Hi All!
I posted the following thread in SCS, but I'm not sure if it's more suitable here
Any ideas are appreciated!
Thanks
Hi guys,
Am trying to run up a new Intel AMT/SCS environment, as we are building a new server environment to replace our current Prod environment. Intel AMT, console etc. were all configured by the previous IT team that are no longer around, and of course there's no doco available for how the install was done initially.
Having said that, I have the console up and running on the server, we've got a cert updated and installed, and I have installed the latest Intel IME that I downloaded from the PC vendor.
When trying to get the PC to connect to the console server, it's complaining about not being able to find the LMS service:
2017-09-05 14:50:05: Thread:1416(ERROR) : ACU Configurator , Category: Host Based Setup Discovery Source: Src\ActivatorDll.cpp : GetHostAndMEInfo Line: 3983: Error: Host-based configuration is not currently available because the Local Manageability Service (LMS.exe) is not running on the system.
On investigating, there's a very good reason for that - it's installed, but not running. If I try to run it manually (acuconfig.exe /verbose ConfigViaRCSOnly hostname.domain profile_name), it starts, but stops immediately. I've had a look at the Windows Event Viewer, which has 2 entries - one saying "Started" and the other saying "Stopped". No info as to WHY it stopped. I've looked in the application folder but can find no logs there for it, either.
Having looked over the info here on the Intel site, and searching the community, I've not been able to find anything which may indicate why it is that this is failing? I've compared the config of the service between the new PC, and one of our older ones that are working, and there's no difference there - both are running under the Local System account.
Any suggestions on what could be causing this, please??
Cheers,
Brad.
We have deployed vPro in our institution; it is configured on the endpoints for communication between Landesk and the computers.
Some time ago we had a security audit, and it turned out that Intel Active Management advertises itself on the network over http://FQDN-of-workstation:16992 (unencrypted traffic).
In the report this is treated as a major vulnerability.
My questions:
1. Is it possible to disable this agent without losing functionality in Landesk (that is, so that the workstation does not listen on port 16992)?
2. Is it possible to enable https://FQDN-of-workstation:16993 without using a PKI server?
3. Is there any way to use our own CA (held by the computer) so that the traffic goes over https through the web agent?
Please help, or point me to a manual.
So I have a few hundred machines configured and I can connect to them fine individually and power them on, remote desktop, etc but when I try to run the power on script via right-clicking on a device collection in SCCM and selecting "Intel AMT Power-on" the script fails with:
Script Started
Call failed with error 408
Script Completed
Same result with Mesh commander 0.51 too.
Any ideas?
Cheers,
Graham
Trying to deploy this on about 500 machines. Works fine, except that it displays an extraction screen, a "starting MicroLMS" screen, and a few others. Is it possible to disable all notifications so that the user is unaware that it is taking place?
Even if we send out notices, with 500 users, we will still be swamped with freaked out users.
Thanks!
-JF
I am experiencing problems using the AMT SOL feature on a NUC5i5MYHE. Here's the symptom:
Interestingly, the interrupt that both Linux and Windows report (17) does not match the actual one that can be observed (19). Furthermore, IRQ 19 is also the SATA interrupt, which makes me wonder if 17 is actually the correct one, but for some reason it is not being used.
This happens on several machines of this model, and I have tried multiple BIOS versions, including the most recent one (86A.0038).
Has anyone else seen this? I would really appreciate some help
Does anyone know if it's possible / supported to perform Remote Configuration (SCS) for a client who is on a WIRELESS only connection?
We are able to get clients configured, but only if they are hard wired.
Is Wireless Remote Configuration a supported option? If so, is there any documentation we can reference to get it going?
Thanks!
We in the IT Department of the organization I am working in are really enjoying AMT, as we are located in our country's capital and have branch offices all over the country. We have computers from DELL, HP and Lenovo and are using the Manageability Commander Tool to start up and, above all, use VNC for KVM.
Our last batch of computers was Lenovo X1 Carbon. Lenovo could factory set a lot of BIOS and vPro/AMT settings, but not Activate Network Access: Yes
So my first, and I do realize a bit naive question (due to obvious security concerns) is; is it possible to override this by the use of the PowerShell module?
We also have a lot of computers we do have physical access to and it would save us a lot of work to set Activate Network Access remotely.
My second question is more straightforward. Most of our computers have not factory set a custom password for admin. Is it possible to change the password by the use of the PowerShell module?
The script below, btw, is working very well given the fact that Activate Network Access is set:
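# Load the Intel vPro PowerShell module
Import-Module IntelvPro
# Prompt for the AMT admin user name and password
$cred = Get-Credential
Write-AmtCredential -Username $cred.UserName -Password $cred.Password # vpro admin and pw
Read-AmtCredential
# Map the local AMT system as a PowerShell drive named "amt"
New-PSDrive -Name amt -PSProvider AmtSystem -Root "\" -ComputerName localhost -Credential $cred
# Set the KVM access point to enabled and the consent requirement to off
Set-Item amt:\Config\KVM\AccessPointEnabled $true
Set-Item amt:\Config\KVM\ConsentRequired $false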
Hopefully it is also possible to set credentials without prompting...(?)
Hello All,
I am having issues with configuring Intel vPro on a Dell laptop. I have configured vPro through MEBx BIOS as we usually do for other laptops.
The laptop is connected to an ethernet cable via a USB-C adapter. When I look into Intel Management and Security Status, it's not even listing the wired connection in the list.
Does anyone have any experience with this?
Thanks in Advance!
I was having a hard time configuring AMT, but I was able to configure it.
Also I succeeded in setting up remote Windows with AMT.
But I am using CentOS.
So I want to install CentOS remotely.
However, AMT only supports SUSE Linux.
There seems to be an error when trying to install other Linux distributions remotely.
Is there any way to install CentOS remotely? I want to know.
If not, I want to know if the reason is lack of support.
I attach a picture of the error that occurs when installing CentOS.
Thank you!
Hello,
Yesterday an auto-update occurred and I saw a flash of a CMD window showing it was updating Intel ME. Since then the LMS service will start running continually at around 35%. In searching the forums I found mention of the gms.log file and opened it. It shows that the LMS service seems to be working fine, and at the time it starts using high CPU, the service shows a status of stopping.
Below is a sample from the log that shows the sequence of events that occur. Once it breaks I have to force an End Task or restart. Any ideas as to how to fix this?
(2476)[2017-11-07 14:52:16.367395] [LM_DEBUG] LMS:_acceptConnection(AF_INET)
(2476)[2017-11-07 14:52:16.367395] [LM_DEBUG] LMS:Sending channel open request to LME. Address: 127.0.0.1, requested port: 16992.
(2476)[2017-11-07 14:52:16.368398] [LM_DEBUG] LMS:Send channel open request to LME. Sender 2324. addr:127.0.0.1 port:59749
(2476)[2017-11-07 14:52:16.385451] [LM_DEBUG] LMS:Received 499 bytes from socket 2324. Sending to LME
(2476)[2017-11-07 14:52:16.385451] [LM_DEBUG] LMS:Sending 499 bytes to recipient channel 1.
(2476)[2017-11-07 14:52:16.389965] [LM_DEBUG] LMS:Received 499 bytes from socket 2324. Sending to LME
(2476)[2017-11-07 14:52:16.389965] [LM_DEBUG] LMS:Sending 499 bytes to recipient channel 1.
(2476)[2017-11-07 14:52:16.393978] [LM_DEBUG] LMS:Received 499 bytes from socket 2324. Sending to LME
(2476)[2017-11-07 14:52:16.394481] [LM_DEBUG] LMS:Sending 499 bytes to recipient channel 1.
(2476)[2017-11-07 14:52:16.396486] [LM_DEBUG] LMS:Received 401 bytes from socket 2324. Sending to LME
(2476)[2017-11-07 14:52:16.396987] [LM_DEBUG] LMS:Sending 401 bytes to recipient channel 1.
(2476)[2017-11-07 14:52:16.446317] [LM_DEBUG] LMS:Received 0 bytes from socket 2324.
(2476)[2017-11-07 14:52:16.446317] [LM_DEBUG] LMS:Sending channel close to LME. Recipient: 1.
(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG] HostChangesNotificationService service handle timeout
(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG] GMSC: --> handle_output
(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG] HostChangesNotificationService
(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG] HostChangesNotificationService::HandleAceMessage
(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG] GMSC: <-- handle_output
(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG] HostChangesNotificationService service handle timeout
(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG] GMSC: --> handle_output
(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG] HostChangesNotificationService
(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG] HostChangesNotificationService::HandleAceMessage
(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG] GMSC: <-- handle_output
(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG] HostChangesNotificationService service handle timeout
(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG] GMSC: --> handle_output
(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG] HostChangesNotificationService
(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG] HostChangesNotificationService::HandleAceMessage
(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG] GMSC: <-- handle_output
I have a Thinkpad X220 laptop with Windows 10 Pro installed, I have set the Intel AT setting in firmware/bios to "permanently disabled", but the Intel Management and Security Status application still shows the status of Intel AT service as Enabled (see the image below).
How can I make the Intel AT service disabled?
Hi,
One of my customers is planning to implement MACSec on each switch port.
I would like to know from which version vPro supports MACSec.
Thanks
Marcio Paulino
Hi vPro Experts
Our customer is being supported by its service provider in activating vPro in a multiforest multidomain environment and has some doubts about the suggested configuration.
I am yet to acquire full details but it would be helpful already to be redirected to resources related to vPro setup in such infrastructure.
Thanks in advance!
Nicola Reina
Hello all, I am trying to find the Remote ISO Launcher tool to download so that I can boot a Dell PC remotely with a Win10 ISO image mounted and do a fresh install of Windows 10. Anyone know a working link to download this tool please?
We are running SCCM v.1706 and we are trying to reinstall RCS on the server.
There was a Kyle with Intel that had helped me a couple years ago and it seemed to be working ok until someone removed it from the server.
Now I am trying to get it installed but I am running into an error.
I am running into an error trying to install RCS
- Non-Database Mode - Network Service - Generate storage key file
Error 100. Failed to execute: register /UserName:
NetworkService /Lite
Return value 4294967295
Action 13:58:35: REG_MOF.
Action 13:58:36: REG_SERVICE.
Error 100. Failed to execute: register /UserName: NetworkService /Lite
Return value: 4294967295
Action 13:58:41: Rollback. Rolling back action:
Installation completed with errors.
- Non-Database Mode - [domain\RCSService] - Generate storage key file
Action 14:01:01: REG_SERVICE.
Error 100. Failed to execute: register /Password: ??????? /UserName: [domain\RCSService] /Lite
Return value: 4294967295
Action 14:01:10: Rollback. Rolling back action:
So I've made an RCS/SCS server, set up the database and CA, set up the DNS, etc. but I'm still running into issues when the server-script .bat/.vbs script is called by the SCS software.
WMI works to the remote system; I can query for the domain name and see the results in the log file.
It's the part of the script which calls ConfigAMT which fails.
retVal = objWMIService.ConfigAMT(uuid, fqdn, ConfMethod, profileName, pid, "", "", "", "", strComputer, "", "", "", "", "", "", "", errorStr)
fqdn, uuid, strComputer, all reflect the test PC's fqdn, uuid, and IP address respectively. That was obviously the intent of the sample scripts. ConfMethod is 2 (PKI), profile name is "CSIT_Managed" which matches a profile I defined in scs. errorStr is always returned empty.
All the variables and their values appear to be correct, but I get an erroneous return value of -1073741718 and in the windows event viewer I see this message:
The following information was included with the event:
Method call ConfigAMT is denied because computer SERVERNAME$ made the call for PCNAME.DOMAIN.CA instead of for itself.
I do not understand where the error is coming from, the error makes no sense.... isn't the whole point for RCS is that the SERVERNAME$ can make a call to provision PCNAME.DOMAIN.CA?
I read of the Q3 vulnerability notice on ME/SPS/TXE. It links to a vulnerability detection tool that is supposed to scan for vulnerabilities. I just ran it on a desktop computer and it says "Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer)." Why can't you tell me if a system is vulnerable without the driver? A lot of the systems I'm responsible for are old, should I really be seeking out those drivers just to find out if the systems are vulnerable? Aren't these problems specific to certain chips?
edit: WIRED article about the vulnerabilities:
https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot/
Hello,
Suppose we have 100 vPro computers without Intel AMT enabled. They are connected to our network.
We know we can enable Intel AMT manually one by one, but can we enable Intel AMT on those 100 computers at once?
I have spent hours, but I could not find any answers for this.
Note that I am not talking about remote configuration.
We know that once Intel AMT is enabled and network connected, we can provision several computers at once.
Thank you in advance.
Abe
Hello,
I have a Gigabyte GA-H87N-WIFI motherboard and a Core i5-4570 CPU, is there any chance to use KVM on this machine? I did not find any references to AMT or ME or MEBx in BIOS and I did not get to MEBx menu via CTRL+P. I have Intel ME Interface driver installed. And I did not find any documentation on usage of Intel vPro with my MB. Where do I begin?
"Intel® Standard Manageability is a base set of manageability features, including: Boot Control, Power State Management, HW Inventory, Serial Over LAN, and Remote Configuration."
So how can I use this "Remote Configuration" feature?