We have come across an issue with the Dell Precision 5510 with respect to utilizing Intel AMT (Advanced Management Technology) when on a wired connection. We are unable to remote provision these notebooks as we get an "on-board LAN not found" error. Please let us know how to correct this problem. These Units do not come equipped with onboard LANs. Instead they come with USB-C external NICs. The Dock is also connected using a USB-C connector.

Hi,

I not sure if this is something that I should be asking here or on the HP support site. We have 48 HP EliteDesk 800 G2 DM 65W mini desktop machines. I provisioned them all with a very basic profile and they have been working and responding correctly to AMT commands. However after a time some of the machines became unauthorized and the only way to fix this was to reset the AMT in the BIOS to un-provisioned and then provision them again.

Does anybody have any idea why the machines are becoming unauthorized?

Thanks

Is it possible to remote provision an Intel vPro AMT equipped notebook via Wi-Fi? That is... If the Wired NIC is unplugged, is it possible to remote provision the system via the Wi-Fi adapter?

We have our PCs configured with AMT and we can use the Manageability Commander Tool to remotely reboot these device when they freeze up and are not responding. We are trying to script reboot since we get notifications when the system stops responding and needs the reboot.

I am trying to find a few things.

• First, I think I will have to use PowerShell for the scripting, is there any documentation on this?
• What are the return codes for sending the remote reboot? (this might be answered with the first question) i.e. 1 reboot command sent successfully...
• I have found some information on creating scripts to reboot. Does any one have more information on creating this script?

Any help is much appreciated.

We have a Dell Mobile Precision 5510 notebook. We are unable to remote provision this system due to the error below:

Exit with code 75 - Failed to complete remote configuration of this Intel(R) AMT device.Details: Configuring via RCS is not possible because this computer does not have an onboard wired network card.

-0xc000284a

ACUConfig failed with error 75

This notebook only has an Intel Wi-Fi network adapter. Dell stated that this system is equipped with Intel AMT technologies. Additionally, after manually entering the configuration via the MEBx BIOS we are unable to access the Intel Web-UI via http://mysystem.mycompany.corp:16992/

Tried to configure using the USB thumb drive and it fails with "Error applying IPv4 parameters"

We have other Dell Latitude Models that have no issues with remote provisioning.

Please help.

We are unable to remote provision a Dell Precision Mobile 5510 via Wi-Fi. We get the following error below (in bold). Note: this model does not have an on board LAN adapter. How can we fix this?

Starting log 2016-10-27 15:22:57

Verifying the digital signature of ACU.dll, this operation might take up to 3 minutes...

Entering

Exiting

Set compatibility mode to 10.0.

ACUConfig 11.0.0.214

MyNotebook.MyDomain.corp: Starting to configure AMT via RCS...

Entering

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Entering

Exiting

Intel(R) AMT  in PROVISIONING_MODE_ENTERPRISE

Entering

Exiting

Exiting

Entering

Exiting

Calling function Discovery...

Calling function GetLocalSystemAccount over MEI...

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Function GetLocalSystemAccount over MEI ended successfully

Host Based Setup is not supported (WS-MAN call Failed with gSoap error code: 24)

Function Discovery ended successfully

Entering

Exiting

GetHostAndMEInfo output data:

  IsAMT:True,

  isEnterpriseMode:True,

  configurationMode:2,

  isRemoteConfigEnabled:True,

  AMTversion:11.0.0,

  isMobile:True,

  provisioningTlsMode:2,

  uuid:4C4C4544-0032-4A10-8051-B8C04F4D4332,

  isClientConfigEnabled:False,

  hostBasedSupport:False,

  configurationState:2,

  FQDN:MyNotebook.MyDomain.corp,

  embeddedConfigurationAllowed:False.

  isLANLessPlatform:True.

  PKIDNSSuffix:MyDomain.corp

***** Start RemoteConfiguration ******

Entering

Exiting

Get OS IP:An invalid IP address was supplied in the parameter.

