Quantcast
Channel: Intel Communities : Discussion List - Intel® vPro™ Platform
Viewing all 632 articles
Browse latest View live

Intel SCS Add-on Installation Error

March 28, 2017, 5:25 pm
$
0
0

I'm trying to install the SCS Add-on for ConfigMgr and I'm running into an error right after launching setup. The error is:

 

Failed to identify the SCCM installation.

 

I'm running in a standalone Primary Site running System Center Configuration Manager, Current Branch, build 1702. I have tried installing the SCS Add-on from my own workstation, which has the ConfigMgr console installed, the Site Server, and another test VM, all of which have the console installed and I've verified they connect to the site, work, etc.

 

The Site Server does not have a SMS Provider installed on it, rather 2 other servers have SMS Providers installed on them. Is the Intel SCS add-on installer looking for the WMI namespace on the Site Server, failing, and producing the error I'm seeing?

 

Is there any way I can get a hold of the files which are extracted / installed by the installer and manually install the add-on / console extension?

Intel SCS - Installation Error - 03282017.PNG

 

Edit: I should've included the contents of the SCCMAddon.log file. Here it is:

 

2017-03-28 16:56:58,965 - DEBUG: Starting

2017-03-28 16:56:58,971 - INFO : Starting Log

2017-03-28 16:56:58,972 - INFO : Version: 2.1.8.10

2017-03-28 16:56:59,036 - INFO : No previous settings found.

2017-03-28 16:56:59,160 - DEBUG: Entering SettingsViewModel.ctor

2017-03-28 16:57:01,265 - FATAL: Failed to identify the SCCM installation.

System.InvalidOperationException: Sequence contains no elements

   at System.Linq.Enumerable.First[TSource](IEnumerable`1 source)

   at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder64bit(Architecture& pArchi)

   at SCCMConfig.DAL.SCCMProber.GetSCCMInstallationFolder(Architecture& pArchi)

   at SCCMConfig.DAL.SCCMProber.Detect()

   at SCCMConfig.Actions.ActionPerformer.Detect()

   at Intel.SCS.ACIWizard.ViewModel.WelcomeViewModel.<Init>b__8()

 

Message was edited by: Scott Metzel

Search

HLAPI: Kerberos authentication - getting the realms of a user from a machine that is not in the domain

April 3, 2017, 2:19 am
$
0
0

Hi everyone,

 

I am trying to connect to an AMT machine that is provisioned with Kerberos authentication (no TLS at this point), using the HLAPI. The connection is done from a machine that is not in the same domain as the users defined for Kerberos authentication.

 

The connection to the machine works fine:

amt = AMTInstanceFactory.CreateEX(ci);

               

After I connect, I need to get the realms of the user. If I attempt:

KerberosEntry kerberosUser = amt.Config.ACL.GetKerberosUser(ci.UserName);

List<Realm> realms = kerberosUser.Realms;

 

it fails with an exception with failure: Intel.Manageability.Exceptions.ACLFailures.UserNameDoesNotExists

 

This probably makes sense, since the HLAPI GetKerberosUser() function uses the system functions to get the SID of the given username:

string sid = (userNameOrSID.Contains("\\")) ? GetUserNameSID(userNameOrSID) : userNameOrSID;

and GetUserNameSID tries:

NTAccount account = new NTAccount(userName);

SecurityIdentifier sIdentifier = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

 

It cannot translate the username to an SID because the object does not exist in the Active Directory this machine is part of.

 

My question is: can somehow the SID of the user that was used for Kerberos authentication be obtained from the AMT machine (AMT instance), instead of trying to resolve it locally from the machine where the connection is initiated?

If I could run the GetKerberosUser function giving directly the SID as parameter, instead of username, it would probably succeed and get the realms correctly.

 

Any advice would be greatly appreciated. Thanks in advance.

to pass vPRO verification, the products must have a TPM?

March 20, 2017, 1:08 am
$
0
0

For example, TPM is restricted in China, how can a@ laptop shipping to China pass vPRO vertification?

SCS web service

April 14, 2017, 12:53 am
$
0
0

Hi everyone,

 

I have seen, in a software that can manage AMT machines, a reference to a "SCS Web service" URL that could be used to retrieve a list of AMT devices that the SCS is aware of.. does anyone know if this feature (still) exists, and if yes, how it can be configured? I didn't find anything resembling this in the Intel documentation, or in my SCS installation.

