Channel: Intel Communities : Discussion List - Intel® vPro™ Platform

TLS secured connection via browser


Hi,

 

I used Mesh Commander to set up a TLS secured connection, using a self-issued certificate. The connection works fine via Mesh Commander.

 

However, on certain devices I can only use the browser interface. I can connect via Android for example, without TLS enabled, but need this to work with TLS.

 

As a test I imported the user certificate into Firefox, and tried to connect via port 16993 with TLS enabled.

 

I receive SEC_ERROR_UNKNOWN_ISSUER so I added the address as an exception, then I get SSL_ERROR_BAD_MAC_ALERT.

 

How can I use the browser interface with TLS enabled? (or alternatively, is there an Android app where this is possible?)

 

Much appreciated!

Thanks


Connection when remote machine is crashed


Hi,

 

I have been using Intel vPro via Mesh Commander for a few months now.

 

It usually connects fine. However, on a few occasions, when the remote machine is crashed it will not connect.

 

I understood that Intel vPro is not OS dependent, so I wonder what causes this.

 

One of the primary reasons I am interested in using vPro is to reboot machines that are inaccessible via SSH. However, sometimes it is not possible and immediately upon manual reboot vPro again works fine (pointing to issues with the machine itself rather than the network, at the router the machine seems to be connected but still inaccessible prior to reboot).

 

Is there any reason this might occur? I would really love to be able to use vPro to reboot otherwise inaccessible machines (due to OS problems).

 

Thanks

vPro AMT System Defense


Has anyone tried using system defense rules in AMT? I am trying to see if we can use it to restrict AMT connection from a specific management server IP.

I created a Drop all rule and I can still connect to AMT from anywhere the management console is installed (So long as I am using an account that has access, such as user ID and password, or Kerberos via AD groups).

 

So I then thought OK, can I limit connections to a specific port, say SMB (445) - I created a filter and a policy and applied it using Mesh Commander, but I can still connect to the endpoint via SMB. Confusing!

 

Can you see anything wrong with my 445 filters?

ProtocolID=6,SrcAddress=xx.xx.xxx.xxx,SrcMask=xxx.xxx.xxx.x,HdrDestPortStart=445,HdrDestPortEnd=445

 

Remote desktop connects & instantly disconnects


I have an Intel NUC, which has Intel vPro (in fact I have several of these same machines).

 

One of them is acting up.

 

I can connect with Intel Manageability Commander (both v1 and v2 work).

 

I can view system status, hardware, event logs etc.

 

However, when I try Remote Desktop it will say:

 

Connecting...

Setup...

Disconnected

 

This specific machine has been working for 1+ year.  It is at a remote site, so I don't have local access.

 

The audit log will log the following when I attempt to use the Remote Desktop option.

 

Redirection Manager, KVM Session Started

Redirection Manager, KVM Session Ended

 

There is only 1 second between the audit log entries.

 

Sometimes when I have issues with Remote Desktop, I would use the power actions and either reset to BIOS or power up to BIOS and that gets me back into the machine if the screen resolution was not compatible or something.

 

This time I'm stuck.  I have tried everything I can think of but can't get Remote Desktop to maintain a connection.

 

How can I debug this thing as there seems to be no error occurring?

Prevent DHCP option 15 check (.local domain)


We currently have an internal domain with a .local ending and are aiming for the Remote Configuration via PKI for our AMT Systems (9.x and up). The problem here is the DHCP option 15 check, that does not work because publicly trusted CAs no longer issue certificates with internal names. As an alternative an Intel representative suggested to set an external name at the internal DHCP Option 15, but this is not possible because many devices in our environment rely on the correct local entry.

Another suggestion requires physical contact with the device which we want to prevent. Spoofing of DHCP or additional Reservations only for the process of initial AMT configuration is also frowned upon.

My question is if there are any other ways to solve this problem we haven't found yet. Thank you.

 

For reference: How to create a provisioning certificate for internal domain name

PXE winpe cannot operate with the disk while remote pxe command by AMT: RemoteControl.exe. PXE Linux works fine.


Hello dear experts,

We have automated the Operating System deployment of Intel devices: DELL 7040/7050 computers. We use Linux PXE deployment and we have 2 OS being deployed: Linux Ubuntu and Win10 RS3 (WinPE developed).

We use AMT utilities to perform the remote commands, NetworkAdmin.exe and RemoteControl.exe, taken from SDK source: http://software.intel.com/en-us/articles/download-the-latest-intel-amt-software-development-kit-sdk

and it works fine through "mono" tool in linux: 

"/usr/bin/mono /data/tools/automation/win/amt/bin/RemoteControl.exe  -setbootsource pxe -host ${IP} -user admin -pass ${PS}"

"/usr/bin/mono /data/tools/automation/win/amt/bin/RemoteControl.exe  -changepower busreset -host ${IP} -user admin -pass ${PS}"

 

Problem Summary:

When we boot the system to deploy Win10 OS by the approach above, the system boots PXE, starts downloading and brings up the WinPE image. But Windows installation fails in the Disk stage and warns: "Setup was unable to create a new system partition or locate an existing system partition. See the setup log files for more information". According to the logs the disk was found and the partition has been created. I also see it by: "DISKPART> select Disk 0  -> list partition".

Whereas, when I boot PXE manually (by F12) using the AMT console and selecting PXE in the boot sequence, the system boots and installs fine without any warnings.

This problem also does not occur in Linux OS automation or manual deployment by the same approach. It works excellently without any trouble.

Will VPRO support windows 10 re imaging and repair


Looking for a tool that can remotely reimage Windows 10 desktops / laptops.