-IPAddress

Entering

Exiting

Entering

Exiting

RCSaddress=MyRCSServer.MyDomain.corp, RCSWMIUser=, RCSProfileName=LAN-LESS

MyNotebook.MyDomain.corp

RCSaddress=MyRCSServer.MyDomain.corp, RCSWMIUser=, UUID=4C4C4544-0032-4A10-8051-B8C04F4D4332, ConfigMode=3, PID=, RCSProfileName=LAN-LESS, AMTVersion=11.0.0, OldADOU=, Configure AMT Name= True. Configure AMT IPv4= True. AMT Name= Host Name- MyNotebook Domain Name- MyDomain.corp . Source For AMT Name= Host Name- MyNotebook Domain Name- MyDomain.corp . Default OS Name= Host Name- MyNotebook Domain Name- MyDomain.corp . Configure AMT IPv4 to DHCP mode= True.

***** END RemoteConfiguration ******

***********

Exit with code 75.

Details: Failed to complete remote configuration of this Intel(R) AMT device.

Initial connection to the Intel(R) AMT device failed.

A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

ACUConfig failed with error 75

Starting log 2016-10-27 15:24:02

Verifying the digital signature of ACU.dll, this operation might take up to 3 minutes...

Entering

Exiting

Set compatibility mode to 10.0.

ACUConfig 11.0.0.214

MyNotebook.MyDomain.corp: Starting to discover the system information...

***** Start SystemDiscovery ******

Entering

Entering

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Entering

Exiting

Intel(R) AMT  in PROVISIONING_MODE_ENTERPRISE

Entering

Exiting

Exiting

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Entering

Exiting

Entering

Hash Handles number:19

Exiting

Entering

Exiting

Entering

AMT Status code - Essential data is missing from the AMT.

(0xc0004a71)

Exiting

AMT Status code - An internal error has occurred in the Intel(R) AMT device. This might indicate an interface error, or an application error.

(0xc0004269) (ConfServerDiscovery)

Entering

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

AMT Status code - An internal error has occurred in the Intel(R) AMT device. This might indicate an interface error, or an application error.

(0xc0004269) (GetPID)

Entering

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Entering

Calling function Discovery...

Calling function GetLocalSystemAccount over MEI...

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Function GetLocalSystemAccount over MEI ended successfully

Host Based Setup is not supported (WS-MAN call Failed with gSoap error code: 24)

Function Discovery ended successfully

Exiting

Entering

Exiting

Entering

Exiting

Entering

Exiting

Entering

Exiting

Exiting

Entering

Exiting

Get OS IP:An invalid IP address was supplied in the parameter.

-IPAddress

Entering

Exiting

Entering

Exiting

Connected to the Intel(R) Management Engine Interface driver, version

11.0.0.1181

Connection data - Connection type: HTTP, FQDN: MyNotebook.MyDomain.corp, IP: 127.0.0.1, UserName: $$OsAdmin

Connection Info-MyNotebook.MyDomain.corp $$OsAdmin HTTP_CONN:

Failed while calling

WS-Management call

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

Soap call

GetCoreVersion. Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

WS-Management call

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

Soap call

GetCoreVersion. Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Testing the connection with AMT IP instead of FQDN. 127.0.0.1

Failed while calling

WS-Management call

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

Soap call

GetCoreVersion. Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

WS-Management call

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Failed while calling

Soap call

GetCoreVersion. Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

Testing the connection with AMT IP instead of FQDN. 127.0.0.1

Failed while calling

Soap call

GetCoreVersion. Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

, error in discover 0xc000521c

Connection data - Connection type: HTTP, FQDN: MyNotebook.MyDomain.corp, IP: 127.0.0.1, UserName: $$OsAdmin

Connection Info-MyNotebook.MyDomain.corp $$OsAdmin HTTP_CONN:

Failed while calling

.

.

.

.