 

All I found from the Intel documentation was a reference to an AMTConfServer.exe, which I don't have.. I installed the SCS 11.1 from a SCS_download_package_11.1.0.75 downloaded from Intel, installed it from the RCS folder, and under Program Files I have a folder Intel containing Console, License, and Service. No AMTConfServer. What am I missing?

 

Thanks in advance!

Wireless Profile Synchronization for Intel AMT/ME on Windows 10 ?

April 20, 2017, 3:48 pm
$
0
0

Hello People,

 

lately I have experimented and learn a lot about my vPro enabled system, and I successfully operated remote KVM capability between a Windows 7 laptop with Wired & Wireless profile, and a Windows 10 desktop with the default Wired profile.

 

But here is the thing: it appears that both my laptop and my desktop computers have a Wifi connection using the Intel 8260.

 

On the Windows 7, the full/real PROSet utility allows me to synchronize the Wifi profile as shown below:

 

Intel Wifi Profile Synchronization AMT-ME.png

 

However, on Windows 10, here how looks like the Intel PROSet/Wireless utility:

 

Intel Wifi PROSet Windows 10.png

 

this is it.

 

I don't see any option to synchronize the Wifi profile with AMT.

 

So I tried to do my homework and review as much doc on intel and google as I can find, but it seems none is complaining about any PROset limitation on Windows 10 related to AMT usage.

 

So allow me to ask simply: What am I missing here ?

 

how to synchronize a Wifi profile with AMT on a Windows 10 machine ?

 

Please advise.

 

Thanks very much in advance for your assistance.

 

Hassan

AMT filter description

April 24, 2017, 2:54 am
$
0
0

Hi everyone,

 

I would like to list all AMT subscriptions from a target AMT system, and for each subscription, list the filter.

 

I saw that you can add a subscription either by defining its filter manually:

constructor:

public Filter(byte deviceAddress, byte eventSensorType, byte eventOffset, byte eventSourceType, byte eventSeverity, byte sensorNumber, byte entity, byte entityInstance, byte policyID, byte eventType);

so a new filter would be e.g. Filter filter = new Filter(255, 255, 15, 255, 0, 255, 0, 0, 28, 255);

or by using the existing dictionary

e.g. Filter filter = new Filter(Events.Battery.Battery_Level_is_Critically_Low);

 

This last filter corresponds to the dictionary entry: EventsDictionary.Add("Battery_Level_is_Critically_Low", new eventDetails(new eventDetails.filterValues(255, 41, 0, 88, 1, 255, 38, 0, 103, 111), FilterName.Platform));

 

The question is: is there an enum or any description of what each of these values mean?

e.g. what the byte eventType = 111 stands for? or byte sensorNumber = 38?

 

I would like to print these values "translated" into something more readable.

Thanks in advance.

Client AMT WMI properties not displaying properly

April 27, 2017, 3:13 am
$
0
0

Hi all, I have a strange issue were some of my clients do not show the AMT properties within WMI explorer.  See attached screenshots:

WMI Explorer prob.JPG

This is what it should look like and indeed does on a few of my clients.

WMI Explorer good.JPG

Both clients have the full Management Engine driver installed.  Intel Manageability is enabled within the BIOS.

Has anyone else come across this?

Regards,

Graham

SCCM SCS Add-on Discovery

May 2, 2017, 7:54 am
$
0
0

I am trying to install SCS Add-on for Microsoft SCCM, only with Platform Discovery. The installation guide and the installation refers to platformdiscovery.exe.

 

 

From this link http://www.intel.com/content/www/us/en/software/setup-configuration-software.html I find this option refering to platform:

 

When downloading and extracting this file, I get the SCSDiscovery.exe file.

 

Skim reading SCS installation guide, suggest this is two different files.

Next page:

 

Anyone got an idea of what I am missing?

Search

How do I configure VNC from Linux now?

May 3, 2017, 10:18 am
$
0
0

A couple years or so ago, I wrote this:

 

Setting up Intel AMT to act as a remote KVM in Linux – JeffLane.2.0

 

Which documented the things I'd found onlne to get a NUC with vPRO working and providing remote desktop access via VNC.

