Problems while PXE booting on Intel AMT provisioned machines

Hi guys,

We have configured an environment with Intel SCS and Intel vPro enabled clients. We have successfully created policies and have distributed these to our clients. All of the functions/settings are working as expected. We are using the following policy:

Profile Name: KerberosProfile
Profile Type: Intel AMT

Network Settings
     FQDN will be the same as the Primary DNS FQDN
     IP will be taken from DHCP

Active Directory Integration
     Active Directory OU: OU=AMT Objects,DC=Demo,DC=local

Access Control List (ACL)
     User 1: administrator
          User Type: Digest
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 2: Demo.LOCAL\AMT-Admins
          User Type: Active Directory
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 3: adminkvm
          User Type: Digest
          User has both remote and local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader, User Access Control
     User 4: Demo.LOCAL\Domain Users
          User Type: Active Directory
          User has local access to the realms listed below
          Realms: Redirection, PT Administration, Hardware Asset, Remote Control, Storage, Event Manager, Storage Administration, Agent Presence Local, Agent Presence Remote, Circuit Breaker, Network Time, General Info, Firmware Update, EIT, Local User Notification, Endpoint Access Control, Endpoint Access Control Administrator, Event Log Reader

Transport Layer Security (TLS)
     Server authentication used for remote interface
     Server Authentication Certificate Properties:
          Certificate Authority: TEMPCA-IntelSCS.Demo.local\Demo Temp CA
          Certificate Template: IntelTLSaccesscertificate
          Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID

Network Configuration
     WiFi
          Do not enable synchronization of Intel® AMT with host platform WiFi profiles
     Wired 802.1x
          802.1x setup: 802.1x Setup1
          Protocol: EAP-TLS
          Root Certificate Authority: Demo Temp CA, Demo, local
          Certificate Authority: TEMPCA-IntelSCS.demo.local\Demo Temp CA
          Certificate Template: IntelSCSprovisioningcert
          Common Names (CNs) in certificate: DNS Host Name (FQDN), Host Name, SAM Account Name, User Principal Name, UUID
          Do not allow roaming identity
          Do not verify RADIUS server certificate subject name
          Enable 802.1x for Intel® AMT even if host is not authorized for 802.1x
          Keep 802.1x session after boot to allow PXE boot for 60 minutes

Trusted Root Certificates
     Below are the trusted root certificates used in this profile:
          Root certificate 1: Demo Temp CA, Demo, local

System Settings
     Enabled Management Interfaces:
          • Web UI
     RFB password set
     Power Management Settings: Always On (S0-S5), Timeout if idle: 0 minutes
     The Intel® AMT clock will be synchronized with the operating system clock
     Intel® AMT set to respond to ping requests
     Fast Call for Help (within the enterprise network) is Disabled


Problem statement

Now that Intel AMT has been configured, we can focus on the problem area:

We use PXE boot on a non-802.1x network to initially install machines. During the install process the machines are provisioned using Intel SCS with the configuration described above. When the machine is running in full Windows we are able to perform all actions such as remote control and power features like shutdown and cold reboot.

But if we now try to reinstall the machine, the process fails.

Machines where Intel AMT has now been configured can no longer PXE boot, neither on an 802.1x-enabled network nor on a network without 802.1x. What we are seeing is that the machines are able to PXE boot, but the process fails during the transfer of WinPE. The PXE boot process starts, boot.sdi is downloaded and then the download of WinPE starts. This download fails randomly between 30% and 70%. We are using an IP helper and have tried placing the machines on the SAME VLAN as the server, but we get error code 1460 on WDS, which indicates a TFTP timeout. Just for the sake of testing, we have also tried setting DHCP options 66 and 67. But I must emphasize that the SAME machine works just fine if we delete the Intel vPro configuration from the BIOS.

Conclusion:

We think that this problem is related to Intel AMT intercepting network communication. But what we find odd is that the problem occurs both on 802.1x-enabled networks and on networks without 802.1x; why is the PXE boot process being affected by enabling/configuring Intel AMT? Has anyone seen this problem or anything like this? I am wondering if there can be something in the policy that we have attached. During testing, we have also tried to remove the following:

     Enable 802.1x for Intel® AMT even if host is not authorized for 802.1x
     Keep 802.1x session after boot to allow PXE boot for 60 minutes

We are still struggling to get this to work on a non-802.1x network. Any help, pointers and tips are much appreciated as we have exhausted most of our options regarding testing.

 

Thanking you all in advance for your contribution.

 

Best regards,
Sean
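One way to localise a TFTP stall like the one described above (WDS error 1460, WinPE transfer dying somewhere between 30% and 70%) is to replay the DATA/ACK exchange from a packet capture and see at which block the acknowledgements stop and how often the server retried. The analyzer below is an added example, not code from the original post or from Intel SCS/WDS; it assumes the RFC 1350 default 512-byte block size (WDS may negotiate a larger one) and uses constructed packets built with the `data_pkt`/`ack_pkt` helpers instead of captured traffic.

```python
import struct

# Opcodes from RFC 1350; 512 is the default block size, WDS may negotiate a larger one (RFC 2348)
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLKSIZE = 512

def parse_tftp(payload: bytes):
    """Split one TFTP UDP payload into (opcode, block number or error code, data)."""
    if len(payload) < 4:
        raise ValueError("truncated TFTP packet")
    op, field = struct.unpack("!HH", payload[:4])
    if op not in (OP_RRQ, OP_DATA, OP_ACK, OP_ERROR):
        raise ValueError(f"unsupported opcode {op}")
    return op, field, payload[4:]

def analyze_transfer(packets, expected_size: int, blksize: int = BLKSIZE) -> dict:
    """Replay TFTP payloads (both directions, in wire order) and report where the transfer stopped."""
    last_data = last_ack = retransmits = 0
    final_block, error, seen = None, None, set()   # a block shorter than blksize ends the transfer
    for payload in packets:
        op, num, data = parse_tftp(payload)
        if op == OP_DATA:
            retransmits += num in seen               # same block sent twice = server retry after no ACK
            seen.add(num)
            last_data = max(last_data, num)
            if len(data) < blksize:
                final_block = num
        elif op == OP_ACK:
            last_ack = max(last_ack, num)
        elif op == OP_ERROR:
            error = data.rstrip(b"\0").decode(errors="replace")
    acked_bytes = min(last_ack * blksize, expected_size)
    return {
        "last_data_block": last_data,
        "last_acked_block": last_ack,
        "percent_acked": round(100.0 * acked_bytes / expected_size, 1),
        "server_retransmits": retransmits,
        "error": error,
        "complete": error is None and final_block is not None and last_ack >= final_block,
    }

# Helpers to build constructed sample packets (not captured traffic)
def data_pkt(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block) + payload

def ack_pkt(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)
```

If the stall always lands at the same block on a VLAN without 802.1x, the cause is on the TFTP path itself; if the acknowledged block varies from run to run, compare the timing of the last ACK with the AMT session/802.1x settings in the profile.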
