Channel: Intel Communities : Discussion List - Intel® vPro™ Platform

INTEL-SA-00086 Detection Tool question


Hi!

 

I have a computer with a Celeron G-series processor. I used the detection tool to check the system, and the detection tool shows "This system is vulnerable."

But according to this list, the Celeron G series is not affected. What is the problem?

 

Thanks!


Missing Boot Options on AMT WebUI


Hello everyone

 

I have a strange behavior with my IPC system. After unprovisioning the system I cannot enable boot options any more. The boot option "Boot from local hard drive" is lost.

See screenshots. A second SSD is installed.

It would be great if anybody could provide support here.

 

AMT Fw: 9.1.41.3024
Processor: i7-6822EQ, QM87
MEI: 9.5.10.1538

 

WebUI before unprovision

 

 

 

 

 

I used the function from ACUWizard.

 

And after reconfiguration the boot options are lost.

Intel vpro remote desktop


I have enabled vPro on a Linux server that I am because it is in a really hard place to get to. I do not care about what I need to do to get this set up, but I just don't know what I am missing. After I enabled it I was able to connect with a program called MeshCommander. It will let me reboot the machine and do serial over LAN, but I cannot get it to show me the desktop or show the BIOS screen to me, nor does it seem to have the option. I know it is possible but I am not even sure if my hardware supports it. I have an OptiPlex 960 which this is set up on. If I need to use other programs I have no problems with that. I am just tired of having to pull out a monitor to keep troubleshooting this machine.

Disabling AMT


Most of our HP workstations have AMT. Our management has decreed that we disable AMT based on the recent security advisory. We've never provisioned our systems. We struggled through running the tools in May to pull inventory on affected systems and deployed updated firmware from HP. The whole experience was exhausting.

 

I've read some posts that suggest to disable AMT we need to remove the LMS service as well as delete LMS.exe. In our inventory, only some of our newer systems are running LMS. Is there an alternative way to disable AMT (short of accessing the BIOS of each system) on all our workstations?

 

Will ACUConfig.exe offer protection? Should I set up SCS to disable AMT?

 

Thanks for any help and advice.

LMS service high CPU, stuck in stopping state


Hello,

 

Yesterday an auto-update occurred and I saw a flash of a CMD window show it was updating Intel ME. Since then the LMS service will work start running continually at around 35%. In searching the forums I found mention of the gms.log file and opened it. It shows that the LMS service seems to be working fine and at the time it starts using high CPU and the service shows a status of stopping.

 

Below is a sample from the log that shows the sequence of events that occur.  Once it breaks I have to force an End Task or restart.  Any ideas as to how to fix this?

 

(2476)[2017-11-07 14:52:16.367395] [LM_DEBUG]  LMS:_acceptConnection(AF_INET)

(2476)[2017-11-07 14:52:16.367395] [LM_DEBUG]  LMS:Sending channel open request to LME. Address: 127.0.0.1, requested port: 16992.

(2476)[2017-11-07 14:52:16.368398] [LM_DEBUG]  LMS:Send channel open request to LME. Sender 2324. addr:127.0.0.1 port:59749

(2476)[2017-11-07 14:52:16.385451] [LM_DEBUG]  LMS:Received 499 bytes from socket 2324. Sending to LME

(2476)[2017-11-07 14:52:16.385451] [LM_DEBUG]  LMS:Sending 499 bytes to recipient channel 1.

(2476)[2017-11-07 14:52:16.389965] [LM_DEBUG]  LMS:Received 499 bytes from socket 2324. Sending to LME

(2476)[2017-11-07 14:52:16.389965] [LM_DEBUG]  LMS:Sending 499 bytes to recipient channel 1.

(2476)[2017-11-07 14:52:16.393978] [LM_DEBUG]  LMS:Received 499 bytes from socket 2324. Sending to LME

(2476)[2017-11-07 14:52:16.394481] [LM_DEBUG]  LMS:Sending 499 bytes to recipient channel 1.

(2476)[2017-11-07 14:52:16.396486] [LM_DEBUG]  LMS:Received 401 bytes from socket 2324. Sending to LME

(2476)[2017-11-07 14:52:16.396987] [LM_DEBUG]  LMS:Sending 401 bytes to recipient channel 1.

(2476)[2017-11-07 14:52:16.446317] [LM_DEBUG]  LMS:Received 0 bytes from socket 2324.

(2476)[2017-11-07 14:52:16.446317] [LM_DEBUG]  LMS:Sending channel close to LME. Recipient: 1.