My problem is:

When I attempt to log
on to the Intel AMT WebUI using a web browser,
the logon box prompts for a domain-based credential (domain\user with
associated password). The same credentials work correctly with VNC Viewer.
When I Deselect the IE option Enable Integrated Windows
Authentication
I am able to log with the admin and the mebx password. I want use the
active directory for  Web Ui authentication.

My computer settings:

Windows 8.1 and IE11

My SCSnsole
version 11 

My amt version 9.1.20 intel
vpro

I look this kb http://support.microsoft.com/kb/908209 but is a very old kb.

Some people can help me
please?

Thanks

Eric

Hello everyone,

I am working with SCCM 2012 R2 (Current branch version 1511) and I manage about 100 000 computers.

I am interested with the AMT Technolgy which can permit us to power on computers or manage other system settings

As you know in SCCM 1511, the "Out Of Band Management" and the "Enrollment Point" have been revemoved (depreciated) from the product.

We still can install the Intel SCS for SCCM add-on which add collections, task sequences and packages but how can I "manage" computers after intel AMT is configured ?

The Out of Band menu is no present anymore.

Does anyone have already integrate this feature on his hierarchy ? Is still effective with 1511 version ?

Any help regarding this topic is welcome !

Jérémie

I have a bunch ( 200-300 ) computers ranging from amt 6 to 9 configured with the most basic way of lan connectivity ( can't remember the name this has on each amt version ), I want to configure their kvm sol ider etc, and I'm looking for the fastest way to do it

I have manageability commander tool mesh edition v0.1.35 and am able to connect to the computers and individually configure them, this of course is mind numbing

I've tried with vpro SDK but run into the problem that the line call "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm" "IWSManClient.dll" /codebase /tlb gives me an error, if I remove /codebase /tlb it works, but then the js fails anyway when it tries to create the amt object, this has been tested on windows 8 and 10 and regasm from different versions of .net

I've also tried to follow this http://jefflane.org/v2/technology/setting-up-intel-amt-to-act-as-a-remote-kvm-in-linux/ but looks like the address http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData it relies on is no longer operative

is there any other way I can run an exe/script which can take parameters and can batch configure my machines?, or can anyone help so I can get any previous solutions to work for me?

Hello!

I trying to configure Intel AMT-ME 5.0-5.2 motherboard based on Q45 to use SSL/TLS-HTTPS connection.

Intel AMT versions - Wikipedia - tells that AMT 5.0 have TLS.

I make all needed settings at BIOS and ME-BIOS and successfully access to AMT PC via Web-GUI at 16992 port. But I want SSL/TLS connection encryption.

First I try to use AcuWizard, but it tells that AMT5.0 does not support host-configuration (only AMT7.0 or later), but USB-key configuration does not have certificates and SSL/TLS options.

Second I try MeshCommander (latest v0.3.8) - but all the way it shows only Error:400.

Third I use "ToolMesh - Manageability Director/Commander" - it works more stable, so I create and import to AMT module 2 security certificates (root and user) - certificates was added successfully. Also I add those certificates to local Windows certification storage (at PC from where I trying to connect to AMT PC). And also I delete some suspicious 3rd party application from AMT named as "venCA (Unicenter)". But when I trying at "Manageability Director" setup SecurityProfile to AMT-PC with "intel AMT Security" option set to any of 4 types with TLS - error appears: "SetTLSKeyAndCertificate() returned FAILED_WEB_CALL". Also at AMT PC tab "Security" option TLS shows as "Unsupported" and drop-down menu is absent.

I try Intel SCS console configuration to make "Delta configuration USB key" but it needs some "CA RCS server reach Microsoft CA" (something like this) and can not just use certificates stored at the near folder at the same PC... OMG! Also IntelSCS tells something about alternative "CA local plugin" but google tells me that this plugin does not exist yet.

Making AMT<7.0 works through TLS is some kind of maltreatment!!!

Can anyone help with SSL/TLS-HTTPS enabling at AMT5.0???

Also at all those software I dont see possibility to use IDE-R image mount, where is it?!

