Channel: Intel Communities : Discussion List - Intel® vPro™ Platform

Failed to install MEi using sccm on Windows 10 clients


Hi,

 

I have trouble installing the MEI driver and software using SCCM on Windows 10 clients.

From CMD all goes fine, but using SCCM is a problem.

 

LOG file:

2017:05:17 11:58:39:691:   Effective command line: "C:\WINDOWS\ccmcache\1m\SetupME.exe" -s -report c:\amt.txt

2017:05:17 11:58:39:714:   >>> Log start

2017:05:17 11:58:39:721:   Mutex with given name doesn't exist. Creating new one.

2017:05:17 11:58:39:730:   Obtained mutex succesfully.

2017:05:17 11:58:39:736:   Single-instance mutex has been obtained

2017:05:17 11:58:39:743:   Core version: 2.6.0

2017:05:17 11:58:39:750:   Setup version: 2.3.9.0

2017:05:17 11:58:39:758:   Command line: "C:\WINDOWS\ccmcache\1m\SetupME.exe" -s -report c:\amt.txt

2017:05:17 11:58:39:766:   OS data: 10-0-1-0 64-bit

2017:05:17 11:58:39:774:   System up time: 434 sec

2017:05:17 11:58:39:779:   Reboot pending: No

2017:05:17 11:58:39:786:   Current UI language: 0409

2017:05:17 11:58:39:794:   Language folder: C:\WINDOWS\TEMP\IIFA0A7.tmp

2017:05:17 11:58:40:672:   Loading language 0000

2017:05:17 11:58:40:677: E Language load error [2]

 

Why is it trying to load an incorrect language?


microLMS running after FW Patching to fix SA-00075


Hello all, hope this is the correct place for my SA-00075-related questions.

 

I got my new used laptop (HP Elitebook 8770w) on the 15th of May. Installed clean Win7 64-b, and went on to load and update drivers. Found several that made me look closely at anything related to SA-00075, because it is a vPro system.

 

HP has a Patch for 00075 that I have applied:

- Intel Corporate Management Engine (ME) Firmware Component - Version: 8.1.71.3608

 

HP also has a BIOS update that I have applied:

- SOFTPAQ FILE NAME: SP79723.exe - BIOS VERSION: F.65 REV: A PASS: 1

 

I have run several of the recommended Intel diagnostics tools trying to determine whether my system now is safe and secure (preferably safe enough for me to start using ME / AMT), and the one that both confuses me the most and at the same time looks to give the most useful information is the "INTEL SA-00075 DiscoveryTool", which outputs this information:

 

Risk Assessment

Based on the version of the ME, the System is Check With OEM.

If Vulnerable, contact your OEM for support and remediation of this system.

For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689

or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075

INTEL-SA-00075 Discovery Tool GUI Version

Application Version: 1.0.1.39

Scan date: 20.05.2017 13:44:05

 

Host Computer Information

Name: CAEGEAR-PC

Manufacturer: Hewlett-Packard

Model: HP EliteBook 8770w

Processor Name: Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz

Windows Version: Microsoft Windows 7 Professional

 

ME Information

Version: Unknown

SKU: Unknown

Provisioning Mode: None Detected

Control Mode: None

Is CCM Disabled: Unknown

Driver installation found: False

EHBC Enabled: False

LMS service state: NotPresent

microLMS service state: Running

 

First question:

I gather the status "Check with OEM" means Intel can't confirm HP's Patch for ME is fixing the 00075. Neither does HP supply me with a probing tool that lets me know 00075 is fixed after Patch. Would anyone share their take on whether I can assume "Check with OEM" means I'm ok as long as I patched according to OEM?

 

Second, and more important (to me anyway) question:

I have not installed or started a service called "microLMS". I can not find it (or info about it) in the registry or in any documentation available to me (locally, from HP, here on the Intel site, or in Google). I have found that one version of this "microLMS" is placed in the extraction folder for the Intel SA Discovery Tool, and I have found another, much larger file online from Mesh Commander / Intel Mesh / Mesh Central (MeshCentral). Both are called "Mesh Agent Service", one signed by "MasterRoot" and one signed "Intel". I guess the first of these is a Beta version Intel Mesh Central use for web UI, and the second one extracted by Discovery tool is some "full version" of this small LMS service. The one Mesh Central / Mesh Commander use is afaik (and according to Ylian @ intel / meshcentral) just a port forwarding tool for integration between AMT and Web UI / Meshes. What the Intel signed smaller one is, I have no idea.

 

Screenshots of the two "microLMS" exes properties:

scr001.png

scr002.png

scr003.png

 

And (tadaaa...) my question is:

Is there an actual service running on my computer called "microLMS"? Does the Discovery tool from Intel invoke it from its own directory upon start of Tool for some kind of auditing purpose? Is it used to confirm port binding of some sort and thus the last line in the result from the Discovery tool stating "microLMS service state: Running", does not mean a LMS service is actually running on my system?

 

As I said, I can not for the life of me find a service through Windows GUI that remotely looks like it is called "Mesh agent service", Meshagent, microLMS, or anything containing those words. Nor have I installed anything other than drivers and updates to the fresh (as of 15 May 2017) Windows 7 64-bit Pro. If I have a service running, I would love to know where it originated from (how it even came to reside on my system), if I can disable it, but maybe more importantly if it is an actual indication of a running service that I may or may not want.

 

Sorry this post may be a bit long. I am trying to relay enough information for anyone to maybe understand me, and I am not very versed in many of the (to me) complex IT-systems-related terms I suddenly find I am kind of forced to understand in order to make my new (used of course) HP Elitebook 8770w actually be mine to administer.

Remote Desktop does not connect using IM Commander


Client is fully provisioned using RCS with PKI.  I can connect and retrieve information via commander and web interface but when I press the "Connect" button it briefly shows "Connecting..." then goes back to Disconnected.  Please see attached SCSDiscovery output.

 

Many thanks in advance,

Graham

How do I configure VNC from Linux now?


A couple years or so ago, I wrote this:

 

Setting up Intel AMT to act as a remote KVM in Linux – JeffLane.2.0

 

Which documented the things I'd found online to get a NUC with vPRO working and providing remote desktop access via VNC.

 

However, now none of that, nor any of the similar solutions online work because they all depended on the ips-schema hosted at Intel, such as:

 

http://intel.com/wbem/wscim/1/ips-schema/1/IPS_KVMRedirectionSettingData

 

Those links all now redirect to a 404.

 

So my questions:

 

1:  Where is the ips-schema stored now?

 

2:  How else can I configure a system with AMT for VNC connections?  There is NO useful information that doesn't assume you're a hardware engineer, that I can find. 

 

And please do NOT tell me to use some windows tool.  I don't run windows.  I am a Linux engineer, my full time job involves Linux, I do not own ANYTHING that has Windows on it.  Using some Windows tool is simply not an answer, unlike the answer this guy got here:

 

best way to batch configure?

 

I do NOT need some Intel RSC server or any other weird thing.  I have A server, that unfortunately uses AMT for management, rather than IPMI based BMCs that just work.  I just need to set a few things to enable VNC and I'm ridiculously frustrated by this right now, given that what I wrote before to configure my NUC is now invalid.

 

 

Problems updating the Management Engine firmware on DB75EN


My Intel Desktop Board DB75EN is affected by the AMT vulnerability.

 

I found a firmware update here:

Intel® Active Management Technology Escalation of Privilege Advisory...

 

However, when I try to install it, I encounter two problems.

 

First: I'm running Linux -- and the firmware update utility runs on Windows only. So is there also a utility available to update the FW under Linux?

 

As a workaround, I created a Windows 10 Recovery Drive (on a USB stick) and copied the update to that USB stick. I then booted the PC using that USB stick and tried to run the firmware update from within that Windows Recovery (WinPE) environment. I then got the following output:

 

D:\EN-FW-Update\EN-FW-Update-64bit>FWUpdLcl64.exe -f ME8_5M_Production.bin -generic

 

Intel (R) Firmware Update Utility Version: 8.1.40.1456

Copyright (C) 2007 - 2013, Intel Corporation.  All rights reserved.

 

Error 8743: Unknown or Unsupported Platform

Cannot locate hardware platform identification

This program cannot be run on the current platform.

 

Any idea why this does not work? And how to resolve it?

RCS failed to load a valid 3rd party Certificate Authority mediation DLL file


I have installed SCS and RCS to manage vPro devices.
However, when I start the RCS Server service the following entries are displayed in the RCSLog.log file:

 

 

2017-06-04 00:04:45: Thread:3244(INFO) : RCS Server , Category: CA Mediation Plugins Source: CaMediationCOMInterface.cpp : CAInterfaceNamespace::CAMediationComInterface::init Line: 173: RCS failed to load a valid 3rd party Certificate Authority mediation DLL file, so RCS disabled the option.   (0xc0003f5e).

2017-06-04 00:04:45: Thread:3244(DETAIL) : RCS Server , Category: CA Mediation Plugins Source: c:\workst\f5ded80e061e568\products\scs\modules\cainterface\CaMediationCOMInterface.h : CAInterfaceNamespace::ProcessManager::TerminateIfFilenameMatches Line: 69: Entering

2017-06-04 00:04:45: Thread:3244(DETAIL) : RCS Server , Category: CA Mediation Plugins Source: c:\workst\f5ded80e061e568\products\scs\modules\cainterface\CaMediationCOMInterface.h : CAInterfaceNamespace::ProcessManager::TerminateIfFilenameMatches Line: 75: Exiting

2017-06-04 00:04:45: Thread:3092(ERROR) : RCS Server , Category: Initial 3rd party CA Mediation DLL.  Source: Src\RCSServer.cpp : CServiceModule::Run Line: 1433: RCS failed to load a valid 3rd party Certificate Authority mediation DLL file, so RCS disabled the option.   (0xc0003f5e).

 

Can anybody tell me what causes the error message "RCS failed to load a valid 3rd party Certificate Authority mediation DLL file"?
I have checked the certificates and they are all correct.
Any suggestions are welcome.

Clarification on the behavior of AMT in wired 802.1X networks


I am experimenting with using Intel AMT as the sole 802.1X supplicant for the whole device. The goal is to remove the need for the operating system to know anything about 802.1X, as it is ideally completely handled by AMT.

The results so far indicate that AMT is not suitable for that purpose, and I require some clarification on configuration options within AMT regarding 802.1X.

 

My main source of confusion comes from the configuration option "Enable 802.1X for AMT even if host is not authorized for 802.1X" in the advanced wired 802.1X settings. How is that detected? How will AMT behave? What exactly does authorized mean in this context?

 

Environment:

  • Windows Server 2016 acting as Active Directory, Certificate Services, Network Policy Server (RADIUS), as well as providing DHCP and DNS
  • Cisco Catalyst 2960 acting as a 802.1X-enforcing switch
  • Dell Latitude E7470 acting as the client
    • AMT v11 is provisioned and has valid and working 802.1X credentials (EAP-TLS)
    • Host OS (Windows 10) does not have any 802.1X credentials (This is intended!). The 802.1X supplicant service (Wired AutoConfig) is enabled but deactivated for the network interface.

 

The device shows the following behavior:

 

Device state: Powered off
802.1X behavior: AMT promptly negotiates 802.1X and the device is reachable over the network.

Device state: Powered on, network adapter disabled in OS
802.1X behavior: AMT promptly negotiates 802.1X and the device is reachable over the network.

Device state: Powered on, network adapter enabled in OS, "Enable 802.1X for AMT even if host is not authorized for 802.1X" = yes
802.1X behavior: Windows cannot negotiate 802.1X since the supplicant is not even enabled. AMT negotiates 802.1X every ~300s, the device is reachable and manageable over the network for ~100s before AMT issues an EAP Logoff, disrupting the connection. During this time, the operating system is still not able to use the network.

Device state: Powered on, network adapter enabled in OS, "Enable 802.1X for AMT even if host is not authorized for 802.1X" = no
802.1X behavior: Neither Windows nor AMT ever respond to EAP messages. No connectivity (as expected).

 

The third case is the interesting one here. Note that AMT does not answer the Switch's Request Identity Messages, but rather initiates the 802.1X Session on its own issuing EAPoL Start messages.

 

What is the purpose of this periodical AMT-based 802.1X login? Do I have to be lucky as an Admin to connect to the device just in the right moment or tell my customer to turn their device off to properly administrate it?

And finally, is there any option I missed, that would allow the Host OS to freely use an unlocked network connection once AMT has dealt with the 802.1X authentication?

 

I am thankful for any input.

AMT/ASF discovery


What tools are there for network discovery of AMT/ASF hosts?

For example, like Manageability Commander:

 

 

Download Intel® Manageability Commander

 

 

I am familiar with HTTP port 16992 for AMT; how do I discover and use, for example, NetXtreme NIC ASF?


Powershell module


Hey guys! New here so I'm not sure it's the right place to post this but...

 

I've started using the IntelvPro Powershell module, but I can't do a simple line:

 

Get-AMTFirmwareVersion -ComputerName:<ComputerName>

 

I get the following:

 

ComputerName                  Property                            Value

------------                            --------                                -----

<ComputerName>              Error                                 Cannot connect

 

Any ideas as to why?

INTEL-SA-00075-Discovery-Tool: No such file or directory /dev/mei0


$./INTEL-SA-00075-Discovery-Tool

 

INTEL-SA-00075-Discovery-Tool -- Release 1.0

Copyright (C) 2003-2012, 2017 Intel Corporation. All rights reserved

 

Error: No such file or directory /dev/mei0

Cannot establish a handle to the Intel(R) MEI driver. Refer to Tool User Guide for more information.

 

---------------------------------------------------------------------------------------------------------------------------------

$ ls -l /dev/mei*

 

$ service lms status

LMS is running

 

$ find / | grep mei

/lib/modules/3.0.101-84-default/kernel/drivers/misc/mei

/lib/modules/3.0.101-84-default/kernel/drivers/misc/mei/mei.ko

 

I am having trouble verifying CVE-2017-5689. Why don't I have /dev/mei# on my machine (SLES11 SP4)?

Am I missing something..?
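
The situation in the post above (mei.ko present under /lib/modules, but no /dev/mei* node), as an added diagnostic sketch that is not part of the original post or of Intel's tool: it classifies why the MEI device node is missing. The function name `mei_state` and its three path arguments are assumptions, introduced so the check can be pointed at constructed directories as well as at the live system.

```shell
#!/bin/sh
# Added example (not from the original post): work out why /dev/mei0 is absent.
# Usage: mei_state [DEV_DIR] [PROC_MODULES_FILE] [MODULES_DIR]
# The function name and arguments are hypothetical; defaults are the live paths.
# Prints exactly one of:
#   device-present       a MEI character device node exists
#   loaded-no-device     the mei driver is loaded but no node was created
#   on-disk-not-loaded   a mei*.ko file exists for this kernel but is not loaded
#   no-module            no mei module file was found under MODULES_DIR
mei_state() {
    dev_dir=${1:-/dev}
    proc_modules=${2:-/proc/modules}
    modules_dir=${3:-/lib/modules/$(uname -r)}

    # 1. Device node: the tool in the post opens /dev/mei0; older kernels
    #    registered the node as plain /dev/mei, so accept both spellings.
    for node in "$dev_dir"/mei "$dev_dir"/mei[0-9]*; do
        if [ -c "$node" ]; then
            echo device-present
            return 0
        fi
    done

    # 2. Loaded driver: the first field of each /proc/modules line is the
    #    module name (mei on older kernels, mei plus mei_me on newer ones).
    if [ -r "$proc_modules" ] &&
       awk '$1 == "mei" || $1 == "mei_me" { found = 1 }
            END { exit !found }' "$proc_modules"; then
        echo loaded-no-device
        return 0
    fi

    # 3. Module file on disk, as in the post's `find / | grep mei` output.
    if [ -d "$modules_dir" ] &&
       find "$modules_dir" -type f -name 'mei*.ko*' 2>/dev/null | grep -q .; then
        echo on-disk-not-loaded
        return 0
    fi

    echo no-module
}
```

The output shown in the post is consistent with either `loaded-no-device` or `on-disk-not-loaded`; calling `mei_state` with no arguments on the affected machine tells the two apart.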

Deploying AMT Firmware Silently


We've got about 900 HP systems, notebooks and desktops that we'll need to update the AMT firmware on. Is there any way to accomplish this without user intervention?

 

HP has suggested using FWUpdLcl.exe Firmwarefile.bin -allowsv -generic as a command line.

Intel Local Management service high CPU usage windows 2012 r2


High CPU usage on the process Intel Local Management service on start-up.  If we stop it...the server is fine.  Checked for Threats with Malwarebytes and ESET, but none. AMT is uninstalled. On the properties of the process it refers to windows\Vss\writers\  but I can't find any files in there.

 

Strangely nothing is on the startup as well, so I'm really concerned where it is coming from. My guess for now is a left over app...service.

 

Please help.

Difference between a brand name PC with vpro or without vpro


Hi all, just wondering what is the physical difference between a Dell optiplex computer with vpro and one exactly the same spec but without vpro.

 

When purchasing a Dell optiplex you can choose to have it with vpro or without.  If you choose with it will add ~$40 to the build.

 

I am wondering what is this ~$40 paying for?

 

In the build the CPU is the exact same model i5-7500 that has vpro support built in.  So the CPU is not getting changed when you select the PC to come with vpro.

 

So what am I paying for?  Is it an AMT chip that gets added to the motherboard when you select the PC to come with vpro?

or

Is it paying Dell to simply enable vpro via software?

 

thanks

crizz

How to use INTEL-SA-00075 Detection and Mitigation Tool Guide 1.0.2.116


I run "intel-SA-00075-console.exe -DisableLMS", it does not have any return.

How can I know whether LMS is disabled or not in a script?

Do I need to use another command to verify the result?

Some users report that when they run the detection tool, the tool shows "the tool was unable to detect ME or SMBIOS information to assess vulnerability".

What does it mean?

Enable legacy redirection mode in version 10.0.47-build 1006


Hello Guys,

 

In this version I can't see the legacy redirection mode option anymore in the AMT menu (Ctrl+P), only SOL, KVM, IDER.

 

Could you please help? Running on CentOS 7.

 

Thanks.


SCS Add-On for Microsoft SCCM - unable to install

AMT 0.0.0.0 IP address cannot connect


Hello,

 

 

I am trying to get Intel vPro AMT configured on my new Windows 10 machine (named COLORADO) which I'll call "the server"

The problem is that I cannot connect to it remotely from a different machine (the client).

 

 

I have posted several screenshots/photos in the following gallery:

 

 

https://postimg.org/gallery/ot3kli5c

 

 

These are photos of the web interface run on the server, at:

 

 

http://colorado:16992/index.htm

 

 

and the MEBX (BIOS extension) accessed with Ctrl-P on boot.

 

 

and one of the network configuration in the ACUWizard application.

 

 

 

 

The web interface, running on the local machine COLORADO in Internet Explorer, is reporting the local IP address as: 0.0.0.0

I don't think this is right?

 

 

 

 

On a remote machine (even if I turn off the firewall on both computers), I get a web page not found if I try to go to the same URL as above.

Yet on that remote machine, if I run (in a command prompt window):

 

telnet COLORADO 16992

 

 

it does connect, though does not prompt for anything. So there IS something running on port 16992 accessible across the network.

 

 

If I run:

 

 

PING COLORADO

 

 

I get a response from 192.168.1.67

 

 

So there is network connectivity to the OS across the network.

 

 

 

 

VNC client on the client machine cannot connect to the server, and the Intel "Manageability Commander Tool" run on the client also tries to connect for a few seconds, then stops trying with no error message.

 

 

 

 

Both AMT and the local operating system on COLORADO are configured with static IP address: 192.168.1.67

with default gateway and DNS server set to my router: 192.168.1.254

I had tried setting them both to DHCP, with the DHCP server set to 192.168.1.67 as a fixed IP address, but no difference.

 

 

 

 

The machine is home-built (June 2017) with a SuperMicro X11SSV-Q motherboard (which supports vPro).

It is in a workgroup (not a member of a windows domain).

It is on a wired network (Ethernet) connected to a home broadband router, and I am currently using a Windows 7 client on wireless on the same local network.

The MEBX version is: Intel(R) Management Engine BIOS Extension v11.0.0.0008/Intel(R) ME v11.6.27.3264

 

 

In one of the client apps, it said that MEBX was in client mode. Perhaps it needs to be in Admin mode?

(I tried to do this, but it wanted to see a provisioning server or something, and "SCS").

I suspect it got into Client mode when I used ACUWizard on COLORADO to try to configure it, including changing the password for the "Admin" user to a new password.

 

 

 

 

The purpose for which I need AMT is to allow me to remote power-cycle the machine. Also to be able to use VNC client to access the BIOS on reboot, and see any errors occurring at reboot.

 

 

On the server by default there was no installation of the windows service "Intel(R) Management and Security Application Local Management Service".

To install this I had to download an installer from the SuperMicro FTP site, and this installer was quite old (2009), so might be obsolete??

 

 

Any ideas?

 

 

Thanks

 

 

Neil M

VLAN settings for AMT


I have a question about VLAN for AMT.

 

Getting Started with Intel® Active Management Technology (AMT) | Intel® Software

> VLAN Settings for Intel AMT:  X

 

Intel(R) AMT SDK Implementation and Reference Guide

> Releases 4.x, 6.0 and later releases do not support VLAN.

 

Which is correct?

 

I tried to configure VLAN, but got an error "SetVlanParameters retuned error: UNSUPPORTED."

 

 

[My Environment]

DC53427HYE (Intel® Active Management Technology firmware version: 8.1.30-build 1350)

NUC5I5MYHE (Intel® Active Management Technology firmware version: 10.0.45-build 1024)

Intel AMT SKU Difference


We have over 100 different models in our enterprise organization. When I review certain AMT firmware versions, I see consumer or corporate. I'm wondering what the difference is? In our standing offer agreement we specify that the model must have a vPro enabled chipset.

A TCP error occurred...


Hello,

 

I'm using Intel SCS 11.0. I'm trying to provision my vPro client with the command:

 

acuconfig /verbose ConfigViaRCSOnly rcs.domain.com ProfileDefault /AbortOnFailure

 

But get error:

Thread:3224(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : configurator::LogAndExit Line: 226: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. A Soap Fault occurred. An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificates for SSL connection not found.

 

I've purchased my GoDaddy certificate with CN=rcs.domain.com. I've put this certificate in the service account that is running RCS server's personal certificate store and made sure I have all the Root/Intermediates to chain properly to the GoDaddy Root CA.  I've also validated that the hash matches the GoDaddy Root CA hash I have on vPro clients.

 

FQDN is client.domain.com. Primary Dns Suffix and DHCP Option is domain.com.

 

Wireshark displays many packets in TCP (WMI queries client<->rcsserver), and after that the rcsserver tries TCP port 16992 on the client. The handshake succeeds, but on POST of the HTTP/XML data the response is a connection RESET.

 

Any suggestion in the right direction is appreciated.

 

Thank you