(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG]  HostChangesNotificationService service handle timeout

(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG]  GMSC: --> handle_output

(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG]  HostChangesNotificationService

(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG]  HostChangesNotificationService::HandleAceMessage

(11356)[2017-11-07 15:48:49.264961] [LM_DEBUG]  GMSC: <-- handle_output

(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG]  HostChangesNotificationService service handle timeout

(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG]  GMSC: --> handle_output

(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG]  HostChangesNotificationService

(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG]  HostChangesNotificationService::HandleAceMessage

(11356)[2017-11-07 16:48:49.134016] [LM_DEBUG]  GMSC: <-- handle_output

(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG]  HostChangesNotificationService service handle timeout

(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG]  GMSC: --> handle_output

(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG]  HostChangesNotificationService

(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG]  HostChangesNotificationService::HandleAceMessage

(11356)[2017-11-07 17:48:49.133035] [LM_DEBUG]  GMSC: <-- handle_output

INTEL-SA-00075 Detection does not detect status in registry


Hello,

I am about to scan our environment in order to check the status on the client. I downloaded the tool from "Download INTEL-SA-00075 Detection and Mitigation Tool". At first glance it seems to work correctly. The GUI version, the XML file and the console version show the vulnerability status. The problem is with the registry. The system information is missing.

How am I supposed to collect the inventory information at large scale if the vulnerability status is not written in the registry?

Here are the exported values from the registry

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="Test"

"Application Version"="1.0.1.39"

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

 

And from the WOW6432Node node

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool]

"Scan Date"="30/11/2017 13:34:52"

"Computer Name"="WPLCND708524T"

"Application Version"="1.0.1.39"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\Hardware Inventory]

"Computer Manufacturer"="HP"

"Computer Model"="HP ZBook 15 G3"

"Processor"="Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz"

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Intel\Setup and Configuration Software\INTEL-SA-00075 Discovery Tool\ME Firmware Information]

"ME Version"="11.0.18.3003"

"ME Version Major"=dword:0000000b

"ME Version Minor"=dword:00000000

"ME Version Build"=dword:00000bbb

"ME Version Hotfix"=dword:00000012

"ME SKU"="Intel(R) Full AMT Manageability"

"ME Provisioning State"="Provisioned"

"ME Driver Installed"="True"

"LMS State"="NotPresent"

"Micro LMS State"="Running"

"EHBC Enabled"="False"

"Control Mode"="Admin"

"Is CCM Disabled"="False"

 

Any ideas ?

Thanks

Tomasz

chipset requirement for Authenticate and Data Guard


I understand that both Intel Authenticate and Data Guard do not require a specific chipset like AMT does (i.e. Q270), but would appreciate it if someone can confirm that for me. I think part of the MFA info associated with Intel Authenticate is stored at the chipset level, but I never found more detailed information about this matter.

Thanks!

macsec


Hi,

 

One of my customers is planning to implement MACSec on each switch port.

I would like to know from which version vPro supports MACSec.

 

Thanks

Marcio Paulino


After booting my ThinkPad T61 I get a message from Intel Active Management that my (intel @ AMD?) status is disabled; to fix, contact my authorized system administrator, I guess to enable it. Please help.

SA-00086 Detection Return Codes


I'm deploying the SA-00086 detection console in SCCM using the steps outlined here: Using ConfigMgr to Monitor Intel Vulnerability INTEL-SA-00086 | Microsoft Cloud Solutions | Windows Management Experts

 

I've noticed that many of the installs are coming back as errors with a return code of 100.  I can't find a list of valid return codes for the detection console so I was wondering if anyone knew what that return code means or if there is a log on the client that I can check to see what the error is about.

 

Thanks!

Enable Intel AMT Remotely


Hello,

 

Suppose we have 100 vPro computers without Intel AMT enabled. They are connected to our network.

 

We know we can enable Intel AMT manually one by one, but can we enable Intel AMT on those 100 computers at once?

 

I have spent hours, but I could not find any answers for this.

 

Note that I am not talking about remote configuration.

We know that once Intel AMT is enabled and network connected, we can provision several computers at once.

 

Thank you in advance.

 

Abe

Intel Capability Licensing Service Client is obsolete


Hi,

I've patched the ME vulnerability using Intel's SA-00086 detection tool. However a message is saying an Intel service is obsolete (see screenshot). There's no link to a patch and I could not find anything on Intel's support site.

Any ideas on what I should do next?

 

00086.png

 

Thks,

jfg

Intel-SA-00086 console and GUI don't work


I tried to use your detection tools, but neither the GUI nor the console one works on my laptop. Both of the programs crash.

 

Sorry, but my Windows runs in German, therefore the error messages are in German too.

intel_error.jpg

intel_error2.jpg

 

Does anyone have the same problems as me?