Let me start by saying I'm a complete amateur when it comes to PC's. Here's what my issues with AMT are:

1. My computer became slower and slower. After an analisys with a software called MTB (taken from bleepingcomputer.com), I discovered that I have many errors involving AMT. You can see all of them in the attached file called "MTB". Also to help you, I used a software called Speccy, which gives you a full view of my PC. The report is here: http://speccy.piriform.com/results/08Dcu2Zcwl3tSIRLOrURhwo

What can I do about those errors? Are they the ones slowing my computer?

2. since this is my personal PC, would it help if I disable the AMT feature? I found a guide here How to Disable Intel Active Management | Chron.com. Is the process described correctly?

Thank you in advance for all the help.

Later edit: meanwhile, I have also used a software called "Cristal Disk Info" which reported that my disk is in good condition.

Hello,

As standalone problem I ask to help me to connect MechCommander (0.3.8) (MC) or IntelManageabilityCommander 1.0.8 to my AMT 5.0 PC.

They cant find this AMT-PC via IP range. I add AMT-PC manually but when I trying to connect:

at 16992 with NO TLS - Error 400 (after some time);

at 16993 with TLS - Timeout error (appear just immediately, without any delay).

Of course 2 TLS certificates Root+User added to MC-CertificateManager and Root-CA set as Trusted.

Also I can normally connect and configure this AMT PC via Manageability Director/Commander.

What is the problem and how to resolve it? Maybe MechCommander/IntelManageabilityCommander does not support AMT v5 ???

We have some Dell 7040 mini desktop that are provision with Vpro via USB sticks. They are mounted to our ceiling tvs and are use for displaying videos. I recently notice that i lost KVM control of those machines and i can no long vpro into them. The only solution i found so far is to go into the IntelMBex Bios to disable and enable KVM. Once i do that they work fine again, this has happen to me twice in the last couple of months.

Has anyone had this issue before?

Thanks,

We are develop our system on Ubuntu Server 16.10, but current Intel SCS only support on Windows or SUSE Linux

How could I set up key for Intel AMT on Ubuntu pc

Hi, we have SCCM 1606 and we would like to deploy Intel SCS in order to be able to remotely wake and control our clients via SCCM.  I am completely new to Intel vPro / SCS so I need to understand where to start with this.  I have read somewhere that all clients need to have a certificate installed and they can get this certificate from an internal PKI server (which we have).  Is there a guide that covers the whole thing or can someone give me the basic steps that we need to work through to get this up and running?  So far I have Installed "Intel Manageability Commander 1.0.8" on my own PC and I can see "Intel AMT Power-On" when I right click on computer device collections.

Kind regards,

Graham

Hi there,

I'd like to just double check that it should be possible to power-on / wake a remote machine via the Manageability Commander if the environment is configured correctly?

I have a basic lab comprising two workgroup windows 10 x64 machines connected via an unmanaged switch.  The firewall is off on both machines and I have configured IPv4 and disabled IPv6.

I have configured a Lenovo M900z (Intel Ethernet I219-LM) using the ACUWizard and I am able to connect to it remotely using the Manageability Commander 1.0.8.  I am then able to connect via remote desktop and power cycle the machine, etc.  The problem I have is that I am unable to wake the machine up if it is switched off but I'm not sure if I am doing something wrong.  I have been able to wake the machine from sleep so I am close!  If you look at the attached image you can see that under Power policy, ON is only configured for S0.

I've also attached some images showing the M900z NIC configuration.

Many thanks in advance.

Graham

We want to manage a lot of workstations via the KVM remote control  (or any other remote control Using Intel vPro Solution Manager). How can I accomplish this? Do I need to assign the static (or via the VPN DHCP server) IP of the Cisco VPN adapter.  Do we need to enable the KVM redirection feature of "KVM-Remote" Control so it will listen to the VPN adapter? The remote session is over the internet so we want to make sure there is a security mechanism involved. I called Dell and gave me this forum.