 

However, now none of that, nor any of the similar solutions online work because they all depended on the ips-schema hosted at Intel, such as:

 

http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData

 

Those links all now redirect to a 404.

 

So my questions:

 

1:  Where is the ips-schema stored now?

 

2:  How else can I configure a system with AMT for VNC connections?  There is NO useful information that doesn't assume you're a hardware engineer, that I can find. 

 

And please do NOT tell me to use some windows tool.  I don't run windows.  I am a Linux engineer, my full time job involves Linux, I do not own ANYTHING that has Windows on it.  Using some Windows tool is simply not an answer, unlike the answer this guy got here:

 

best way to batch configure?

 

I do NOT need some Intel RSC server or any other weird thing.  I have A server, that unfortunately uses AMT for management, rather than IPMI based BMCs that just work.  I just need to set a few things to enable VNC and I'm ridiculously frustrated by this right now, given that what I wrote before to configure my NUC is now invalid.

 

 

vPro vulnerability question

May 3, 2017, 1:41 pm
$
0
0

Hi there, I have a number of vPro ready Dell Optiplexes in my office. They are in use, their firmware is of the "vulnerable" version, but Intel ME is still un-configured at the "factory default" state. Can someone confirm these boxes are not at risk to the AMT/ISM/SBT Vulnerability (INTEL-SA-00075) as long as they are "un-configured". Your help is appreciated.

AMT Support on the Intel NUC5i3MYHE

May 5, 2017, 10:18 am
$
0
0

Is AMT supported on the Nuc5i3MYHE? Looks like ME 10 firmware is supported on this particular NUC's spec sheet, but it seems the i3-5010U does not support vPro.

 

I've tried configuring AMT on one of these units without luck, which may not be a surprise given that the processor does not have vPro.

 

Thanks

Intel AMT - quick temporary fix until new BIOS release ?

May 6, 2017, 5:48 am
$
0
0

My quick temporary fix regarding CVE-2017-5689 vulnerability until you can apply a new BIOS update:

 

Change default admin name account to something random, do not create another admin account:

 

AMT-ca1.jpgAMT-ca2.jpgAMT-ca3.jpg

 

Is this approach viable if admin account name is unknown to attacker ?

 

Update 7-05-2017:

This method was confirmed by other professionals to be effective for protecting your computer from remote AMT login !

 

Renaming default admin name account to something random will protect your computer with AMT active only from other host accessing your AMT computer by LAN or WAN.

 

It will NOT protect you from login/attack via local interface with LMS access !!!

It is best to use AMT with TLS so connection and traffic will be encrypted and admin name account can't be sniffed !

 


Remember you are still vulnerable from attack via local interface LMS access !!!

 

If you are looking for 100% protection then follow Intel advisory and unprovison and disable AMT !
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

 

Message was edited by: Lucian L.

Are separate Intel gigabit NIC cards a solution to AMT vulnerability?

May 8, 2017, 11:10 am
$
0
0

Assuming I have one of the affected boards (from the link below) and a vPro processor, does AMT still function if I disable onboard networking and add an Intel NIC card?

https://communities.intel.com/message/472155#472155

 

Would it make any difference if the card was PCI or PCIe? I wouldn't think so.

 

I believe AMT does not function through a Realtek NIC card. Please correct this assumption if I am in error.

 

And in case it's not obvious, I don't use AMT so disabling it would not present a problem.

Intel AMT Firmware drivers vulnerability issue

May 10, 2017, 1:12 am
$
0
0

Hello guys,

I want to confirm if a machine has the Firmware driver that is considered vulnerable (X.X.XX.1XXX) and a MEI (Intel Management Engine Components Driver) driver installed,

is it still considered vulnerable to the local security issue and does step 2 from the mitigation guide(disabling/removing the LMS service) still needs to be followed?

Also is the Intel management and security application local management service (LMS) installed with the MEI drivers? And if removed would the MEI drivers need to be reinstalled?

Thank you.

Intel AMT detection Tool - Windows Server Compatibility

May 12, 2017, 2:07 am
$
0
0

When I run the detection tool provided for Intel AMT vulnerability check, I get the following message "Based on the Version of the ME the System is "Unknown" . This means, tools is not compatible for OS i'm running? or other reasons. I'm running this on the Windows Server 2008.@

Search

Error while connecting to VPro RCS using SCS console on same machine.