Is there a change to SOL in ME 12?


Hello,

 

In our company we have been using Intel-ME and MESH-Commander for several years. Our most used features are to start clients without user action and to boot into BIOS when the client is not accessible any more.

 

Our last model was a HP ProDesk 600 G3 MT with Intel CORE I3 and the ME 11.8.50.3425, which is working without problems.

Now there has to be a change and we are testing a HP ProDesk 600 G4 MT with Intel PENTIUM GOLD and the ME 12.0.7.1122.

 

If I connect the new client with MESH-Commander I can list all information, but when I try to take control with SOL I get an error:

 

"Unable to connect to serial-over-lan port (IMR_RES_AUTH_FAILED). Check that the redirection port ist enabled and serial-over-lan feature is turned on."

 

So the port is enabled and the SOL feature seems to be turned on. I also solved all Internet hints to IMR_RES_AUTH_FAILED.

I can reach and manage the client over port 16992.

Telnet to port 16994 works also.

 

With wireshark I get an answer:

HTTP/1.1 200 OK
Date: ...

Server: Intel(R) STandard Manageabilty 12.0.7.1122

X-Frame-Option: DNY

Content-Type: application/Soap+XML; charset=UTF-8

Transfer-Encoding: chunked

 

0491

<?XML ...

 

Has anyone an idea?

 

Thanks


No longer able to provision machines via RCS


We have been using AMT to provision many machines for the last 2 years however since a couple of days ago we are no longer able to.  When trying to provision via manual job in RCS we get the error:

 

Operation:  Configuration

Date and Time: 23/11/2018 09:45:58

Error Code: 3221227474

Severity: Failure

UUID: B7D1D480-7086-11E7-9C6F-60A274342700

Intel AMT FQDN: XXX008221.domain.ac.uk

Intel AMT IPv4: 10.4.94.135                        

Server Name: RCS.domain.ac.uk

Description: Initial connection to the Intel(R) AMT device failed.

Failed while calling

WS-Management call

GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error

0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

 

 

Within the RCSLog.log we see:

 

2018-11-23 09:47:40: Thread:2552(DETAIL) : 10.4.94.135, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 120: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

2018-11-23 09:47:40: Thread:2552(ERROR) : XXX008221.domain.ac.uk, Category: AMT Interface error Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 996: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target. , error in discover 0xc000521c

2018-11-23 09:47:41: Thread:2552(DETAIL) : XXX008221.domain.ac.uk, Category: TestAllConnections params Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestAllConnections Line: 548: Connection data - Connection type: TLS-PKI, FQDN: XXX008221.domain.ac.uk, IP: 10.4.94.135, UserName: admin

2018-11-23 09:47:41: Thread:2552(DETAIL) : XXX008221.domain.ac.uk, Category: Test Connection Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 796:

2018-11-23 09:47:41: Thread:2552(DETAIL) : XXX008221.domain.ac.uk, Category: DiscoverAMTConnectionMode Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::TestConnection Line: 888: Connection Info-XXX008221.domain.ac.uk admin PKI: 819a5ecd18486589e241cf32765c52a52b7092b4

2018-11-23 09:47:51: Thread:2552(DETAIL) : XXX008221.domain.ac.uk, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 120: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

2018-11-23 09:48:01: Thread:2552(DETAIL) : XXX008221.domain.ac.uk, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::GetAmtVersion Line: 120: Failed while calling  WS-Management call  GetAmtVersion (CIM_SoftwareIdentity.Get). Intel(R) AMT connection error  0xc000521c: A TCP error occurred. Make sure that the destination settings are correct and that a network connection exists to the target.

 

The AMT certificate is still valid on the RCS server.  The CA is working fine as far as we can see.  Existing provisioned clients are working perfectly.  We have tried updating the ME firmware on a couple of clients.  The LMS server is started on the clients.  My hunch is that it is SSL / TLS / certificate related but not sure where.

 

Any ideas?

 

Cheers,

Graham

Configuring a lan-less system *locally*


Hi all,

 

I have a Dell Precision 5520 that I'm attempting to configure. I've enabled MEBx and AMT locally upon boot, but I can't seem to reach the Webui *at all* - attempting to reach <ip address>:16992 simply times out. I have a Lenovo X1 Carbon that I've set up identically for which I am able to reach the webui for that device perfectly fine. (Where I'm hitting the login screen)

New AD group "cannot connect" to vPro via PowerShell


I have a Windows environment of about 600 desktops all with vPro enabled and functioning.

I have a single AD permission group that provides our level 2 admins access to the vPro functions via their AD role groups.

This all works great for issuing commands via the PowerShell module.

I wanted to provide our level 1 admins access to vPro to power on computers.

I created a new AD permission group so I could manage permissions separately and populated with their AD role group.

I created a new vPro profile and deployed to a test box.

However no one in the new group can run any commands against the test box.

Thinking it was AD security tokens I tried logoff\logons, reboots of the local and remote machine, and waited a day.

Using the vPro GUI with my level 2 admin account works fine.

However using my test account in the level 1 admin's role group it fails with "Cannot connect".

I have had multiple level 1 admins try, all with the same error.

I noticed it does not say unauthorized like it normally does.

I found that if I use the same test account but intentionally type my password wrong I do get "Unauthorized".

I have also used PowerShell to confirm that the new AD permission group is on the vPro chip's profile on the test computer.

I have run out of ideas and would greatly appreciate any help you guys might be able to provide!

Admin control mode using host-based configuration


How to configure Intel AMT via Host-based and enable Admin control mode? Is it true that if a certificate is pushed via AMTprofiles in host-based config, it turns on ACM?
