel Protocols, ensure the TLS subkeys based on the Intel AMT generations present in your environment match the table below.
Note: If there are no TLS subkeys under Schannel Protocols, proceed to the next section of this article (WinHTTP).

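| Schannel Protocols | DisabledByDefault | Enabled | Intel AMT 6 | Intel AMT 7-10 | Intel AMT 11.x - Intel AMT 11.8.55.3510 | Intel AMT 11.8.60.3561 | Intel AMT 12 |
|--------------------|-------------------|---------|-------------|----------------|------------------------------------------|------------------------|--------------|
| TLS 1.0            | 0                 | 1       | Yes         | Yes            | Yes                                      | No                     | No           |
| TLS 1.1            | 0                 | 1       | No          | Yes            | Yes                                      | Yes                    | Yes          |
| TLS 1.2            | 0                 | 1       | No          | No             | No                                       | No                     | Yes          |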

 
Registry Location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
 
Example: TLS 1.0/1.1/1.2 are all enabled with the same 32-bit DWORD values as shown here.
Note: For these TLS connections Intel SCS is the client and Intel AMT is the server, so only modify the Client subkeys.
 
WinHTTP
The second location is WinHTTP, which is not created by default and should only be modified if you have a DefaultSecureProtocols value that conflicts with the Intel AMT versions you are trying to configure or maintain. WinHTTP has 32-bit and 64-bit locations, but you only need to modify the DefaultSecureProtocols value for the OS version (32-bit or 64-bit) you are running.
Note: Modifications to WinHTTP require a server reboot for the value to take effect.

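| TLS Versions | Registry Value (Hex) | Intel AMT 6 | Intel AMT 7-10 | Intel AMT 11.x - Intel AMT 11.8.55.3510 | Intel AMT 11.8.60.3561 | Intel AMT 12 |
|--------------|----------------------|-------------|----------------|------------------------------------------|------------------------|--------------|
| 1.0          | 0x80                 | Yes         | Yes            | Yes                                      | No                     | No           |
| 1.1          | 0x200                | No          | Yes            | Yes                                      | Yes                    | Yes          |
| 1.2          | 0x800                | No          | No             | No                                       | No                     | Yes          |
| 1.1/1.2      | 0xA00                | No          | Yes            | Yes                                      | Yes                    | Yes          |
| 1.0/1.1/1.2  | 0xA80                | Yes         | Yes            | Yes                                      | Yes                    | Yes          |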

 
32-bit OS:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
64-bit OS:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Note: You only need to modify one of the above (32-bit or 64-bit) depending on your operating system.
 
Example: Changing the DefaultSecureProtocols value to enable TLS 1.0/1.1/1.2 with a 32-bit DWORD value of 0xA80.
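
A read-only way to check a server against the Schannel and WinHTTP tables above, as an added example that is not part of the original Intel article. The generation labels ('6', '7-10', '11-early', '11.8.60', '12') and the Get-RegValue helper are this script's own names; the registry paths, bit flags and accepted TLS versions are transcribed from the article.

```powershell
# Added example: read-only audit of the registry values described in this article.
param([string]$AmtGeneration = '12')   # hypothetical labels, see $Accepts below

# WinHTTP DefaultSecureProtocols bit flags, from the WinHTTP table
$Flags = [ordered]@{ 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
# TLS versions each Intel AMT generation accepts, transcribed from the tables
$Accepts = @{
    '6'        = @('TLS 1.0')
    '7-10'     = @('TLS 1.0', 'TLS 1.1')
    '11-early' = @('TLS 1.0', 'TLS 1.1')   # 11.x through 11.8.55.3510
    '11.8.60'  = @('TLS 1.1')              # 11.8.60.3561
    '12'       = @('TLS 1.1', 'TLS 1.2')
}
if (-not $Accepts.ContainsKey($AmtGeneration)) { throw "Unknown generation '$AmtGeneration'" }

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$WinHttp  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent (OS default applies)
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Any explicitly set DefaultSecureProtocols mask, from either WinHTTP location
$masks = @($WinHttp | ForEach-Object { Get-RegValue $_ 'DefaultSecureProtocols' } |
           Where-Object { $null -ne $_ })

$report = foreach ($tls in $Flags.Keys) {
    $enabled  = Get-RegValue "$Schannel\$tls\Client" 'Enabled'
    $disabled = Get-RegValue "$Schannel\$tls\Client" 'DisabledByDefault'
    # Blocked only when a value is explicitly set against this TLS version
    $bySchannel = ($enabled -eq 0) -or ($disabled -eq 1)
    $byWinHttp  = @($masks | Where-Object { -not ($_ -band $Flags[$tls]) }).Count -gt 0
    [pscustomobject]@{
        Protocol       = $tls
        AmtAccepts     = $Accepts[$AmtGeneration] -contains $tls
        SchannelClient = "Enabled=$enabled DisabledByDefault=$disabled"
        Blocked        = $bySchannel -or $byWinHttp
    }
}
$report | Format-Table -AutoSize

$usable = $report | Where-Object { $_.AmtAccepts -and -not $_.Blocked }
if (-not $usable) { Write-Warning "Every TLS version Intel AMT $AmtGeneration accepts is disabled in the registry." }
```

Empty values in the SchannelClient column mean the subkey is not set, which corresponds to the "no TLS subkeys" case the article describes; the script changes nothing in the registry.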


Cause & More Information:

THE INFORMATION IN THIS ARTICLE HAS BEEN USED BY OUR CUSTOMERS BUT NOT TESTED, FULLY REPLICATED, OR VALIDATED BY INTEL. INDIVIDUAL RESULTS MAY VARY. ALL POSTINGS AND USE OF THE CONTENT ON THIS SITE ARE SUBJECT TO THE TERMS AND CONDITIONS OF USE OF THE SITE.