NUC mini and Remote keyboard issue


We have a NUC mini. May have clicked on something with regard to the Intel remote keyboard by mistake. Now my mouse and keyboard are basically disabled. Can only force a shut down which we did. No restart possible at this point.  Need a solution

Mutual TLS Authentication


Hi,

 

I am having a problem with TLS Mutual Authentication. I am getting this error all the time:

"Category: Certificate store Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 1202: Valid certificates for SSL connection not found.  Certificate for Mutual TLS"

 

Running the ACUconfig systemdiscovery command on the vPro client confirmed that the certificate was indeed added to Intel ME. I double-checked the certificate and it's valid (the Cert. Template was created according to the SCS User manual).

 

I found this, though, in the Intel documentation.

"If mutual TLS authentication is enabled, any applications that interact with the device must supply client certificates that the device uses to authenticate the applications"

 

Does this mean that we need to issue a "Client Authentication" certificate for the SCS Server and install it in the System Account Store (RCS Service is running under the built-in Network Service account)?

 

PS: The only certificate installed on the SCS server is the Prov. Cert. issued by a 3rd party CA (using the "For Intel AMT use" checkbox on the CA Req. Website) and it was validated by the RCSutil tool. It is only valid for ZTC but not Mutual TLS

"The certificate is not valid for Intel(r) RCS Mutual TLS(HTTPS) connection and is valid for Intel(r) RCS remote PKI(ZTC)"

 

Any ideas?

Thanks

 

A.S.M



Intel-SA-00086 detection without tools


Hello,

 

I want to check if my computers are vulnerable. However, I cannot run the tool because I am not .NET Framework.

How is it possible to find the version of the firmware (IME, SPS, TXE) on a computer with Windows 7?

 

Thank you.

Cannot provision Intel AMT 11.x devices?


I'm having a problem provisioning Intel AMT 11.x devices.

 

It's a relatively new setup with SCS. I've been able to provision AMT 7.x and 9.x devices without many problems. I'm using host-based configuration running "ACUConfig.exe ConfigAMT profile.xml /DecryptionPassword xxxxxxx" to do it.

For the 7.x and 9.x machines I saw the "Wire support 1 **************" messages in the ACUConfig logs, and the provisioning completed  successfully.

 

With the 11.x machines we just got (ASUS Q270M-C motherboards), when I try to provision them I get an error in the log about the certificate.

 

2017-12-15 10:51:27:(INFO) : ACU Configurator , Category: HandleOutPut: Starting log 2017-12-15 10:51:27

2017-12-15 10:51:27:(INFO) : ACU Configurator, Category: : ACUConfig 11.2.0.35

2017-12-15 10:51:27:(INFO) : ACU Configurator, Category: -Unknown Operation-: HOSTNAME.FQDN: Starting to configure AMT...

2017-12-15 10:52:34:(INFO) : ACU Configurator , Category: Information message: Active certificate hashes have the following names: (0xc000005a)

2017-12-15 10:52:35:(INFO) : ACU Configurator , Category: Information message: Active certificate hashes have the following names: (0xc000005a)

2017-12-15 10:52:42:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (retry set to = 0)

2017-12-15 10:52:43:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (RCS not busy.)

2017-12-15 10:52:43:(INFO) : ACU Configurator , Category: WMI Access Layer: Success. (0) (RCS is currently handling = 0 threads)

2017-12-15 10:52:44:(ERROR) : ACU Configurator , Category: ConfigAMT failed: A call to this function has failed - (0xc000278b) (Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable.  (0xc000521f). )

2017-12-15 10:52:44:(ERROR) : ACU Configurator, Category: Exit: ***********Exit with code 74. Details: Failed to complete the Setup operation on this Intel(R) AMT device.  The status of Intel(R) AMT on the system might have changed. Use the "Status" command to see the current system configuration.  Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521f: An SSL error occurred. Verify the username and password, and the PSK or certificate settings, where applicable. Valid certificate for PKI configuration not found.

 

The cert has been added to the PKI configuration in MEBx setup, remote configuration is enabled, etc. I can't figure out what the error is. I've tried enabling verbose logging but that wasn't helpful either. Any ideas would be greatly appreciated.

MEManuf Test Fail


Ran "MEManufWin64 -s0 -verbose"

          Error 173: Communication with WLAN device failed

          Error 117:MEManuf Operation Failed

 

     The wireless is installed correctly, driver OK.

Intel® Anti-Theft block upgrade BIOS at HP EliteBook 8440p


Hello

 

Intel® Anti-Theft block upgrade BIOS at  HP EliteBook 8440p

 

1. I can load Windows 7 without any problem

2. I can re-install Windows 7, but can't update to Windows 10 because of the old version of the BIOS, and the BIOS upgrade failed with an Intel® Anti-Theft issue

3. The Intel AT utility shows that AT status = Stolen (but I bought this notebook and the previous owner didn't set up Intel® Anti-Theft Service)

 

Please advise / provide instructions on how I can upgrade my BIOS

Thank you