Thanks,

Tik

On the section of the ACUWizard when you can specify the AD integration, I have been able to specify my OU and I would also like to add the computer account to a security group but for some reason when I try to find the group, it is missing from the drop down list.  Does anyone know why?  There are tons of other groups listed but not the one I want.  The group was created a few days ago so it can't be anything to do with replication.  I've also noticed that it doesn't properly sort the list alphabetically.

Thanks,

Graham

Hi all,

We are using 802.1X to secure our wired network and our Windows 10 machines are using PEAP (Computer Authentication) as specified using Group Policy.  This all works great but I now need to try and figure out how to get 802.1X working for AMT.  The only guide I can find regarding how to configure the template is this one specifically the section "Creating and Issuing the Client Authentication Certificates for 802.1X AMT-Based Computers".  Does this still apply given that our build of SCCM (1610) no longer supports OOB?  The problem is that when building a profile on a test machine, in the part where I specify the special 802.1X certificate, it doesn't appear within the drop down box.  I can only select my "AMTClientConfigurationcertificate" certificate.

I have another question:

I've mostly been using this guide for setting it all up but I wondered if the "Web certificate" part is still required given we are using SCCM 1610?

Many thanks in advance,

Graham

We design and build deterministically modeled systems which use Intel Trusted Execution Technology (TXT) as the basis for the platform trust root.  We have been working to develop platforms based on TPM2/TXT hardware in order to support future development paths since TPM 1.2 based hardware systems are being phased out.  In the process of doing this we have run into a number of issues and wanted to get some feedback from others who may be working in this venue.  We are posting here since TXT is a vPro branding element and there doesn't appear to be a forum specific to TXT issues, at least none that we could find.

First of all, for the benefit of others, it does not appear that the TBOOT hypervisor, as of its most recent 1.9.5 release, can properly implement a TPM2 based measured launch environment.  There is a system initialization ordering problem which results in a null-pointer de-reference when the TPM2 initialization code attempts to read the Authenticated Code Module (ACM) header to determine the TPM2 device characteristics which are supported by the ACM.  This causes the TPM2 initialization code to use random data from memory to sets its operational characteristics.  At least in our environment this causes tboot to use the 'new' NVram indexes on its first invocation and the 'old' NVram indexes on its second invocation by the ACM after the dynamic root of trust has been initialized.  There are also the obvious security concerns associated with null pointer de-references.

Secondly, with respect to NVram indexes.  Why do the Intel TXT provisioning tools default to using the 'new' NVram indexes when all of the micro-architectures which support TPM2, ie. from Broadwell forward, have Intel released ACM's which specify that the 'old' NVram indexes are to be used?  Are the 'new' indexes reserved for server class hardware which have the ACM embedded in their firmware?  It is our understanding that an alternate ACM can be loaded in the multiboot stack, but if all of the alternate ACM's available on Intel's TXT site specify the 'old' indexes this would cause platform operability issues since the TPM provisioning will be incompatible with the ACM.

The final issue which we wanted to toss out, which is problematic from a security perspective, is that TBOOT appears to be unable to conduct post-S3 suspend memory verification on TPM2 based systems.  It appears that TBOOT is unable to reference the ephemeral primary key which is generated on platform boot and which is used as the trust anchor for the key which is generated to seal the Message Authentication Code (MAC) secret.  As a result the hypervisor cannot verify that the memory contents coming out of suspend are the same as the contents going into suspend.

After an initial TBOOT based launch one of the transient handles appears to be in use.  After an S3 suspend all of the transient handles are available so our assumption is that the transient handle used by TBOOT for the sealing key is flushed as part of powering down the hardware.  The TPM2 hardware is reporting a 0x910 error during S3 resume processing which indicates that the transient object being requested is not loaded so the observed behavior is consistent with the premise for the regression.

Any comments or reflections on the above, along with experiences of others working on TPM2/TXT based systems would be of interest.

Have a good day.