May 11, 2017, 5:21 am
$
0
0

Hi,

 

I have installed SCS console and RCS (Vpro) on same machine and I am trying to connect to RCS but unable to connect.

Error says "Failed to connect to Remote Configuration Service.

 

Have tried opening TCP port 135, also enebled

  • Windows Management Instrumentation (ASync-In)
  • Windows Management Instrumentation (DCOM-In)
  • Windows Management Instrumentation (WMI-In).

But was still unable to solve the above error.

 

.RCSError.png

vPro vulnerability detection question

May 11, 2017, 1:18 am
$
0
0

I tried to run the 'Intel-SA-00075-console.exe -n' on the Window Server 2012 R2, but returned the followings, how can I check the vulnerability pro@perly on windows server 2012?

 

*** Host Computer Information ***

Manufacturer: HP

Model: ProLiant DL380 Gen9

Processor: Intel(R) Xeon(R) CPU E5-2609 v3 @ 1.90GHz

Windows Version: Microsoft Windows Server 2012 R2 Standard

 

*** ME Information ***
Version: Unknown
SKU: Unknown
State: None Detected
Driver installed: False
EHBCP Enabled: False
LMS state: NotPresent
MicroLMS state: NotPresent

 

*** Risk Assessment ***
Based on the version of the ME, the System is Unknown.

Cannot access KVM for remote control using vPro on Dell System

May 16, 2017, 12:33 pm
$
0
0

Hello,

 

We have purchased 11 Dell Optiplex 7450 systems.  These particular systems were selected and configured specifically for being able to perform out of band management.  We need remote KVM and storage redirection.

 

The documentation from Dell is abysmal.  Dell ProSupport was not at all helpful.  I downloaded and read through several Intel documents.  I would like to get these systems configured and deployed without a provisioning server.  I prepared a USB key with the Intel SCS Console.  I then provisioned the system with the USB key.  I can connect to the system's web interface at port 16992 and see the system information.

 

When I attempt to connect to the system with VNC, I cannot establish a connection.  I am attempting to do this while the PC is sitting at either the BIOS screen or the MEBx screen, so I know there is no firewall issue.

 

I see no other documentation that I can reference and I am stuck trying to get this implemented.  I would appreciate some assistance in getting these systems configured and deployed.

 

Thank You.

Lenovo Machines connected to VPRO goes to sleep/Unreachable

May 16, 2017, 1:18 pm
$
0
0

Hi Team,

 

We are using Intel vpro technology and manage machines remotely. Primarily ,we use it for imaging purposes .where we deploy images on machines connected to VPRO.

 

If the machine is idle for some time, Its disconnecting from VRPO. Also machine goes to sleep mode during imaging. Due to which the image deployments gets failed.

When checked VPRO connected does not ping at all.

 

We have Lenovo laptops Gen1,2,3,4 machines. We have worked with Lenovo and they informed there are no issues from their end. They just had us to do bios update.

We have ensured all port and network communications are fine.

Not able to unprovision AMT via bios or using ACUConfigure.exe

May 17, 2017, 6:35 am
$
0
0

Hi,

 

As recently identified vulnerability issue with AMT vPro machines, I was trying to unprovision AMT using the "ACUConfigure.exe unconfigure", but fails because LMS service is not there in those machines, and tried doing unprovisioning it via BIOS but on all those machines default password 'admin' is not working, and in one machine I am getting "MEBx Login Error - Error applying new password", when it prompts for changing the password.

 

Here's the situation

- Machines which is AMT provisioned (Provision State=2), does not have LMS service, so when I run "ACUConfigure.exe unconfigure", it fails because of missing LMS service.

- On machines having LMS service, AMT provision state is not 2.

- Most of the machines having AMT provision state 2 are "DT research BU590", since "ACUConfigure.exe unconfigure" is not working, as LMS service is missing, tried unprovisioning it via BIOS, but default password is not working.

- One machine - Thinkpad 460 with provision state 2, getting error while trying to change the password.

 

Please let me know, how to unprovision AMT and remove / uninstall LMS.

 

Also please confirm, if Provision state is 0, then it is unprovisioned.

 

Thanks

Kabilan

Viewing all 632 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>